CWE-252: Unchecked Return Value.

It is a common programming pattern that called procedures indicate their success or failure to the caller via their return value. If a caller does not check the return value of a called procedure, it cannot know whether the operation was successful. This may lead to bugs with security implications when the program resumes execution under the assumption that the failed call has worked.

Examples

See the following CVEs for examples in Linux user-mode programs:

  • CVE-2007-5191
  • CVE-2017-6964
  • CVE-2018-16643
  • CVE-2019-15900
  • CVE-2023-40303

Also see CWE-252 at MITRE.

Algorithm

We perform a taint analysis where the sources are return values of calls to external functions and the sinks are:

  • Places where all taint vanishes from the state. Here, the program loses all information about the success or failure of the API call; thus, it cannot possibly adapt its behavior in the subsequent execution.
  • Places where taint reaches a return site of a function without any taint being returned to the caller. Here, the caller of the function cannot know whether the API call was successful.

Taint propagation is stopped along paths as soon as a conditional control flow transfer depends on a tainted value.
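To make the two sink conditions and the branch rule concrete, here is an added toy model of the analysis in Python. It is not cwe_checker's own code; the tuple-based instruction format and the function list are constructed for the example, and the real check operates on a binary's intermediate representation rather than on these tuples.

```python
# Toy model of the taint analysis described above (added example, not cwe_checker's
# own code). A basic block is a list of tuples (constructed format):
#   ('call', dst, fn)     dst receives the return value of external fn (a source)
#   ('assign', dst, src)  dst = src (propagates taint)
#   ('const', dst)        dst is overwritten by a constant (taint in dst is killed)
#   ('branch', var)       conditional jump on var (a check: propagation stops)
#   ('ret', var_or_None)  return from the function (the second sink)
CHECKED_FUNCTIONS = {"setuid", "malloc", "chdir"}  # stand-in for the config.json list


def analyze(block):
    """Return one finding string per return value that is never checked."""
    taint = {}        # variable -> (callee, index of the call that tainted it)
    findings = []
    for i, ins in enumerate(block):
        op, args = ins[0], ins[1:]
        live_before = set(taint.values())
        checked = set()   # sources consumed by a branch or return in this instruction
        if op == "call":
            dst, fn = args
            taint.pop(dst, None)              # whatever dst held before is lost
            if fn in CHECKED_FUNCTIONS:
                taint[dst] = (fn, i)          # new taint source
        elif op == "assign":
            dst, src = args
            if src in taint:
                taint[dst] = taint[src]
            else:
                taint.pop(dst, None)
        elif op == "const":
            taint.pop(args[0], None)
        elif op == "branch":
            src = taint.get(args[0])
            if src is not None:               # the return value is checked here:
                checked.add(src)              # stop propagating it, no finding
                taint = {v: s for v, s in taint.items() if s != src}
        elif op == "ret":
            if args[0] not in taint:          # sink 2: nothing tainted reaches the caller
                for callee, idx in sorted(live_before):
                    findings.append(f"{callee}() at {idx}: taint reaches return site unreturned")
            checked |= live_before
            taint = {}
        # Sink 1: a source whose last tainted variable vanished without any check.
        for callee, idx in sorted(live_before - set(taint.values()) - checked):
            findings.append(f"{callee}() at {idx}: return value discarded unchecked")
    return findings
```

A call whose result is overwritten by a later call to the same function is reported for the first call only, and a function outside CHECKED_FUNCTIONS produces nothing, which mirrors the false negative described below.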

Limitations

False Positives

  • For many API functions the necessity to check the return value depends on the context of the caller.
  • Cases where the result is checked before the operation is assumed to have worked, but there are paths from the call site that are correct irrespective of whether the call succeeded or failed.
  • Patterns where the return value is handled by giving it as an argument to another function call.
  • Taint loss due to Pointer Inference inexactness may cause the return value check to not be recognized as such.

False Negatives

  • Return value is checked but the program does not act accordingly.
  • The API function is not in the list of checked functions.

Configuration

The list of checked external functions can be configured in config.json. Selecting strict_mode includes additional functions; however, those are more likely to produce false positives.
