Merge pull request #14275 from alexet/fix-use-after-free-fp

CPP: Fix some use after free FPs.
2026-04-25 16:55:19 +02:00 · 2023-10-03 09:16:42 +02:00
parent 2684a22484 6b0ae0f312
commit 5632dd5e46
4 changed files with 13 additions and 6 deletions
--- a/cpp/ql/src/Critical/UseAfterFree.ql
+++ b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -29,8 +29,7 @@ private predicate externalCallNeverDereferences(FormattingFunctionCall call, int
  )
 }

-predicate isUse0(DataFlow::Node n, Expr e) {
-  e = n.asExpr() and
+predicate isUse0(Expr e) {
  not isFree(_, e, _) and
  (
    e = any(PointerDereferenceExpr pde).getOperand()
@@ -43,7 +42,7 @@ predicate isUse0(DataFlow::Node n, Expr e) {
    or
    // Assume any function without a body will dereference the pointer
    exists(int i, Call call, Function f |
-      n.asExpr() = call.getArgument(i) and
+      e = call.getArgument(i) and
      f = call.getTarget() and
      not f.hasEntryPoint() and
      // Exclude known functions we know won't dereference the pointer.
@@ -57,7 +56,7 @@ module ParameterSinks {
  import semmle.code.cpp.ir.ValueNumbering

  predicate flowsToUse(DataFlow::Node n) {
-    isUse0(n, _)
+    isUse0(n.asExpr())
    or
    exists(DataFlow::Node succ |
      flowsToUse(succ) and
@@ -90,7 +89,7 @@ module ParameterSinks {
  ) {
    pragma[only_bind_out](source.asParameter()) = pragma[only_bind_out](init.getParameter()) and
    paramToUse(source, sink) and
-    isUse0(sink, _)
+    isUse0(sink.asExpr())
  }

  private InitializeParameterInstruction getAnAlwaysDereferencedParameter0() {
@@ -139,7 +138,7 @@ module IsUse {
  private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon

  predicate isUse(DataFlow::Node n, Expr e) {
-    isUse0(n, e)
+    isUse0(e) and n.asExpr() = e
    or
    exists(CallInstruction call, InitializeParameterInstruction init |
      n.asOperand().getDef().getUnconvertedResultExpression() = e and
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryFreed.expected
@@ -96,6 +96,7 @@
 | test_free.cpp:255:10:255:10 | p |
 | test_free.cpp:260:9:260:9 | p |
 | test_free.cpp:263:12:263:12 | p |
+| test_free.cpp:269:7:269:11 | ... = ... |
 | virtual.cpp:18:10:18:10 | a |
 | virtual.cpp:19:10:19:10 | c |
 | virtual.cpp:38:10:38:10 | b |
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/MemoryMayNotBeFreed.expected
@@ -1 +1,2 @@
 | test_free.cpp:36:22:36:35 | ... = ... | This memory allocation may not be released at $@. | test_free.cpp:38:1:38:1 | return ... | this exit point |
+| test_free.cpp:267:12:267:17 | call to malloc | This memory allocation may not be released at $@. | test_free.cpp:270:1:270:1 | return ... | this exit point |
--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/test_free.cpp
@@ -261,4 +261,10 @@ void test_ref_delete(int *&p) {
 	p = new int;
 	use(p);  // GOOD
    delete p;  // GOOD
+}
+
+void test_free_assign() {
+	void *a = malloc(10); 
+	void *b;
+	free(b = a); // GOOD 
 }