Rust: Model address-of and dereference as stores and loads

2026-04-27 01:35:13 +02:00 · 2024-12-16 11:15:37 +01:00
parent df0375103c
commit aab3428bc7
14 changed files with 97 additions and 18 deletions
--- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -712,6 +712,11 @@ private class CapturedVariableContent extends Content, TCapturedVariableContent
  override string toString() { result = "captured " + v }
 }

+/** A value refered to by a reference. */
+final class ReferenceContent extends Content, TReferenceContent {
+  override string toString() { result = "&ref" }
+}
+
 /**
 * An element in an array.
 */
@@ -1040,6 +1045,13 @@ module RustDataFlow implements InputSig<Location> {
          ["crate::option::Option::Some", "crate::result::Result::Ok"]
      )
      or
+      exists(PrefixExprCfgNode deref |
+        c instanceof ReferenceContent and
+        deref.getOperatorName() = "*" and
+        node1.asExpr() = deref.getExpr() and
+        node2.asExpr() = deref
+      )
+      or
      VariableCapture::readStep(node1, c, node2)
    )
    or
@@ -1123,6 +1135,12 @@ module RustDataFlow implements InputSig<Location> {
        node2.(PostUpdateNode).getPreUpdateNode().asExpr() = index.getBase()
      )
      or
+      exists(RefExprCfgNode ref |
+        c instanceof ReferenceContent and
+        node1.asExpr() = ref.getExpr() and
+        node2.asExpr() = ref
+      )
+      or
      VariableCapture::storeStep(node1, c, node2)
    )
    or
@@ -1382,7 +1400,8 @@ private module Cached {
      e =
        [
          any(IndexExprCfgNode i).getBase(), any(FieldExprCfgNode access).getExpr(),
-          any(TryExprCfgNode try).getExpr()
+          any(TryExprCfgNode try).getExpr(),
+          any(PrefixExprCfgNode pe | pe.getOperatorName() = "*").getExpr()
        ]
    } or
    TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or
@@ -1482,7 +1501,8 @@ private module Cached {
    TStructFieldContent(StructCanonicalPath s, string field) {
      field = s.getStruct().getFieldList().(RecordFieldList).getAField().getName().getText()
    } or
-    TCapturedVariableContent(VariableCapture::CapturedVariable v)
+    TCapturedVariableContent(VariableCapture::CapturedVariable v) or
+    TReferenceContent()

  cached
  newtype TContentSet = TSingletonContentSet(Content c)
--- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
@@ -46,6 +46,8 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
        RustDataFlow::readStep(pred, cs, succ) and
        cs.getContent() instanceof ArrayElementContent
      )
+      or
+      pred.asExpr() = succ.asExpr().(RefExprCfgNode).getExpr()
    )
    or
    FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),
@@ -59,7 +61,10 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
  bindingset[node]
  predicate defaultImplicitTaintRead(Node::Node node, ContentSet cs) {
    exists(node) and
-    cs.(SingletonContentSet).getContent() instanceof ArrayElementContent
+    exists(Content c | c = cs.(SingletonContentSet).getContent() |
+      c instanceof ArrayElementContent or
+      c instanceof ReferenceContent
+    )
  }

  /**
--- a/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll
+++ b/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll
@@ -484,7 +484,6 @@ module Impl {
  class VariableReadAccess extends VariableAccess {
    VariableReadAccess() {
      not this instanceof VariableWriteAccess and
-      not this = any(RefExpr re).getExpr() and
      not this = any(CompoundAssignmentExpr cae).getLhs()
    }
  }