Merge pull request #20941 from paldepind/rust/invalid-pointer-barriers

Rust: Reduce the number of sinks in `DereferenceSink`

rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll

@@ -10,6 +10,8 @@ private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 private import codeql.rust.dataflow.internal.Node
 private import codeql.rust.security.Barriers as Barriers
+private import codeql.rust.internal.TypeInference as TypeInference
+private import codeql.rust.internal.Type
 
 /**
  * Provides default sources, sinks and barriers for detecting accesses to
@@ -47,16 +49,22 @@ module AccessInvalidPointer {
     ModelsAsDataSource() { sourceNode(this, "pointer-invalidate") }
   }
 
-  /**
+  /** A raw pointer access using the unary `*` operator. */
-   * A pointer access using the unary `*` operator.
-   */
   private class DereferenceSink extends Sink {
-    DereferenceSink() { any(DerefExpr p).getExpr() = this.asExpr() }
+    DereferenceSink() {
+      exists(Expr p, DerefExpr d | p = d.getExpr() and p = this.asExpr() |
+        // Dereferencing a raw pointer is an unsafe operation. Hence relevant
+        // dereferences must occur inside code marked as unsafe.
+        // See: https://doc.rust-lang.org/reference/types/pointer.html#r-type.pointer.raw.safety
+        (p.getEnclosingBlock*().isUnsafe() or p.getEnclosingCallable().(Function).isUnsafe()) and
+        // We are only interested in dereferences of raw pointers, as other uses
+        // of `*` are safe.
+        (not exists(TypeInference::inferType(p)) or TypeInference::inferType(p) instanceof PtrType)
+      )
+    }
   }
 
-  /**
+  /** A pointer access from model data. */
-   * A pointer access from model data.
-   */
   private class ModelsAsDataSink extends Sink {
     ModelsAsDataSink() { sinkNode(this, "pointer-access") }
   }

rust/ql/src/change-notes/2025-12-05-exclude-dereference-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed false positives from the `rust/access-invalid-pointer` query, by only considering dereferences of raw pointers as sinks.

rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql

@@ -26,18 +26,18 @@ module AccessAfterLifetimeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
     node instanceof AccessAfterLifetime::Source and
     // exclude cases with sources in macros, since these results are difficult to interpret
-    not node.asExpr().isFromMacroExpansion()
+    not node.asExpr().isFromMacroExpansion() and
+    AccessAfterLifetime::sourceValueScope(node, _, _)
   }
 
   predicate isSink(DataFlow::Node node) {
     node instanceof AccessAfterLifetime::Sink and
-    // exclude cases with sinks in macros, since these results are difficult to interpret
+    // Exclude cases with sinks in macros, since these results are difficult to interpret
     not node.asExpr().isFromMacroExpansion() and
-    // include only results inside `unsafe` blocks, as other results tend to be false positives
+    // TODO: Remove this condition if it can be done without negatively
-    (
+    // impacting performance. This condition only include nodes with
-      node.asExpr().getEnclosingBlock*().isUnsafe() or
+    // corresponding to an expression. This excludes sinks from models-as-data.
-      node.asExpr().getEnclosingCallable().(Function).isUnsafe()
+    exists(node.asExpr())
-    )
   }
 
   predicate isBarrier(DataFlow::Node barrier) { barrier instanceof AccessAfterLifetime::Barrier }

rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected

@@ -27,24 +27,6 @@ edges
 | deallocation.rs:242:6:242:7 | p1 | deallocation.rs:245:14:245:15 | p1 | provenance |  |
 | deallocation.rs:242:6:242:7 | p1 | deallocation.rs:252:14:252:15 | p1 | provenance |  |
 | deallocation.rs:242:30:242:38 | &raw const my_buffer | deallocation.rs:242:6:242:7 | p1 | provenance |  |
-| deallocation.rs:322:28:322:43 | ...: ... | deallocation.rs:324:18:324:20 | ptr | provenance |  |
-| deallocation.rs:334:27:334:42 | ...: ... | deallocation.rs:342:18:342:20 | ptr | provenance |  |
-| deallocation.rs:351:7:351:10 | ptr1 | deallocation.rs:354:4:354:7 | ptr1 | provenance |  |
-| deallocation.rs:351:7:351:10 | ptr1 | deallocation.rs:354:4:354:7 | ptr1 | provenance |  |
-| deallocation.rs:351:14:351:33 | &raw mut ... | deallocation.rs:351:7:351:10 | ptr1 | provenance |  |
-| deallocation.rs:352:7:352:10 | ptr2 | deallocation.rs:355:4:355:7 | ptr2 | provenance |  |
-| deallocation.rs:352:7:352:10 | ptr2 | deallocation.rs:355:4:355:7 | ptr2 | provenance |  |
-| deallocation.rs:352:14:352:33 | &raw mut ... | deallocation.rs:352:7:352:10 | ptr2 | provenance |  |
-| deallocation.rs:354:4:354:7 | ptr1 | deallocation.rs:357:27:357:30 | ptr1 | provenance |  |
-| deallocation.rs:355:4:355:7 | ptr2 | deallocation.rs:359:26:359:29 | ptr2 | provenance |  |
-| deallocation.rs:357:27:357:30 | ptr1 | deallocation.rs:322:28:322:43 | ...: ... | provenance |  |
-| deallocation.rs:359:26:359:29 | ptr2 | deallocation.rs:334:27:334:42 | ...: ... | provenance |  |
-| deallocation.rs:370:6:370:9 | ptr1 | deallocation.rs:373:13:373:16 | ptr1 | provenance |  |
-| deallocation.rs:370:6:370:9 | ptr1 | deallocation.rs:381:13:381:16 | ptr1 | provenance |  |
-| deallocation.rs:370:13:370:28 | &raw mut ... | deallocation.rs:370:6:370:9 | ptr1 | provenance |  |
-| deallocation.rs:389:6:389:9 | ptr2 | deallocation.rs:392:13:392:16 | ptr2 | provenance |  |
-| deallocation.rs:389:6:389:9 | ptr2 | deallocation.rs:402:13:402:16 | ptr2 | provenance |  |
-| deallocation.rs:389:13:389:28 | &raw mut ... | deallocation.rs:389:6:389:9 | ptr2 | provenance |  |
 | lifetime.rs:21:2:21:18 | return ... | lifetime.rs:54:11:54:30 | get_local_dangling(...) | provenance |  |
 | lifetime.rs:21:9:21:18 | &my_local1 | lifetime.rs:21:2:21:18 | return ... | provenance |  |
 | lifetime.rs:27:2:27:22 | return ... | lifetime.rs:55:11:55:34 | get_local_dangling_mut(...) | provenance |  |
@@ -80,15 +62,6 @@ edges
 | lifetime.rs:94:7:94:16 | &my_local1 | lifetime.rs:94:2:94:3 | p3 | provenance |  |
 | lifetime.rs:119:15:119:24 | &my_local3 | lifetime.rs:91:17:91:30 | ...: ... | provenance |  |
 | lifetime.rs:119:27:119:44 | &mut my_local_mut4 | lifetime.rs:91:33:91:44 | ...: ... | provenance |  |
-| lifetime.rs:127:2:127:24 | return ... | lifetime.rs:139:11:139:21 | get_const(...) | provenance |  |
-| lifetime.rs:127:9:127:24 | &MY_GLOBAL_CONST | lifetime.rs:127:2:127:24 | return ... | provenance |  |
-| lifetime.rs:134:3:134:30 | return ... | lifetime.rs:140:11:140:26 | get_static_mut(...) | provenance |  |
-| lifetime.rs:134:10:134:30 | &mut MY_GLOBAL_STATIC | lifetime.rs:134:3:134:30 | return ... | provenance |  |
-| lifetime.rs:139:6:139:7 | p1 | lifetime.rs:147:14:147:15 | p1 | provenance |  |
-| lifetime.rs:139:11:139:21 | get_const(...) | lifetime.rs:139:6:139:7 | p1 | provenance |  |
-| lifetime.rs:140:6:140:7 | p2 | lifetime.rs:148:14:148:15 | p2 | provenance |  |
-| lifetime.rs:140:6:140:7 | p2 | lifetime.rs:154:5:154:6 | p2 | provenance |  |
-| lifetime.rs:140:11:140:26 | get_static_mut(...) | lifetime.rs:140:6:140:7 | p2 | provenance |  |
 | lifetime.rs:161:17:161:31 | ...: ... | lifetime.rs:164:13:164:15 | ptr | provenance |  |
 | lifetime.rs:169:17:169:31 | ...: ... | lifetime.rs:172:13:172:15 | ptr | provenance |  |
 | lifetime.rs:177:17:177:31 | ...: ... | lifetime.rs:180:13:180:15 | ptr | provenance |  |
@@ -106,7 +79,6 @@ edges
 | lifetime.rs:201:15:201:17 | ptr | lifetime.rs:177:17:177:31 | ...: ... | provenance |  |
 | lifetime.rs:206:19:206:36 | ...: ... | lifetime.rs:216:16:216:21 | ptr_up | provenance |  |
 | lifetime.rs:208:6:208:13 | ptr_ours | lifetime.rs:211:33:211:40 | ptr_ours | provenance |  |
-| lifetime.rs:208:6:208:13 | ptr_ours | lifetime.rs:217:18:217:25 | ptr_ours | provenance |  |
 | lifetime.rs:208:6:208:13 | ptr_ours | lifetime.rs:225:2:225:16 | return ptr_ours | provenance |  |
 | lifetime.rs:208:17:208:29 | &my_local_rec | lifetime.rs:208:6:208:13 | ptr_ours | provenance |  |
 | lifetime.rs:211:7:211:14 | ptr_down | lifetime.rs:218:18:218:25 | ptr_down | provenance |  |
@@ -150,41 +122,21 @@ edges
 | lifetime.rs:383:3:383:4 | p1 | lifetime.rs:428:7:428:8 | p1 | provenance |  |
 | lifetime.rs:383:3:383:4 | p1 | lifetime.rs:433:7:433:8 | p1 | provenance |  |
 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:383:3:383:4 | p1 | provenance |  |
-| lifetime.rs:384:3:384:4 | p2 | lifetime.rs:394:14:394:15 | p2 | provenance |  |
-| lifetime.rs:384:3:384:4 | p2 | lifetime.rs:421:15:421:16 | p2 | provenance |  |
-| lifetime.rs:384:27:384:35 | &raw const ... | lifetime.rs:384:3:384:4 | p2 | provenance |  |
-| lifetime.rs:385:3:385:4 | p3 | lifetime.rs:395:14:395:15 | p3 | provenance |  |
-| lifetime.rs:385:3:385:4 | p3 | lifetime.rs:400:5:400:6 | p3 | provenance |  |
-| lifetime.rs:385:3:385:4 | p3 | lifetime.rs:400:5:400:6 | p3 | provenance |  |
-| lifetime.rs:385:31:385:39 | &raw mut ... | lifetime.rs:385:3:385:4 | p3 | provenance |  |
-| lifetime.rs:400:5:400:6 | p3 | lifetime.rs:422:15:422:16 | p3 | provenance |  |
-| lifetime.rs:400:5:400:6 | p3 | lifetime.rs:429:6:429:7 | p3 | provenance |  |
 | lifetime.rs:442:6:442:7 | r1 | lifetime.rs:443:42:443:43 | r1 | provenance |  |
 | lifetime.rs:442:17:442:23 | &my_val | lifetime.rs:442:6:442:7 | r1 | provenance |  |
 | lifetime.rs:443:6:443:7 | p1 | lifetime.rs:446:13:446:14 | p1 | provenance |  |
 | lifetime.rs:443:6:443:7 | p1 | lifetime.rs:450:2:450:10 | return p1 | provenance |  |
 | lifetime.rs:443:23:443:44 | ...::from_ref(...) | lifetime.rs:443:6:443:7 | p1 | provenance |  |
-| lifetime.rs:443:42:443:43 | r1 | lifetime.rs:443:23:443:44 | ...::from_ref(...) | provenance | MaD:5 |
+| lifetime.rs:443:42:443:43 | r1 | lifetime.rs:443:23:443:44 | ...::from_ref(...) | provenance | MaD:3 |
 | lifetime.rs:450:2:450:10 | return p1 | lifetime.rs:454:11:454:29 | get_ptr_from_ref(...) | provenance |  |
 | lifetime.rs:450:2:450:10 | return p1 | lifetime.rs:460:13:460:31 | get_ptr_from_ref(...) | provenance |  |
 | lifetime.rs:454:6:454:7 | p1 | lifetime.rs:459:13:459:14 | p1 | provenance |  |
 | lifetime.rs:454:11:454:29 | get_ptr_from_ref(...) | lifetime.rs:454:6:454:7 | p1 | provenance |  |
 | lifetime.rs:568:7:568:8 | p2 | lifetime.rs:572:14:572:15 | p2 | provenance |  |
 | lifetime.rs:568:24:568:33 | &my_local2 | lifetime.rs:568:7:568:8 | p2 | provenance |  |
-| lifetime.rs:630:3:630:6 | str2 | lifetime.rs:633:15:633:18 | str2 | provenance |  |
-| lifetime.rs:630:3:630:6 | str2 | lifetime.rs:641:14:641:17 | str2 | provenance |  |
-| lifetime.rs:630:10:630:25 | &... | lifetime.rs:630:3:630:6 | str2 | provenance |  |
-| lifetime.rs:654:4:654:7 | str2 | lifetime.rs:655:22:655:25 | str2 | provenance |  |
-| lifetime.rs:654:11:654:35 | ... + ... | lifetime.rs:654:4:654:7 | str2 | provenance |  |
-| lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:654:11:654:35 | ... + ... | provenance | MaD:2 |
-| lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:654:11:654:35 | ... + ... | provenance | MaD:1 |
 | lifetime.rs:655:4:655:7 | ref1 | lifetime.rs:659:15:659:18 | ref1 | provenance |  |
 | lifetime.rs:655:4:655:7 | ref1 | lifetime.rs:667:14:667:17 | ref1 | provenance |  |
-| lifetime.rs:655:4:655:7 | ref1 [&ref] | lifetime.rs:659:15:659:18 | ref1 | provenance |  |
-| lifetime.rs:655:4:655:7 | ref1 [&ref] | lifetime.rs:667:14:667:17 | ref1 | provenance |  |
 | lifetime.rs:655:11:655:25 | &raw const str2 | lifetime.rs:655:4:655:7 | ref1 | provenance |  |
-| lifetime.rs:655:11:655:25 | &raw const str2 [&ref] | lifetime.rs:655:4:655:7 | ref1 [&ref] | provenance |  |
-| lifetime.rs:655:22:655:25 | str2 | lifetime.rs:655:11:655:25 | &raw const str2 [&ref] | provenance |  |
 | lifetime.rs:781:2:781:19 | return ... | lifetime.rs:785:11:785:41 | get_local_for_unsafe_function(...) | provenance |  |
 | lifetime.rs:781:9:781:19 | &my_local10 | lifetime.rs:781:2:781:19 | return ... | provenance |  |
 | lifetime.rs:785:6:785:7 | p1 | lifetime.rs:789:12:789:13 | p1 | provenance |  |
@@ -196,47 +148,23 @@ edges
 | main.rs:18:9:18:10 | p1 [&ref] | main.rs:21:19:21:20 | p1 | provenance |  |
 | main.rs:18:9:18:10 | p1 [&ref] | main.rs:29:19:29:20 | p1 | provenance |  |
 | main.rs:18:14:18:29 | ...::as_ptr(...) [&ref] | main.rs:18:9:18:10 | p1 [&ref] | provenance |  |
-| main.rs:18:26:18:28 | &b1 | main.rs:18:14:18:29 | ...::as_ptr(...) [&ref] | provenance | MaD:4 |
+| main.rs:18:26:18:28 | &b1 | main.rs:18:14:18:29 | ...::as_ptr(...) [&ref] | provenance | MaD:2 |
 | main.rs:44:9:44:10 | p2 [&ref] | main.rs:51:23:51:24 | p2 | provenance |  |
 | main.rs:44:9:44:10 | p2 [&ref] | main.rs:64:23:64:24 | p2 | provenance |  |
 | main.rs:44:14:44:29 | ...::as_ptr(...) [&ref] | main.rs:44:9:44:10 | p2 [&ref] | provenance |  |
-| main.rs:44:26:44:28 | &b2 | main.rs:44:14:44:29 | ...::as_ptr(...) [&ref] | provenance | MaD:4 |
+| main.rs:44:26:44:28 | &b2 | main.rs:44:14:44:29 | ...::as_ptr(...) [&ref] | provenance | MaD:2 |
 | main.rs:47:9:47:10 | p3 [&ref] | main.rs:52:23:52:24 | p3 | provenance |  |
 | main.rs:47:14:47:37 | ...::as_mut_ptr(...) [&ref] | main.rs:47:9:47:10 | p3 [&ref] | provenance |  |
-| main.rs:47:30:47:36 | &mut b3 | main.rs:47:14:47:37 | ...::as_mut_ptr(...) [&ref] | provenance | MaD:3 |
+| main.rs:47:30:47:36 | &mut b3 | main.rs:47:14:47:37 | ...::as_mut_ptr(...) [&ref] | provenance | MaD:1 |
 models
-| 1 | Summary: <_ as core::ops::arith::Add>::add; Argument[0].Reference; ReturnValue; taint |
+| 1 | Summary: <alloc::boxed::Box>::as_mut_ptr; Argument[0].Reference.Reference; ReturnValue.Reference; value |
-| 2 | Summary: <_ as core::ops::arith::Add>::add; Argument[0]; ReturnValue; taint |
+| 2 | Summary: <alloc::boxed::Box>::as_ptr; Argument[0].Reference.Reference; ReturnValue.Reference; value |
-| 3 | Summary: <alloc::boxed::Box>::as_mut_ptr; Argument[0].Reference.Reference; ReturnValue.Reference; value |
+| 3 | Summary: core::ptr::from_ref; Argument[0]; ReturnValue; value |
-| 4 | Summary: <alloc::boxed::Box>::as_ptr; Argument[0].Reference.Reference; ReturnValue.Reference; value |
-| 5 | Summary: core::ptr::from_ref; Argument[0]; ReturnValue; value |
 nodes
 | deallocation.rs:242:6:242:7 | p1 | semmle.label | p1 |
 | deallocation.rs:242:30:242:38 | &raw const my_buffer | semmle.label | &raw const my_buffer |
 | deallocation.rs:245:14:245:15 | p1 | semmle.label | p1 |
 | deallocation.rs:252:14:252:15 | p1 | semmle.label | p1 |
-| deallocation.rs:322:28:322:43 | ...: ... | semmle.label | ...: ... |
-| deallocation.rs:324:18:324:20 | ptr | semmle.label | ptr |
-| deallocation.rs:334:27:334:42 | ...: ... | semmle.label | ...: ... |
-| deallocation.rs:342:18:342:20 | ptr | semmle.label | ptr |
-| deallocation.rs:351:7:351:10 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:351:14:351:33 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:352:7:352:10 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:352:14:352:33 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:354:4:354:7 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:354:4:354:7 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:355:4:355:7 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:355:4:355:7 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:357:27:357:30 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:359:26:359:29 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:370:6:370:9 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:370:13:370:28 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:373:13:373:16 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:381:13:381:16 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:389:6:389:9 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:389:13:389:28 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:392:13:392:16 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:402:13:402:16 | ptr2 | semmle.label | ptr2 |
 | lifetime.rs:21:2:21:18 | return ... | semmle.label | return ... |
 | lifetime.rs:21:9:21:18 | &my_local1 | semmle.label | &my_local1 |
 | lifetime.rs:27:2:27:22 | return ... | semmle.label | return ... |
@@ -282,17 +210,6 @@ nodes
 | lifetime.rs:110:5:110:6 | p2 | semmle.label | p2 |
 | lifetime.rs:119:15:119:24 | &my_local3 | semmle.label | &my_local3 |
 | lifetime.rs:119:27:119:44 | &mut my_local_mut4 | semmle.label | &mut my_local_mut4 |
-| lifetime.rs:127:2:127:24 | return ... | semmle.label | return ... |
-| lifetime.rs:127:9:127:24 | &MY_GLOBAL_CONST | semmle.label | &MY_GLOBAL_CONST |
-| lifetime.rs:134:3:134:30 | return ... | semmle.label | return ... |
-| lifetime.rs:134:10:134:30 | &mut MY_GLOBAL_STATIC | semmle.label | &mut MY_GLOBAL_STATIC |
-| lifetime.rs:139:6:139:7 | p1 | semmle.label | p1 |
-| lifetime.rs:139:11:139:21 | get_const(...) | semmle.label | get_const(...) |
-| lifetime.rs:140:6:140:7 | p2 | semmle.label | p2 |
-| lifetime.rs:140:11:140:26 | get_static_mut(...) | semmle.label | get_static_mut(...) |
-| lifetime.rs:147:14:147:15 | p1 | semmle.label | p1 |
-| lifetime.rs:148:14:148:15 | p2 | semmle.label | p2 |
-| lifetime.rs:154:5:154:6 | p2 | semmle.label | p2 |
 | lifetime.rs:161:17:161:31 | ...: ... | semmle.label | ...: ... |
 | lifetime.rs:164:13:164:15 | ptr | semmle.label | ptr |
 | lifetime.rs:169:17:169:31 | ...: ... | semmle.label | ...: ... |
@@ -315,7 +232,6 @@ nodes
 | lifetime.rs:211:18:211:52 | access_ptr_rec(...) | semmle.label | access_ptr_rec(...) |
 | lifetime.rs:211:33:211:40 | ptr_ours | semmle.label | ptr_ours |
 | lifetime.rs:216:16:216:21 | ptr_up | semmle.label | ptr_up |
-| lifetime.rs:217:18:217:25 | ptr_ours | semmle.label | ptr_ours |
 | lifetime.rs:218:18:218:25 | ptr_down | semmle.label | ptr_down |
 | lifetime.rs:225:2:225:16 | return ptr_ours | semmle.label | return ptr_ours |
 | lifetime.rs:230:6:230:14 | ptr_start | semmle.label | ptr_start |
@@ -351,24 +267,13 @@ nodes
 | lifetime.rs:317:13:317:18 | result | semmle.label | result |
 | lifetime.rs:383:3:383:4 | p1 | semmle.label | p1 |
 | lifetime.rs:383:31:383:37 | &raw mut my_pair | semmle.label | &raw mut my_pair |
-| lifetime.rs:384:3:384:4 | p2 | semmle.label | p2 |
-| lifetime.rs:384:27:384:35 | &raw const ... | semmle.label | &raw const ... |
-| lifetime.rs:385:3:385:4 | p3 | semmle.label | p3 |
-| lifetime.rs:385:31:385:39 | &raw mut ... | semmle.label | &raw mut ... |
 | lifetime.rs:388:15:388:16 | p1 | semmle.label | p1 |
 | lifetime.rs:391:15:391:16 | p1 | semmle.label | p1 |
-| lifetime.rs:394:14:394:15 | p2 | semmle.label | p2 |
-| lifetime.rs:395:14:395:15 | p3 | semmle.label | p3 |
 | lifetime.rs:399:6:399:7 | p1 | semmle.label | p1 |
-| lifetime.rs:400:5:400:6 | p3 | semmle.label | p3 |
-| lifetime.rs:400:5:400:6 | p3 | semmle.label | p3 |
 | lifetime.rs:401:6:401:7 | p1 | semmle.label | p1 |
 | lifetime.rs:411:16:411:17 | p1 | semmle.label | p1 |
 | lifetime.rs:416:16:416:17 | p1 | semmle.label | p1 |
-| lifetime.rs:421:15:421:16 | p2 | semmle.label | p2 |
-| lifetime.rs:422:15:422:16 | p3 | semmle.label | p3 |
 | lifetime.rs:428:7:428:8 | p1 | semmle.label | p1 |
-| lifetime.rs:429:6:429:7 | p3 | semmle.label | p3 |
 | lifetime.rs:433:7:433:8 | p1 | semmle.label | p1 |
 | lifetime.rs:442:6:442:7 | r1 | semmle.label | r1 |
 | lifetime.rs:442:17:442:23 | &my_val | semmle.label | &my_val |
@@ -384,18 +289,8 @@ nodes
 | lifetime.rs:568:7:568:8 | p2 | semmle.label | p2 |
 | lifetime.rs:568:24:568:33 | &my_local2 | semmle.label | &my_local2 |
 | lifetime.rs:572:14:572:15 | p2 | semmle.label | p2 |
-| lifetime.rs:630:3:630:6 | str2 | semmle.label | str2 |
-| lifetime.rs:630:10:630:25 | &... | semmle.label | &... |
-| lifetime.rs:633:15:633:18 | str2 | semmle.label | str2 |
-| lifetime.rs:641:14:641:17 | str2 | semmle.label | str2 |
-| lifetime.rs:654:4:654:7 | str2 | semmle.label | str2 |
-| lifetime.rs:654:11:654:35 | ... + ... | semmle.label | ... + ... |
-| lifetime.rs:654:31:654:35 | &str1 | semmle.label | &str1 |
 | lifetime.rs:655:4:655:7 | ref1 | semmle.label | ref1 |
-| lifetime.rs:655:4:655:7 | ref1 [&ref] | semmle.label | ref1 [&ref] |
 | lifetime.rs:655:11:655:25 | &raw const str2 | semmle.label | &raw const str2 |
-| lifetime.rs:655:11:655:25 | &raw const str2 [&ref] | semmle.label | &raw const str2 [&ref] |
-| lifetime.rs:655:22:655:25 | str2 | semmle.label | str2 |
 | lifetime.rs:659:15:659:18 | ref1 | semmle.label | ref1 |
 | lifetime.rs:667:14:667:17 | ref1 | semmle.label | ref1 |
 | lifetime.rs:781:2:781:19 | return ... | semmle.label | return ... |

rust/ql/test/query-tests/security/CWE-825/CONSISTENCY/PathResolutionConsistency.expected

@@ -1,6 +1,10 @@
 multipleResolvedTargets
 | deallocation.rs:354:11:354:29 | ...::from(...) |
 | deallocation.rs:355:11:355:29 | ...::from(...) |
+| deallocation.rs:420:2:420:4 | * ... |
+| deallocation.rs:421:23:421:25 | * ... |
+| deallocation.rs:425:33:425:35 | * ... |
+| deallocation.rs:430:27:430:29 | * ... |
 | lifetime.rs:217:17:217:25 | * ... |
 | lifetime.rs:610:13:610:31 | ...::from(...) |
 | lifetime.rs:611:13:611:31 | ...::from(...) |

rust/ql/test/query-tests/security/CWE-825/deallocation.rs

@@ -403,3 +403,29 @@ pub fn test_vec_reserve() {
 		println!("	v4 = {}", v4); // corrupt in practice
 	}
 }
+
+// --- pointer to reference ---
+
+pub fn test_pointer_converted_to_reference() {
+	let layout = std::alloc::Layout::new::<u128>();
+	let m3;
+
+	// allocate
+	unsafe {
+		let m1 = std::alloc::alloc(layout); // *mut u8
+		let m2 = m1 as *mut u128; // *mut u128
+		m3 = &mut *m2; // &u128
+	}
+
+	*m3 = 1; // GOOD
+	println!("	v1 = {}", *m3); // GOOD
+
+	// free
+	unsafe {
+		std::alloc::dealloc((&raw mut *m3) as *mut u8, layout); // $ MISSING: Source[rust/access-invalid-pointer]=dealloc
+	}
+	// (m1, m2, m3 are now dangling)
+
+	// (this is corrupt in practice)
+	println!("	v2 = {} (!)", *m3); // $ MISSING: Alert[rust/access-invalid-pointer]=dealloc
+}

rust/ql/test/query-tests/security/CWE-825/main.rs

@@ -143,6 +143,9 @@ fn main() {
     println!("test_vec_reserve:");
     test_vec_reserve();
 
+    println!("test_pointer_converted_to_reference:");
+    test_pointer_converted_to_reference();
+
     // ---
 
     println!("test_local_dangling:");