hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 11:46:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

CPP: Fix use after free FPs by elimnatiing freeing nodes rather than freeing expressions.

Browse Source
This commit is contained in:
Alex Eyers-Taylor
2023-09-20 18:31:55 +01:00
parent 9de6230bbf
commit d0849311a6
2 changed files with 2 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/src/Critical/UseAfterFree.ql
View File

@@ -31,7 +31,7 @@ private predicate externalCallNeverDereferences(FormattingFunctionCall call, int
predicate isUse0(DataFlow::Node n, Expr e) {
e = n.asExpr() and
not isFree(_, e, _) and
not isFree(n, _, _) and
(
e = any(PointerDereferenceExpr pde).getOperand()
or
@@ -43,7 +43,7 @@ predicate isUse0(DataFlow::Node n, Expr e) {
or
// Assume any function without a body will dereference the pointer
exists(int i, Call call, Function f |
n.asExpr() = call.getArgument(i) and
e = call.getArgument(i) and
f = call.getTarget() and
not f.hasEntryPoint() and
// Exclude known functions we know won't dereference the pointer.

2
cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
View File

@@ -13,7 +13,6 @@ edges
| test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
| test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
nodes
| test.cpp:205:7:205:11 | ... = ... | semmle.label | ... = ... |
| test_free.cpp:11:10:11:10 | a | semmle.label | a |
| test_free.cpp:12:5:12:5 | a | semmle.label | a |
| test_free.cpp:13:5:13:6 | * ... | semmle.label | * ... |
@@ -41,7 +40,6 @@ nodes
| test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
subpaths
#select
| test.cpp:205:7:205:11 | ... = ... | test.cpp:205:7:205:11 | ... = ... | test.cpp:205:7:205:11 | ... = ... | Memory may have been previously freed by $@. | test.cpp:205:2:205:5 | call to free | call to free |
| test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
| test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
| test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |