Use-After-Query.ql does not work on this simple situation #16542

Open
@glorious064

Description

I use Use-After-Query.ql to detect a simple C program that has a UAF bug, but it doesn't work.

  • Use-After-Query.ql
/**
 * @name Potential use after free
 * @description An allocated memory block is used after it has been freed. Behavior in such cases is undefined and can cause memory corruption.
 * @kind path-problem
 * @precision high
 * @id cpp/use-after-free
 * @problem.severity warning
 * @security-severity 9.3
 * @tags reliability
 *       security
 *       external/cwe/cwe-416
 */

import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.ir.IR
import semmle.code.cpp.security.flowafterfree.FlowAfterFree
import semmle.code.cpp.security.flowafterfree.UseAfterFree
import UseAfterFreeTrace::PathGraph

module UseAfterFreeParam implements FlowFromFreeParamSig {
  predicate isSink = isUse/2;

  predicate isExcluded = isExcludedMmFreePageFromMdl/2;

  predicate sourceSinkIsRelated = defaultSourceSinkIsRelated/2;
}

import UseAfterFreeParam

module UseAfterFreeTrace = FlowFromFree<UseAfterFreeParam>;

from UseAfterFreeTrace::PathNode source, UseAfterFreeTrace::PathNode sink, DeallocationExpr dealloc
where
  UseAfterFreeTrace::flowPath(source, sink) and
  isFree(source.getNode(), _, _, dealloc)
select sink.getNode(), source, sink, "Memory may have been previously freed by $@.", dealloc,
  dealloc.toString()

  • my code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void process_buffer(char *buffer) {
    if (buffer != NULL) {
        printf("Processing buffer: %s\n", buffer);
    }
}

void free_buffer(char *buffer) {
    if (buffer != NULL) {
        free(buffer); // free the memory
        printf("Buffer freed.\n");
    }
}

void use_after_free(char *buffer) {
    // memory is used again after it was freed: UAF bug
    process_buffer(buffer);
}

int main() {
    char *buffer = (char *)malloc(100); // allocate 100 bytes
    if (buffer == NULL) {
        perror("Failed to allocate memory");
        exit(EXIT_FAILURE);
    }

    strcpy(buffer, "This is a test string."); // use the allocated memory
    printf("Buffer before free: %s\n", buffer);

    free_buffer(buffer); // call the function to free the memory

    use_after_free(buffer); // use again after free

    return 0;
}

Its result shows there are no bugs; I don't know why.
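The report above frees `buffer` inside `free_buffer()`, which receives the pointer by value, so `main()`'s copy keeps pointing at the freed block and is passed on to `use_after_free()`. The following is an added example, not code from the issue or from the CodeQL repository, showing the usual mitigation for that pattern: free through a `char **` and null the caller's variable, so the later use hits the existing `NULL` check instead of freed memory, and a repeated free becomes a no-op. The function names `process_buffer_checked`, `free_buffer_safe` and `run_scenario` are chosen for this example.

```c
/* Added example, not part of the issue: free-and-null through a double
 * pointer so that the caller cannot keep a dangling copy of the pointer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same NULL check as the report's process_buffer(), but returns the number
 * of bytes processed (0 for NULL) so the result can be checked. */
size_t process_buffer_checked(const char *buffer) {
    if (buffer == NULL) {
        return 0;
    }
    printf("Processing buffer: %s\n", buffer);
    return strlen(buffer);
}

/* Frees *buffer and clears the caller's pointer. Returns 1 if a block was
 * freed, 0 if the pointer was already NULL, so calling it twice is harmless
 * rather than a double free. */
int free_buffer_safe(char **buffer) {
    if (buffer == NULL || *buffer == NULL) {
        return 0;
    }
    free(*buffer);
    *buffer = NULL;
    return 1;
}

/* Runs the same sequence as the report's main(): allocate, fill, free, use.
 * Returns the bytes processed after the free, which is 0 because the pointer
 * was cleared; returns (size_t)-1 if malloc fails. */
size_t run_scenario(void) {
    char *buffer = malloc(100);
    if (buffer == NULL) {
        return (size_t)-1;
    }
    strcpy(buffer, "This is a test string.");
    (void)process_buffer_checked(buffer);   /* normal use before the free */

    free_buffer_safe(&buffer);              /* frees and sets buffer = NULL */
    free_buffer_safe(&buffer);              /* no-op: already NULL */

    return process_buffer_checked(buffer);  /* NULL check fires, nothing dereferenced */
}

int main(void) {
    size_t after = run_scenario();
    printf("bytes processed after free: %zu\n", after);
    return after == 0 ? 0 : 1;
}
```

Building the original program with `-fsanitize=address` makes the dangling use visible at runtime (ASan reports a heap-use-after-free in `printf`'s read of the freed block), which is a useful cross-check while working out why a static query stays silent on a given case.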

Labels: C++, question (further information is requested)