Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rust: Query for dereferencing an invalid pointer #19080

Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

Rust: Query for dereferencing an invalid pointer #19080

wants to merge 14 commits into from

Conversation

geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented Mar 20, 2025

New query rust/access-invalid-pointer that spots dereferences of pointers that are invalid to dereference. There are tests for two general cases, but this query is only intended to catch the first one:

  • (this query) dereference after a pointer is explicitly made invalid, for example by calling a dealloc function before dereferencing. Analogous to cpp/use-after-free.
    • an edge case we don't cover yet is when the deallocation is done through a distinct pointer to the same memory.
  • (future query) dereference of a pointer after the lifetime of the thing it points two has (implicitly) ended.

TODO:

  • DCA run
  • code review
  • docs review

@geoffw0 geoffw0 added no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code labels Mar 20, 2025
@Copilot Copilot bot review requested due to automatic review settings March 20, 2025 14:29
Copilot
Copilot AI reviewed Mar 20, 2025
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Mar 20, 2025
edited
Loading

QHelp previews:

rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.qhelp

Access of invalid pointer

Dereferencing an invalid or dangling pointer is undefined behavior. Memory may be corrupted causing the program to crash or behave incorrectly, in some cases exposing the program to potential attacks.

Recommendation

When dereferencing a pointer in unsafe code, take care that the pointer is valid and points to the intended data. Code may need to be rearranged or additional checks added to ensure safety in all circumstances. If possible, rewrite the code using safe Rust types to avoid this class of problems altogether.

Example

In the following example, std::ptr::drop_in_place is used to execute the destructor of an object. However, a pointer to that object is dereferenced later in the program, causing undefined behavior:

unsafe {
    std::ptr::drop_in_place(ptr); // executes the destructor of `*ptr`
}

// ...

unsafe {
    do_something(&*ptr); // BAD: dereferences `ptr`
}

In this case undefined behavior can be avoided by rearranging the code so that the dereference comes before the call to std::ptr::drop_in_place:

unsafe {
    do_something(&*ptr); // GOOD: dereferences `ptr` while it is still valid
}

// ...

{
    std::ptr::drop_in_place(ptr); // executes the destructor of `*ptr`
}

References

geoffw0
geoffw0 commented Mar 21, 2025
View reviewed changes
rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll
n.(FlowSummaryNode).getSourceElement() = ce.getFunction() and
arg = ce.getArgList().getAnArg() and
this.asExpr().getExpr().getParentNode*() = arg
)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hvitved this is a workaround because the sinks with access path "Argument[0]" weren't working as written. I'm not sure if I've made a trivial mistake or whether something is wrong in the MaD library?

@geoffw0
Copy link
Contributor Author

geoffw0 commented Mar 21, 2025

DCA:

  • lots of new query sinks in all projects; this is unsurprising as dereferences are considered a sink for this query and they're quite common.
    • we should probably block flow past sinks to prevent excessive data flow and potentially reporting lots of similar results.
  • 8 query results across 4 projects.
    • most are inside Drop implementations, which is not something the query design anticipated and I need to look into whether they're acceptable results.

@geoffw0 geoffw0 added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Mar 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation no-change-note-required This PR does not need a change note ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. Rust Pull requests that update Rust code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@geoffw0