codeql
codeql copied to clipboard
UAF not flagged
I borrowed the query from UseAfterFree.ql present in CodeQL repo and modified to include a custom free function, but the query is not flagging UAF.
import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.ir.IR
import semmle.code.cpp.security.flowafterfree.FlowAfterFree
import semmle.code.cpp.security.flowafterfree.UseAfterFree
import UseAfterFreeTrace::PathGraph
module UseAfterFreeParam implements FlowFromFreeParamSig {
predicate isSink = isUse/2;
predicate isExcluded = isExcludedMmFreePageFromMdl/2;
predicate sourceSinkIsRelated = defaultSourceSinkIsRelated/2;
}
import UseAfterFreeParam
module UseAfterFreeTrace = FlowFromFree<UseAfterFreeParam>;
class FreeAddrInfo extends DeallocationExpr,FunctionCall {
FreeAddrInfo() {
this.getTarget().hasGlobalName("freeaddrinfo")
}
override Expr getFreedExpr(){
result = this.getArgument(0)
}
}
from UseAfterFreeTrace::PathNode source, UseAfterFreeTrace::PathNode sink, FreeAddrInfo dealloc
where
UseAfterFreeTrace::flowPath(source, sink) and
isFree(source.getNode(), _, _, dealloc)
select sink.getNode(), source, sink, "Memory may have been previously freed by $@.", dealloc,
dealloc.toString()
I'm trying to analyse https://nvd.nist.gov/vuln/detail/CVE-2021-38383
Verify that freeaddrinfo is correctly identified and matches the signature expected by the UseAfterFree query. Ensure that the function call this.getTarget().hasGlobalName("freeaddrinfo") correctly identifies the freeaddrinfo function.
Hi @tardigrade-9 👋
Sorry for the late reply, your question seems to have fallen through the cracks last month.
Do you have a minimal code example where you would expect your query to find a result, but it doesn't?
Have you checked (e.g. by using the quick eval feature in the VSCode extension) that FreeAddrInfo
can find the call to freeaddrinfo
in your test database?