Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rust: Query for access to a dangling pointer #18300

Draft
wants to merge 10 commits into
base: main
Choose a base branch
from
Draft

Rust: Query for access to a dangling pointer #18300

wants to merge 10 commits into from

Conversation

geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented Dec 16, 2024
edited
Loading

Query for access to a dangling pointer, i.e. something along the lines of:

let ptr = &raw const my_thing;

// ... my_thing goes out of scope, leaving ptr dangling ...

unsafe {
	_ = *ptr; // BAD
}

This is a draft because I still need to:

  • do a DCA run, iterate on results if necessary.
  • I think I want to split the concept of this query in three, as the implementations and documentation might be quite different:
    • dangling pointer access due to lifetime end (implemented in this PR)
    • dangling pointer access due to deallocation (which will have a different implementation, though sources / sinks may be in common)
    • dangling pointer access due to overwritten target (check if this one is really undefined behaviour / real world cases are likely to be on purpose)
  • add qhelp with examples.

Then I will need:

  • code review.
  • docs review.

As you can see from the test, there are a lot of cases we don't cover yet, which will be follow-up work. Right now I want to get a minimal version of the query merged before worrying about them too much.

@geoffw0 geoffw0 added the Rust Pull requests that update Rust code label Dec 16, 2024
geoffw0
geoffw0 commented Dec 16, 2024
View reviewed changes
rust/ql/lib/codeql/rust/security/DanglingPointerExtensions.qll
maybeOnStack(a, ce.getEnclosingBlock()) and
ce.getStaticTarget() = b.getEnclosingCallable()
)
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An entirely different approach is possible, where having done the data flow we would check the control flow as well, all the way from the pointer creation to dereference, to see if it crosses a point where the objects lifetime ends. I ran into problems even defining these points, wasn't sure how best to implement that kind of flow effectively, and my attempts didn't get good results so I changed tactics. Nevertheless it could be more accurate in the sense of finding more results, and some of these issues might get easier as our libraries mature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Rust Pull requests that update Rust code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@geoffw0