Rust: Work around data flow source issue.

geoffw0 · geoffw0 · commit be6d0d1f8630 · 2025-03-20T14:26:09.000Z
diff --git a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll
@@ -8,6 +8,7 @@ private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.FlowSource
 private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
+private import codeql.rust.dataflow.internal.Node
 
 /**
  * Provides default sources, sinks and barriers for detecting accesses to
@@ -40,6 +41,20 @@ module AccessInvalidPointer {
     ModelsAsDataSource() { sourceNode(this, "pointer-invalidate") }
   }
 
+  /**
+   * A pointer invalidation from an argument of a modelled call (this is a workaround).
+   */
+  private class ModelsAsDataArgumentSource extends Source {
+    ModelsAsDataArgumentSource() {
+      exists(DataFlow::Node n, CallExpr ce, Expr arg |
+        sourceNode(n, "pointer-invalidate") and
+        n.(FlowSummaryNode).getSourceElement() = ce.getFunction() and
+        arg = ce.getArgList().getAnArg() and
+        this.asExpr().getExpr() = arg
+      )
+    }
+  }
+
   /**
    * A pointer access using the unary `*` operator.
    */
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected b/rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected
@@ -1,32 +1,57 @@
 #select
-| deallocation.rs:96:14:96:15 | p1 | deallocation.rs:89:23:89:40 | ...::dangling | deallocation.rs:96:14:96:15 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:89:23:89:40 | ...::dangling | invalid |
-| deallocation.rs:97:14:97:15 | p2 | deallocation.rs:90:21:90:42 | ...::dangling_mut | deallocation.rs:97:14:97:15 | p2 | This operation dereferences a pointer that may be $@. | deallocation.rs:90:21:90:42 | ...::dangling_mut | invalid |
-| deallocation.rs:98:14:98:15 | p3 | deallocation.rs:91:23:91:36 | ...::null | deallocation.rs:98:14:98:15 | p3 | This operation dereferences a pointer that may be $@. | deallocation.rs:91:23:91:36 | ...::null | invalid |
+| deallocation.rs:23:13:23:14 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:23:13:23:14 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
+| deallocation.rs:25:12:25:31 | ...::read::<...> | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:25:12:25:31 | ...::read::<...> | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
+| deallocation.rs:33:5:33:6 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:33:5:33:6 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
+| deallocation.rs:35:4:35:24 | ...::write::<...> | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:35:4:35:24 | ...::write::<...> | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
+| deallocation.rs:97:14:97:15 | p1 | deallocation.rs:90:23:90:40 | ...::dangling | deallocation.rs:97:14:97:15 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:90:23:90:40 | ...::dangling | invalid |
+| deallocation.rs:98:14:98:15 | p2 | deallocation.rs:91:21:91:42 | ...::dangling_mut | deallocation.rs:98:14:98:15 | p2 | This operation dereferences a pointer that may be $@. | deallocation.rs:91:21:91:42 | ...::dangling_mut | invalid |
+| deallocation.rs:99:14:99:15 | p3 | deallocation.rs:92:23:92:36 | ...::null | deallocation.rs:99:14:99:15 | p3 | This operation dereferences a pointer that may be $@. | deallocation.rs:92:23:92:36 | ...::null | invalid |
+| deallocation.rs:146:14:146:15 | p1 | deallocation.rs:143:27:143:28 | p1 | deallocation.rs:146:14:146:15 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:143:27:143:28 | p1 | invalid |
 edges
-| deallocation.rs:89:6:89:7 | p1 | deallocation.rs:96:14:96:15 | p1 | provenance |  |
-| deallocation.rs:89:23:89:40 | ...::dangling | deallocation.rs:89:23:89:42 | ...::dangling(...) | provenance | Src:MaD:1 MaD:1 |
-| deallocation.rs:89:23:89:42 | ...::dangling(...) | deallocation.rs:89:6:89:7 | p1 | provenance |  |
-| deallocation.rs:90:6:90:7 | p2 | deallocation.rs:97:14:97:15 | p2 | provenance |  |
-| deallocation.rs:90:21:90:42 | ...::dangling_mut | deallocation.rs:90:21:90:44 | ...::dangling_mut(...) | provenance | Src:MaD:2 MaD:2 |
-| deallocation.rs:90:21:90:44 | ...::dangling_mut(...) | deallocation.rs:90:6:90:7 | p2 | provenance |  |
-| deallocation.rs:91:6:91:7 | p3 | deallocation.rs:98:14:98:15 | p3 | provenance |  |
-| deallocation.rs:91:23:91:36 | ...::null | deallocation.rs:91:23:91:38 | ...::null(...) | provenance | Src:MaD:3 MaD:3 |
-| deallocation.rs:91:23:91:38 | ...::null(...) | deallocation.rs:91:6:91:7 | p3 | provenance |  |
+| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:23:13:23:14 | m1 | provenance |  |
+| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:25:33:25:34 | m1 | provenance |  |
+| deallocation.rs:25:33:25:34 | m1 | deallocation.rs:25:12:25:31 | ...::read::<...> | provenance | MaD:1 Sink:MaD:1 |
+| deallocation.rs:25:33:25:34 | m1 | deallocation.rs:33:5:33:6 | m1 | provenance |  |
+| deallocation.rs:25:33:25:34 | m1 | deallocation.rs:33:5:33:6 | m1 | provenance |  |
+| deallocation.rs:33:5:33:6 | m1 | deallocation.rs:35:26:35:27 | m1 | provenance |  |
+| deallocation.rs:35:26:35:27 | m1 | deallocation.rs:35:4:35:24 | ...::write::<...> | provenance | MaD:2 Sink:MaD:2 |
+| deallocation.rs:90:6:90:7 | p1 | deallocation.rs:97:14:97:15 | p1 | provenance |  |
+| deallocation.rs:90:23:90:40 | ...::dangling | deallocation.rs:90:23:90:42 | ...::dangling(...) | provenance | Src:MaD:3 MaD:3 |
+| deallocation.rs:90:23:90:42 | ...::dangling(...) | deallocation.rs:90:6:90:7 | p1 | provenance |  |
+| deallocation.rs:91:6:91:7 | p2 | deallocation.rs:98:14:98:15 | p2 | provenance |  |
+| deallocation.rs:91:21:91:42 | ...::dangling_mut | deallocation.rs:91:21:91:44 | ...::dangling_mut(...) | provenance | Src:MaD:4 MaD:4 |
+| deallocation.rs:91:21:91:44 | ...::dangling_mut(...) | deallocation.rs:91:6:91:7 | p2 | provenance |  |
+| deallocation.rs:92:6:92:7 | p3 | deallocation.rs:99:14:99:15 | p3 | provenance |  |
+| deallocation.rs:92:23:92:36 | ...::null | deallocation.rs:92:23:92:38 | ...::null(...) | provenance | Src:MaD:5 MaD:5 |
+| deallocation.rs:92:23:92:38 | ...::null(...) | deallocation.rs:92:6:92:7 | p3 | provenance |  |
+| deallocation.rs:143:27:143:28 | p1 | deallocation.rs:146:14:146:15 | p1 | provenance |  |
 models
-| 1 | Source: lang:core; crate::ptr::dangling; pointer-invalidate; ReturnValue |
-| 2 | Source: lang:core; crate::ptr::dangling_mut; pointer-invalidate; ReturnValue |
-| 3 | Source: lang:core; crate::ptr::null; pointer-invalidate; ReturnValue |
+| 1 | Sink: lang:core; crate::ptr::read; pointer-access; Argument[0] |
+| 2 | Sink: lang:core; crate::ptr::write; pointer-access; Argument[0] |
+| 3 | Source: lang:core; crate::ptr::dangling; pointer-invalidate; ReturnValue |
+| 4 | Source: lang:core; crate::ptr::dangling_mut; pointer-invalidate; ReturnValue |
+| 5 | Source: lang:core; crate::ptr::null; pointer-invalidate; ReturnValue |
 nodes
-| deallocation.rs:89:6:89:7 | p1 | semmle.label | p1 |
-| deallocation.rs:89:23:89:40 | ...::dangling | semmle.label | ...::dangling |
-| deallocation.rs:89:23:89:42 | ...::dangling(...) | semmle.label | ...::dangling(...) |
-| deallocation.rs:90:6:90:7 | p2 | semmle.label | p2 |
-| deallocation.rs:90:21:90:42 | ...::dangling_mut | semmle.label | ...::dangling_mut |
-| deallocation.rs:90:21:90:44 | ...::dangling_mut(...) | semmle.label | ...::dangling_mut(...) |
-| deallocation.rs:91:6:91:7 | p3 | semmle.label | p3 |
-| deallocation.rs:91:23:91:36 | ...::null | semmle.label | ...::null |
-| deallocation.rs:91:23:91:38 | ...::null(...) | semmle.label | ...::null(...) |
-| deallocation.rs:96:14:96:15 | p1 | semmle.label | p1 |
-| deallocation.rs:97:14:97:15 | p2 | semmle.label | p2 |
-| deallocation.rs:98:14:98:15 | p3 | semmle.label | p3 |
+| deallocation.rs:20:23:20:24 | m1 | semmle.label | m1 |
+| deallocation.rs:23:13:23:14 | m1 | semmle.label | m1 |
+| deallocation.rs:25:12:25:31 | ...::read::<...> | semmle.label | ...::read::<...> |
+| deallocation.rs:25:33:25:34 | m1 | semmle.label | m1 |
+| deallocation.rs:33:5:33:6 | m1 | semmle.label | m1 |
+| deallocation.rs:33:5:33:6 | m1 | semmle.label | m1 |
+| deallocation.rs:35:4:35:24 | ...::write::<...> | semmle.label | ...::write::<...> |
+| deallocation.rs:35:26:35:27 | m1 | semmle.label | m1 |
+| deallocation.rs:90:6:90:7 | p1 | semmle.label | p1 |
+| deallocation.rs:90:23:90:40 | ...::dangling | semmle.label | ...::dangling |
+| deallocation.rs:90:23:90:42 | ...::dangling(...) | semmle.label | ...::dangling(...) |
+| deallocation.rs:91:6:91:7 | p2 | semmle.label | p2 |
+| deallocation.rs:91:21:91:42 | ...::dangling_mut | semmle.label | ...::dangling_mut |
+| deallocation.rs:91:21:91:44 | ...::dangling_mut(...) | semmle.label | ...::dangling_mut(...) |
+| deallocation.rs:92:6:92:7 | p3 | semmle.label | p3 |
+| deallocation.rs:92:23:92:36 | ...::null | semmle.label | ...::null |
+| deallocation.rs:92:23:92:38 | ...::null(...) | semmle.label | ...::null(...) |
+| deallocation.rs:97:14:97:15 | p1 | semmle.label | p1 |
+| deallocation.rs:98:14:98:15 | p2 | semmle.label | p2 |
+| deallocation.rs:99:14:99:15 | p3 | semmle.label | p3 |
+| deallocation.rs:143:27:143:28 | p1 | semmle.label | p1 |
+| deallocation.rs:146:14:146:15 | p1 | semmle.label | p1 |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-825/deallocation.rs b/rust/ql/test/query-tests/security/CWE-825/deallocation.rs
@@ -17,21 +17,22 @@ pub fn test_alloc(do_dangerous_writes: bool) {
 		println!("	v3 = {v3}");
 		println!("	v4 = {v4}");
 
-		std::alloc::dealloc(m1, layout); // m1, m2 are now dangling
+		std::alloc::dealloc(m1, layout); // $ Source=dealloc
+		// (m1, m2 are now dangling)
 
-		let v5 = *m1; // $ MISSING: Alert
+		let v5 = *m1; // $ Alert[rust/access-invalid-pointer]=dealloc
 		let v6 = *m2; // $ MISSING: Alert
-		let v7 = std::ptr::read::<u8>(m1); // $ MISSING: Alert
+		let v7 = std::ptr::read::<u8>(m1); // $ Alert[rust/access-invalid-pointer]=dealloc
 		let v8 = std::ptr::read::<i64>(m2); // $ MISSING: Alert
 		println!("	v5 = {v5} (!)"); // corrupt in practice
 		println!("	v6 = {v6} (!)"); // corrupt in practice
 		println!("	v7 = {v7} (!)"); // corrupt in practice
 		println!("	v8 = {v8} (!)"); // corrupt in practice
 
 		if do_dangerous_writes {
-			*m1 = 2; // $ MISSING: Alert
+			*m1 = 2; // $ Alert[rust/access-invalid-pointer]=dealloc
 			*m2 = 3; // $ MISSING: Alert
-			std::ptr::write::<u8>(m1, 4); // $ MISSING: Alert
+			std::ptr::write::<u8>(m1, 4); // $ Alert[rust/access-invalid-pointer]=dealloc
 			std::ptr::write::<i64>(m2, 5); // $ MISSING: Alert
 		}
 	}
@@ -139,9 +140,10 @@ pub fn test_ptr_drop() {
 		println!("	v1 = {v1}");
 		println!("	v2 = {v2}");
 
-		std::ptr::drop_in_place(p1); // explicitly destructs the pointed-to `m2`
+		std::ptr::drop_in_place(p1); // $ Source=drop_in_place
+		// explicitly destructs the pointed-to `m2`
 
-		let v3 = (*p1)[0]; // $ MISSING: Alert
+		let v3 = (*p1)[0]; // $ Alert[rust/access-invalid-pointer]=drop_in_place
 		let v4 = (*p2)[0]; // $ MISSING: Alert
 		println!("	v3 = {v3} (!)"); // corrupt in practice
 		println!("	v4 = {v4} (!)"); // corrupt in practice
