Merge pull request github#12569 from andersfugmann/andersfugmann/use_after_free

C++: Implement use-after-free and double-free queries using the new IR use-use dataflow

Author: MathiasVP

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -897,23 +897,6 @@ private class MyConsistencyConfiguration extends Consistency::ConsistencyConfigu
   }
 }
 
-/**
- * Gets the basic block of `node`.
- */
-IRBlock getBasicBlock(Node node) {
-  node.asInstruction().getBlock() = result
-  or
-  node.asOperand().getUse().getBlock() = result
-  or
-  node.(SsaPhiNode).getPhiNode().getBasicBlock() = result
-  or
-  node.(RawIndirectOperand).getOperand().getUse().getBlock() = result
-  or
-  node.(RawIndirectInstruction).getInstruction().getBlock() = result
-  or
-  result = getBasicBlock(node.(PostUpdateNode).getPreUpdateNode())
-}
-
 /**
  * A local flow relation that includes both local steps, read steps and
  * argument-to-return flow through summarized functions.
@@ -999,7 +982,8 @@ private int countNumberOfBranchesUsingParameter(SwitchInstruction switch, Parame
     // we pick the one with the highest edge count.
     result =
       max(SsaPhiNode phi |
-        switch.getSuccessor(caseOrDefaultEdge()).getBlock().dominanceFrontier() = getBasicBlock(phi) and
+        switch.getSuccessor(caseOrDefaultEdge()).getBlock().dominanceFrontier() =
+          phi.getBasicBlock() and
         phi.getSourceVariable() = sv
       |
         strictcount(phi.getAnInput())

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -160,6 +160,28 @@ class Node extends TIRDataFlowNode {
   /** Gets the operands corresponding to this node, if any. */
   Operand asOperand() { result = this.(OperandNode).getOperand() }
 
+  /**
+   * Holds if this node is at index `i` in basic block `block`.
+   *
+   * Note: Phi nodes are considered to be at index `-1`.
+   */
+  final predicate hasIndexInBlock(IRBlock block, int i) {
+    this.asInstruction() = block.getInstruction(i)
+    or
+    this.asOperand().getUse() = block.getInstruction(i)
+    or
+    this.(SsaPhiNode).getPhiNode().getBasicBlock() = block and i = -1
+    or
+    this.(RawIndirectOperand).getOperand().getUse() = block.getInstruction(i)
+    or
+    this.(RawIndirectInstruction).getInstruction() = block.getInstruction(i)
+    or
+    this.(PostUpdateNode).getPreUpdateNode().hasIndexInBlock(block, i)
+  }
+
+  /** Gets the basic block of this node, if any. */
+  final IRBlock getBasicBlock() { this.hasIndexInBlock(result, _) }
+
   /**
    * Gets the non-conversion expression corresponding to this node, if any.
    * This predicate only has a result on nodes that represent the value of
@@ -530,7 +552,7 @@ class SsaPhiNode extends Node, TSsaPhiNode {
    */
   final Node getAnInput(boolean fromBackEdge) {
     localFlowStep(result, this) and
-    if phi.getBasicBlock().dominates(getBasicBlock(result))
+    if phi.getBasicBlock().dominates(result.getBasicBlock())
     then fromBackEdge = true
     else fromBackEdge = false
   }
@@ -1887,7 +1909,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
       e = value.getAnInstruction().getConvertedResultExpression() and
       result.getConvertedExpr() = e and
       guardChecks(g, value.getAnInstruction().getConvertedResultExpression(), edge) and
-      g.controls(getBasicBlock(result), edge)
+      g.controls(result.getBasicBlock(), edge)
     )
   }
 }

cpp/ql/src/Critical/DoubleFree.cpp

@@ -0,0 +1,10 @@
+int* f() {
+	int *buff = malloc(SIZE*sizeof(int));
+	do_stuff(buff);
+	free(buff);
+	int *new_buffer = malloc(SIZE*sizeof(int));
+	free(buff); // BAD: If new_buffer is assigned the same address as buff,
+              // the memory allocator will free the new buffer memory region,
+              // leading to use-after-free problems and memory corruption.
+	return new_buffer;
+}

cpp/ql/src/Critical/DoubleFree.qhelp

@@ -0,0 +1,33 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>
+Deallocating memory more than once can lead to a double-free vulnerability. This can be exploited to
+corrupt the allocator's internal data structures, which can lead to denial-of-service attacks by crashing
+the program, or security vulnerabilities, by allowing an attacker to overwrite arbitrary memory locations.
+</p>
+
+</overview>
+<recommendation>
+<p>
+Ensure that all execution paths deallocate the allocated memory at most once. If possible, reassign
+the pointer to a null value after deallocating it. This will prevent double-free vulnerabilities since
+most deallocation functions will perform a null-pointer check before attempting to deallocate the memory.
+</p>
+
+</recommendation>
+<example><sample src="DoubleFree.cpp" />
+</example>
+<references>
+
+<li>
+OWASP:
+<a href="https://owasp.org/www-community/vulnerabilities/Doubly_freeing_memory">Doubly freeing memory</a>.
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/Critical/DoubleFree.ql

@@ -0,0 +1,49 @@
+/**
+ * @name Potential double free
+ * @description Freeing a resource more than once can lead to undefined behavior and cause memory corruption.
+ * @kind path-problem
+ * @precision medium
+ * @id cpp/double-free
+ * @problem.severity warning
+ * @security-severity 9.3
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-415
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+import FlowAfterFree
+import DoubleFree::PathGraph
+
+predicate isFree(DataFlow::Node n, Expr e) { isFree(n, e, _) }
+
+/**
+ * `dealloc1` is a deallocation expression and `e` is an expression such
+ * that is deallocated by a deallocation expression, and the `(dealloc1, e)` pair
+ * should be excluded by the `FlowFromFree` library.
+ *
+ * Note that `e` is not necessarily the expression deallocated by `dealloc1`. It will
+ * be bound to the second deallocation as identified by the `FlowFromFree` library.
+ */
+bindingset[dealloc1, e]
+predicate isExcludeFreePair(DeallocationExpr dealloc1, Expr e) {
+  exists(DeallocationExpr dealloc2 | isFree(_, e, dealloc2) |
+    dealloc1.(FunctionCall).getTarget().hasGlobalName("MmFreePagesFromMdl") and
+    // From https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmfreepagesfrommdl:
+    // "After calling MmFreePagesFromMdl, the caller must also call ExFreePool
+    // to release the memory that was allocated for the MDL structure."
+    isExFreePoolCall(dealloc2, _)
+  )
+}
+
+module DoubleFree = FlowFromFree<isFree/2, isExcludeFreePair/2>;
+
+from DoubleFree::PathNode source, DoubleFree::PathNode sink, DeallocationExpr dealloc, Expr e2
+where
+  DoubleFree::flowPath(source, sink) and
+  isFree(source.getNode(), _, dealloc) and
+  isFree(sink.getNode(), e2)
+select sink.getNode(), source, sink,
+  "Memory pointed to by '" + e2.toString() + "' may already have been freed by $@.", dealloc,
+  dealloc.toString()

cpp/ql/src/Critical/FlowAfterFree.qll

@@ -0,0 +1,129 @@
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+private import semmle.code.cpp.ir.IR
+
+/**
+ * Signature for a predicate that holds if `n.asExpr() = e` and `n` is a sink in
+ * the `FlowFromFreeConfig` module.
+ */
+private signature predicate isSinkSig(DataFlow::Node n, Expr e);
+
+/**
+ * Holds if `dealloc` is a deallocation expression and `e` is an expression such
+ * that `isFree(_, e)` holds for some `isFree` predicate satisfying `isSinkSig`,
+ * and this source-sink pair should be excluded from the analysis.
+ */
+bindingset[dealloc, e]
+private signature predicate isExcludedSig(DeallocationExpr dealloc, Expr e);
+
+/**
+ * Holds if `(b1, i1)` strictly post-dominates `(b2, i2)`
+ */
+bindingset[i1, i2]
+predicate strictlyPostDominates(IRBlock b1, int i1, IRBlock b2, int i2) {
+  b1 = b2 and
+  i1 > i2
+  or
+  b1.strictlyPostDominates(b2)
+}
+
+/**
+ * Holds if `(b1, i1)` strictly dominates `(b2, i2)`
+ */
+bindingset[i1, i2]
+predicate strictlyDominates(IRBlock b1, int i1, IRBlock b2, int i2) {
+  b1 = b2 and
+  i1 < i2
+  or
+  b1.strictlyDominates(b2)
+}
+
+/**
+ * Constructs a `FlowFromFreeConfig` module that can be used to find flow between
+ * a pointer being freed by some deallocation function, and a user-specified sink.
+ *
+ * In order to reduce false positives, the set of sinks is restricted to only those
+ * that satisfy at least one of the following two criteria:
+ * 1. The source dominates the sink, or
+ * 2. The sink post-dominates the source.
+ */
+module FlowFromFree<isSinkSig/2 isASink, isExcludedSig/2 isExcluded> {
+  module FlowFromFreeConfig implements DataFlow::StateConfigSig {
+    class FlowState instanceof Expr {
+      FlowState() { isFree(_, this, _) }
+
+      string toString() { result = super.toString() }
+    }
+
+    predicate isSource(DataFlow::Node node, FlowState state) { isFree(node, state, _) }
+
+    pragma[inline]
+    predicate isSink(DataFlow::Node sink, FlowState state) {
+      exists(
+        Expr e, DataFlow::Node source, IRBlock b1, int i1, IRBlock b2, int i2,
+        DeallocationExpr dealloc
+      |
+        isASink(sink, e) and
+        isFree(source, state, dealloc) and
+        e != state and
+        source.hasIndexInBlock(b1, i1) and
+        sink.hasIndexInBlock(b2, i2) and
+        not isExcluded(dealloc, e)
+      |
+        strictlyDominates(b1, i1, b2, i2)
+        or
+        strictlyPostDominates(b2, i2, b1, i1)
+      )
+    }
+
+    predicate isBarrierIn(DataFlow::Node n) {
+      n.asIndirectExpr() = any(AddressOfExpr aoe)
+      or
+      n.asIndirectExpr() = any(Call call).getAnArgument()
+      or
+      exists(Expr e |
+        n.asIndirectExpr() = e.(PointerDereferenceExpr).getOperand() or
+        n.asIndirectExpr() = e.(ArrayExpr).getArrayBase()
+      |
+        e = any(StoreInstruction store).getDestinationAddress().getUnconvertedResultExpression()
+      )
+    }
+
+    predicate isBarrier(DataFlow::Node n, FlowState state) { none() }
+
+    predicate isAdditionalFlowStep(
+      DataFlow::Node n1, FlowState state1, DataFlow::Node n2, FlowState state2
+    ) {
+      none()
+    }
+  }
+
+  import DataFlow::GlobalWithState<FlowFromFreeConfig>
+}
+
+/**
+ * Holds if `n` is a dataflow node such that `n.asExpr() = e` and `e`
+ * is being freed by a deallocation expression `dealloc`.
+ */
+predicate isFree(DataFlow::Node n, Expr e, DeallocationExpr dealloc) {
+  e = dealloc.getFreedExpr() and
+  e = n.asExpr() and
+  // Ignore realloc functions
+  not exists(dealloc.(FunctionCall).getTarget().(AllocationFunction).getReallocPtrArg())
+}
+
+/**
+ * Holds if `fc` is a function call that is the result of expanding
+ * the `ExFreePool` macro.
+ */
+predicate isExFreePoolCall(FunctionCall fc, Expr e) {
+  e = fc.getArgument(0) and
+  (
+    exists(MacroInvocation mi |
+      mi.getMacroName() = "ExFreePool" and
+      mi.getExpr() = fc
+    )
+    or
+    fc.getTarget().hasGlobalName("ExFreePool")
+  )
+}