Rust: Add qhelp, examples, and examples as tests.

geoffw0 · geoffw0 · commit 26f85585fd55 · 2025-06-09T17:58:37.000+01:00
diff --git a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.qhelp b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.qhelp
@@ -0,0 +1,50 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>
+Dereferencing a pointer after the lifetime of its target has ended causes undefined behavior. Memory
+may be corrupted causing the program to crash or behave incorrectly, in some cases exposing the program
+to potential attacks.
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+When dereferencing a pointer in <code>unsafe</code> code, take care that the pointer is still valid
+at the time it is dereferenced. Code may need to be rearranged or changed to extend lifetimes. If
+possible, rewrite the code using safe Rust types to avoid this kind of problem altogether.
+</p>
+
+</recommendation>
+<example>
+
+<p>
+In the following example, <code>val</code> is local to <code>get_pointer</code> so its lifetime
+ends when that function returns. However, a pointer to <code>val</code> is returned and dereferenced
+after that lifetime has ended, causing undefined behavior:
+</p>
+
+<sample src="AccessAfterLifetimeBad.rs" />
+
+<p>
+One way to fix this is to change the return type of the function from a pointer to a <code>Box</code>,
+which ensures that the value it points to remains on the heap for the lifetime of the <code>Box</code>
+itself. Notice that there is no longer a need for an <code>unsafe</code> block as the code no longer
+handles pointers directly:
+</p>
+
+<sample src="AccessAfterLifetimeGood.rs" />
+
+</example>
+<references>
+
+<li>Rust Documentation: <a href="https://doc.rust-lang.org/reference/behavior-considered-undefined.html#dangling-pointers">Behavior considered undefined &gt;&gt; Dangling pointers</a>.</li>
+<li>Rust Documentation: <a href="https://doc.rust-lang.org/std/ptr/index.html#safety">Module ptr - Safety</a>.</li>
+<li>Massachusetts Institute of Technology: <a href="https://web.mit.edu/rust-lang_v1.25/arch/amd64_ubuntu1404/share/doc/rust/html/book/second-edition/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer">Unsafe Rust - Dereferencing a Raw Pointer</a>.</li>
+
+</references>
+</qhelp>
diff --git a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetimeBad.rs b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetimeBad.rs
@@ -0,0 +1,19 @@
+
+fn get_pointer() -> *const i64 {
+	let val = 123;
+
+	return &val;
+} // lifetime of `val` ends here, the pointer becomes dangling
+
+fn example() {
+	let ptr = get_pointer();
+	let val;
+
+	// ...
+
+	unsafe {
+		val = *ptr; // BAD: dereferences `ptr` after the lifetime of `val` has ended
+	}
+
+	// ...
+}
diff --git a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetimeGood.rs b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetimeGood.rs
@@ -0,0 +1,17 @@
+
+fn get_box() -> Box<i64> {
+	let val = 123;
+
+	return Box::new(val); // copies `val` onto the heap, where it remains for the lifetime of the `Box`.
+}
+
+fn example() {
+	let ptr = get_box();
+	let val;
+
+	// ...
+
+	val = *ptr; // GOOD
+
+	// ...
+}
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
@@ -23,6 +23,7 @@
 | lifetime.rs:692:13:692:14 | r1 | lifetime.rs:682:4:682:12 | &... | lifetime.rs:692:13:692:14 | r1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:681:8:681:9 | v1 | v1 |
 | lifetime.rs:693:13:693:14 | r2 | lifetime.rs:686:5:686:13 | &... | lifetime.rs:693:13:693:14 | r2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:685:8:685:9 | v2 | v2 |
 | lifetime.rs:725:2:725:12 | ptr | lifetime.rs:724:2:724:12 | &val | lifetime.rs:725:2:725:12 | ptr | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:724:2:724:12 | val | val |
+| lifetime.rs:743:10:743:12 | ptr | lifetime.rs:733:9:733:12 | &val | lifetime.rs:743:10:743:12 | ptr | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:731:6:731:8 | val | val |
 edges
 | deallocation.rs:148:6:148:7 | p1 | deallocation.rs:151:14:151:15 | p1 | provenance |  |
 | deallocation.rs:148:6:148:7 | p1 | deallocation.rs:158:14:158:15 | p1 | provenance |  |
@@ -187,6 +188,10 @@ edges
 | lifetime.rs:687:5:687:15 | &... | lifetime.rs:686:4:687:16 | TupleExpr [tuple.1] | provenance |  |
 | lifetime.rs:724:2:724:12 | &val | lifetime.rs:724:2:724:12 | ptr | provenance |  |
 | lifetime.rs:724:2:724:12 | ptr | lifetime.rs:725:2:725:12 | ptr | provenance |  |
+| lifetime.rs:733:2:733:12 | return ... | lifetime.rs:737:12:737:24 | get_pointer(...) | provenance |  |
+| lifetime.rs:733:9:733:12 | &val | lifetime.rs:733:2:733:12 | return ... | provenance |  |
+| lifetime.rs:737:6:737:8 | ptr | lifetime.rs:743:10:743:12 | ptr | provenance |  |
+| lifetime.rs:737:12:737:24 | get_pointer(...) | lifetime.rs:737:6:737:8 | ptr | provenance |  |
 models
 | 1 | Summary: lang:core; crate::ptr::from_ref; Argument[0]; ReturnValue; value |
 nodes
@@ -383,4 +388,9 @@ nodes
 | lifetime.rs:724:2:724:12 | &val | semmle.label | &val |
 | lifetime.rs:724:2:724:12 | ptr | semmle.label | ptr |
 | lifetime.rs:725:2:725:12 | ptr | semmle.label | ptr |
+| lifetime.rs:733:2:733:12 | return ... | semmle.label | return ... |
+| lifetime.rs:733:9:733:12 | &val | semmle.label | &val |
+| lifetime.rs:737:6:737:8 | ptr | semmle.label | ptr |
+| lifetime.rs:737:12:737:24 | get_pointer(...) | semmle.label | get_pointer(...) |
+| lifetime.rs:743:10:743:12 | ptr | semmle.label | ptr |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-825/lifetime.rs b/rust/ql/test/query-tests/security/CWE-825/lifetime.rs
@@ -724,3 +724,41 @@ pub fn test_macros() {
 	my_macro!(); // $ SPURIOUS: Source[rust/access-after-lifetime-ended]
 	my_macro!(); // $ SPURIOUS: Alert[rust/access-after-lifetime-ended]
 }
+
+// --- examples from qhelp ---
+
+fn get_pointer() -> *const i64 {
+	let val = 123;
+
+	return &val; // $ Source[rust/access-after-lifetime-ended]=val
+} // lifetime of `val` ends here, the pointer becomes dangling
+
+pub fn test_lifetimes_example_bad() {
+	let ptr = get_pointer();
+	let val;
+
+	use_the_stack();
+
+	unsafe {
+		val = *ptr; // $ Alert[rust/access-after-lifetime-ended]=val
+	}
+
+	println!("	val = {val} (!)"); // corrupt in practice
+}
+
+fn get_box() -> Box<i64> {
+	let val = 123;
+
+	return Box::new(val);
+}
+
+pub fn test_lifetimes_example_good() {
+	let ptr = get_box();
+	let val;
+
+	use_the_stack();
+
+	val = *ptr; // GOOD
+
+	println!("	val = {val}");
+}
diff --git a/rust/ql/test/query-tests/security/CWE-825/main.rs b/rust/ql/test/query-tests/security/CWE-825/main.rs
@@ -186,4 +186,10 @@ fn main() {
 
 	println!("test_macros:");
 	test_macros();
+
+	println!("test_lifetimes_example_bad:");
+	test_lifetimes_example_bad();
+
+	println!("test_lifetimes_example_good:");
+	test_lifetimes_example_good();
 }
