Skip to content

Rust: Query for access to a dangling pointer #18300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
geoffw0 wants to merge 12 commits into from
Closed

Rust: Query for access to a dangling pointer #18300

geoffw0 wants to merge 12 commits into from

Conversation

@geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented Dec 16, 2024
edited
Loading

Query for access to a dangling pointer, i.e. something along the lines of:

let ptr = &raw const my_thing;

// ... my_thing goes out of scope, leaving ptr dangling ...

unsafe {
	_ = *ptr; // BAD
}

This is a draft because I still need to:

  • do a DCA run, iterate on results if necessary. here
  • I think I want to split the concept of this query in three, as the implementations and documentation might be quite different:
    • dangling pointer access due to lifetime end (implemented in this PR)
    • dangling pointer access due to deallocation (which will have a different implementation, though sources / sinks may be in common)
    • dangling pointer access due to overwritten target (check if this one is really undefined behaviour / real world cases are likely to be on purpose)
  • add qhelp with examples.

Then I will need:

  • code review.
  • docs review.

As you can see from the test, there are a lot of cases we don't cover yet, which will be follow-up work. Right now I want to get a minimal version of the query merged before worrying about them too much.

@geoffw0 geoffw0 added the Rust Pull requests that update Rust code label Dec 16, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 16, 2024
View reviewed changes
geoffw0
geoffw0 commented Dec 16, 2024
View reviewed changes
rust/ql/lib/codeql/rust/security/DanglingPointerExtensions.qll
maybeOnStack(a, ce.getEnclosingBlock()) and
ce.getStaticTarget() = b.getEnclosingCallable()
)
}
Copy link
Contributor Author

@geoffw0 geoffw0 Dec 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An entirely different approach is possible, where having done the data flow we would check the control flow as well, all the way from the pointer creation to dereference, to see if it crosses a point where the objects lifetime ends. I ran into problems even defining these points, wasn't sure how best to implement that kind of flow effectively, and my attempts didn't get good results so I changed tactics. Nevertheless it could be more accurate in the sense of finding more results, and some of these issues might get easier as our libraries mature.

@geoffw0
Copy link
Contributor Author

geoffw0 commented Mar 13, 2025

Closing. I'm going to reassemble the pieces into two or three separate queries, and in the process hopefully remember where I was with this work.

@geoffw0 geoffw0 closed this Mar 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

No one assigned

Labels

Rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@geoffw0