Rust: Lets just not model 'drop' incorrectly, for now.

Author: geoffw0

rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml

@@ -30,8 +30,6 @@ extensions:
       pack: codeql/rust-all
       extensible: sourceModel
     data:
-      # Mem
-      - ["lang:core", "crate::mem::drop", "Argument[0]", "pointer-invalidate", "manual"]
       # Ptr
       - ["lang:core", "crate::ptr::drop_in_place", "Argument[0]", "pointer-invalidate", "manual"]
       - ["lang:core", "crate::ptr::dangling", "ReturnValue", "pointer-invalidate", "manual"]

rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll

@@ -36,6 +36,11 @@ module AccessInvalidPointer {
 
   /**
    * A pointer invalidation from model data.
+   *
+   * Note: we don't currently support invalidation via the object itself rather than via a pointer, such as:
+   * ```
+   * drop(obj)
+   * ```
    */
   private class ModelsAsDataSource extends Source {
     ModelsAsDataSource() { sourceNode(this, "pointer-invalidate") }

rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected

@@ -13,7 +13,6 @@
 | deallocation.rs:131:14:131:15 | p2 | deallocation.rs:124:21:124:42 | ...::dangling_mut | deallocation.rs:131:14:131:15 | p2 | This operation dereferences a pointer that may be $@. | deallocation.rs:124:21:124:42 | ...::dangling_mut | invalid |
 | deallocation.rs:132:14:132:15 | p3 | deallocation.rs:125:23:125:36 | ...::null | deallocation.rs:132:14:132:15 | p3 | This operation dereferences a pointer that may be $@. | deallocation.rs:125:23:125:36 | ...::null | invalid |
 | deallocation.rs:180:15:180:16 | p1 | deallocation.rs:176:3:176:25 | ...::drop_in_place | deallocation.rs:180:15:180:16 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:176:3:176:25 | ...::drop_in_place | invalid |
-| deallocation.rs:212:10:212:17 | self.ptr | deallocation.rs:212:10:212:17 | self.ptr | deallocation.rs:212:10:212:17 | self.ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:212:10:212:17 | self.ptr | invalid |
 | deallocation.rs:245:18:245:20 | ptr | deallocation.rs:239:3:239:25 | ...::drop_in_place | deallocation.rs:245:18:245:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:239:3:239:25 | ...::drop_in_place | invalid |
 edges
 | deallocation.rs:20:3:20:21 | ...::dealloc | deallocation.rs:20:23:20:24 | [post] m1 | provenance | Src:MaD:3 MaD:3 |
@@ -84,7 +83,6 @@ nodes
 | deallocation.rs:176:3:176:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
 | deallocation.rs:176:27:176:28 | [post] p1 | semmle.label | [post] p1 |
 | deallocation.rs:180:15:180:16 | p1 | semmle.label | p1 |
-| deallocation.rs:212:10:212:17 | self.ptr | semmle.label | self.ptr |
 | deallocation.rs:239:3:239:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
 | deallocation.rs:239:27:239:29 | [post] ptr | semmle.label | [post] ptr |
 | deallocation.rs:245:18:245:20 | ptr | semmle.label | ptr |

rust/ql/test/query-tests/security/CWE-825/deallocation.rs

@@ -209,7 +209,7 @@ impl Drop for MyDropBuffer {
 
 		unsafe {
 			_ = *self.ptr;
-			drop(*self.ptr); // $ MISSING: Source=drop SPURIOUS: Alert[rust/access-invalid-pointer]=drop
+			drop(*self.ptr); // $ MISSING: Source=drop
 			_ = *self.ptr; // $ MISSING: Alert[rust/access-invalid-pointer]=drop
 			std::alloc::dealloc(self.ptr, layout);
 		}