False positives in cpp/user-after-free

[ajohnston9]

cpp-user-after-free seems to have a number of false positives, particular when a pointer is freed, re-allocated, and then reused correctly.

Consider the following code snippet from this part of OpenSC:

free(priv->aid_der.value);  /* free previous value if any */
if ((priv->aid_der.value = malloc(resplen)) == NULL) {
	LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
}
memcpy(priv->aid_der.value, rbuf, resplen);
priv->aid_der.len = resplen;
LOG_FUNC_RETURN(card->ctx,i);

Analysis of the code shows that although free(priv->aid_der.value) is called at line 2939, the pointer priv->aid_der.value is immediately reassigned by a malloc call at line 2940. If the malloc fails, the function returns before the potentially dangerous memcpy at line 2943 is reached. If malloc succeeds, the memcpy operates on the newly allocated buffer, preventing a use-after-free. This finding appears to be a false positive.

Similarly, consider this snippet from this part of Assimp:

        delete[] pcScene->mRootNode->mChildren;
        for (std::vector<const BaseNode *>::/*const_*/ iterator i = aiList.begin(); i != aiList.end(); ++i) {
            const ASE::BaseNode *src = *i;

            // The parent is not known, so we can assume that we must add
            // this node to the root node of the whole scene
            aiNode *pcNode = new aiNode();
            pcNode->mParent = pcScene->mRootNode;
            pcNode->mName.Set(src->mName);
            AddMeshes(src, pcNode);
            AddNodes(nodes, pcNode, pcNode->mName.data);
            apcNodes.push_back(pcNode);
        }

        // Regenerate our output array
        pcScene->mRootNode->mChildren = new aiNode *[apcNodes.size()];
        for (unsigned int i = 0; i < apcNodes.size(); ++i)
            pcScene->mRootNode->mChildren[i] = apcNodes[i];

        pcScene->mRootNode->mNumChildren = (unsigned int)apcNodes.size();
    }

Again, the CodeQL finding indicates a potential use-after-free vulnerability where pcScene->mRootNode->mChildren is deleted at line 661 and potentially used later at line 678. Analysis of the code shows that pcScene->mRootNode->mChildren is reallocated with new aiNode*[apcNodes.size()] on line 678 before being accessed in the loop starting on line 679. Therefore, this finding appears to be a false positive, as the memory is valid when accessed.

These findings were generated when running codeql/cpp-queries against the given codebases.

Recommendation

Revise the query to look for use of a freed pointer where the the use of the pointer is done before any malloc, new or similar memory-allocating function is performed. Validate the query against test cases such as these to ensure that proper pointer re-use isn't flagged as a potential UAF.

[coadaflorin]

Hey @ajohnston9 thanks for raising this!
Also, thank you for the detailed description here. Did you attempt any QL modifications to sort this issue? If you have anything that could help us kick-start the work on our side, we'll be very happy to look at it :)

[jketema]

Hi @ajohnston9,

Thanks for your report. We are aware of this problem, and unfortunately there's no easy fix for this. I've added a link to this issue to our internal issue tracking this.

[ajohnston9]

@coadaflorin We haven't yet attempted to modify the query. I understand that fixing this issue in a global sense is difficult, but ideally I'd like to see examples like the ones above captured since they're relatively trivial (re-allocation happens within the same method within a few lines of the free().

Could you also consider dropping the precision value of this query? I think it is apparent that in its current state precision is low, and documentation should likely be updated to acknowledge that the query will trigger FPs on any pointer that is freed and re-allocated.

[coadaflorin]

@ajohnston9 we'll add this to our to do list. We'll consider both options and publish w/e change we make in the changelogs.