
UAF not flagged #15806

Open

Description

@tardigrade-9

I borrowed the query from UseAfterFree.ql in the CodeQL repo and modified it to include a custom free function, but the query is not flagging the UAF.

```ql
import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.ir.IR
import semmle.code.cpp.security.flowafterfree.FlowAfterFree
import semmle.code.cpp.security.flowafterfree.UseAfterFree
import UseAfterFreeTrace::PathGraph

module UseAfterFreeParam implements FlowFromFreeParamSig {
  predicate isSink = isUse/2;

  predicate isExcluded = isExcludedMmFreePageFromMdl/2;

  predicate sourceSinkIsRelated = defaultSourceSinkIsRelated/2;
}

import UseAfterFreeParam

module UseAfterFreeTrace = FlowFromFree<UseAfterFreeParam>;

// Custom deallocation model: a call to freeaddrinfo() frees its first argument.
class FreeAddrInfo extends DeallocationExpr, FunctionCall {
  FreeAddrInfo() { this.getTarget().hasGlobalName("freeaddrinfo") }

  override Expr getFreedExpr() { result = this.getArgument(0) }
}

from UseAfterFreeTrace::PathNode source, UseAfterFreeTrace::PathNode sink, FreeAddrInfo dealloc
where
  UseAfterFreeTrace::flowPath(source, sink) and
  isFree(source.getNode(), _, _, dealloc)
select sink.getNode(), source, sink, "Memory may have been previously freed by $@.", dealloc,
  dealloc.toString()
```

I'm trying to analyse https://nvd.nist.gov/vuln/detail/CVE-2021-38383.
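A staged sanity check for the source side of this query, added here as an example and not code from the issue or from the CodeQL repository. When a data-flow query returns nothing, the first thing to establish is whether any source exists at all, independent of the sink and the flow configuration. The query below reuses the `FreeAddrInfo` class from the post and calls the library predicate `isFree` with the same four-argument shape the post's query uses; the stage strings are constructed labels for this check, not CodeQL API names.

```ql
import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.security.flowafterfree.FlowAfterFree

// Same model as in the issue: every call to freeaddrinfo() deallocates its first argument.
class FreeAddrInfo extends DeallocationExpr, FunctionCall {
  FreeAddrInfo() { this.getTarget().hasGlobalName("freeaddrinfo") }

  override Expr getFreedExpr() { result = this.getArgument(0) }
}

// Stage labels are constructed for this check; they are not CodeQL API names.
from FreeAddrInfo dealloc, string stage
where
  // Stage 1: the custom class matches a call in the database and reports what it frees.
  stage = "1 matched; freed expr: " + dealloc.getFreedExpr().toString()
  or
  // Stage 2: the library source predicate (the same isFree the issue's query calls)
  // yields a data-flow node for this deallocation. Without this row no path can
  // start at this call, whatever the sink definition is.
  exists(DataFlow::Node n |
    isFree(n, _, _, dealloc) and
    stage = "2 isFree source node: " + n.toString()
  )
select dealloc, stage
```

Run it against the same database as the full query. A `freeaddrinfo` call that appears with stage 1 but not stage 2 tells you the custom model is recognised but the flow library does not turn it into a source, so the problem is on the source side rather than in `isUse` or the path search; a call that shows both stages narrows the investigation to the sink and the flow between them.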

Labels: C++, question