admin管理员组

文章数量:1291454

Is it possible to search for UAF by tracking clones of arguments from the "free" function? For example, in this code:

/**
 * @name Use after free
 * @kind path-problem
 * @id cpp/use-after-free
 */
import cpp
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.dataflow.TaintTracking
import Configs::PathGraph

module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node arg) {
    exists(FunctionCall call |
      call.getTarget().hasGlobalOrStdName("free") and
      arg.asDefiningArgument() = call.getArgument(0)
    )
  }

  predicate isSink(DataFlow::Node sink) {
    exists(Expr e |
      sink.asExpr() = e and
      dereferenced(e)
    )
  }

}

module Configs = TaintTracking::Global<Config>;

from Configs::PathNode source, Configs::PathNode sink
where Configs::hasFlowPath(source, sink)
select sink, source, sink,
  "Memory is freed here and used here, causing a potential vulnerability.",
  source, "freed here", sink, "used here"

In this code I am tracking the argument of the "free" function. However, it doesn't track other references to the allocation memory. Can I use some functions to trace these cases?

For this test I can't find CWE, because I track only 'a':

#include <stdlib.h>
#include <time.h>

int main() {
  char *a = (char *)malloc(sizeof(char)); // Memory allocation
  char *b = a;
  if (a != NULL) {
    free(a); // Free allocated memory
  }
  *b = 'b'; // Use after free
  return 0;
}

And for this:

int main() {
  struct char2 *c2_alias;
  struct char2 *c2 = (struct char2 *)malloc(sizeof(struct char2));
  c2->a = (char *)malloc(sizeof(char)); // Memory allocation
  c2_alias = c2;
  time_t seconds = time(NULL) % 3;
  free(c2->a); // Free memory which was allocated in 'c2->a'
  if (seconds >= 0 && seconds <= 2)
    *(c2_alias->a) = 'a'; // Use after free
  if (seconds >= 3)
    *(c2_alias->b) = 'b';
  free(c2);
  return 0;
}

Or is it necessary to somehow start from where the "malloc" was made?

本文标签: cIs it possible to track clone value in CodeQLStack Overflow

版权声明:本文标题:c - Is it possible to track clone value in CodeQL - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1741534933a2383973.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。