Content-Length: 269278 | pFad | http://github.com/github/codeql/issues/19387

13 False positives in cpp/user-after-free · Issue #19387 · github/codeql · GitHub
Skip to content

False positives in cpp/user-after-free #19387

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ajohnston9 opened this issue Apr 25, 2025 · 4 comments
Open

False positives in cpp/user-after-free #19387

ajohnston9 opened this issue Apr 25, 2025 · 4 comments
Labels
acknowledged GitHub staff acknowledges this issue false-positive

Comments

@ajohnston9
Copy link

cpp-user-after-free seems to have a number of false positives, particular when a pointer is freed, re-allocated, and then reused correctly.

Consider the following code snippet from this part of OpenSC:

free(priv->aid_der.value);  /* free previous value if any */
if ((priv->aid_der.value = malloc(resplen)) == NULL) {
	LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
}
memcpy(priv->aid_der.value, rbuf, resplen);
priv->aid_der.len = resplen;
LOG_FUNC_RETURN(card->ctx,i);

Analysis of the code shows that although free(priv->aid_der.value) is called at line 2939, the pointer priv->aid_der.value is immediately reassigned by a malloc call at line 2940. If the malloc fails, the function returns before the potentially dangerous memcpy at line 2943 is reached. If malloc succeeds, the memcpy operates on the newly allocated buffer, preventing a use-after-free. This finding appears to be a false positive.

Similarly, consider this snippet from this part of Assimp:

        delete[] pcScene->mRootNode->mChildren;
        for (std::vector<const BaseNode *>::/*const_*/ iterator i = aiList.begin(); i != aiList.end(); ++i) {
            const ASE::BaseNode *src = *i;

            // The parent is not known, so we can assume that we must add
            // this node to the root node of the whole scene
            aiNode *pcNode = new aiNode();
            pcNode->mParent = pcScene->mRootNode;
            pcNode->mName.Set(src->mName);
            AddMeshes(src, pcNode);
            AddNodes(nodes, pcNode, pcNode->mName.data);
            apcNodes.push_back(pcNode);
        }

        // Regenerate our output array
        pcScene->mRootNode->mChildren = new aiNode *[apcNodes.size()];
        for (unsigned int i = 0; i < apcNodes.size(); ++i)
            pcScene->mRootNode->mChildren[i] = apcNodes[i];

        pcScene->mRootNode->mNumChildren = (unsigned int)apcNodes.size();
    }

Again, the CodeQL finding indicates a potential use-after-free vulnerability where pcScene->mRootNode->mChildren is deleted at line 661 and potentially used later at line 678. Analysis of the code shows that pcScene->mRootNode->mChildren is reallocated with new aiNode*[apcNodes.size()] on line 678 before being accessed in the loop starting on line 679. Therefore, this finding appears to be a false positive, as the memory is valid when accessed.

These findings were generated when running codeql/cpp-queries against the given codebases.

Recommendation

Revise the query to look for use of a freed pointer where the the use of the pointer is done before any malloc, new or similar memory-allocating function is performed. Validate the query against test cases such as these to ensure that proper pointer re-use isn't flagged as a potential UAF.
@coadaflorin
Copy link
Contributor

Hey @ajohnston9 thanks for raising this!
Also, thank you for the detailed description here. Did you attempt any QL modifications to sort this issue? If you have anything that could help us kick-start the work on our side, we'll be very happy to look at it :)

@jketema
Copy link
Contributor

jketema commented Apr 28, 2025

Hi @ajohnston9,

Thanks for your report. We are aware of this problem, and unfortunately there's no easy fix for this. I've added a link to this issue to our internal issue tracking this.

@jketema jketema mentioned this issue Apr 28, 2025
Merged
@jketema jketema added the acknowledged GitHub staff acknowledges this issue label Apr 28, 2025
@ajohnston9
Copy link
Author

@coadaflorin We haven't yet attempted to modify the query. I understand that fixing this issue in a global sense is difficult, but ideally I'd like to see examples like the ones above captured since they're relatively trivial (re-allocation happens within the same method within a few lines of the free().

Could you also consider dropping the precision value of this query? I think it is apparent that in its current state precision is low, and documentation should likely be updated to acknowledge that the query will trigger FPs on any pointer that is freed and re-allocated.

@coadaflorin
Copy link
Contributor

@ajohnston9 we'll add this to our to do list. We'll consider both options and publish w/e change we make in the changelogs.

@QuLogic QuLogic mentioned this issue May 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
acknowledged GitHub staff acknowledges this issue false-positive
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ajohnston9 @coadaflorin @jketema








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: http://github.com/github/codeql/issues/19387

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy