WIP

Author: paldepind

rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll

@@ -31,12 +31,18 @@ module AccessAfterLifetime {
 
   /**
    * A data flow sink for accesses to a pointer after its lifetime has ended,
-   * that is, a dereference.
+   * that is, a dereference. We re-use the same sinks as for the accesses to
+   * invalid pointers query.
    */
-  abstract class Sink extends QuerySink::Range {
-    override string getSinkType() { result = "AccessAfterLifetime" }
-  }
+  class Sink = AccessInvalidPointer::Sink;
 
+  // /**
+  //  * A data flow sink for accesses to a pointer after its lifetime has ended,
+  //  * that is, a dereference.
+  //  */
+  // abstract class Sink extends QuerySink::Range {
+  //   override string getSinkType() { result = "AccessAfterLifetime" }
+  // }
   /**
    * A barrier for accesses to a pointer after its lifetime has ended.
    */
@@ -115,23 +121,14 @@ module AccessAfterLifetime {
   private class RefExprSource extends Source {
     Expr targetValue;
 
-    RefExprSource() { this.asExpr().(RefExpr).getExpr() = targetValue }
+    RefExprSource() {
+      this.asExpr().(RefExpr).getExpr() = targetValue and
+      this.asExpr().(RefExpr).isRaw()
+    }
 
     override Expr getTarget() { result = targetValue }
   }
 
-  /**
-   * A pointer access using the unary `*` operator.
-   */
-  private class DereferenceSink extends Sink {
-    DereferenceSink() { any(DerefExpr p).getExpr() = this.asExpr() }
-  }
-
-  /** A pointer access from model data. */
-  private class ModelsAsDataSink extends Sink {
-    ModelsAsDataSink() { sinkNode(this, "pointer-access") }
-  }
-
   /**
    * A barrier for nodes inside closures, as we don't model lifetimes of
    * variables through closures properly.

rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql

@@ -26,7 +26,8 @@ module AccessAfterLifetimeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
     node instanceof AccessAfterLifetime::Source and
     // exclude cases with sources in macros, since these results are difficult to interpret
-    not node.asExpr().isFromMacroExpansion()
+    not node.asExpr().isFromMacroExpansion() and
+    AccessAfterLifetime::sourceValueScope(node, _, _)
   }
 
   predicate isSink(DataFlow::Node node) {
@@ -36,7 +37,8 @@ module AccessAfterLifetimeConfig implements DataFlow::ConfigSig {
     // include only results inside `unsafe` blocks, as other results tend to be false positives
     (
       node.asExpr().getEnclosingBlock*().isUnsafe() or
-      node.asExpr().getEnclosingCallable().(Function).isUnsafe()
+      node.asExpr().getEnclosingCallable().(Function).isUnsafe() or
+      not exists(node.asExpr())
     )
   }