Rust: Add test cases for rust/access-invalid-pointer based on real world FPs.

Author: geoffw0

rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected

@@ -24,27 +24,27 @@
 | lifetime.rs:808:23:808:25 | ptr | lifetime.rs:798:9:798:12 | &val | lifetime.rs:808:23:808:25 | ptr | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:796:6:796:8 | val | val |
 | main.rs:64:23:64:24 | p2 | main.rs:44:26:44:28 | &b2 | main.rs:64:23:64:24 | p2 | Access of a pointer to $@ after its lifetime has ended. | main.rs:43:13:43:14 | b2 | b2 |
 edges
-| deallocation.rs:148:6:148:7 | p1 | deallocation.rs:151:14:151:15 | p1 | provenance |  |
-| deallocation.rs:148:6:148:7 | p1 | deallocation.rs:158:14:158:15 | p1 | provenance |  |
-| deallocation.rs:148:30:148:38 | &raw const my_buffer | deallocation.rs:148:6:148:7 | p1 | provenance |  |
-| deallocation.rs:228:28:228:43 | ...: ... | deallocation.rs:230:18:230:20 | ptr | provenance |  |
-| deallocation.rs:240:27:240:42 | ...: ... | deallocation.rs:248:18:248:20 | ptr | provenance |  |
-| deallocation.rs:257:7:257:10 | ptr1 | deallocation.rs:260:4:260:7 | ptr1 | provenance |  |
-| deallocation.rs:257:7:257:10 | ptr1 | deallocation.rs:260:4:260:7 | ptr1 | provenance |  |
-| deallocation.rs:257:14:257:33 | &raw mut ... | deallocation.rs:257:7:257:10 | ptr1 | provenance |  |
-| deallocation.rs:258:7:258:10 | ptr2 | deallocation.rs:261:4:261:7 | ptr2 | provenance |  |
-| deallocation.rs:258:7:258:10 | ptr2 | deallocation.rs:261:4:261:7 | ptr2 | provenance |  |
-| deallocation.rs:258:14:258:33 | &raw mut ... | deallocation.rs:258:7:258:10 | ptr2 | provenance |  |
-| deallocation.rs:260:4:260:7 | ptr1 | deallocation.rs:263:27:263:30 | ptr1 | provenance |  |
-| deallocation.rs:261:4:261:7 | ptr2 | deallocation.rs:265:26:265:29 | ptr2 | provenance |  |
-| deallocation.rs:263:27:263:30 | ptr1 | deallocation.rs:228:28:228:43 | ...: ... | provenance |  |
-| deallocation.rs:265:26:265:29 | ptr2 | deallocation.rs:240:27:240:42 | ...: ... | provenance |  |
-| deallocation.rs:276:6:276:9 | ptr1 | deallocation.rs:279:13:279:16 | ptr1 | provenance |  |
-| deallocation.rs:276:6:276:9 | ptr1 | deallocation.rs:287:13:287:16 | ptr1 | provenance |  |
-| deallocation.rs:276:13:276:28 | &raw mut ... | deallocation.rs:276:6:276:9 | ptr1 | provenance |  |
-| deallocation.rs:295:6:295:9 | ptr2 | deallocation.rs:298:13:298:16 | ptr2 | provenance |  |
-| deallocation.rs:295:6:295:9 | ptr2 | deallocation.rs:308:13:308:16 | ptr2 | provenance |  |
-| deallocation.rs:295:13:295:28 | &raw mut ... | deallocation.rs:295:6:295:9 | ptr2 | provenance |  |
+| deallocation.rs:220:6:220:7 | p1 | deallocation.rs:223:14:223:15 | p1 | provenance |  |
+| deallocation.rs:220:6:220:7 | p1 | deallocation.rs:230:14:230:15 | p1 | provenance |  |
+| deallocation.rs:220:30:220:38 | &raw const my_buffer | deallocation.rs:220:6:220:7 | p1 | provenance |  |
+| deallocation.rs:300:28:300:43 | ...: ... | deallocation.rs:302:18:302:20 | ptr | provenance |  |
+| deallocation.rs:312:27:312:42 | ...: ... | deallocation.rs:320:18:320:20 | ptr | provenance |  |
+| deallocation.rs:329:7:329:10 | ptr1 | deallocation.rs:332:4:332:7 | ptr1 | provenance |  |
+| deallocation.rs:329:7:329:10 | ptr1 | deallocation.rs:332:4:332:7 | ptr1 | provenance |  |
+| deallocation.rs:329:14:329:33 | &raw mut ... | deallocation.rs:329:7:329:10 | ptr1 | provenance |  |
+| deallocation.rs:330:7:330:10 | ptr2 | deallocation.rs:333:4:333:7 | ptr2 | provenance |  |
+| deallocation.rs:330:7:330:10 | ptr2 | deallocation.rs:333:4:333:7 | ptr2 | provenance |  |
+| deallocation.rs:330:14:330:33 | &raw mut ... | deallocation.rs:330:7:330:10 | ptr2 | provenance |  |
+| deallocation.rs:332:4:332:7 | ptr1 | deallocation.rs:335:27:335:30 | ptr1 | provenance |  |
+| deallocation.rs:333:4:333:7 | ptr2 | deallocation.rs:337:26:337:29 | ptr2 | provenance |  |
+| deallocation.rs:335:27:335:30 | ptr1 | deallocation.rs:300:28:300:43 | ...: ... | provenance |  |
+| deallocation.rs:337:26:337:29 | ptr2 | deallocation.rs:312:27:312:42 | ...: ... | provenance |  |
+| deallocation.rs:348:6:348:9 | ptr1 | deallocation.rs:351:13:351:16 | ptr1 | provenance |  |
+| deallocation.rs:348:6:348:9 | ptr1 | deallocation.rs:359:13:359:16 | ptr1 | provenance |  |
+| deallocation.rs:348:13:348:28 | &raw mut ... | deallocation.rs:348:6:348:9 | ptr1 | provenance |  |
+| deallocation.rs:367:6:367:9 | ptr2 | deallocation.rs:370:13:370:16 | ptr2 | provenance |  |
+| deallocation.rs:367:6:367:9 | ptr2 | deallocation.rs:380:13:380:16 | ptr2 | provenance |  |
+| deallocation.rs:367:13:367:28 | &raw mut ... | deallocation.rs:367:6:367:9 | ptr2 | provenance |  |
 | lifetime.rs:21:2:21:18 | return ... | lifetime.rs:54:11:54:30 | get_local_dangling(...) | provenance |  |
 | lifetime.rs:21:9:21:18 | &my_local1 | lifetime.rs:21:2:21:18 | return ... | provenance |  |
 | lifetime.rs:27:2:27:22 | return ... | lifetime.rs:55:11:55:34 | get_local_dangling_mut(...) | provenance |  |
@@ -234,32 +234,32 @@ models
 | 4 | Summary: <alloc::boxed::Box>::as_ptr; Argument[0].Reference.Reference; ReturnValue.Reference; value |
 | 5 | Summary: core::ptr::from_ref; Argument[0]; ReturnValue; value |
 nodes
-| deallocation.rs:148:6:148:7 | p1 | semmle.label | p1 |
-| deallocation.rs:148:30:148:38 | &raw const my_buffer | semmle.label | &raw const my_buffer |
-| deallocation.rs:151:14:151:15 | p1 | semmle.label | p1 |
-| deallocation.rs:158:14:158:15 | p1 | semmle.label | p1 |
-| deallocation.rs:228:28:228:43 | ...: ... | semmle.label | ...: ... |
-| deallocation.rs:230:18:230:20 | ptr | semmle.label | ptr |
-| deallocation.rs:240:27:240:42 | ...: ... | semmle.label | ...: ... |
-| deallocation.rs:248:18:248:20 | ptr | semmle.label | ptr |
-| deallocation.rs:257:7:257:10 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:257:14:257:33 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:258:7:258:10 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:258:14:258:33 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:260:4:260:7 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:260:4:260:7 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:261:4:261:7 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:261:4:261:7 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:263:27:263:30 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:265:26:265:29 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:276:6:276:9 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:276:13:276:28 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:279:13:279:16 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:287:13:287:16 | ptr1 | semmle.label | ptr1 |
-| deallocation.rs:295:6:295:9 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:295:13:295:28 | &raw mut ... | semmle.label | &raw mut ... |
-| deallocation.rs:298:13:298:16 | ptr2 | semmle.label | ptr2 |
-| deallocation.rs:308:13:308:16 | ptr2 | semmle.label | ptr2 |
+| deallocation.rs:220:6:220:7 | p1 | semmle.label | p1 |
+| deallocation.rs:220:30:220:38 | &raw const my_buffer | semmle.label | &raw const my_buffer |
+| deallocation.rs:223:14:223:15 | p1 | semmle.label | p1 |
+| deallocation.rs:230:14:230:15 | p1 | semmle.label | p1 |
+| deallocation.rs:300:28:300:43 | ...: ... | semmle.label | ...: ... |
+| deallocation.rs:302:18:302:20 | ptr | semmle.label | ptr |
+| deallocation.rs:312:27:312:42 | ...: ... | semmle.label | ...: ... |
+| deallocation.rs:320:18:320:20 | ptr | semmle.label | ptr |
+| deallocation.rs:329:7:329:10 | ptr1 | semmle.label | ptr1 |
+| deallocation.rs:329:14:329:33 | &raw mut ... | semmle.label | &raw mut ... |
+| deallocation.rs:330:7:330:10 | ptr2 | semmle.label | ptr2 |
+| deallocation.rs:330:14:330:33 | &raw mut ... | semmle.label | &raw mut ... |
+| deallocation.rs:332:4:332:7 | ptr1 | semmle.label | ptr1 |
+| deallocation.rs:332:4:332:7 | ptr1 | semmle.label | ptr1 |
+| deallocation.rs:333:4:333:7 | ptr2 | semmle.label | ptr2 |
+| deallocation.rs:333:4:333:7 | ptr2 | semmle.label | ptr2 |
+| deallocation.rs:335:27:335:30 | ptr1 | semmle.label | ptr1 |
+| deallocation.rs:337:26:337:29 | ptr2 | semmle.label | ptr2 |
+| deallocation.rs:348:6:348:9 | ptr1 | semmle.label | ptr1 |
+| deallocation.rs:348:13:348:28 | &raw mut ... | semmle.label | &raw mut ... |
+| deallocation.rs:351:13:351:16 | ptr1 | semmle.label | ptr1 |
+| deallocation.rs:359:13:359:16 | ptr1 | semmle.label | ptr1 |
+| deallocation.rs:367:6:367:9 | ptr2 | semmle.label | ptr2 |
+| deallocation.rs:367:13:367:28 | &raw mut ... | semmle.label | &raw mut ... |
+| deallocation.rs:370:13:370:16 | ptr2 | semmle.label | ptr2 |
+| deallocation.rs:380:13:380:16 | ptr2 | semmle.label | ptr2 |
 | lifetime.rs:21:2:21:18 | return ... | semmle.label | return ... |
 | lifetime.rs:21:9:21:18 | &my_local1 | semmle.label | &my_local1 |
 | lifetime.rs:27:2:27:22 | return ... | semmle.label | return ... |

rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected

@@ -13,10 +13,10 @@
 | deallocation.rs:130:14:130:15 | p1 | deallocation.rs:123:23:123:40 | ...::dangling | deallocation.rs:130:14:130:15 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:123:23:123:40 | ...::dangling | invalid |
 | deallocation.rs:131:14:131:15 | p2 | deallocation.rs:124:21:124:42 | ...::dangling_mut | deallocation.rs:131:14:131:15 | p2 | This operation dereferences a pointer that may be $@. | deallocation.rs:124:21:124:42 | ...::dangling_mut | invalid |
 | deallocation.rs:132:14:132:15 | p3 | deallocation.rs:125:23:125:36 | ...::null | deallocation.rs:132:14:132:15 | p3 | This operation dereferences a pointer that may be $@. | deallocation.rs:125:23:125:36 | ...::null | invalid |
-| deallocation.rs:180:15:180:16 | p1 | deallocation.rs:176:3:176:25 | ...::drop_in_place | deallocation.rs:180:15:180:16 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:176:3:176:25 | ...::drop_in_place | invalid |
-| deallocation.rs:180:15:180:16 | p1 | deallocation.rs:176:3:176:25 | ...::drop_in_place | deallocation.rs:180:15:180:16 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:176:3:176:25 | ...::drop_in_place | invalid |
-| deallocation.rs:248:18:248:20 | ptr | deallocation.rs:242:3:242:25 | ...::drop_in_place | deallocation.rs:248:18:248:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:242:3:242:25 | ...::drop_in_place | invalid |
-| deallocation.rs:248:18:248:20 | ptr | deallocation.rs:242:3:242:25 | ...::drop_in_place | deallocation.rs:248:18:248:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:242:3:242:25 | ...::drop_in_place | invalid |
+| deallocation.rs:252:15:252:16 | p1 | deallocation.rs:248:3:248:25 | ...::drop_in_place | deallocation.rs:252:15:252:16 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:248:3:248:25 | ...::drop_in_place | invalid |
+| deallocation.rs:252:15:252:16 | p1 | deallocation.rs:248:3:248:25 | ...::drop_in_place | deallocation.rs:252:15:252:16 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:248:3:248:25 | ...::drop_in_place | invalid |
+| deallocation.rs:320:18:320:20 | ptr | deallocation.rs:314:3:314:25 | ...::drop_in_place | deallocation.rs:320:18:320:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:314:3:314:25 | ...::drop_in_place | invalid |
+| deallocation.rs:320:18:320:20 | ptr | deallocation.rs:314:3:314:25 | ...::drop_in_place | deallocation.rs:320:18:320:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:314:3:314:25 | ...::drop_in_place | invalid |
 edges
 | deallocation.rs:20:3:20:21 | ...::dealloc | deallocation.rs:20:23:20:24 | [post] m1 | provenance | Src:MaD:3 MaD:3 |
 | deallocation.rs:20:23:20:24 | [post] m1 | deallocation.rs:26:15:26:16 | m1 | provenance |  |
@@ -44,12 +44,12 @@ edges
 | deallocation.rs:125:6:125:7 | p3 | deallocation.rs:132:14:132:15 | p3 | provenance |  |
 | deallocation.rs:125:23:125:36 | ...::null | deallocation.rs:125:23:125:38 | ...::null(...) | provenance | Src:MaD:7 MaD:7 |
 | deallocation.rs:125:23:125:38 | ...::null(...) | deallocation.rs:125:6:125:7 | p3 | provenance |  |
-| deallocation.rs:176:3:176:25 | ...::drop_in_place | deallocation.rs:176:27:176:28 | [post] p1 | provenance | Src:MaD:6 MaD:6 |
-| deallocation.rs:176:3:176:25 | ...::drop_in_place | deallocation.rs:176:27:176:28 | [post] p1 | provenance | Src:MaD:6 MaD:6 |
-| deallocation.rs:176:27:176:28 | [post] p1 | deallocation.rs:180:15:180:16 | p1 | provenance |  |
-| deallocation.rs:242:3:242:25 | ...::drop_in_place | deallocation.rs:242:27:242:29 | [post] ptr | provenance | Src:MaD:6 MaD:6 |
-| deallocation.rs:242:3:242:25 | ...::drop_in_place | deallocation.rs:242:27:242:29 | [post] ptr | provenance | Src:MaD:6 MaD:6 |
-| deallocation.rs:242:27:242:29 | [post] ptr | deallocation.rs:248:18:248:20 | ptr | provenance |  |
+| deallocation.rs:248:3:248:25 | ...::drop_in_place | deallocation.rs:248:27:248:28 | [post] p1 | provenance | Src:MaD:6 MaD:6 |
+| deallocation.rs:248:3:248:25 | ...::drop_in_place | deallocation.rs:248:27:248:28 | [post] p1 | provenance | Src:MaD:6 MaD:6 |
+| deallocation.rs:248:27:248:28 | [post] p1 | deallocation.rs:252:15:252:16 | p1 | provenance |  |
+| deallocation.rs:314:3:314:25 | ...::drop_in_place | deallocation.rs:314:27:314:29 | [post] ptr | provenance | Src:MaD:6 MaD:6 |
+| deallocation.rs:314:3:314:25 | ...::drop_in_place | deallocation.rs:314:27:314:29 | [post] ptr | provenance | Src:MaD:6 MaD:6 |
+| deallocation.rs:314:27:314:29 | [post] ptr | deallocation.rs:320:18:320:20 | ptr | provenance |  |
 models
 | 1 | Sink: core::ptr::read; Argument[0]; pointer-access |
 | 2 | Sink: core::ptr::write; Argument[0]; pointer-access |
@@ -92,12 +92,12 @@ nodes
 | deallocation.rs:130:14:130:15 | p1 | semmle.label | p1 |
 | deallocation.rs:131:14:131:15 | p2 | semmle.label | p2 |
 | deallocation.rs:132:14:132:15 | p3 | semmle.label | p3 |
-| deallocation.rs:176:3:176:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
-| deallocation.rs:176:3:176:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
-| deallocation.rs:176:27:176:28 | [post] p1 | semmle.label | [post] p1 |
-| deallocation.rs:180:15:180:16 | p1 | semmle.label | p1 |
-| deallocation.rs:242:3:242:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
-| deallocation.rs:242:3:242:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
-| deallocation.rs:242:27:242:29 | [post] ptr | semmle.label | [post] ptr |
-| deallocation.rs:248:18:248:20 | ptr | semmle.label | ptr |
+| deallocation.rs:248:3:248:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
+| deallocation.rs:248:3:248:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
+| deallocation.rs:248:27:248:28 | [post] p1 | semmle.label | [post] p1 |
+| deallocation.rs:252:15:252:16 | p1 | semmle.label | p1 |
+| deallocation.rs:314:3:314:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
+| deallocation.rs:314:3:314:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
+| deallocation.rs:314:27:314:29 | [post] ptr | semmle.label | [post] ptr |
+| deallocation.rs:320:18:320:20 | ptr | semmle.label | ptr |
 subpaths

rust/ql/test/query-tests/security/CWE-825/deallocation.rs

@@ -137,6 +137,78 @@ pub fn test_ptr_invalid(mode: i32) {
 	}
 }
 
+struct MyObject {
+	value: i64
+}
+
+impl MyObject {
+	fn is_zero(&self) -> bool {
+		self.value == 0
+	}
+}
+
+pub unsafe fn test_ptr_invalid_conditions(mode: i32) {
+	let layout = std::alloc::Layout::new::<MyObject>();
+	let mut ptr = std::alloc::alloc(layout) as *mut MyObject;
+	(*ptr).value = 0; // good
+
+	if mode == 121 {
+		ptr = std::ptr::null_mut(); // (causes a panic below)
+	}
+
+	if ptr.is_null() {
+		let v = (*ptr).value; // $ MISSING: Alert[rust/access-invalid-pointer]
+		println!("	cond1 v = {v}");
+	} else {
+		let v = (*ptr).value; // good - unreachable with null pointer
+		println!("	cond2 v = {v}");
+	}
+
+	if mode == 122 {
+		ptr = std::ptr::null_mut(); // (causes a panic below)
+	}
+
+	if !(ptr.is_null()) {
+		let v = (*ptr).value; // good - unreachable with null pointer
+		println!("	cond3 v = {v}");
+	} else {
+		let v = (*ptr).value; // $ MISSING: Alert[rust/access-invalid-pointer]
+		println!("	cond4 v = {v}");
+	}
+
+	if mode == 123 {
+		ptr = std::ptr::null_mut(); // (causes a panic below)
+	}
+
+	if ptr.is_null() || (*ptr).value == 0 { // good - deref is protected by short-circuiting
+		println!("	cond5");
+	}
+
+	if ptr.is_null() || (*ptr).is_zero() { // good - deref is protected by short-circuiting
+		println!("	cond6");
+	}
+
+	if !ptr.is_null() || (*ptr).value == 0 { // $ MISSING: Alert[rust/access-invalid-pointer]
+		println!("	cond7");
+	}
+
+	if mode == 124 {
+		ptr = std::ptr::null_mut(); // (causes a panic below)
+	}
+
+	if ptr.is_null() && (*ptr).is_zero() { // $ MISSING: Alert[rust/access-invalid-pointer]
+		println!("	cond8");
+	}
+
+	if mode == 125 {
+		ptr = std::ptr::null_mut(); // (causes a panic below)
+	}
+
+	if (*ptr).is_zero() || ptr.is_null() { // $ MISSING: Alert[rust/access-invalid-pointer]
+		println!("	cond9");
+	}
+}
+
 // --- drop ---
 
 struct MyBuffer {

rust/ql/test/query-tests/security/CWE-825/main.rs

@@ -126,6 +126,11 @@ fn main() {
     println!("test_ptr_invalid:");
     test_ptr_invalid(mode);
 
+    println!("test_ptr_invalid_conditions:");
+    unsafe {
+        test_ptr_invalid_conditions(mode);
+    }
+
     println!("test_drop:");
     test_drop();