Skip to content

Rust: New query rust/access-after-lifetime-ended#19702

Merged
hvitved merged 37 commits intogithub:mainfrom
geoffw0:lifetime
Jun 30, 2025
Merged

Rust: New query rust/access-after-lifetime-ended#19702
hvitved merged 37 commits intogithub:mainfrom
geoffw0:lifetime

Conversation

@geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented Jun 9, 2025
edited
Loading

New query rust/access-after-lifetime-ended, for detecting pointer dereferences after the lifetime of the pointed-to object has ended. Makes use of some existing tests that were created for rust/access-invalid-pointer (before I realized that the idea for that query needed breaking into two separate queries). Also adds quite a lot of new test cases as well.

Note that the query is currently @precision medium due to several remaining false positive results in the tests (and in MRVA results). I made some effort to fix these, but I didn't get them all, I feel it's time to get what we have merged and plan further improvements as follow-up work.

Before merging:

  • QL review
  • docs review
  • DCA run

geoffw0 added 18 commits June 5, 2025 10:37
@geoffw0
Rust: Placeholder new query.
da4fbfb
@geoffw0
Rust: Label source annotations in the test properly.
8e8374b
@geoffw0
Rust: Fix some warnings in the existing test.
43cb98a
@geoffw0
Rust: Add test cases involving lifetimes + closures and async blocks.
ae19ecc
@geoffw0
Rust: Add test cases involving lifetimes + lifetime annotations.
e2fb1d3
@geoffw0
Rust: Add test cases for implicit dereferences and more pointer/enum …
66c1e2c 
…mixes (inspired by early real world results).
@geoffw0
Rust: Even more test cases (inspired by real world results).
96dc34e
@geoffw0
Rust: Add some helper predicates for finding enclosing blocks.
526620c
@geoffw0
Rust: Implement the query.
bf4ea02
@geoffw0
Rust: Fix spurious results involving closures.
79f8584
@geoffw0
Rust: Have the alert message cite the variable, so it's easier to und…
21b4bae 
…erstand whether the alert is correct.
@geoffw0
Rust: More robust fix for closures.
fe20fb4
@geoffw0
Rust: Add qhelp, examples, and examples as tests.
26f8558
@geoffw0
Rust: Exclude results in macro invocations.
7bae451
@geoffw0
Rust: Exclude results where the source is a reference.
858eec3
@geoffw0
Rust: Add test showing yet another spurious result.
d3d0a53
@geoffw0
Rust: Allow parameter accesses as sources.
b3330b5
@geoffw0
Rust: Add security-severity tag and reduce precision to medium for now.
9b0ee8f 
precis
Copilot AI review requested due to automatic review settings June 9, 2025 17:41
@geoffw0 geoffw0 requested a review from a team as a code owner June 9, 2025 17:41
@geoffw0 geoffw0 added the Rust Pull requests that update Rust code label Jun 9, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Jun 9, 2025
edited
Loading

QHelp previews:

rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.qhelp

Access of a pointer after its lifetime has ended

Dereferencing a pointer after the lifetime of its target has ended causes undefined behavior. Memory may be corrupted, causing the program to crash or behave incorrectly, in some cases exposing the program to potential attacks.

Recommendation

When dereferencing a pointer in unsafe code, take care that the pointer is still valid at the time it is dereferenced. Code may need to be rearranged or changed to extend lifetimes. If possible, rewrite the code using safe Rust types to avoid this kind of problem altogether.

Example

In the following example, val is local to get_pointer so its lifetime ends when that function returns. However, a pointer to val is returned and dereferenced after that lifetime has ended, causing undefined behavior:

fn get_pointer() -> *const i64 {
	let val = 123;

	&val
} // lifetime of `val` ends here, the pointer becomes dangling

fn example() {
	let ptr = get_pointer();
	let dereferenced_ptr;

	// ...

	unsafe {
		dereferenced_ptr = *ptr; // BAD: dereferences `ptr` after the lifetime of `val` has ended
	}

	// ...
}

One way to fix this is to change the return type of the function from a pointer to a Box, which ensures that the value it points to remains on the heap for the lifetime of the Box itself. Note that there is no longer a need for an unsafe block as the code no longer handles pointers directly:

fn get_box() -> Box<i64> {
	let val = 123;

	Box::new(val) // copies `val` onto the heap, where it remains for the lifetime of the `Box`.
}

fn example() {
	let ptr = get_box();
	let dereferenced_ptr;

	// ...

	dereferenced_ptr = *ptr; // GOOD

	// ...
}

References

Copilot AI reviewed Jun 9, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Adds a new CodeQL query to detect pointer dereferences after the lifetime of their target has ended, including examples, documentation, and scope‐tracking support.

  • Introduce AccessAfterLifetime.ql with configuration, flow definition, and filtering logic
  • Add QL test harness entries (.qlref), examples (Good.rs/Bad.rs), and documentation (.qhelp)
  • Extend the internal QL library to track enclosing blocks (getEnclosingBlock) and support the new query

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
rust/ql/test/query-tests/security/CWE-825/options.yml Add futures dependency for async tests
rust/ql/test/query-tests/security/CWE-825/main.rs Invoke newly added test cases in main()
rust/ql/test/query-tests/security/CWE-825/deallocation.rs Update existing invalid-pointer test annotations
rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.qlref Register the new query with test harness
rust/ql/src/queries/security/CWE-825/AccessAfterLifetimeGood.rs Add good example using Box
rust/ql/src/queries/security/CWE-825/AccessAfterLifetimeBad.rs Add bad example that returns a dangling pointer
rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql Implement the new query logic
rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.qhelp Add documentation and examples
rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll Define sources, sinks, barriers, and scope checks
rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll Add Variable.getEnclosingBlock()
rust/ql/lib/codeql/rust/elements/internal/AstNodeImpl.qll Add AstNode.getEnclosingBlock()
Comments suppressed due to low confidence (1)

rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql:44

  • The predicate isFromMacroExpansion() does not exist; you likely meant isInMacroExpansion() to filter out macro expansions.
not sinkNode.getNode().asExpr().getExpr().isFromMacroExpansion()

@geoffw0
Copy link
Contributor Author

geoffw0 commented Jun 11, 2025
edited
Loading

DCA:

  • 95 results for the new query; that's quite a lot...
    • confusing results that have sources in macros - fixed ✅
    • results matching self; I think this kind of thing is probably OK: match self { EnumValue(x) => &x.y }
      • but the query is @precision medium, so deferring that for now should be OK I think
  • otherwise LGTM

@geoffw0 geoffw0 added no-change-note-required This PR does not need a change note ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. labels Jun 12, 2025
mchammer01
mchammer01 previously approved these changes Jun 13, 2025
View reviewed changes
Copy link
Contributor

@mchammer01 mchammer01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@geoffw0 - LGTM ✨
Added a couple of very minor comments/suggestions.

@geoffw0 @mchammer01
Apply suggestions from code review
14b75a9 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
@geoffw0
Copy link
Contributor Author

geoffw0 commented Jun 13, 2025

Thanks for the review @mchammer01 , I've accepted both suggestions. :)

hvitved
hvitved requested changes Jun 17, 2025
View reviewed changes
paldepind
paldepind previously requested changes Jun 18, 2025
View reviewed changes
Copy link
Contributor

@paldepind paldepind left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks really great to me! Lots of true positives.

@geoffw0 @paldepind
Apply suggestions from code review
5bf799e 
Co-authored-by: Simon Friis Vindum <paldepind@github.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 18, 2025
View reviewed changes
@geoffw0
Copy link
Contributor Author

geoffw0 commented Jun 25, 2025

CI is finally passing 🎉 (thanks again @redsun82 for spotting and fixing the problem here)

@hvitved would you mind approving?

hvitved
hvitved approved these changes Jun 30, 2025
View reviewed changes
rust/ql/test/query-tests/security/CWE-825/CONSISTENCY/SsaConsistency.expected
@@ -0,0 +1,6 @@
readWithoutDef
Copy link
Contributor

@hvitved hvitved Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I should investigate those inconsistencies.

@hvitved hvitved dismissed paldepind’s stale review June 30, 2025 07:35

Requested changes have been applied.

@hvitved hvitved merged commit 632cde6 into github:main Jun 30, 2025
22 checks passed
@hvitved hvitved mentioned this pull request Jun 30, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paldepind paldepind paldepind left review comments

Copilot code review Copilot Copilot left review comments

@hvitved hvitved hvitved approved these changes

@mchammer01 mchammer01 mchammer01 left review comments

Assignees

No one assigned

Labels

documentation no-change-note-required This PR does not need a change note ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. Rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@geoffw0 @paldepind @hvitved @mchammer01