Merge pull request #46 from maltek/uaf-post

additional UseAfterFree query
joernio · Jan 20, 2021 · cfea27e · cfea27e
2 parents bf93c51 + 7f94c65
commit cfea27e
Show file tree

Hide file tree

Showing 2 changed files with 97 additions and 0 deletions.
diff --git a/src/main/scala/io/joern/scanners/c/UseAfterFree.scala b/src/main/scala/io/joern/scanners/c/UseAfterFree.scala
@@ -7,6 +7,7 @@ import io.shiftleft.console._
 import io.shiftleft.semanticcpg.language._
 import io.shiftleft.dataflowengineoss.language._
 import io.shiftleft.dataflowengineoss.queryengine.EngineContext
+import overflowdb.traversal.Traversal
 
 object UseAfterFree extends QueryBundle {
 
@@ -117,4 +118,41 @@ object UseAfterFree extends QueryBundle {
     docFileName = sourcecode.FileName()
   )
 
+  @q
+  def freePostDominatesUsage()(implicit context: EngineContext): Query = Query(
+    name = "free-follows-value-reuse",
+    author = Crew.malte,
+    title = "A value that is free'd is reused without reassignment.",
+    description = """
+        |A value is used after being free'd in a path that leads to it
+        |without reassignment.
+        |
+        |Modeled after CVE-2019-18903.
+        |""".stripMargin,
+    score = 5.0,
+    traversal = { cpg =>
+      cpg.method
+        .name("(.*_)?free")
+        .filter(_.parameter.size == 1)
+        .callIn
+        .where(_.argument(1).isIdentifier)
+        .flatMap(f => {
+          val freedIdentifierCode = f.argument(1).code
+          val postDom = f.postDominatedBy.toSet
+
+          val assignedPostDom = postDom.isIdentifier
+            .where(_.inAssignment)
+            .codeExact(freedIdentifierCode)
+            .flatMap(id => id ++ id.postDominatedBy)
+
+          postDom
+            .removedAll(assignedPostDom)
+            .isIdentifier
+            .codeExact(freedIdentifierCode)
+        })
+    },
+    docEndLine = sourcecode.Line(),
+    docFileName = sourcecode.FileName()
+  )
+
 }
diff --git a/src/test/scala/io/joern/scanners/c/UseAfterFreePostUsage.scala b/src/test/scala/io/joern/scanners/c/UseAfterFreePostUsage.scala
@@ -0,0 +1,59 @@
+package io.joern.scanners.c
+
+import io.shiftleft.codepropertygraph.generated.nodes
+import io.shiftleft.console.scan._
+import io.shiftleft.semanticcpg.language._
+import overflowdb.traversal.iterableToTraversal
+
+class UseAfterFreePostUsage extends Suite {
+
+  override val code =
+    """
+      |void *bad() {
+      |  void *x = NULL;
+      |  if (cond)
+      |    free(x);
+      |  return x;
+      |}
+      |
+      |void *false_negative() {
+      |  void *x = NULL;
+      |  if (cond) {
+      |    free(x);
+      |    if (cond2)
+      |      return x; // not post-dominated by free call
+      |    x = NULL;
+      |  }
+      |  return x;
+      |}
+      |
+      |void *false_positive() {
+      |  void *x = NULL;
+      |  free(x);
+      |  if (cond)
+      |    x = NULL;
+      |  else
+      |    x = NULL;
+      |  return x;
+      |}
+      |
+      |void *good() {
+      |  void *x = NULL;
+      |  if (cond)
+      |    free(x);
+      |  x = NULL;
+      |  return x;
+      |}
+      |""".stripMargin
+
+  "should flag functions `bad` and `false_positive` only" in {
+    val x = UseAfterFree.freePostDominatesUsage()
+    x(cpg)
+      .flatMap(_.evidence)
+      .cast[nodes.Identifier]
+      .method
+      .name
+      .toSet shouldBe Set("bad", "false_positive")
+  }
+
+}