ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.qhelp at 91d273ad761f3ec64808b9727af847d5b901aca8 · geoffw0/ql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
<!DOCTYPE qhelp PUBLIC
  "-//Semmle//qhelp//EN"
  "qhelp.dtd">
<qhelp>
<overview>

<p>
Dereferencing an invalid or dangling pointer is undefined behavior. Memory may be corrupted
causing the program to crash or behave incorrectly, in some cases exposing the program to
potential attacks.
</p>

</overview>
<recommendation>

<p>
When dereferencing a pointer in <code>unsafe</code> code, take care that the pointer is valid and
points to the intended data. Code may need to be rearranged or additional checks added to ensure
safety in all circumstances. If possible, rewrite the code using safe Rust types to avoid this
class of problems altogether.
</p>

</recommendation>
<example>

<p>
In the following example, <code>std::ptr::drop_in_place</code> is used to execute the destructor
of an object. However, a pointer to that object is dereferenced later in the program, causing
undefined behavior:
</p>

<sample src="AccessInvalidPointerBad.rs" />

<p>
In this case undefined behavior can be avoided by rearranging the code so that the dereference
comes before the call to <code>std::ptr::drop_in_place</code>:
</p>

<sample src="AccessInvalidPointerGood.rs" />

</example>
<references>

<li>Rust Documentation: <a href="https://doc.rust-lang.org/reference/behavior-considered-undefined.html#dangling-pointers">Behavior considered undefined &gt;&gt; Dangling pointers</a>.</li>
<li>Rust Documentation: <a href="https://doc.rust-lang.org/std/ptr/index.html#safety">Module ptr - Safety</a>.</li>
<li>Massachusetts Institute of Technology: <a href="https://web.mit.edu/rust-lang_v1.25/arch/amd64_ubuntu1404/share/doc/rust/html/book/second-edition/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer">Unsafe Rust - Dereferencing a Raw Pointer</a>.</li>

</references>
</qhelp>