[C++/C] Local Data Flow and Global Data Flow

[irfanariq]

Hello,

I have several question regarding local data flow and global data flow.

Q1. Is there any differences between local data flow and global data flow except the scope of computation? If yes, what is it?

Q2. I tried to detect use-after-free of s_ptr inside main function using local data flow. However, my use-after-free-query is not able to detect it. Is there anything wrong with my use-after-free query?

This is the example of C++ code

struct MyStruct {
    char* content; 
};

void free_ptr(char * ptr) {
    free(ptr);
}

void test_free_in_other_func() {
    int ct_size = 200;
    MyStruct * s = (MyStruct*) malloc(sizeof(MyStruct));
    s->content = (char*) malloc(sizeof(char)*ct_size);
    sprintf(s->content, "test_free_in_other_func");
    printf("%s\n", s->content);
    free_ptr(s->content);
    char * s_ptr = s->content;
    printf("%s\n", s_ptr);
}

int main() {
    int ct_size = 200;
    MyStruct * s = (MyStruct*) malloc(sizeof(MyStruct));
    s->content = (char*) malloc(sizeof(char)*ct_size);
    sprintf(s->content, "test_free_in_other_func");
    printf("%s\n", s->content);
    free(s->content);
    char * s_ptr = s->content;
    printf("%s\n", s_ptr);
    return 0;
}

and this is the use-after-free query that uses local data flow:

import cpp
import semmle.code.cpp.dataflow.DataFlow

predicate nodeSource(Expr src) {
  exists( FunctionCall call| 
    call.getArgument(0) = src and 
    call.getTarget().hasGlobalOrStdName("free")
  )
}
  
predicate nodeSink(Expr sink) {
  dereferenced(sink)
}

from DataFlow::Node source, DataFlow::Node sink
where 
  nodeSource(source.asDefiningArgument()) and
  nodeSink(sink.asExpr()) and
  DataFlow::localFlow(source , sink)
select sink, "Potential use after free: occur in ", sink, " from ", source

Thank you.

[MathiasVP]

Hi @irfanariq,

1. There's a difference between the precision of the analysis. For instance, global dataflow has to deal with complicated issues like matching up function call entry and return points. This has both a precision and a performance impact.
   You can read more about the difference between local and global dataflow here: https://codeql.github.com/docs/codeql-language-guides/analyzing-data-flow-in-cpp/#analyzing-data-flow-in-c-and-c.

2. As it happens, we previously had a workshop on creating just this kind of query :) You can watch it here:
   https://www.youtube.com/watch?v=eAjecQrfv3o.

Your query looks correct. The reason you're not finding the result in test_free_in_other_func is because that requires global dataflow:
Your "source" is the argument to free in free_ptr, and your "sink" is the dereference in test_free_in_other_func.

Now, why we're not detecting the flow in main using local-flow only is a good question. We should be able to detect that using local-only flow, but we're currently not.
Global dataflow handles field read/writes better than local flow, and that might be why it only works with global dataflow. I think this is something we should fix, and I've created an internal ticket for it.

You can find your results by using global flow like this, though:

import cpp
import semmle.code.cpp.dataflow.DataFlow

predicate nodeSource(Expr src) {
  exists(FunctionCall call |
    call.getArgument(0) = src and
    call.getTarget().hasGlobalOrStdName("free")
  )
}

predicate nodeSink(Expr sink) { dereferenced(sink) }

class Config extends DataFlow::Configuration {
  Config() { this = "Config" }

  override predicate isSource(DataFlow::Node src) { nodeSource(src.asDefiningArgument()) }

  override predicate isSink(DataFlow::Node sink) { nodeSink(sink.asExpr()) }
}

from Config config, DataFlow::Node source, DataFlow::Node sink
where config.hasFlow(source, sink)
select sink, "Potential use after free: occur in ", sink, " from ", source

This should give you both of the results. I hope this helps!

[irfanariq]

Hi @MathiasVP

Thank you for the detailed answer. It helps me a lot.

Actually, I already watched the workshop you mentioned and modified the query from the workshop that using global data flow to using local data flow. That's why I am a bit surprised that my query doesn't work. I thought that I make a mistake when modifying the query. Once again, thank you for your answer.

I have another question. Can I say that everything that is detected by local data flow should be detected too by global data flow?

Thank you

[MathiasVP]

I have another question. Can I say that everything that is detected by local data flow should be detected too by global data flow?

Ignoring possible bugs in our dataflow library, that should be the case, yes :) The global dataflow analysis uses the local dataflow analysis as a component, so if the local analysis finds it, the global one should also find it.

[irfanariq]

Okay, thank you very much for your help and answer. I will mark this discussion as answered and reopen or create a new one if I have any other question.