CodeQL library for C/C++
codeql/cpp-all 0.12.12-dev (changelog, source)

Module FlowAfterFree

General library for finding flow from a pointer being freed to a user-specified sink

Import path

import semmle.code.cpp.security.flowafterfree.FlowAfterFree

Imports

DataFlow

Provides a library for local (intra-procedural) and global (inter-procedural) data flow analysis: deciding whether data can flow from a source to a sink. This library differs from the one in semmle.code.cpp.dataflow in that this library uses the IR (Intermediate Representation) library, which provides a more precise semantic representation of the program, whereas the other dataflow library uses the more syntax-oriented ASTs. This library should provide more accurate results than the AST-based library in most scenarios.

cpp

Provides classes and predicates for working with C/C++ code.

Predicates

defaultSourceSinkIsRelated

Holds if either source strictly dominates sink, or sink strictly post-dominates source.

isExFreePoolCall

Holds if fc is a function call that is the result of expanding the ExFreePool macro.

isExcludedMmFreePageFromMdl

Holds if dealloc1 is a deallocation expression, e is an expression that dereferences a pointer, and the (dealloc1, e) pair should be excluded by the FlowFromFree library.

isFree

Holds if outgoing is a dataflow node that represents the pointer passed to dealloc after the call returns (i.e., the post-update node associated with the argument to dealloc), and incoming is the corresponding argument node going into dealloc (i.e., the pre-update node of outgoing).

strictlyDominates

Holds if (b1, i1) strictly dominates (b2, i2).

strictlyPostDominates

Holds if (b1, i1) strictly post-dominates (b2, i2).

Modules

FlowFromFree

Constructs a FlowFromFreeConfig module that can be used to find flow between a pointer being freed by some deallocation function, and a user-specified sink.

Module signatures

FlowFromFreeParamSig

The signature for a module that is used to specify the inputs to the FlowFromFree module.