diff --git a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll
index 5be47c3efddb..64b806331a66 100644
--- a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll
@@ -102,7 +102,7 @@ module AccessAfterLifetime {
 // propagate through function calls
 exists(Call call |
 mayEncloseOnStack(a, call.getEnclosingBlock()) and
- call.getStaticTarget() = b.getEnclosingCallable()
+ call.getARuntimeTarget() = b.getEnclosingCallable()
 )
 }
diff --git a/rust/ql/src/change-notes/2025-12-04-access-after-lifetime-ended.md b/rust/ql/src/change-notes/2025-12-04-access-after-lifetime-ended.md
new file mode 100644
index 000000000000..1e9200eec8f1
--- /dev/null
+++ b/rust/ql/src/change-notes/2025-12-04-access-after-lifetime-ended.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed false positives from the `rust/access-after-lifetime-ended` query, involving calls to trait methods.
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
index c24c6a728bbf..8609b4bcb6f8 100644
--- a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
+++ b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
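Review bot: The comment `// propagate through function calls` in the AccessAfterLifetimeExtensions.qll hunk no longer explains the line below it, which now follows `getARuntimeTarget()` rather than `getStaticTarget()`, and the cost of that wider edge is not written down anywhere. If this predicate is what lets the query conclude that a stack variable is still live at the access (the change note about fewer false positives suggests so), then every over-approximated dispatch edge also suppresses a result, which is the expensive direction for a security query. I would say so at the call site, for example `// follow runtime targets so trait-dispatched calls (e.g. T::process) reach the implementing callable; imprecise dispatch here can hide results`. The predicate appears to call itself and starts above the hunk, so its evaluation cost on a large database is worth checking before merge.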
@@ -194,6 +194,10 @@ edges | lifetime.rs:798:9:798:12 | &val | lifetime.rs:798:2:798:12 | return ... | provenance | | | lifetime.rs:802:6:802:8 | ptr | lifetime.rs:808:23:808:25 | ptr | provenance | | | lifetime.rs:802:12:802:24 | get_pointer(...) | lifetime.rs:802:6:802:8 | ptr | provenance | | +| lifetime.rs:841:13:841:27 | ...: ... | lifetime.rs:843:12:843:14 | ptr | provenance | | +| lifetime.rs:851:6:851:8 | ptr | lifetime.rs:853:20:853:22 | ptr | provenance | | +| lifetime.rs:851:12:851:23 | &local_value | lifetime.rs:851:6:851:8 | ptr | provenance | | +| lifetime.rs:853:20:853:22 | ptr | lifetime.rs:841:13:841:27 | ...: ... | provenance | | | main.rs:18:9:18:10 | p1 [&ref] | main.rs:21:19:21:20 | p1 | provenance | | | main.rs:18:9:18:10 | p1 [&ref] | main.rs:29:19:29:20 | p1 | provenance | | | main.rs:18:14:18:29 | ...::as_ptr(...) [&ref] | main.rs:18:9:18:10 | p1 [&ref] | provenance | | @@ -409,6 +413,11 @@ nodes | lifetime.rs:802:6:802:8 | ptr | semmle.label | ptr | | lifetime.rs:802:12:802:24 | get_pointer(...) | semmle.label | get_pointer(...) | | lifetime.rs:808:23:808:25 | ptr | semmle.label | ptr | +| lifetime.rs:841:13:841:27 | ...: ... | semmle.label | ...: ... | +| lifetime.rs:843:12:843:14 | ptr | semmle.label | ptr | +| lifetime.rs:851:6:851:8 | ptr | semmle.label | ptr | +| lifetime.rs:851:12:851:23 | &local_value | semmle.label | &local_value | +| lifetime.rs:853:20:853:22 | ptr | semmle.label | ptr | | main.rs:18:9:18:10 | p1 [&ref] | semmle.label | p1 [&ref] | | main.rs:18:14:18:29 | ...::as_ptr(...) [&ref] | semmle.label | ...::as_ptr(...) [&ref] | | main.rs:18:26:18:28 | &b1 | semmle.label | &b1 | diff --git a/rust/ql/test/query-tests/security/CWE-825/lifetime.rs b/rust/ql/test/query-tests/security/CWE-825/lifetime.rs index 83317aa13d1f..05a099e903fb 100644 --- a/rust/ql/test/query-tests/security/CWE-825/lifetime.rs +++ b/rust/ql/test/query-tests/security/CWE-825/lifetime.rs 
@@ -827,3 +827,33 @@ pub fn test_lifetimes_example_good() {
 println!(" val = {dereferenced_ptr}");
 }
+
+// --- generic calls ---
+
+trait Processor {
+ fn process(ptr: *const i64) -> i64;
+}
+
+struct MyProcessor {
+}
+
+impl Processor for MyProcessor {
+ fn process(ptr: *const i64) -> i64 {
+ unsafe {
+ return *ptr; // good
+ }
+ }
+}
+
+fn generic_caller() -> i64
+{
+ let local_value: i64 = 10;
+ let ptr = &local_value as *const i64;
+
+ return T::process(ptr);
+}
+
+pub fn test_generic() {
+ let result = generic_caller::();
+ println!(" result = {result}");
+}
diff --git a/rust/ql/test/query-tests/security/CWE-825/main.rs b/rust/ql/test/query-tests/security/CWE-825/main.rs
index d15f595e13c0..09a3d279c216 100644
--- a/rust/ql/test/query-tests/security/CWE-825/main.rs
+++ b/rust/ql/test/query-tests/security/CWE-825/main.rs
@@ -209,4 +209,7 @@ fn main() {
 println!("test_lifetimes_example_good:");
 test_lifetimes_example_good();
+
+ println!("test_generic:");
+ test_generic();
 }
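Review bot: The test added to lifetime.rs covers only the accepted path: `generic_caller` hands `T::process` a pointer to a local that is still live, and nothing exercises a trait-dispatched call where the pointee has already gone out of scope. Since the library change in this commit follows runtime call targets, a companion bad case is what would show that real results reached through a trait method are still reported; one shape is sketched below. Its result would land on the dereference inside `process`, so the `// good` marker there would need adjusting, or the bad case could use a second implementer. A call through `dyn Processor` would also be worth covering if the query is meant to handle dynamic dispatch. As shown on this page, `generic_caller` has no visible type parameter list and the turbofish is empty, presumably lost in rendering.

```rust
// … unchanged: Processor, MyProcessor, generic_caller …

fn generic_caller_bad<T: Processor>() -> i64
{
    let ptr: *const i64;
    {
        let local_value: i64 = 10;
        ptr = &local_value as *const i64;
    } // local_value's storage ends here

    return T::process(ptr); // bad: process dereferences a pointer to a dead local
}
```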