use-after-free.yaml

rules:
  - id: raptor-use-after-free
    metadata:
      author: Marco Ivaldi <raptor@0xdeadbeef.info>
      references:
        - https://cwe.mitre.org/data/definitions/416
        - https://github.com/struct/mms
        - https://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-2016-v01.pdf
        - https://docs.microsoft.com/en-us/cpp/sanitizers/asan-error-examples
      confidence: MEDIUM
      # NOTE: C++ delete and delete[] operators are not covered.
      # NOTE: realloc() is not covered.
      # NOTE: see also cpp.use-after-free.*.
    message: >-
      The use of previously-freed memory can have any number of adverse
      consequences, ranging from the corruption of valid data to the
      execution of arbitrary code, depending on the instantiation and
      timing of the flaw. The simplest way data corruption may occur
      involves the system's reuse of the freed memory.
    severity: ERROR
    languages:
      - c
      - cpp
    patterns:
      - pattern-either:
        # generic use after free
        - pattern: $PTR->$MEM
        - pattern: $PTR[$POS]
        - pattern: (*$PTR)
        # use after free in return
        - pattern: return $PTR;
        # use after free in function calls
        - patterns:
          - pattern-either:
            - pattern: $FUN(..., <... $PTR ...>, ...)
            - pattern: $FUN(..., <... $PTR->$MEM ...>, ...)
            - pattern: $FUN(..., <... $PTR[$POS] ...>, ...)
            - pattern: $FUN(..., <... (*$PTR) ...>, ...)
            - pattern: $PTR->$FUN(...)
          # filter out double free instances
          - metavariable-pattern:
              metavariable: $FUN
              patterns:
                - pattern-not: free
      - pattern-inside: free($PTR); ...
      - pattern-not-inside: |
          free($PTR);
          ...
          $PTR = $EXPR; 
          ...