Probable UseAfterFree (Windows Driver CodeQL Query)

Overview

This CodeQL query has lower precision than the high-precision UseAfterFree CodeQL query. It detects some additional scenarios, but also has a higher rate of false positives.

A UseAfterFree defect occurs when an allocated memory block is used after it has been freed (also known as a "dangling pointer").

Behavior in such cases is undefined and in practice may have unintended consequences including memory corruption, use of incorrect values, or arbitrary code execution.

Recommendation

Set pointers to NULL immediately after they are freed.

Example

In the following example, pSomePointer is freed only if Status value was not zero, and before dereferencing pSomePointer to call Method, Status is checked again. Unfortunately Status was changed between the two references to pSomePointer, which allows for the possibility that the call to pSomePointer->Method() is being performed over a previously freed pointer.

NTSTATUS Status = x();

if (Status != 0)
{
    // Release pSomePointer if the call to x() failed

    ExFreePool(pSomePointer);
}

Status = y();

if (Status == 0)
{
    // Because Status may no longer be the same value than it was before the pointer was released,
    // this code may be using pSomePointer after it was freed, potentially executing arbitrary code.

    Status = pSomePointer->Method();
}

In the corrected example, pSomePointer is set to NULL immediately after being freed, and the condition to check if it is safe to call pSomePointer->Method() checks for this additional condition to prevent the possible bug.

NTSTATUS Status = x();

if (Status != 0)
{
    // Release pSomePointer if the call to x() failed

    ExFreePool(pSomePointer);

    // Setting pSomePointer to NULL after being freed
    pSomePointer = NULL;
}

Status = y();

// If pSomePointer was freed above, its value must have been set to NULL
if (Status == 0 && pSomePointer != NULL)
{
    Status = pSomePointer->Method();
}

Additional Details

This query can be found in the Microsoft GitHub CodeQL repository. See the CodeQL and the Static Tools Logo Test page for details on how Windows Driver developers can download and run CodeQL.