UAF not flagged

[tardigrade-9]

I borrowed the query from UseAfterFree.ql present in CodeQL repo and modified to include a custom free function, but the query is not flagging UAF.

import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.ir.IR
import semmle.code.cpp.security.flowafterfree.FlowAfterFree
import semmle.code.cpp.security.flowafterfree.UseAfterFree
import UseAfterFreeTrace::PathGraph

module UseAfterFreeParam implements FlowFromFreeParamSig {
  predicate isSink = isUse/2;

  predicate isExcluded = isExcludedMmFreePageFromMdl/2;

  predicate sourceSinkIsRelated = defaultSourceSinkIsRelated/2;
}

import UseAfterFreeParam

module UseAfterFreeTrace = FlowFromFree<UseAfterFreeParam>;

class FreeAddrInfo extends DeallocationExpr,FunctionCall {

    FreeAddrInfo() {
        this.getTarget().hasGlobalName("freeaddrinfo")
    }

    override Expr getFreedExpr(){
        result = this.getArgument(0)
    }
}

from UseAfterFreeTrace::PathNode source, UseAfterFreeTrace::PathNode sink, FreeAddrInfo dealloc
where
  UseAfterFreeTrace::flowPath(source, sink) and
  isFree(source.getNode(), _, _, dealloc)
select sink.getNode(), source, sink, "Memory may have been previously freed by $@.", dealloc,
  dealloc.toString()

I'm trying to analyse https://nvd.nist.gov/vuln/detail/CVE-2021-38383

[Malikrehman00107]

Verify that freeaddrinfo is correctly identified and matches the signature expected by the UseAfterFree query. Ensure that the function call this.getTarget().hasGlobalName("freeaddrinfo") correctly identifies the freeaddrinfo function.

[mbg]

Hi @tardigrade-9 👋

Sorry for the late reply, your question seems to have fallen through the cracks last month.

Do you have a minimal code example where you would expect your query to find a result, but it doesn't?

Have you checked (e.g. by using the quick eval feature in the VSCode extension) that FreeAddrInfo can find the call to freeaddrinfo in your test database?