Copilot AI commented Dec 17, 2025

CodeQL reports false positives when Buffers are reused from the pool. A Buffer receives tainted data, gets returned to the pool via buf_pool_release() (which calls buf_reset(), which in turn calls memset()), then later buf_pool_get() returns it. CodeQL incorrectly flags the reused Buffer as still tainted.

Changes

Custom CodeQL query pack (.github/codeql-custom-queries/):

  • CustomSanitizers.qll - Defines BufferPoolSanitizer class recognizing these functions clear taint:
    • buf_reset(buf) - clears with memset
    • buf_pool_release(&buf) - calls buf_reset internally
    • memset(ptr, 0, size) - explicit zeroing
    • buf_pool_get() - returns sanitized buffer
  • TaintWithBufferSanitizers.ql - Taint tracking query using the sanitizers
  • qlpack.yml - Query pack definition
  • README.md - Documents the false positive pattern

CodeQL configuration:

  • Updated .github/codeql.yml to include custom query pack

The GitHub Actions workflow automatically picks up these queries on next run.

import cpp
// The "new" C/C++ data-flow library is assumed here; the legacy
// semmle.code.cpp.dataflow.DataFlow module exposes the same names.
import semmle.code.cpp.dataflow.new.DataFlow

/** A data-flow node whose taint is cleared by a Buffer-pool operation. */
class BufferPoolSanitizer extends DataFlow::Node {
  BufferPoolSanitizer() {
    // buf_pool_release(&buf): the Buffer handed back is wiped by buf_reset()
    exists(FunctionCall call |
      call.getTarget().getName() = "buf_pool_release" and
      this.asExpr() = call.getArgument(0)
    )
    or
    // buf_pool_get(): the Buffer returned has already been wiped
    exists(FunctionCall call |
      call.getTarget().getName() = "buf_pool_get" and
      this.asExpr() = call
    )
    // ... other sanitizers
  }
}
Original prompt

Some of the issues that CodeQL is finding are false-positives,
such as https://github.com/neomutt/neomutt/security/code-scanning/1205
Steps:

  1. A function gets a Buffer from the Buffer Pool - buf_pool_get()
  2. It reads into that Buffer from an untrusted source, e.g. user config
  3. It returns the Buffer to the Pool - buf_pool_release()
  4. Later another function gets that same Buffer from the Pool
  5. CodeQL believes the Buffer is tainted.
     This is a false-positive.
     When the original function calls buf_pool_release() the memory is wiped by memset() in buf_reset()

Tasks:

  1. Create a CodeQL query file that marks a Buffer's memory as NOT tainted after buf_reset() / memset()
  2. Add this query to the CodeQL GitHub Action -- https://github.com/neomutt/neomutt/blob/main/.github/workflows/codeql.yml
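The PR description names a TaintWithBufferSanitizers.ql that wires the sanitizers into a taint-tracking query but does not show it. The query below is an added example of that wiring, not the PR's own file: it covers the four sanitizers listed under Changes, and uses a constructed source (the buffer filled by fgets(), standing in for a read of user config) and a constructed sink (the string passed to system()). The predicate and module names are my own, and the example assumes the CodeQL C/C++ library version that provides the semmle.code.cpp.dataflow.new modules.

```ql
/**
 * @name Taint reaching a command sink, with Buffer-pool reuse treated as clean
 * @description Example query: data-flow barriers on buf_reset()/memset()/buf_pool_*()
 *              stop CodeQL from reporting a recycled Buffer as still tainted.
 * @kind path-problem
 * @problem.severity warning
 * @id example/buffer-pool-taint
 */

import cpp
import semmle.code.cpp.dataflow.new.TaintTracking

/** Holds if `n` is a node whose contents are wiped by a Buffer-pool operation. */
predicate isBufferPoolSanitizer(DataFlow::Node n) {
  exists(FunctionCall call |
    // buf_reset(buf) and buf_pool_release(&buf) zero the Buffer's memory
    call.getTarget().getName() = ["buf_reset", "buf_pool_release"] and
    n.asExpr() = call.getArgument(0)
  )
  or
  exists(FunctionCall call |
    // memset(ptr, 0, size): only a literal zero fill counts as clearing
    call.getTarget().getName() = "memset" and
    call.getArgument(1).getValue().toInt() = 0 and
    n.asExpr() = call.getArgument(0)
  )
  or
  exists(FunctionCall call |
    // buf_pool_get(): the Buffer handed out was wiped when it was released
    call.getTarget().getName() = "buf_pool_get" and
    n.asExpr() = call
  )
}

module BufferPoolTaintConfig implements DataFlow::ConfigSig {
  /** Constructed source: the buffer written by fgets() (stand-in for untrusted config). */
  predicate isSource(DataFlow::Node source) {
    exists(FunctionCall call |
      call.getTarget().getName() = "fgets" and
      source.asDefiningArgument() = call.getArgument(0)
    )
  }

  /** Constructed sink: the command string passed to system(). */
  predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall call |
      call.getTarget().getName() = "system" and
      sink.asExpr() = call.getArgument(0)
    )
  }

  /** Taint stops at every Buffer-pool sanitizer node. */
  predicate isBarrier(DataFlow::Node n) { isBufferPoolSanitizer(n) }
}

module BufferPoolTaint = TaintTracking::Global<BufferPoolTaintConfig>;

import BufferPoolTaint::PathGraph

from BufferPoolTaint::PathNode source, BufferPoolTaint::PathNode sink
where BufferPoolTaint::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Untrusted data from $@ reaches a command sink without passing through buf_reset().",
  source.getNode(), "this read"
```

Two points worth checking when adapting this: the barrier on buf_pool_release(&buf) removes taint only at that argument node, so a second pointer that aliases the Buffer's data field is not covered by the rule; and the memset case deliberately requires a literal zero as the fill value, so a memset with a non-constant or non-zero fill is still treated as tainted.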

Copilot AI changed the title from "[WIP] Add CodeQL query to mark buffer as not tainted" to "Add CodeQL sanitizers for Buffer pool operations to eliminate false positives" on Dec 17, 2025
Copilot AI requested a review from flatcap on December 17, 2025 03:55
flatcap force-pushed the copilot/add-codeql-query-for-buffer branch from 3508513 to 02a10a7 on December 17, 2025 12:27
flatcap marked this pull request as ready for review on December 17, 2025 12:29
flatcap force-pushed the copilot/add-codeql-query-for-buffer branch from 02a10a7 to 2493e1e on December 22, 2025 11:17
flatcap force-pushed the copilot/add-codeql-query-for-buffer branch from 2493e1e to 2fffa7a on January 4, 2026 23:52