-
Notifications
You must be signed in to change notification settings - Fork 28
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
DriverEntrySaveBuffer: Port of c28131 (#122)
* C28131 * updates to ql * update id and move out of experimental * add query to ported ca checks suite * update to also check for local pointers to structs --------- Signed-off-by: Jacob Ronstadt <[email protected]>
- Loading branch information
1 parent
ef48413
commit 53bb6fe
Showing
6 changed files
with
499 additions
and
0 deletions.
There are no files selected for viewing
23 changes: 23 additions & 0 deletions
23
src/drivers/general/queries/DriverEntrySaveBuffer/DriverEntrySaveBuffer.qhelp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| <!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd"> | ||
| <qhelp> | ||
| <overview> | ||
| <p> | ||
| The DriverEntry routine should save a copy of the argument, not the pointer, because the I/O Manager frees the buffer | ||
| </p> | ||
| </overview> | ||
| <recommendation> | ||
| <p> | ||
| The driver's DriverEntry routine is saving a copy of the pointer to the buffer instead of saving a copy of the buffer. Because the buffer is freed when the DriverEntry routine returns, the pointer to the buffer will soon be invalid. | ||
| </p> | ||
| </recommendation> | ||
| <example> | ||
| <sample src="driver_snippet.c" /> | ||
| </example> | ||
| <references> | ||
| <li> | ||
| <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28131-driverentry-saving-pointer-to-buffer"> | ||
| C28131 | ||
| </a> | ||
| </li> | ||
| </references> | ||
| </qhelp> |
41 changes: 41 additions & 0 deletions
41
src/drivers/general/queries/DriverEntrySaveBuffer/DriverEntrySaveBuffer.ql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| // Copyright (c) Microsoft Corporation. | ||
| // Licensed under the MIT license. | ||
| /** | ||
| * @id cpp/drivers/driver-entry-save-buffer | ||
| * @name Driver Entry Save Buffer | ||
| * @description C28131: The DriverEntry routine should save a copy of the argument, not the pointer, because the I/O Manager frees the buffer | ||
| * @platform Desktop | ||
| * @security.severity Medium | ||
| * @feature.area Multiple | ||
| * @impact Exploitable Design | ||
| * @repro.text | ||
| * @owner.email [email protected] | ||
| * @opaqueid CQLD-C28131 | ||
| * @kind problem | ||
| * @problem.severity warning | ||
| * @precision medium | ||
| * @tags correctness | ||
| * wddst | ||
| * @scope domainspecific | ||
| * @query-version v1 | ||
| */ | ||
|
|
||
| import cpp | ||
|
|
||
| from VariableAccess va | ||
| where | ||
| va.getParent() instanceof AssignExpr and | ||
| exists(Parameter p | p.getAnAccess() = va and p.getFunction().getName().matches("DriverEntry%")) and | ||
| ( | ||
| exists(GlobalVariable gv | | ||
| gv = va.getParent().(AssignExpr).getLValue().(VariableAccess).getTarget() | ||
| ) | ||
| or | ||
| exists(FieldAccess fa | | ||
| fa.getTarget() = va.getParent().(AssignExpr).getLValue().(VariableAccess).getTarget() and | ||
| fa.getQualifier().(VariableAccess).getTarget() instanceof LocalVariable | ||
| ) | ||
| ) | ||
| select va, | ||
| "The DriverEntry routine should save a copy of the argument $@, not the pointer, because the I/O Manager frees the buffer", | ||
| va, va.toString() |
Oops, something went wrong.