NullPointerCharacterAssignment: CodeQL port of C28730 (#146)
CodeQL port of C28730
jacob-ronstadt committed Aug 23, 2024
1 parent c2febb9 commit c8369c9
Showing 5 changed files with 398 additions and 0 deletions.
@@ -0,0 +1,46 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
Possible assignment of '\\0' directly to a pointer
</p>
</overview>
<recommendation>
<p>
This warning indicates a probable typographical error: a null character is being assigned to a pointer; it is probably the case that the character is intended as a string terminator and should be assigned to the memory where the pointer is pointing.
</p>
</recommendation>
<example>
<p>
Example of incorrect assignment of '\0' to a pointer
</p>
<sample language="c"> <![CDATA[
char a[8];
char *p = a;
char x = 0;
char y = '0';
p = '\0'; // should be *p = '\0';
}]]>
</sample>
<p>
Example of correct assignment of '\0' to where the pointer is pointing
</p>
<sample language="c"> <![CDATA[
char a[8];
char *p = a;
*p = '\0'; // correct!
}]]>
</sample>
</example>
<semmleNotes>
<p>
</p>
</semmleNotes>
<references>
<li>
<a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28730-possible-null-character-assignment">
Warning C28730
</a>
</li>
</references>
</qhelp>
@@ -0,0 +1,30 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
/**
* @id cpp/drivers/null-character-pointer-assignment
* @kind problem
* @name Null Character Pointer Assignment
* @description Possible assignment of '\\0' directly to a pointer
* @platform Desktop
* @feature.area Multiple
* @impact Insecure Coding Practice
* @repro.text
* @owner.email: [email protected]
* @opaqueid CQLD-C28730
* @problem.severity warning
* @precision medium
* @tags correctness
* @scope domainspecific
* @query-version v1
*/


import cpp

from CharLiteral s, Assignment a
where
s.getCharacter() = "\\0" and
a.getRValue() = s and
a.getLValue().getType().getName().matches("% *")

select a,"Possible assignment of '\\0' directly to a pointer"
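Review bot: The pointer test on the last `where` line, `a.getLValue().getType().getName().matches("% *")`, compares the printed type name, so it will likely miss pointer typedefs that are common in driver code (e.g. `PCHAR`, `PSTR`) and qualified pointers whose names do not end in ` *`. Checking the type structurally is more robust: `a.getLValue().getType().getUnspecifiedType() instanceof PointerType`. Likewise `s.getCharacter() = "\\0"` matches only the `\0` spelling; if `'\x00'` or `'\000'` should be reported too, `s.getValue() = "0"` would cover them, which is worth confirming against the intended C28730 behaviour. Separately, the `@description` text does not appear to be escape-processed, so `'\\0'` reaches the rule metadata with a doubled backslash (the SARIF baseline in this commit records it as `'\\\\0'`, while the result message has the intended `'\\0'`).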
@@ -0,0 +1,274 @@
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "CodeQL",
"organization": "GitHub",
"semanticVersion": "2.17.6",
"notifications": [
{
"id": "cpp/baseline/expected-extracted-files",
"name": "cpp/baseline/expected-extracted-files",
"shortDescription": {
"text": "Expected extracted files"
},
"fullDescription": {
"text": "Files appearing in the source archive that are expected to be extracted."
},
"defaultConfiguration": {
"enabled": true
},
"properties": {
"tags": [
"expected-extracted-files",
"telemetry"
]
}
},
{
"id": "cpp/extractor/summary",
"name": "cpp/extractor/summary",
"shortDescription": {
"text": "C++ extractor telemetry"
},
"fullDescription": {
"text": "C++ extractor telemetry"
},
"defaultConfiguration": {
"enabled": true
}
}
],
"rules": [
{
"id": "cpp/drivers/null-character-pointer-assignment",
"name": "cpp/drivers/null-character-pointer-assignment",
"shortDescription": {
"text": "Null Character Pointer Assignment"
},
"fullDescription": {
"text": "Possible assignment of '\\\\0' directly to a pointer"
},
"defaultConfiguration": {
"enabled": true,
"level": "warning"
},
"properties": {
"tags": [
"correctness"
],
"description": "Possible assignment of '\\\\0' directly to a pointer",
"feature.area": "Multiple",
"id": "cpp/drivers/null-character-pointer-assignment",
"impact": "Insecure Coding Practice",
"kind": "problem",
"name": "Null Character Pointer Assignment",
"opaqueid": "CQLD-C28730",
"owner.email:": "[email protected]",
"platform": "Desktop",
"precision": "medium",
"problem.severity": "warning",
"query-version": "v1",
"repro.text": "",
"scope": "domainspecific"
}
}
]
},
"extensions": [
{
"name": "microsoft/windows-drivers",
"semanticVersion": "1.1.0+2034189b0eace12539d3b51ced8d39b9cc9717f0",
"locations": [
{
"uri": "file:///C:/codeql-home/WDDST/src/",
"description": {
"text": "The QL pack root directory."
}
},
{
"uri": "file:///C:/codeql-home/WDDST/src/qlpack.yml",
"description": {
"text": "The QL pack definition file."
}
}
]
}
]
},
"invocations": [
{
"toolExecutionNotifications": [
{
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "driver/driver_snippet.c",
"uriBaseId": "%SRCROOT%",
"index": 0
}
}
}
],
"message": {
"text": ""
},
"level": "none",
"descriptor": {
"id": "cpp/baseline/expected-extracted-files",
"index": 0
},
"properties": {
"formattedMessage": {
"text": ""
}
}
},
{
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "driver/fail_driver1.h",
"uriBaseId": "%SRCROOT%",
"index": 1
}
}
}
],
"message": {
"text": ""
},
"level": "none",
"descriptor": {
"id": "cpp/baseline/expected-extracted-files",
"index": 0
},
"properties": {
"formattedMessage": {
"text": ""
}
}
},
{
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "driver/fail_driver1.c",
"uriBaseId": "%SRCROOT%",
"index": 2
}
}
}
],
"message": {
"text": ""
},
"level": "none",
"descriptor": {
"id": "cpp/baseline/expected-extracted-files",
"index": 0
},
"properties": {
"formattedMessage": {
"text": ""
}
}
},
{
"message": {
"text": "Internal telemetry for the C++ extractor.\n\nNo action needed.",
"markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed."
},
"level": "note",
"timeUtc": "2024-08-17T05:27:20.110+00:00",
"descriptor": {
"id": "cpp/extractor/summary",
"index": 1
},
"properties": {
"attributes": {
"cache-hits": 0,
"cache-misses": 1,
"extractor-failures": 1,
"extractor-successes": 0,
"trap-caching": "disabled"
},
"visibility": {
"statusPage": false,
"telemetry": true
}
}
}
],
"executionSuccessful": true
}
],
"artifacts": [
{
"location": {
"uri": "driver/driver_snippet.c",
"uriBaseId": "%SRCROOT%",
"index": 0
}
},
{
"location": {
"uri": "driver/fail_driver1.h",
"uriBaseId": "%SRCROOT%",
"index": 1
}
},
{
"location": {
"uri": "driver/fail_driver1.c",
"uriBaseId": "%SRCROOT%",
"index": 2
}
}
],
"results": [
{
"ruleId": "cpp/drivers/null-character-pointer-assignment",
"ruleIndex": 0,
"rule": {
"id": "cpp/drivers/null-character-pointer-assignment",
"index": 0
},
"message": {
"text": "Possible assignment of '\\0' directly to a pointer"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "driver/driver_snippet.c",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 18,
"startColumn": 5,
"endColumn": 13
}
}
}
],
"partialFingerprints": {
"primaryLocationLineHash": "3c26f4ab5be28a11:1",
"primaryLocationStartColumnFingerprint": "0"
}
}
],
"columnKind": "utf16CodeUnits",
"properties": {
"semmle.formatSpecifier": "sarifv2.1.0"
}
}
]
}
@@ -0,0 +1,27 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.

// Macros to enable or disable a code section that may or may not conflict with this test.
#define SET_DISPATCH 1

// Template function. Not used for this test.
void top_level_call()
{
}
void test_bad()
{
char a[8];
char *p = a;
char x = 0;
char y = '0';

p = '\0'; // should be *p = '\0';
}

void test_good()
{
char a[8];
char *p = a;
*p = '\0'; // correct!
}
// TODO add tests for query
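Review bot: The test file exercises only one spelling on one pointer type, `p = '\0'` on a plain `char *` in `test_bad`, while `x` and `y` are declared but never used, so the near-miss cases they hint at are not actually checked. Adding negative cases such as `p = 0;` and `*p = y;`, and a positive case through a pointer typedef (e.g. `typedef char *PCH; PCH q = a; q = '\0';`), would pin the query's false-positive and false-negative behaviour in the expected results. The trailing `// TODO add tests for query` comment should then be removed or made specific, since this file is the test input.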