Merge pull request #138 from microsoft/development

RI of development branch to main (03/29/24)

Author: NateD-MSFT

.github/workflows/build-codeql.yaml

@@ -1,7 +1,7 @@
 # Continuous integration action for the CodeQL components of this repo.
 # This downloads the CodeQL CLI and then builds all the queries in the "windows-drivers" folder.
 
-name: Build Windows CodeQL queries
+name: Build and Publish Windows CodeQL queries
 
 on:
   # Triggers the workflow on push or pull request events but only for the main and development branches
@@ -14,19 +14,22 @@ on:
   workflow_dispatch:
 
 jobs:
-  build:
+  build-publish:
     runs-on: windows-latest
-
+    permissions:
+      contents: read
+      packages: write
     steps:
     - name: Enable long git paths
       shell: cmd
       run: git config --global core.longpaths true
 
     - name: Clone self (windows-driver-developer-supplemental-tools)
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         path: .
-        
+        fetch-depth: 0
+
     - name: Download CodeQL CLI
       uses: i3h/download-release-asset@v1.2.0
       with:
@@ -53,7 +56,7 @@ jobs:
       run: .\codeql-cli\codeql.exe version
 
     - name: Setup Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v5
       with:
         python-version: 3.11
 
@@ -66,6 +69,7 @@ jobs:
 
     - name: Run test script
       shell: pwsh
+      continue-on-error: true # Allow script to return non-zero exit code
       env:
         CONNECTION_STRING: ${{ secrets.CONNECTION_STRING }}
         ACCOUNT_KEY: ${{ secrets.ACCOUNT_KEY }}
@@ -91,4 +95,39 @@ jobs:
       shell: cmd
       run: .\codeql-cli\codeql.cmd query compile --check-only .\src
 
-   
+    - name: Check for changes to qlpack
+      shell: pwsh
+      run: 
+        $qlpack_diff = git diff HEAD~1:src/qlpack.yml src/qlpack.yml;
+        $rec_diff = git diff HEAD~1:src/windows-driver-suites/windows_recommended_partial.qls src/windows-driver-suites/windows_recommended_partial.qls;
+        $mf_diff = git diff HEAD~1:src/windows-driver-suites/windows_mustfix_partial.qls src/windows-driver-suites/windows_mustfix_partial.qls;
+        if (!$qlpack_diff -and ($rec_diff -or $mf_diff)) { "Query suite file updated without updating qlpack version"; exit 1 }
+
+        $last_qlpack_commit = git log -n 1 --pretty=format:%H -- src/qlpack.yml;
+        $qlpack_changes =git show $last_qlpack_commit -- .\src\qlpack.yml;
+      
+        $last_mf_commit = git log -n 1 --pretty=format:%H -- src/windows-driver-suites/windows_mustfix_partial.qls;
+        $last_rec_commit = git log -n 1 --pretty=format:%H -- src/windows-driver-suites/windows_recommended_partial.qls;
+        $commits_since_qlpack_change = [int](git rev-list --count HEAD...$last_qlpack_commit);
+        $commits_since_mf_change = [int](git rev-list --count HEAD...$last_mf_commit);
+        $commits_since_rec_change = [int](git rev-list --count HEAD...$last_rec_commit);
+
+        if ($commits_since_qlpack_change -gt $commits_since_mf_change) { "Mustfix query suite file modified without updating version"; exit 1 }; 
+        if ($commits_since_qlpack_change -gt $commits_since_rec_change) {"Recommended query suite file modified without updating version"; exit 1 };
+
+        try{$old_qlpack_version = [version]($qlpack_changes -match "-version").Substring(10);} catch {"Changed qlpack.yml without updating version"; exit 1 }
+        try{$new_qlpack_version = [version]($qlpack_changes -match "\+version").Substring(10);} catch {"Changed qlpack.yml without updating version"; exit 1 }
+        if ($new_qlpack_version -gt $old_qlpack_version) { exit 0 } else { "qlpack.yml version not incremented"; exit 1 }
+
+    - name: Publish New CodeQL Pack
+      shell: pwsh
+      env:
+        GITHUB_TOKEN:  ${{ secrets.GITHUB_TOKEN }}
+
+      run: 
+        $build = git rev-parse --short HEAD;
+        $version =( Select-String .\src\qlpack.yml -Pattern "version").line;
+        $new_ver = "$version-alpha+$build";
+        (Get-Content .\src\qlpack.yml).Replace($version, $new_ver) | Set-Content .\src\qlpack.yml;
+        .\codeql-cli\codeql.cmd pack publish --allow-prerelease ./src;
+    

.gitignore

@@ -8,6 +8,8 @@ Debug/*
 
 src/drivers/test/**/driver/Debug/*
 src/drivers/test/**/driver/x64/*
+src/drivers/test/**/x64/*
+src/drivers/test/**/Debug/*
 src/drivers/test/TestDB/*
 src/drivers/test/working/*
 src/drivers/test/AnalysisFiles/*

README.md

@@ -4,20 +4,20 @@ This repository contains open-source components for supplemental use in developi
 
 ### For General Use
 
-|  CodeQL CLI version      | microsoft/windows-drivers qlpack version  |Associated Repo Branch|
-|--------------------------|-------------------------------------------|------------------------|
-| 2.15.4                   | latest                                     |main |
+|  CodeQL CLI version      | microsoft/windows-drivers qlpack version | codeql/cpp-queries version  |Associated Repo Branch|
+|--------------------------|-------------------------------------------|------------------------|------------------------|
+| 2.15.4                   | latest                                    | latest |main |
 
 ### For Windows Hardware Compatibility Program Use
 
 ### Windows Hardware Compatibility Program Release Version Matrix
-| Release                  | CodeQL CLI version | microsoft/windows-drivers qlpack version|Associated Repo Branch|
-|--------------------------|--------------------|-----------------------------------------|----------------------|
-| Windows Server 2022      | [2.4.6](https://github.com/github/codeql-cli-binaries/releases/tag/v2.4.6) or [2.15.4](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.4)|  1.0.13 (If using codeql 2.15.4)|WHCP_21H2  |
-| Windows 11               | [2.4.6](https://github.com/github/codeql-cli-binaries/releases/tag/v2.4.6) or [2.15.4](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.4)|  1.0.13 (If using codeql 2.15.4)|WHCP_21H2|
-| Windows 11, version 22H2 | [2.6.3](https://github.com/github/codeql-cli-binaries/releases/tag/v2.6.3) or [2.15.4](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.4)|  1.0.13 (If using codeql 2.15.4)|WHCP_22H2|
-| Windows 11, version 23H2 | [2.6.3](https://github.com/github/codeql-cli-binaries/releases/tag/v2.6.3) or [2.15.4](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.4)|  1.0.13 (If using codeql 2.15.4)|WHCP_22H2|
-| Windows 11, version 24H2 | [2.15.4](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.4)		        |  1.1.0 |  WHCP_24H2 |
+| Release                  | CodeQL CLI version | microsoft/windows-drivers qlpack version| codeql/cpp-queries version | Associated Repo Branch|
+|--------------------------|--------------------|-----------------------------------------|----------------------|-----------------------------|
+| Windows Server 2022      | [2.4.6](https://github.com/github/codeql-cli-binaries/releases/tag/v2.4.6) or [2.15.4](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.4)|  1.0.13 (If using codeql 2.15.4)| 0.9.0 (If using codeql 2.15.4) | WHCP_21H2|
+| Windows 11               | [2.4.6](https://github.com/github/codeql-cli-binaries/releases/tag/v2.4.6) or [2.15.4](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.4)|  1.0.13 (If using codeql 2.15.4)| 0.9.0 (If using codeql 2.15.4)|WHCP_21H2|
+| Windows 11, version 22H2 | [2.6.3](https://github.com/github/codeql-cli-binaries/releases/tag/v2.6.3) or [2.15.4](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.4)|  1.0.13 (If using codeql 2.15.4)| 0.9.0 (If using codeql 2.15.4)|WHCP_22H2|
+| Windows 11, version 23H2 | [2.6.3](https://github.com/github/codeql-cli-binaries/releases/tag/v2.6.3) or [2.15.4](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.4)|  1.0.13 (If using codeql 2.15.4)| 0.9.0 (If using codeql 2.15.4)|WHCP_22H2|
+| Windows 11, version 24H2 | [2.15.4](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.4)		        |  1.1.0 | 0.9.0  |  WHCP_24H2 |
 
 
 
@@ -69,14 +69,18 @@ This repository contains open-source components for supplemental use in developi
     
     **Note:** It is no longer necessary to clone the Windows-Driver-Developer-Supplemental-Tools repo to use the queries for certification.
     
-	Download the correct version of the microsoft/windows-drivers pack from the Windows Hardware Compatibility Program Release Version Matrix:
-    ```
+	Download the correct version of the CodeQL packs from the Windows Hardware Compatibility Program Release Version Matrix:
+	```
     codeql pack download microsoft/windows-drivers@<version>
 	```
+    
+	```
+    codeql pack download codeql/cpp-queries@<version>
+	```
 
-	CodeQL will install the microsoft/windows-drivers pack to the default directory `C:\Users\<current user>\.codeql\packages\microsoft\windows-drivers\<downloaded version>\`. Do not change this directory or move the installed pack.
+	CodeQL will install the packs to the default directory `C:\Users\<current user>\.codeql\packages\microsoft\windows-drivers\<downloaded version>\`. Do not change this directory or move the installed pack.
 	
-    For examples, if using WHCP_24H2, run the following command to download query pack:
+    For examples, if using WHCP_24H2, run the following command to download query the microsoft/windows-drivers pack:
 
     ```
     codeql pack download microsoft/windows-drivers@1.1.0

src/drivers/general/queries/IrqlTooHigh/IrqlTooHigh.ql

@@ -2,15 +2,15 @@
 // Licensed under the MIT license.
 /**
  * @id cpp/drivers/irql-too-high
- * @name IRQL too high (C28120)
+ * @name IRQL too high (C28121)
  * @description A function annotated with IRQL requirements was called at an IRQL too high for the requirements.
  * @platform Desktop
  * @security.severity Low
  * @feature.area Multiple
  * @impact Exploitable Design
  * @repro.text The following function call is taking place at an IRQL too high for what the call target is annotated as.
  * @owner.email sdat@microsoft.com
- * @opaqueid CQLD-C28120
+ * @opaqueid CQLD-C28121
  * @kind problem
  * @problem.severity warning
  * @precision medium

src/drivers/general/queries/IrqlTooHigh/IrqlTooHigh.sarif

@@ -6,7 +6,7 @@
       "driver" : {
         "name" : "CodeQL",
         "organization" : "GitHub",
-        "semanticVersion" : "2.14.4",
+        "semanticVersion" : "2.15.4",
         "notifications" : [ {
           "id" : "cpp/baseline/expected-extracted-files",
           "name" : "cpp/baseline/expected-extracted-files",
@@ -27,7 +27,7 @@
           "id" : "cpp/drivers/irql-too-high",
           "name" : "cpp/drivers/irql-too-high",
           "shortDescription" : {
-            "text" : "IRQL too high (C28120)"
+            "text" : "IRQL too high (C28121)"
           },
           "fullDescription" : {
             "text" : "A function annotated with IRQL requirements was called at an IRQL too high for the requirements."
@@ -43,8 +43,8 @@
             "id" : "cpp/drivers/irql-too-high",
             "impact" : "Exploitable Design",
             "kind" : "problem",
-            "name" : "IRQL too high (C28120)",
-            "opaqueid" : "CQLD-C28120",
+            "name" : "IRQL too high (C28121)",
+            "opaqueid" : "CQLD-C28121",
             "owner.email" : "sdat@microsoft.com",
             "platform" : "Desktop",
             "precision" : "medium",
@@ -58,7 +58,7 @@
       },
       "extensions" : [ {
         "name" : "microsoft/windows-drivers",
-        "semanticVersion" : "0.2.0+4842fd4116871d3b47eede85c2c4497b43c34d57",
+        "semanticVersion" : "1.1.0+2affc3c634804dac7504a483a378cc9ba22a0f0b",
         "locations" : [ {
           "uri" : "file:///C:/codeql-home/Windows-Driver-Developer-Supplemental-Tools/src/",
           "description" : {

src/drivers/general/queries/IrqlTooLow/IrqlTooLow.ql

@@ -2,15 +2,15 @@
 // Licensed under the MIT license.
 /**
  * @id cpp/drivers/irql-too-low
- * @name IRQL too low (C28121)
+ * @name IRQL too low (C28120)
  * @description A function annotated with IRQL requirements was called at an IRQL too low for the requirements.
  * @platform Desktop
  * @security.severity Low
  * @feature.area Multiple
  * @impact Exploitable Design
  * @repro.text The following function call is taking place at an IRQL too low for what the call target is annotated as.
  * @owner.email sdat@microsoft.com
- * @opaqueid CQLD-C28121
+ * @opaqueid CQLD-C28120
  * @kind problem
  * @problem.severity warning
  * @precision medium

src/drivers/general/queries/IrqlTooLow/IrqlTooLow.sarif

@@ -6,7 +6,7 @@
       "driver" : {
         "name" : "CodeQL",
         "organization" : "GitHub",
-        "semanticVersion" : "2.14.4",
+        "semanticVersion" : "2.15.4",
         "notifications" : [ {
           "id" : "cpp/baseline/expected-extracted-files",
           "name" : "cpp/baseline/expected-extracted-files",
@@ -27,7 +27,7 @@
           "id" : "cpp/drivers/irql-too-low",
           "name" : "cpp/drivers/irql-too-low",
           "shortDescription" : {
-            "text" : "IRQL too low (C28121)"
+            "text" : "IRQL too low (C28120)"
           },
           "fullDescription" : {
             "text" : "A function annotated with IRQL requirements was called at an IRQL too low for the requirements."
@@ -43,8 +43,8 @@
             "id" : "cpp/drivers/irql-too-low",
             "impact" : "Exploitable Design",
             "kind" : "problem",
-            "name" : "IRQL too low (C28121)",
-            "opaqueid" : "CQLD-C28121",
+            "name" : "IRQL too low (C28120)",
+            "opaqueid" : "CQLD-C28120",
             "owner.email" : "sdat@microsoft.com",
             "platform" : "Desktop",
             "precision" : "medium",
@@ -58,7 +58,7 @@
       },
       "extensions" : [ {
         "name" : "microsoft/windows-drivers",
-        "semanticVersion" : "0.2.0+4842fd4116871d3b47eede85c2c4497b43c34d57",
+        "semanticVersion" : "1.1.0+2affc3c634804dac7504a483a378cc9ba22a0f0b",
         "locations" : [ {
           "uri" : "file:///C:/codeql-home/Windows-Driver-Developer-Supplemental-Tools/src/",
           "description" : {

src/drivers/general/queries/MultithreadedAVCondition/MultithreadedAVCondition.qhelp

@@ -0,0 +1,55 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+	<overview>
+		<p>
+			This warning indicates that a thread has potential to access deleted objects if preempted. Unlike the Code Analysis version of this query, this query does not currently verify the use of any synchronization mechanisms, so it may produce false positives.
+		</p>
+	</overview>
+	<recommendation>
+		<p>
+			There should be no access to a reference-counted object after the reference count is at zero
+		</p>
+	</recommendation>
+	<example>
+		<p>
+			In this example, m_cRef is a member of this. A thread T1 executes the if condition, decrements m_cRef to 1, and is then preempted. Another thread T2 executes the if condition, decrements m_cRef to 0, executes the if body (where this is deleted), and returns NULL.		
+		</p>
+			<sample language="c"><![CDATA[
+			ULONG Release_bad()
+			{
+				if (0 == InterlockedDecrement(&m_cRef))
+				{
+					delete this;
+					return NULL;
+				}
+				/* this.m_cRef isn't thread safe */
+				return m_cRef;
+			}
+			]]>
+		</sample>
+		<p>
+			The following code does not reference any heap memory after the object is deleted.
+		</p>
+		<sample language="c"><![CDATA[
+		ULONG CObject::Release()
+		{
+			ASSERT(0 != m_cRef);
+			ULONG cRef = InterlockedDecrement(&m_cRef);
+			if (0 == cRef)
+			{
+				delete this;
+				return NULL;
+			}
+			return cRef;
+		}
+		]]>
+		</sample>
+	</example>
+	<references>
+		<li>
+			<a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28616-multithreaded-av-condition">
+				Warning C28616
+			</a>
+		</li>
+	</references>
+</qhelp>

src/drivers/general/queries/MultithreadedAVCondition/MultithreadedAVCondition.ql

@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * @id cpp/drivers/multithreaded-av-condition
+ * @name Multithreaded Access Violation Condition
+ * @description This warning indicates that a thread has potential to access deleted objects if preempted.
+ * @platform Desktop
+ * @security.severity Medium
+ * @feature.area Multiple
+ * @impact Exploitable Design
+ * @repro.text There should be no access to a reference-counted object after the reference count is at zero
+ * @owner.email sdat@microsoft.com
+ * @opaqueid CQLD-C28616
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       wddst
+ * @scope domainspecific
+ * @query-version v1
+ */
+
+import cpp
+import semmle.code.cpp.ir.IR
+
+from BasicBlock delBlock, BasicBlock useBlock, ThisExpr t, PointerFieldAccess p
+where
+  exists(DeleteExpr del | del.getExpr() = t) and
+  t.getEnclosingDeclaration() = p.getQualifier().getEnclosingDeclaration() and
+  p.getEnclosingDeclaration() = t.getEnclosingDeclaration() and
+  delBlock = t.getBasicBlock() and
+  useBlock = p.getBasicBlock() and
+  not useBlock.contains(delBlock) and
+  not delBlock.contains(useBlock) and
+  not delBlock.getAPredecessor*() = useBlock and
+  delBlock.getAPredecessor*() = useBlock.getAPredecessor*()
+select p, "Possible Multithreaded Access Violation. Object deleted $@ but member $@ referenced", t, "here", p, p.toString()