
Commit a55920b

authored
Merge pull request #91 from microsoft/development
RI of development branch to main (11/21/23).
2 parents 163198f + 0976a3c commit a55920b

58 files changed

Lines changed: 4685 additions & 671 deletions


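--- a/.github/workflows/build-codeql.yaml
+++ b/.github/workflows/build-codeql.yaml
@@ -32,7 +32,7 @@ jobs:
 with:
 owner: "github"
 repo: "codeql-cli-binaries"
-tag: "v2.11.5"
+tag: "v2.15.1"
 file: "codeql-win64.zip"
 
 - name: Unzip CodeQL CLI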

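--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ This repository contains open-source components for supplemental use in developi
 
 | Branch to use | CodeQL CLI version |
 |--------------------------|--------------------|
-| main | 2.11.5 |
+| main | 2.15.1 |
 
 ### For Windows Hardware Compatibility Program Use
 
@@ -17,7 +17,7 @@ This repository contains open-source components for supplemental use in developi
 | Windows 11 | WHCP_21H2 | 2.4.6 |
 | Windows 11, version 22H2 | WHCP_22H2 | 2.6.3 |
 
-For general use, use the `main` branch along with [version 2.11.5 of the CodeQL CLI](https://github.com/github/codeql-cli-binaries/releases/tag/v2.11.5).
+For general use, use the `main` branch along with [version 2.15.1 of the CodeQL CLI](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.1).
 
 ## Quickstart
 
@@ -30,7 +30,7 @@ For general use, use the `main` branch along with [version 2.11.5 of the CodeQL
 
 For the WHCP Program, use the CodeQL CLI version in accordance with the table above and Windows release you are certifying for: [version 2.4.6](https://github.com/github/codeql-cli-binaries/releases/tag/v2.4.6) or [version 2.6.3](https://github.com/github/codeql-cli-binaries/releases/tag/v2.6.3).
 
-For general use with the `main` branch, use [CodeQL CLI version 2.11.5](https://github.com/github/codeql-cli-binaries/releases/tag/v2.11.5).
+For general use with the `main` branch, use [CodeQL CLI version 2.15.1](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.1).
 
 
 1. Clone and install the Windows Driver Developer Supplemental Tools repository which contains the CodeQL queries specific for drivers:
@@ -40,7 +40,7 @@ For general use, use the `main` branch along with [version 2.11.5 of the CodeQL
 D:\codeql-home\>git clone https://github.com/microsoft/Windows-Driver-Developer-Supplemental-Tools.git --recurse-submodules
 ```
 
-For MAIN BRANCH use:
+For MAIN AND DEVELOPMENT BRANCHES use:
 
 ```
 D:\codeql-home\>git clone https://github.com/microsoft/Windows-Driver-Developer-Supplemental-Tools.git
@@ -56,8 +56,8 @@ For general use, use the `main` branch along with [version 2.11.5 of the CodeQL
 1. Verify CodeQL is installed correctly by checking the version:
 ```
 D:\codeql-home\codeql>codeql --version
-CodeQL command-line toolchain release 2.11.5.
-Copyright (C) 2019-2022 GitHub, Inc.
+CodeQL command-line toolchain release 2.15.1.
+Copyright (C) 2019-2023 GitHub, Inc.
 Unpacked in: D:\codeql-home\codeql
 Analysis results depend critically on separately distributed query and
 extractor modules. To list modules that are visible to the toolchain,
@@ -68,7 +68,7 @@ For general use, use the `main` branch along with [version 2.11.5 of the CodeQL
 
 For WHCP BRANCHES: Skip this step.
 
-For MAIN BRANCH use:
+For MAIN AND DEVELOPMENT BRANCHES use:
 
 ```
 D:\codeql-home\codeql>codeql pack install D:\codeql-home\Windows-Driver-Developer-Supplemental-Tools\src
@@ -77,11 +77,11 @@ For general use, use the `main` branch along with [version 2.11.5 of the CodeQL
 1. Build your CodeQL database:
 
 ```
-D:\codeql-home\codeql>codeql database create <path to new database> --language=cpp --source=<driver parent directory> --command=<build command or path to build file>
+D:\codeql-home\codeql>codeql database create <path to new database> --language=cpp --source-root=<driver parent directory> --command=<build command or path to build file>
 ```
-Single driver example: `codeql database create D:\DriverDatabase --language=cpp --source=D:\Drivers\SingleDriver --command="msbuild /t:rebuild D:\Drivers\SingleDriver\SingleDriver.sln"`
+Single driver example: `codeql database create D:\DriverDatabase --language=cpp --source-root=D:\Drivers\SingleDriver --command="msbuild /t:rebuild D:\Drivers\SingleDriver\SingleDriver.sln"`
 
-Multiple drivers example: `codeql database create D:\SampleDriversDatabase --language=cpp --source=D:\AllMyDrivers\SampleDrivers --command=D:\AllMyDrivers\SampleDrivers\BuildAllSampleDrivers.cmd`
+Multiple drivers example: `codeql database create D:\SampleDriversDatabase --language=cpp --source-root=D:\AllMyDrivers\SampleDrivers --command=D:\AllMyDrivers\SampleDrivers\BuildAllSampleDrivers.cmd`
 
 _(Parameters: path for your new database, language, driver source directory, build command.)_
 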
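--- a/src/codeql-pack.lock.yml
+++ b/src/codeql-pack.lock.yml
@@ -2,11 +2,19 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/cpp-all:
-version: 0.4.6
-codeql/ssa:
-version: 0.0.7
+version: 0.10.1
 codeql/cpp-queries:
-version: 0.4.6
+version: 0.8.1
+codeql/dataflow:
+version: 0.1.1
+codeql/ssa:
+version: 0.2.1
 codeql/suite-helpers:
-version: 0.3.6
+version: 0.7.1
+codeql/tutorial:
+version: 0.2.1
+codeql/typetracking:
+version: 0.2.1
+codeql/util:
+version: 0.2.1
 compiled: false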

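--- a/src/drivers/general/queries/IrqlNotSaved/IrqlNotSaved.ql
+++ b/src/drivers/general/queries/IrqlNotSaved/IrqlNotSaved.ql
@@ -22,23 +22,8 @@
 
 import cpp
 import drivers.libraries.Irql
-import semmle.code.cpp.dataflow.DataFlow
-import semmle.code.cpp.dataflow.DataFlow2
-
-/**
-* A function that has at least one parameter annotated with "\_IRQL\_save\_".
-*/
-class IrqlSaveFunction extends Function {
-Parameter p;
-int irqlIndex;
-
-IrqlSaveFunction() {
-p = this.getParameter(irqlIndex) and
-p instanceof IrqlSaveParameter
-}
-
-int getIrqlIndex() { result = irqlIndex }
-}
+import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow2
 
 /**
 * A data-flow configuration describing flow from an
@@ -55,7 +40,12 @@ class IrqlFlowConfiguration extends DataFlow::Configuration {
 override predicate isSink(DataFlow::Node sink) {
 exists(FunctionCall fc, FundamentalIrqlSaveFunction fisf |
 fc.getTarget() = fisf and
-sink.asExpr() = fc.getArgument(fisf.getIrqlIndex())
+(
+sink.asExpr() =
+fc.getArgument(fisf.(IrqlSavesGlobalAnnotatedFunction).getIrqlParameterSlot())
+or
+sink.asExpr() = fc.getArgument(fisf.(IrqlSavesToParameterFunction).getIrqlParameterSlot())
+)
 )
 }
 }
@@ -65,17 +55,25 @@ class IrqlFlowConfiguration extends DataFlow::Configuration {
 * by the Windows OS itself. This is in general in a Windows Kits header. For
 * extra clarity and internal use, we also list the exact header files.
 */
-class FundamentalIrqlSaveFunction extends IrqlSaveFunction {
+class FundamentalIrqlSaveFunction extends IrqlSavesFunction {
 FundamentalIrqlSaveFunction() {
-this.getFile().getAbsolutePath().matches("%Windows Kits%.h") or
-this.getFile()
-.getBaseName()
-.matches(["wdm.h", "wdfsync.h", "ntifs.h", "ndis.h", "video.h", "wdfinterrupt.h"])
+(
+this.getFile().getAbsolutePath().matches("%Windows Kits%.h")
+or
+this.getFile()
+.getBaseName()
+.matches(["wdm.h", "wdfsync.h", "ntifs.h", "ndis.h", "video.h", "wdfinterrupt.h"])
+) and
+(
+this instanceof IrqlSavesToParameterFunction or
+this instanceof IrqlSavesViaReturnFunction or
+this instanceof IrqlSavesGlobalAnnotatedFunction
+)
 }
 }
 
 /**
-* A simple data flow from any IrqlSaveParameter to another variable.
+* A simple data flow from any IrqlSaveParameter.
 */
 class IrqlSaveParameterFlowConfiguration extends DataFlow2::Configuration {
 IrqlSaveParameterFlowConfiguration() { this = "IrqlSaveParameterFlowConfiguration" }
@@ -84,7 +82,7 @@ class IrqlSaveParameterFlowConfiguration extends DataFlow2::Configuration {
 source.asParameter() instanceof IrqlSaveParameter
 }
 
-override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof VariableAccess }
+override predicate isSink(DataFlow::Node sink) { sink instanceof DataFlow::Node }
 }
 
 /**
@@ -97,29 +95,15 @@ class IrqlAssignmentFlowConfiguration extends DataFlow::Configuration {
 
 override predicate isSource(DataFlow::Node source) {
 source.asExpr() instanceof FunctionCall and
-source
-.asExpr()
-.(FunctionCall)
-.getTarget()
-.getName()
-.matches([
-"KeRaiseIrqlToDpcLevel", "KfRaiseIrql", "KfAcquireSpinLock",
-"KeAcquireSpinLockAtDpcLevel", "KeAcquireSpinLock", "KeAcquireSpinLockRaiseToDpc"
-])
+source.asExpr().(FunctionCall).getTarget() instanceof FundamentalIrqlSaveFunction and
+source.asExpr().(FunctionCall).getTarget() instanceof IrqlSavesViaReturnFunction
 }
 
 override predicate isSink(DataFlow::Node sink) {
-// Either we're sinking to a direct reference of a parameter, or...
-sink.asExpr().(VariableAccess).getTarget() instanceof IrqlSaveParameter
-or
-// We a dereferenced pointer to the variable.
-sink.asPartialDefinition()
-.(PointerDereferenceExpr)
-.getOperand()
-.(AddressOfExpr)
-.getOperand()
-.(VariableAccess)
-.getTarget() instanceof IrqlSaveVariableFlowedTo
+exists(Assignment a |
+a.getLValue().getAChild*().(VariableAccess).getTarget() instanceof IrqlSaveVariableFlowedTo and
+a.getRValue() = sink.asExpr()
+)
 }
 }
 
@@ -132,11 +116,14 @@ class IrqlSaveVariableFlowedTo extends Variable {
 
 IrqlSaveVariableFlowedTo() {
 exists(
-IrqlSaveParameterFlowConfiguration difca, DataFlow::Node parameter, DataFlow::Node access
+IrqlSaveParameterFlowConfiguration ispfc, DataFlow::Node parameter, DataFlow::Node assignment
 |
-access.asExpr().(VariableAccess).getTarget() = this and
+(
+this.getAnAssignedValue() = assignment.asExpr() or
+this = assignment.asParameter()
+) and
 parameter.asParameter() = isp and
-difca.hasFlow(parameter, access)
+ispfc.hasFlow(parameter, assignment)
 )
 or
 this = isp
@@ -150,26 +137,19 @@ where
 // Exclude OS functions
 not isp.getFunction() instanceof FundamentalIrqlSaveFunction and
 /*
-* Case one: does the IrqlSaveParameter (or an alias of it) have the IRQL assigned to it
-* directly by calling, for example, KeRaiseIrql?
+* Case one: does the IrqlSaveParameter (or an alias of it) have the IRQL assigned to it
+* directly by calling, for example, KeRaiseIrql?
 */
 
 not exists(
-DataFlow::Node node, IrqlSaveVariableFlowedTo isvft, IrqlAssignmentFlowConfiguration difc
+DataFlow::Node node, IrqlSaveVariableFlowedTo isvft, IrqlAssignmentFlowConfiguration iafc
 |
 isvft.getSaveParameter() = isp and
-(
-node.asExpr().(VariableAccess).getTarget() = isvft
-or
-node.asPartialDefinition()
-.(PointerDereferenceExpr)
-.getOperand()
-.(AddressOfExpr)
-.getOperand()
-.(VariableAccess)
-.getTarget() = isvft
+exists(Assignment a |
+a.getLValue().getAChild*().(VariableAccess).getTarget() = isvft and
+a.getRValue() = node.asExpr()
 ) and
-difc.hasFlow(_, node)
+iafc.hasFlow(_, node)
 ) and
 // Case two: is the IrqlSaveParameter passed into an OS function that will save a value to it?
 not exists(DataFlow::Node node, IrqlFlowConfiguration ifc |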
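Review bot: `sink instanceof DataFlow::Node` in IrqlSaveParameterFlowConfiguration.isSink (the `@@ -84,7 +82,7 @@` hunk) is a tautology, so every node in the database becomes a sink and the configuration computes flow from each IrqlSaveParameter to everything reachable, while its only consumer, IrqlSaveVariableFlowedTo, matches just nodes that are a variable's assigned value or a parameter. Restricting the sink to those two shapes should keep the results identical and bounds the flow computation: `override predicate isSink(DataFlow::Node sink) {` / `  exists(Variable v | v.getAnAssignedValue() = sink.asExpr()) or exists(sink.asParameter())` / `}`. Separately, the imports now point at the `new` dataflow library but the file keeps the class-based `DataFlow::Configuration`/`hasFlow` API, which I believe is deprecated there in favor of `DataFlow::Global<...>` modules; if the pack build emits deprecation warnings for these configurations, that migration is the follow-up.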
