modify arguments check logic

As far as I can tell, the root cause of the double-fetch issue is reading from the same user mode memory twice, so it makes sense to only check whether the user mode pointer is the same or not
This commit is contained in:
Paul1nh0
2022-03-23 11:20:08 +08:00
committed by GitHub
parent 6a6cd61d83
commit 5a1dc61d9d


@@ -23,8 +23,10 @@ class CopyFromUserFunctionCall extends FunctionCall {
not this.getArgument(1) instanceof AddressOfExpr
}
predicate hasSameArguments(CopyFromUserFunctionCall another) {
globalValueNumber(this.getArgument(0)) = globalValueNumber(another.getArgument(0)) and
//root cause of double-fetech issue is read from
//the same user mode memory twice, so it makes
//sense that only check user mode pointer
predicate readFromSameUserModePointer(CopyFromUserFunctionCall another) {
globalValueNumber(this.getArgument(1)) = globalValueNumber(another.getArgument(1))
}
}
@@ -32,7 +34,7 @@ class CopyFromUserFunctionCall extends FunctionCall {
from CopyFromUserFunctionCall p1, CopyFromUserFunctionCall p2
where
not p1 = p2 and
p1.hasSameArguments(p2) and
p1.readFromSameUserModePointer(p2) and
exists(IfStmt ifStmt |
p1.getBasicBlock().getAFalseSuccessor*() = ifStmt.getBasicBlock() and
ifStmt.getBasicBlock().getAFalseSuccessor*() = p2.getBasicBlock()
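Review bot: The rationale for the new predicate readFromSameUserModePointer in the first hunk lives in a `//` comment with a typo ("double-fetech") instead of a QLDoc comment, and it does not state what the predicate deliberately stops comparing; a reader of the `where` clause in the second hunk cannot tell from the name that the kernel-side destination (argument 0, which the removed hasSameArguments also compared) is now ignored. I would replace the three `//` lines with a QLDoc block along the lines of `/** Holds if this call and `another` read from the same user-mode pointer (argument 1, compared by global value number). The kernel-side destination is intentionally not compared: a double fetch is the same user memory being read twice, whatever it is copied into. */`. Since the match is by global value number of the pointer expression only, two reads through differently-spelled expressions for the same user address will presumably not be paired, and dropping the argument-0 comparison may widen the result set; both are worth a sentence in the commit description. The `exists(IfStmt ifStmt |` opened in the second hunk closes outside the hunk.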