refactor some code, and add access_ok cases

4B5F5F4B
2022-03-30 12:25:32 +08:00
committed by GitHub
parent 9358b824c0
commit 9ab773422a


@@ -21,7 +21,7 @@ class WriteAccessCheckMacro extends Macro {
VariableAccess va;
WriteAccessCheckMacro() {
this.getName() = ["user_write_access_begin", "user_access_begin"] and
this.getName() = ["user_write_access_begin", "user_access_begin", "access_ok"] and
va.getEnclosingElement() = this.getAnInvocation().getAnExpandedElement()
}
@@ -37,7 +37,8 @@ class UnSafePutUserMacro extends Macro {
}
Expr getUserModePtr() {
result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier()
result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier() or
result = writeUserPtr.getOperand()
}
}
@@ -46,11 +47,12 @@ class ExploitableUserModePtrParam extends Parameter {
not exists(WriteAccessCheckMacro writeAccessCheck |
DataFlow::localFlow(DataFlow::parameterNode(this),
DataFlow::exprNode(writeAccessCheck.getArgument()))
) and
exists(UnSafePutUserMacro unsafePutUser |
DataFlow::localFlow(DataFlow::parameterNode(this),
DataFlow::exprNode(unsafePutUser.getUserModePtr()))
)
}
}
from ExploitableUserModePtrParam p, UnSafePutUserMacro unsafePutUser
where
DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(unsafePutUser.getUserModePtr()))
from ExploitableUserModePtrParam p
select p, "unsafe_put_user write user-mode pointer $@ without check.", p, p.toString()
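Review bot: With `access_ok` now counted as a write-access check, the `not exists(WriteAccessCheckMacro writeAccessCheck | ...)` clause in `ExploitableUserModePtrParam` suppresses a parameter as soon as it flows locally into any such invocation, regardless of where that invocation sits relative to the write. Nothing in the visible lines requires the check to come before the `unsafe_put_user` site or its result to be tested, so a function that calls `access_ok` after the write, on a different branch, or ignores its return value would presumably drop out of the results. Consider tying the two `exists` together so that the check must dominate the write, or at least record the limitation above the clause, e.g. `// NOTE: any local flow into a check macro suppresses the result; ordering and the check's return value are not modelled`. The characteristic predicate starts above the hunk, so a constraint of that kind may exist there that this view does not show.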