Create cve-2016-6480.ql

2026-04-30 19:26:02 +02:00 · 2022-03-16 17:49:05 +08:00
parent 597603a3a6
commit baf1c8d76b
1 changed files with 34 additions and 0 deletions
--- a/cpp/ql/src/experimental/Security/CVE/cve-2016-6480.ql
+++ b/cpp/ql/src/experimental/Security/CVE/cve-2016-6480.ql
@@ -0,0 +1,34 @@
+import cpp
+
+class CopyFromUserFunctionCall extends FunctionCall{
+    CopyFromUserFunctionCall(){
+        this.getTarget().getName() = "copy_from_user"
+        and not this.getArgument(1) instanceof AddressOfExpr
+    }
+
+    predicate hasSameArguments(CopyFromUserFunctionCall another){
+        this.getArgument(0).toString() = another.getArgument(0).toString()
+        and this.getArgument(1).toString() = another.getArgument(1).toString()
+    }
+
+}
+
+from CopyFromUserFunctionCall p1, CopyFromUserFunctionCall p2
+where
+    not p1 = p2
+    and p1.hasSameArguments(p2)
+    and exists(IfStmt ifStmt| 
+        p1.getBasicBlock().getAFalseSuccessor*() = ifStmt.getBasicBlock()
+        and ifStmt.getBasicBlock().getAFalseSuccessor*() = p2.getBasicBlock()
+    )
+    and not exists(AssignPointerAddExpr assignPtrAdd |
+        p1.getArgument(1).toString() = assignPtrAdd.getLValue().toString()
+        and p1.getBasicBlock().getAFalseSuccessor*() = assignPtrAdd.getBasicBlock()
+    )
+select
+    "first fetch", p1, "double fetch", p2
+
+
+
+
+