Understand syscalls better.

geoffw0 · geoffw0 · commit 2bcf7e17c8d2 · 2022-05-26T14:01:09.000+01:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql b/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
@@ -22,15 +22,18 @@ import semmle.code.cpp.dataflow.DataFlow
  */
 class SystemCallFunction extends Function {
   SystemCallFunction() {
-    this.getName().matches("SYSC\\_%")
+    exists(MacroInvocation m |
+      m.getMacro().getName().matches("SYSCALL\\_DEFINE%") and
+      this = m.getEnclosingFunction()
+    )
   }
 }
 
 /**
  * A value that comes from a Linux system call (sources).
  */
-class SystemParameterSource extends DataFlow::Node {
-  SystemParameterSource() {
+class SystemCallSource extends DataFlow::Node {
+  SystemCallSource() {
     exists(FunctionCall fc |
       fc.getTarget() instanceof SystemCallFunction and
       (
@@ -72,7 +75,7 @@ class UnSafePutUserMacro extends Macro {
   }
 }
 
-class ExploitableUserModePtrParam extends SystemParameterSource {
+class ExploitableUserModePtrParam extends SystemCallSource {
   ExploitableUserModePtrParam() {
     exists(UnSafePutUserMacro unsafePutUser |
       DataFlow::localFlow(this, DataFlow::exprNode(unsafePutUser.getUserModePtr()))
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/NoCheckBeforeUnsafePutUser.expected
@@ -1,3 +1,3 @@
-| test.cpp:16:22:16:23 | ref arg & ... | unsafe_put_user write user-mode pointer $@ without check. | test.cpp:16:22:16:23 | ref arg & ... | ref arg & ... |
-| test.cpp:37:22:37:23 | ref arg & ... | unsafe_put_user write user-mode pointer $@ without check. | test.cpp:37:22:37:23 | ref arg & ... | ref arg & ... |
-| test.cpp:65:22:65:28 | ref arg & ... | unsafe_put_user write user-mode pointer $@ without check. | test.cpp:65:22:65:28 | ref arg & ... | ref arg & ... |
+| test.cpp:20:21:20:22 | ref arg & ... | unsafe_put_user write user-mode pointer $@ without check. | test.cpp:20:21:20:22 | ref arg & ... | ref arg & ... |
+| test.cpp:41:21:41:22 | ref arg & ... | unsafe_put_user write user-mode pointer $@ without check. | test.cpp:41:21:41:22 | ref arg & ... | ref arg & ... |
+| test.cpp:69:21:69:27 | ref arg & ... | unsafe_put_user write user-mode pointer $@ without check. | test.cpp:69:21:69:27 | ref arg & ... | ref arg & ... |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser/test.cpp
@@ -1,7 +1,11 @@
 
 typedef unsigned long size_t;
 
-void SYSC_SOMESYSTEMCALL(void *param);
+#define SYSCALL_DEFINE(name, ...) \
+	void do_sys_##name(); \
+	void sys_##name(...) { do_sys_##name(); } \
+	void do_sys_##name()
+SYSCALL_DEFINE(somesystemcall, void *param) {};
 
 bool user_access_begin_impl(const void *where, size_t sz);
 void user_access_end_impl();
@@ -13,14 +17,14 @@ void unsafe_put_user_impl(int what, const void *where, size_t sz);
 
 void test1(int p)
 {
-	SYSC_SOMESYSTEMCALL(&p);
+	sys_somesystemcall(&p);
 
 	unsafe_put_user(123, &p); // BAD
 }
 
 void test2(int p)
 {
-	SYSC_SOMESYSTEMCALL(&p);
+	sys_somesystemcall(&p);
 
 	if (user_access_begin(&p, sizeof(p)))
 	{
@@ -34,7 +38,7 @@ void test3()
 {
 	int v;
 
-	SYSC_SOMESYSTEMCALL(&v);
+	sys_somesystemcall(&v);
 
 	unsafe_put_user(123, &v); // BAD
 }
@@ -43,7 +47,7 @@ void test4()
 {
 	int v;
 
-	SYSC_SOMESYSTEMCALL(&v);
+	sys_somesystemcall(&v);
 
 	if (user_access_begin(&v, sizeof(v)))
 	{
@@ -62,7 +66,7 @@ void test5()
 {
 	data myData;
 
-	SYSC_SOMESYSTEMCALL(&myData);
+	sys_somesystemcall(&myData);
 
 	unsafe_put_user(123, &(myData.x)); // BAD
 }
@@ -71,7 +75,7 @@ void test6()
 {
 	data myData;
 
-	SYSC_SOMESYSTEMCALL(&myData);
+	sys_somesystemcall(&myData);
 
 	if (user_access_begin(&myData, sizeof(myData)))
 	{

Original file line number	Diff line number	Diff line change
`@@ -22,15 +22,18 @@ import semmle.code.cpp.dataflow.DataFlow`
`22`	`22`	`*/`
`23`	`23`	`class SystemCallFunction extends Function {`
`24`	`24`	`SystemCallFunction() {`
`25`		`- this.getName().matches("SYSC\\_%")`
	`25`	`+ exists(MacroInvocation m \|`
	`26`	`+ m.getMacro().getName().matches("SYSCALL\\_DEFINE%") and`
	`27`	`+ this = m.getEnclosingFunction()`
	`28`	`+ )`
`26`	`29`	`}`
`27`	`30`	`}`
`28`	`31`
`29`	`32`	`/**`
`30`	`33`	`* A value that comes from a Linux system call (sources).`
`31`	`34`	`*/`
`32`		`-class SystemParameterSource extends DataFlow::Node {`
`33`		`- SystemParameterSource() {`
	`35`	`+class SystemCallSource extends DataFlow::Node {`
	`36`	`+ SystemCallSource() {`
`34`	`37`	`exists(FunctionCall fc \|`
`35`	`38`	`fc.getTarget() instanceof SystemCallFunction and`
`36`	`39`	`(`
`@@ -72,7 +75,7 @@ class UnSafePutUserMacro extends Macro {`
`72`	`75`	`}`
`73`	`76`	`}`
`74`	`77`
`75`		`-class ExploitableUserModePtrParam extends SystemParameterSource {`
	`78`	`+class ExploitableUserModePtrParam extends SystemCallSource {`
`76`	`79`	`ExploitableUserModePtrParam() {`
`77`	`80`	`exists(UnSafePutUserMacro unsafePutUser \|`
`78`	`81`	`DataFlow::localFlow(this, DataFlow::exprNode(unsafePutUser.getUserModePtr()))`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,11 @@`
`1`	`1`
`2`	`2`	`typedef unsigned long size_t;`
`3`	`3`
`4`		`-void SYSC_SOMESYSTEMCALL(void *param);`
	`4`	`+#define SYSCALL_DEFINE(name, ...) \`
	`5`	`+ void do_sys_##name(); \`
	`6`	`+ void sys_##name(...) { do_sys_##name(); } \`
	`7`	`+ void do_sys_##name()`
	`8`	`+SYSCALL_DEFINE(somesystemcall, void *param) {};`
`5`	`9`
`6`	`10`	`bool user_access_begin_impl(const void *where, size_t sz);`
`7`	`11`	`void user_access_end_impl();`
`@@ -13,14 +17,14 @@ void unsafe_put_user_impl(int what, const void *where, size_t sz);`
`13`	`17`
`14`	`18`	`void test1(int p)`
`15`	`19`	`{`
`16`		`- SYSC_SOMESYSTEMCALL(&p);`
	`20`	`+ sys_somesystemcall(&p);`
`17`	`21`
`18`	`22`	`unsafe_put_user(123, &p); // BAD`
`19`	`23`	`}`
`20`	`24`
`21`	`25`	`void test2(int p)`
`22`	`26`	`{`
`23`		`- SYSC_SOMESYSTEMCALL(&p);`
	`27`	`+ sys_somesystemcall(&p);`
`24`	`28`
`25`	`29`	`if (user_access_begin(&p, sizeof(p)))`
`26`	`30`	`{`
`@@ -34,7 +38,7 @@ void test3()`
`34`	`38`	`{`
`35`	`39`	`int v;`
`36`	`40`
`37`		`- SYSC_SOMESYSTEMCALL(&v);`
	`41`	`+ sys_somesystemcall(&v);`
`38`	`42`
`39`	`43`	`unsafe_put_user(123, &v); // BAD`
`40`	`44`	`}`
`@@ -43,7 +47,7 @@ void test4()`
`43`	`47`	`{`
`44`	`48`	`int v;`
`45`	`49`
`46`		`- SYSC_SOMESYSTEMCALL(&v);`
	`50`	`+ sys_somesystemcall(&v);`
`47`	`51`
`48`	`52`	`if (user_access_begin(&v, sizeof(v)))`
`49`	`53`	`{`
`@@ -62,7 +66,7 @@ void test5()`
`62`	`66`	`{`
`63`	`67`	`data myData;`
`64`	`68`
`65`		`- SYSC_SOMESYSTEMCALL(&myData);`
	`69`	`+ sys_somesystemcall(&myData);`
`66`	`70`
`67`	`71`	`unsafe_put_user(123, &(myData.x)); // BAD`
`68`	`72`	`}`
`@@ -71,7 +75,7 @@ void test6()`
`71`	`75`	`{`
`72`	`76`	`data myData;`
`73`	`77`
`74`		`- SYSC_SOMESYSTEMCALL(&myData);`
	`78`	`+ sys_somesystemcall(&myData);`
`75`	`79`
`76`	`80`	`if (user_access_begin(&myData, sizeof(myData)))`
`77`	`81`	`{`