Create cve-2017-5123.ql

4B5F5F4B · web-flow · commit 597603a3a6e3 · 2022-03-14T09:44:30.000+08:00
Add query to detect CVE-2017-5123
diff --git a/cpp/ql/src/experimental/Security/CVE/cve-2017-5123.ql b/cpp/ql/src/experimental/Security/CVE/cve-2017-5123.ql
@@ -0,0 +1,49 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+
+
+class WrtieAccessCheckMacro extends Macro{
+    VariableAccess va;
+    WrtieAccessCheckMacro(){
+        this.getName() = ["user_write_access_begin", 
+                          "user_access_begin"] 
+        and
+        va.getEnclosingElement() = this.getAnInvocation().getAnExpandedElement()
+    }
+
+    VariableAccess getArgument(){
+        result = va
+    }
+}
+
+
+class UnSafePutUserMacro extends Macro{
+    PointerDereferenceExpr writeUserPtr;
+    
+    UnSafePutUserMacro(){
+        this.getName() = "unsafe_put_user" and 
+        writeUserPtr.getEnclosingElement() = this.getAnInvocation().getAnExpandedElement()
+    }
+
+    Expr getUserModePtr(){
+        result = writeUserPtr.getOperand().(AddressOfExpr).getOperand().(FieldAccess).getQualifier()
+    }
+}
+
+class ExploitableUserModePtrParam extends Parameter{
+    ExploitableUserModePtrParam(){
+        not exists(WrtieAccessCheckMacro  writeAccessCheck| 
+            DataFlow::localFlow(DataFlow::parameterNode(this), DataFlow::exprNode(writeAccessCheck.getArgument()))
+        )
+    }
+}
+
+
+from ExploitableUserModePtrParam p,  UnSafePutUserMacro unsafePutUser
+where
+    DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(unsafePutUser.getUserModePtr()))
+select
+    p, unsafePutUser, "potential wrtie user mode ptr without check."
+
+
+
