Commit 6a6cd61

authored
Automated formatting using the CodeQL for VS Code extension
1 parent f2728f5 commit 6a6cd61

1 file changed

+23
-31
lines changed

Lines changed: 23 additions & 31 deletions
@@ -1,9 +1,9 @@
11
/**
22
* @name Linux kernel double-fetch vulnerability detection
3-
* @description Double-fetch is a very common vulnerability pattern
4-
* in linux kernel, attacker can exploit double-fetch
5-
* issues to obatain root privilege.
6-
* Double-fetch is caused by fetching data from user
3+
* @description Double-fetch is a very common vulnerability pattern
4+
* in linux kernel, attacker can exploit double-fetch
5+
* issues to obatain root privilege.
6+
* Double-fetch is caused by fetching data from user
77
* mode by calling copy_from_user twice, CVE-2016-6480
88
* is quite a good example for your information.
99
* @kind problem
@@ -17,36 +17,28 @@
1717
import cpp
1818
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
1919

20-
class CopyFromUserFunctionCall extends FunctionCall{
21-
CopyFromUserFunctionCall(){
22-
this.getTarget().getName() = "copy_from_user"
23-
and not this.getArgument(1) instanceof AddressOfExpr
24-
}
25-
26-
27-
28-
predicate hasSameArguments(CopyFromUserFunctionCall another) {
29-
globalValueNumber(this.getArgument(0)) = globalValueNumber(another.getArgument(0))
30-
and globalValueNumber(this.getArgument(1)) = globalValueNumber(another.getArgument(1))
31-
}
20+
class CopyFromUserFunctionCall extends FunctionCall {
21+
CopyFromUserFunctionCall() {
22+
this.getTarget().getName() = "copy_from_user" and
23+
not this.getArgument(1) instanceof AddressOfExpr
24+
}
3225

26+
predicate hasSameArguments(CopyFromUserFunctionCall another) {
27+
globalValueNumber(this.getArgument(0)) = globalValueNumber(another.getArgument(0)) and
28+
globalValueNumber(this.getArgument(1)) = globalValueNumber(another.getArgument(1))
29+
}
3330
}
3431

3532
from CopyFromUserFunctionCall p1, CopyFromUserFunctionCall p2
3633
where
37-
not p1 = p2
38-
and p1.hasSameArguments(p2)
39-
and exists(IfStmt ifStmt|
40-
p1.getBasicBlock().getAFalseSuccessor*() = ifStmt.getBasicBlock()
41-
and ifStmt.getBasicBlock().getAFalseSuccessor*() = p2.getBasicBlock()
42-
)
43-
and not exists(AssignPointerAddExpr assignPtrAdd |
44-
globalValueNumber(p1.getArgument(1)) = globalValueNumber(assignPtrAdd.getLValue())
45-
and p1.getBasicBlock().getAFalseSuccessor*() = assignPtrAdd.getBasicBlock()
46-
)
47-
34+
not p1 = p2 and
35+
p1.hasSameArguments(p2) and
36+
exists(IfStmt ifStmt |
37+
p1.getBasicBlock().getAFalseSuccessor*() = ifStmt.getBasicBlock() and
38+
ifStmt.getBasicBlock().getAFalseSuccessor*() = p2.getBasicBlock()
39+
) and
40+
not exists(AssignPointerAddExpr assignPtrAdd |
41+
globalValueNumber(p1.getArgument(1)) = globalValueNumber(assignPtrAdd.getLValue()) and
42+
p1.getBasicBlock().getAFalseSuccessor*() = assignPtrAdd.getBasicBlock()
43+
)
4844
select p2, "Double fetch vulnerability. First fetch was $@.", p1, p1.toString()
49-
50-
51-
52-
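Review bot: The `hasSameArguments` predicate (new lines 26-29) requires both the kernel destination (argument 0) and the user-space source (argument 1) to share a value number, which is narrower than the pattern the header describes: a double fetch is a re-read of the same user pointer, and the common exploitable shape copies a header into one buffer and then the full payload into another, so such pairs are never reported. Matching on the source alone, e.g. `predicate hasSameSource(CopyFromUserFunctionCall another) { globalValueNumber(this.getArgument(1)) = globalValueNumber(another.getArgument(1)) }` with the destination equality dropped from the `where` clause, would cover that case; the length argument (argument 2) is not compared either, which deserves a comment whichever way it is decided. The constructor matches the callee by name only, so `__copy_from_user` and `get_user` fetches are never candidates — a `// NOTE: only copy_from_user is matched; __copy_from_user/get_user are not covered` comment, or an extended name set, would make the scope explicit. The `getAFalseSuccessor*()` chains in the `where` clause also appear to admit only paths built from false edges, so a second fetch reached through an unconditional or true-branch edge would presumably be missed — worth confirming against the CFG semantics. Separately, the `@description` on the new side still reads `obatain` for `obtain`.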
