|
1 | 1 | /**
|
2 | 2 | * @name Linux kernel double-fetch vulnerability detection
|
3 |
| - * @description Double-fetch is a very common vulnerability pattern |
4 |
| - * in linux kernel, attacker can exploit double-fetch |
5 |
| - * issues to obatain root privilege. |
6 |
| - * Double-fetch is caused by fetching data from user |
| 3 | + * @description Double-fetch is a very common vulnerability pattern |
| 4 | + * in linux kernel, attacker can exploit double-fetch |
| 5 | + * issues to obatain root privilege. |
| 6 | + * Double-fetch is caused by fetching data from user |
7 | 7 | * mode by calling copy_from_user twice, CVE-2016-6480
|
8 | 8 | * is quite a good example for your information.
|
9 | 9 | * @kind problem
|
|
17 | 17 | import cpp
|
18 | 18 | import semmle.code.cpp.valuenumbering.GlobalValueNumbering
|
19 | 19 |
|
20 |
| -class CopyFromUserFunctionCall extends FunctionCall{ |
21 |
| - CopyFromUserFunctionCall(){ |
22 |
| - this.getTarget().getName() = "copy_from_user" |
23 |
| - and not this.getArgument(1) instanceof AddressOfExpr |
24 |
| - } |
25 |
| - |
26 |
| - |
27 |
| - |
28 |
| - predicate hasSameArguments(CopyFromUserFunctionCall another) { |
29 |
| - globalValueNumber(this.getArgument(0)) = globalValueNumber(another.getArgument(0)) |
30 |
| - and globalValueNumber(this.getArgument(1)) = globalValueNumber(another.getArgument(1)) |
31 |
| - } |
| 20 | +class CopyFromUserFunctionCall extends FunctionCall { |
| 21 | + CopyFromUserFunctionCall() { |
| 22 | + this.getTarget().getName() = "copy_from_user" and |
| 23 | + not this.getArgument(1) instanceof AddressOfExpr |
| 24 | + } |
32 | 25 |
|
| 26 | + predicate hasSameArguments(CopyFromUserFunctionCall another) { |
| 27 | + globalValueNumber(this.getArgument(0)) = globalValueNumber(another.getArgument(0)) and |
| 28 | + globalValueNumber(this.getArgument(1)) = globalValueNumber(another.getArgument(1)) |
| 29 | + } |
33 | 30 | }
|
34 | 31 |
|
35 | 32 | from CopyFromUserFunctionCall p1, CopyFromUserFunctionCall p2
|
36 | 33 | where
|
37 |
| - not p1 = p2 |
38 |
| - and p1.hasSameArguments(p2) |
39 |
| - and exists(IfStmt ifStmt| |
40 |
| - p1.getBasicBlock().getAFalseSuccessor*() = ifStmt.getBasicBlock() |
41 |
| - and ifStmt.getBasicBlock().getAFalseSuccessor*() = p2.getBasicBlock() |
42 |
| - ) |
43 |
| - and not exists(AssignPointerAddExpr assignPtrAdd | |
44 |
| - globalValueNumber(p1.getArgument(1)) = globalValueNumber(assignPtrAdd.getLValue()) |
45 |
| - and p1.getBasicBlock().getAFalseSuccessor*() = assignPtrAdd.getBasicBlock() |
46 |
| - ) |
47 |
| - |
| 34 | + not p1 = p2 and |
| 35 | + p1.hasSameArguments(p2) and |
| 36 | + exists(IfStmt ifStmt | |
| 37 | + p1.getBasicBlock().getAFalseSuccessor*() = ifStmt.getBasicBlock() and |
| 38 | + ifStmt.getBasicBlock().getAFalseSuccessor*() = p2.getBasicBlock() |
| 39 | + ) and |
| 40 | + not exists(AssignPointerAddExpr assignPtrAdd | |
| 41 | + globalValueNumber(p1.getArgument(1)) = globalValueNumber(assignPtrAdd.getLValue()) and |
| 42 | + p1.getBasicBlock().getAFalseSuccessor*() = assignPtrAdd.getBasicBlock() |
| 43 | + ) |
48 | 44 | select p2, "Double fetch vulnerability. First fetch was $@.", p1, p1.toString()
|
49 |
| - |
50 |
| - |
51 |
| - |
52 |
| - |