Create cve-2016-6480.ql

4B5F5F4B · web-flow · commit baf1c8d76b49 · 2022-03-16T17:49:05.000+08:00
diff --git a/cpp/ql/src/experimental/Security/CVE/cve-2016-6480.ql b/cpp/ql/src/experimental/Security/CVE/cve-2016-6480.ql
@@ -0,0 +1,34 @@
+import cpp
+
+class CopyFromUserFunctionCall extends FunctionCall{
+    CopyFromUserFunctionCall(){
+        this.getTarget().getName() = "copy_from_user"
+        and not this.getArgument(1) instanceof AddressOfExpr
+    }
+
+    predicate hasSameArguments(CopyFromUserFunctionCall another){
+        this.getArgument(0).toString() = another.getArgument(0).toString()
+        and this.getArgument(1).toString() = another.getArgument(1).toString()
+    }
+
+}
+
+from CopyFromUserFunctionCall p1, CopyFromUserFunctionCall p2
+where
+    not p1 = p2
+    and p1.hasSameArguments(p2)
+    and exists(IfStmt ifStmt| 
+        p1.getBasicBlock().getAFalseSuccessor*() = ifStmt.getBasicBlock()
+        and ifStmt.getBasicBlock().getAFalseSuccessor*() = p2.getBasicBlock()
+    )
+    and not exists(AssignPointerAddExpr assignPtrAdd |
+        p1.getArgument(1).toString() = assignPtrAdd.getLValue().toString()
+        and p1.getBasicBlock().getAFalseSuccessor*() = assignPtrAdd.getBasicBlock()
+    )
+select
+    "first fetch", p1, "double fetch", p2
+
+
+
+
+
