From 016fa7ef2bc0bfdc403ad2edeb7486221097f6a4 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Sat, 18 Feb 2023 11:25:22 -0800
Subject: [PATCH] FindEFIVariables stub, QIP
---
 codeql/harden/SmmHarden/codeql-pack.lock.yml | 12 ++++++
 codeql/harden/SmmHarden/findEFIVariables.ql | 42 ++++++++++++++++++++
 codeql/harden/SmmHarden/qlpack.yml | 8 ++++
 3 files changed, 62 insertions(+)
 create mode 100644 codeql/harden/SmmHarden/codeql-pack.lock.yml
 create mode 100644 codeql/harden/SmmHarden/findEFIVariables.ql
 create mode 100644 codeql/harden/SmmHarden/qlpack.yml
diff --git a/codeql/harden/SmmHarden/codeql-pack.lock.yml b/codeql/harden/SmmHarden/codeql-pack.lock.yml
new file mode 100644
index 0000000..acaa69e
--- /dev/null
+++ b/codeql/harden/SmmHarden/codeql-pack.lock.yml
@@ -0,0 +1,12 @@
+---
+lockVersion: 1.0.0
+dependencies:
+ codeql/cpp-all:
+ version: 0.5.2
+ codeql/ssa:
+ version: 0.0.10
+ codeql/tutorial:
+ version: 0.0.3
+ codeql/suite-helpers:
+ version: 0.4.1
+compiled: false
diff --git a/codeql/harden/SmmHarden/findEFIVariables.ql b/codeql/harden/SmmHarden/findEFIVariables.ql
new file mode 100644
index 0000000..e0911d0
--- /dev/null
+++ b/codeql/harden/SmmHarden/findEFIVariables.ql
@@ -0,0 +1,42 @@
+import cpp
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+class EFIVarFunction extends Function {
+ EFIVarFunction() {
+ this.hasGlobalOrStdOrBslName("SmmSetVariable") or
+ this.hasGlobalOrStdOrBslName("SmmGetVariable")
+ }
+}
+
+class EFIVarPtrFunction extends PointerFieldAccess {
+ EFIVarPtrFunction() {
+ this.getTarget().hasName("SmmSetVariable") or
+ this.getTarget().hasName("SmmGetVariable")
+ }
+}
+
+predicate callHandlesEFIVariable(Expr e, Call c) {
+ exists(Call x, PointerFieldAccess fa |
+ // in case it is just a normal function call
+ x.getParent() = e and x.getTarget() instanceof EFIVarFunction
+ or
+ // in case the function call is actually a pointer field access, the function name will be the name of the field itself
+ c = x and
+ c instanceof VariableCall and
+ fa instanceof EFIVarPtrFunction and
+ x.getParent() = e and
+ c.(VariableCall).getVariable() = fa.getTarget()
+ )
+}
+
+class EFIVar extends Variable {
+ EFIVar() { exists(Expr e | callHandlesEFIVariable(e, _) and e.(Access).getTarget() = this) }
+}
+
+from Expr e, Call c, Variable v
+where
+ callHandlesEFIVariable(e, c) and
+ e.(Access).getTarget() = v
+select v, "This expression uses EFI variables"
diff --git a/codeql/harden/SmmHarden/qlpack.yml b/codeql/harden/SmmHarden/qlpack.yml
new file mode 100644
index 0000000..82663e8
--- /dev/null
+++ b/codeql/harden/SmmHarden/qlpack.yml
@@ -0,0 +1,8 @@
+name: codeql/cpp-queries
+groups:
+ - cpp
+ - queries
+dependencies:
+ codeql/cpp-all: "*"
+ codeql/suite-helpers: "*"
+extractor: cpp
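Review bot: In `callHandlesEFIVariable` the first disjunct (`x.getParent() = e and x.getTarget() instanceof EFIVarFunction`) never constrains the parameter `c` nor the `exists` variable `fa`, which the QL compiler should reject (every branch of an `or` has to bind every variable), and even if it compiled the plain-call case would pair `e` with every `Call` in the database; binding `c` once outside the disjunction and keeping `fa` local to the pointer-field branch fixes both, as sketched below. Note also that `e` is the parent of the call and is then cast to `Access`, so a call whose result is assigned or used as a statement yields no row; if the intent is the variable whose buffer or size is handed to SmmGet/SetVariable (the data an SMM handler receives from outside and must validate), `c.getArgument(_)` rather than the parent is the expression to match, which is worth confirming against the intended use. The `FlowSources`, `SimpleRangeAnalysis` and `GlobalValueNumbering` imports and the `EFIVar` class are unused by the `select`, and the file has no `@name` / `@kind problem` / `@id` metadata comment, without which CodeQL will not surface the rows as alerts.
```ql
predicate callHandlesEFIVariable(Expr e, Call c) {
  c.getParent() = e and
  (
    // plain call to SmmSetVariable / SmmGetVariable
    c.getTarget() instanceof EFIVarFunction
    or
    // call through a function-pointer field carrying the same name
    exists(EFIVarPtrFunction fa | c.(VariableCall).getVariable() = fa.getTarget())
  )
}
```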
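Review bot: `name: codeql/cpp-queries` in qlpack.yml reuses the name of the standard CodeQL C++ query pack, so resolving this pack alongside the upstream one is ambiguous and pack installs may pick the wrong source; a project-scoped name, e.g. `name: <org>/smm-harden` (placeholder), avoids the clash. The `"*"` dependency ranges are fine only because the committed lock file pins `codeql/cpp-all` to 0.5.2; keep the two files updated together so the `hasGlobalOrStdOrBslName` and `VariableCall` APIs the query relies on stay resolvable.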