FindEFIVariables stub, QIP

codeql/harden/SmmHarden/codeql-pack.lock.yml

@@ -0,0 +1,12 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/cpp-all:
+    version: 0.5.2
+  codeql/ssa:
+    version: 0.0.10
+  codeql/tutorial:
+    version: 0.0.3
+  codeql/suite-helpers:
+    version: 0.4.1
+compiled: false

codeql/harden/SmmHarden/findEFIVariables.ql

@@ -0,0 +1,42 @@
+import cpp
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+class EFIVarFunction extends Function {
+  EFIVarFunction() {
+    this.hasGlobalOrStdOrBslName("SmmSetVariable") or
+    this.hasGlobalOrStdOrBslName("SmmGetVariable")
+  }
+}
+
+class EFIVarPtrFunction extends PointerFieldAccess {
+  EFIVarPtrFunction() {
+    this.getTarget().hasName("SmmSetVariable") or
+    this.getTarget().hasName("SmmGetVariable")
+  }
+}
+
+predicate callHandlesEFIVariable(Expr e, Call c) {
+  exists(Call x, PointerFieldAccess fa |
+    // in case it is just a normal function call
+    x.getParent() = e and x.getTarget() instanceof EFIVarFunction
+    or
+    // in case the function call is actually a pointer field access, the function name will be the name of the field itself
+    c = x and
+    c instanceof VariableCall and
+    fa instanceof EFIVarPtrFunction and
+    x.getParent() = e and
+    c.(VariableCall).getVariable() = fa.getTarget()
+  )
+}
+
+class EFIVar extends Variable {
+  EFIVar() { exists(Expr e | callHandlesEFIVariable(e, _) and e.(Access).getTarget() = this) }
+}
+
+from Expr e, Call c, Variable v
+where
+  callHandlesEFIVariable(e, c) and
+  e.(Access).getTarget() = v
+select v, "This expression uses EFI variables"

codeql/harden/SmmHarden/qlpack.yml

@@ -0,0 +1,8 @@
+name: codeql/cpp-queries
+groups: 
+  - cpp
+  - queries
+dependencies:
+    codeql/cpp-all: "*"
+    codeql/suite-helpers: "*"
+extractor: cpp