From 5dec732ae5fc56e7c75651a7fc231fadda22f60d Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Sun, 19 Feb 2023 21:15:12 -0800 Subject: [PATCH] findEFIVariables: Added metadata, fixed logic by matching on the call and not the expr --- codeql/harden/SmmHarden/findEFIVariables.ql | 35 ++++++++++++++------- 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/codeql/harden/SmmHarden/findEFIVariables.ql b/codeql/harden/SmmHarden/findEFIVariables.ql index e0911d0..b2d93d0 100644 --- a/codeql/harden/SmmHarden/findEFIVariables.ql +++ b/codeql/harden/SmmHarden/findEFIVariables.ql @@ -1,3 +1,16 @@ +/** + * @name Find uses of EFI variables + * @description Finds all uses of EFI variables in a C/C++ codebase. + * @kind problem + * @problem.severity warning + * @id cpp/find-uses-of-efi-variables + * @tags security + * efi + * external interface + * @precision low + * @queryLanguages cpp + */ + import cpp import semmle.code.cpp.security.FlowSources import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis @@ -18,25 +31,23 @@ class EFIVarPtrFunction extends PointerFieldAccess { } predicate callHandlesEFIVariable(Expr e, Call c) { - exists(Call x, PointerFieldAccess fa | + exists(Call x | // in case it is just a normal function call - x.getParent() = e and x.getTarget() instanceof EFIVarFunction - or + (x = c and x.getParent() = e and x.getTarget() instanceof EFIVarFunction) + ) + or + exists(VariableCall vc, PointerFieldAccess fa | // in case the function call is actually a pointer field access, the function name will be the name of the field itself - c = x and - c instanceof VariableCall and + c = vc and + vc.getParent() = e and fa instanceof EFIVarPtrFunction and - x.getParent() = e and - c.(VariableCall).getVariable() = fa.getTarget() + vc.getVariable() = fa.getTarget() ) } class EFIVar extends Variable { - EFIVar() { exists(Expr e | callHandlesEFIVariable(e, _) and e.(Access).getTarget() = this) } + EFIVar() { exists(Call c | callHandlesEFIVariable(_, c) and c.getAnArgument().(Access).getTarget() = this) } } -from Expr e, Call c, Variable v -where - callHandlesEFIVariable(e, c) and - e.(Access).getTarget() = v +from EFIVar v select v, "This expression uses EFI variables"