IrqlFunctionNotAnnotated: codeql port of c28167 (#160)

codeql port of c28167

Author: jacob-ronstadt

src/drivers/general/queries/IrqlFunctionNotAnnotated/IrqlFunctionNotAnnotated.qhelp

@@ -0,0 +1,46 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+	<overview>
+		<p>
+		The function changes the IRQL and does not restore the IRQL before it exits. It should be annotated to reflect the change or the IRQL should be restored.
+		</p>
+	</overview>
+	<recommendation>
+		<p>
+			This warning indicates that the following conditions are true: 
+			1. The function changes the IRQL at which the driver is running. 
+			2. There is at least one path through a function that does not, by function exit, restore the IRQL to the original IRQL that the driver was running at function entry.
+		</p>
+	</recommendation>
+	<example>
+		<p>
+			Function which potentially raises the IRQL level but is not annotated to reflect the change.
+		</p>
+		<sample language="c"> <![CDATA[
+		void fail1(PKIRQL oldIrql)
+		{
+
+			if (oldIrql == PASSIVE_LEVEL)
+			{
+				KeLowerIrql(*oldIrql);
+			}
+			else
+			{
+				KeRaiseIrql(DISPATCH_LEVEL, oldIrql); // Function exits at DISPATCH_LEVEL
+			}
+		}
+		}]]>
+		
+	</example>
+	<semmleNotes>
+		<p>
+		</p>
+	</semmleNotes>
+	<references>
+		<li>
+			<a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28167-function-changes-irql-without-restore">
+				C28167
+			</a>
+		</li>
+	</references>
+</qhelp>

src/drivers/general/queries/IrqlFunctionNotAnnotated/IrqlFunctionNotAnnotated.ql

@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * @id cpp/drivers/irql-function-not-annotated
+ * @kind problem
+ * @name Irql Function Not Annotated
+ * @description The function changes the IRQL and does not restore the IRQL before it exits. It should be annotated to reflect the change or the IRQL should be restored.
+ * @platform Desktop
+ * @feature.area Multiple
+ * @impact Insecure Coding Practice
+ * @repro.text This warning occurs when an IRQL annotation on a function is required, but one doesn't exist.
+ * @owner.email: [email protected]
+ * @opaqueid CQLD-C28167
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ * @scope domainspecific
+ * @query-version v1
+ */
+
+import cpp
+import drivers.libraries.Irql
+
+from
+  Function f, int irqlLevelEntry, int irqlLevelExit, ControlFlowNode exitCfn,
+  ControlFlowNode entryCfn
+where
+  not f instanceof IrqlChangesFunction and
+  exists(FunctionCall fc |
+    fc.getTarget() instanceof IrqlChangesFunction and fc.getEnclosingFunction() = f
+  ) and
+  exitCfn = f.getControlFlowScope() and
+  entryCfn = f.getBlock() and
+  irqlLevelEntry = getPotentialExitIrqlAtCfn(entryCfn) and
+  irqlLevelExit = getPotentialExitIrqlAtCfn(exitCfn) and
+  irqlLevelEntry != irqlLevelExit 
+select f, "Function potentially changes the IRQL without restoring it to the original level, however, the function is not annotated to reflect such a change."