IrqlLoweredImproperly: Codeql port of c28141 (#157)

* CodeQL port of C28141

* update sarif file

Author: jacob-ronstadt

src/drivers/general/queries/IrqlLoweredImproperly/IrqlLoweredImproperly.qhelp

@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+	<overview>
+		<p>
+		The argument causes the IRQ Level to be set below the current IRQL, and this function cannot be used for that purpose
+		</p>
+	</overview>
+	<recommendation>
+		<p>
+		A function call that lowers the IRQL at which a caller is executing is being used inappropriately. Typically, the function call lowers the IRQL as part of a more general routine or is intended to raise the caller's IRQL.		
+		</p>
+	</recommendation>
+	<example>
+		<p>
+			The following code example elicits this warning.
+		</p>
+		<sample language="c"> <![CDATA[
+			KeRaiseIrql(DISPATCH_LEVEL, &OldIrql);
+			KeRaiseIrql(PASSIVE_LEVEL, &OldIrql);
+		}]]>
+		</sample>
+		<p>
+			The following code example avoids this warning.
+		</p>
+		<sample language="c"> <![CDATA[
+			KeRaiseIrql(DISPATCH_LEVEL, &OldIrql);
+			KeLowerIrql(OldIrql);
+		}]]>
+		</sample>
+	</example>
+	<semmleNotes>
+		<p>
+		</p>
+	</semmleNotes>
+	<references>
+		<li>
+			<a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28141-argument-lowers-irq-level">
+				C28141
+			</a>
+		</li>
+	</references>
+</qhelp>

src/drivers/general/queries/IrqlLoweredImproperly/IrqlLoweredImproperly.ql

@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * @id cpp/drivers/irql-lowered-improperly
+ * @kind problem
+ * @name IRQL Lowered Improperly
+ * @description A function being called changes the IRQL to below the current IRQL, and the function is not intended for that purpose.
+ * @platform Desktop
+ * @feature.area Multiple
+ * @impact Insecure Coding Practice
+ * @repro.text
+ * @owner.email: [email protected]
+ * @opaqueid CQLD-C28141
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ * @scope domainspecific
+ * @query-version v1
+ */
+
+import cpp
+import drivers.libraries.Irql
+
+from KeRaiseIrqlCall call, ControlFlowNode prior, int irqlRequirement
+where
+  prior = call.getAPredecessor() and
+  irqlRequirement = call.getIrqlLevel() and
+  irqlRequirement != -1 and
+  irqlRequirement < min(getPotentialExitIrqlAtCfn(prior))
+select call,"$@: The function being called changes the IRQL to below the current IRQL, and the function is not intended for that purpose.",
+ call, call.toString()