
Commit 9eb68b3

IrqlCancelRoutine: CodeQL port of c28144 (#162)
* CodeQL port of C28144 * updates from review
1 parent 528c675 commit 9eb68b3


6 files changed

+420
-2
lines changed

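--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE.qhelp
@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Within a cancel routine, at the point of exit, the IRQL in Irp->CancelIrql should be the current IRQL.
+</p>
+</overview>
+<recommendation>
+<p>
+When the driver's Cancel routine exits, the value of the Irp->CancelIrql member is not the current IRQL.
+Typically, this error occurs when the driver does not call IoReleaseCancelSpinLock with the IRQL that was supplied by
+the most recent call to IoAcquireCancelSpinLock.
+</p>
+</recommendation>
+<example>
+<p>
+The following example shows an incorrect use of IoReleaseCncelSpinLock within a cancel routine
+</p>
+<sample language="c"> <![CDATA[
+IoReleaseCancelSpinLock(PASSIVE_LEVEL);
+}]]>
+</sample>
+<p>
+Correct use of IoReleaseCncelSpinLock within a cancel routine
+</p>
+<sample language="c"> <![CDATA[
+IoReleaseCancelSpinLock(Irp->CancelIrql);
+}]]>
+</sample>
+</example>
+<semmleNotes>
+<p>
+</p>
+</semmleNotes>
+<references>
+<li>
+<a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28144-cancelirql-should-be-current-irql">
+C28144
+</a>
+</li>
+</references>
+</qhelp>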
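--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE.ql
@@ -0,0 +1,38 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+* @id cpp/drivers/irql-cancel-routine
+* @kind problem
+* @name Irql Cancel Routine
+* @description Within a cancel routine, at the point of exit, the IRQL in Irp->CancelIrql should be the current IRQL.
+* @platform Desktop
+* @feature.area Multiple
+* @impact Insecure Coding Practice
+* @repro.text When the driver's Cancel routine exits, the value of the Irp->CancelIrql member is not the current IRQL.
+* Typically, this error occurs when the driver does not call IoReleaseCancelSpinLock with the IRQL that was supplied by
+* the most recent call to IoAcquireCancelSpinLock.
+* @owner.email: [email protected]
+* @opaqueid CQLD-C28144
+* @problem.severity warning
+* @precision medium
+* @tags correctness
+* @scope domainspecific
+* @query-version v1
+*/
+
+import cpp
+import drivers.libraries.Irql
+
+from Function f, FunctionCall fc
+where
+(
+f.(RoleTypeFunction).getRoleTypeString().matches("DRIVER_CANCEL") or
+f.(ImplicitRoleTypeFunction).getExpectedRoleTypeString().matches("DRIVER_CANCEL")
+) and
+fc.getEnclosingFunction() = f and
+fc.getTarget().getName() = "IoReleaseCancelSpinLock" and
+(
+not fc.getArgument(0).(PointerFieldAccess).getQualifier() = f.getParameter(1).getAnAccess() or
+not fc.getArgument(0).(PointerFieldAccess).getTarget().getName() = "CancelIrql"
+)
+select fc, "IoReleaseCancelSpinLock inside a cancel routine needs to be called with Irp->CancelIrql"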
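Review bot: The `@owner.email:` metadata tag carries a stray colon after the tag name, so the property is emitted under the key `owner.email:` instead of `owner.email` — the generated SARIF in this same commit shows it as `"owner.email:"` in the rule properties; the line should read `* @owner.email` followed by the address, with no colon. Separately, the two `not … .(PointerFieldAccess)` disjuncts report every call whose first argument is not a pointer field access at all, so a routine that first copies the value into a local (`KIRQL irql = Irp->CancelIrql;`) and then calls `IoReleaseCancelSpinLock(irql)` is flagged even though it releases with the correct IRQL; a local data-flow check from an access of `Irp->CancelIrql` to the argument would avoid that false positive, which presumably is part of why the query is marked `@precision medium`. The `f.getParameter(1)` lookup also assumes the IRP is the second parameter of the cancel routine, which matches the DRIVER_CANCEL signature; a short comment stating that assumption, e.g. `// DRIVER_CANCEL(DeviceObject, Irp): parameter 1 is the IRP`, would help the next maintainer. `.matches("DRIVER_CANCEL")` with no wildcard is plain equality; `= "DRIVER_CANCEL"` says the same thing more directly.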
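--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE.sarif
@@ -0,0 +1,312 @@
+{
+"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+"version": "2.1.0",
+"runs": [
+{
+"tool": {
+"driver": {
+"name": "CodeQL",
+"organization": "GitHub",
+"semanticVersion": "2.19.3",
+"notifications": [
+{
+"id": "cpp/baseline/expected-extracted-files",
+"name": "cpp/baseline/expected-extracted-files",
+"shortDescription": {
+"text": "Expected extracted files"
+},
+"fullDescription": {
+"text": "Files appearing in the source archive that are expected to be extracted."
+},
+"defaultConfiguration": {
+"enabled": true
+},
+"properties": {
+"tags": [
+"expected-extracted-files",
+"telemetry"
+]
+}
+},
+{
+"id": "cpp/extractor/summary",
+"name": "cpp/extractor/summary",
+"shortDescription": {
+"text": "C++ extractor telemetry"
+},
+"fullDescription": {
+"text": "C++ extractor telemetry"
+},
+"defaultConfiguration": {
+"enabled": true
+}
+}
+],
+"rules": [
+{
+"id": "cpp/drivers/irql-cancel-routine",
+"name": "cpp/drivers/irql-cancel-routine",
+"shortDescription": {
+"text": "Irql Cancel Routine"
+},
+"fullDescription": {
+"text": "Within a cancel routine, at the point of exit, the IRQL in Irp->CancelIrql should be the current IRQL."
+},
+"defaultConfiguration": {
+"enabled": true,
+"level": "warning"
+},
+"properties": {
+"tags": [
+"correctness"
+],
+"description": "Within a cancel routine, at the point of exit, the IRQL in Irp->CancelIrql should be the current IRQL.",
+"feature.area": "Multiple",
+"id": "cpp/drivers/irql-cancel-routine",
+"impact": "Insecure Coding Practice",
+"kind": "problem",
+"name": "Irql Cancel Routine",
+"opaqueid": "CQLD-C28144",
+"owner.email:": "[email protected]",
+"platform": "Desktop",
+"precision": "medium",
+"problem.severity": "warning",
+"query-version": "v1",
+"repro.text": "When the driver's Cancel routine exits, the value of the Irp->CancelIrql member is not the current IRQL. \n Typically, this error occurs when the driver does not call IoReleaseCancelSpinLock with the IRQL that was supplied by \n the most recent call to IoAcquireCancelSpinLock.",
+"scope": "domainspecific"
+}
+}
+]
+},
+"extensions": [
+{
+"name": "microsoft/windows-drivers",
+"semanticVersion": "1.3.0+2a7c167ba9555b452f626258191b4709647a936f",
+"locations": [
+{
+"uri": "file:///C:/codeql-home/WDDST/src/",
+"description": {
+"text": "The QL pack root directory."
+},
+"properties": {
+"tags": [
+"CodeQL/LocalPackRoot"
+]
+}
+},
+{
+"uri": "file:///C:/codeql-home/WDDST/src/qlpack.yml",
+"description": {
+"text": "The QL pack definition file."
+},
+"properties": {
+"tags": [
+"CodeQL/LocalPackDefinitionFile"
+]
+}
+}
+]
+},
+{
+"name": "codeql/cpp-all",
+"semanticVersion": "3.1.0+d42788844f7ec0a6b9832140313cc2318e513987",
+"locations": [
+{
+"uri": "file:///C:/Users/jronstadt/.codeql/packages/codeql/cpp-all/3.1.0/",
+"description": {
+"text": "The QL pack root directory."
+},
+"properties": {
+"tags": [
+"CodeQL/LocalPackRoot"
+]
+}
+},
+{
+"uri": "file:///C:/Users/jronstadt/.codeql/packages/codeql/cpp-all/3.1.0/qlpack.yml",
+"description": {
+"text": "The QL pack definition file."
+},
+"properties": {
+"tags": [
+"CodeQL/LocalPackDefinitionFile"
+]
+}
+}
+]
+}
+]
+},
+"invocations": [
+{
+"toolExecutionNotifications": [
+{
+"locations": [
+{
+"physicalLocation": {
+"artifactLocation": {
+"uri": "driver/driver_snippet.c",
+"uriBaseId": "%SRCROOT%",
+"index": 1
+}
+}
+}
+],
+"message": {
+"text": ""
+},
+"level": "none",
+"descriptor": {
+"id": "cpp/baseline/expected-extracted-files",
+"index": 0
+},
+"properties": {
+"formattedMessage": {
+"text": ""
+}
+}
+},
+{
+"locations": [
+{
+"physicalLocation": {
+"artifactLocation": {
+"uri": "driver/fail_driver1.h",
+"uriBaseId": "%SRCROOT%",
+"index": 2
+}
+}
+}
+],
+"message": {
+"text": ""
+},
+"level": "none",
+"descriptor": {
+"id": "cpp/baseline/expected-extracted-files",
+"index": 0
+},
+"properties": {
+"formattedMessage": {
+"text": ""
+}
+}
+},
+{
+"locations": [
+{
+"physicalLocation": {
+"artifactLocation": {
+"uri": "driver/fail_driver1.c",
+"uriBaseId": "%SRCROOT%",
+"index": 0
+}
+}
+}
+],
+"message": {
+"text": ""
+},
+"level": "none",
+"descriptor": {
+"id": "cpp/baseline/expected-extracted-files",
+"index": 0
+},
+"properties": {
+"formattedMessage": {
+"text": ""
+}
+}
+},
+{
+"message": {
+"text": "Internal telemetry for the C++ extractor.\n\nNo action needed.",
+"markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed."
+},
+"level": "note",
+"timeUtc": "2025-01-17T07:55:40.432830800Z",
+"descriptor": {
+"id": "cpp/extractor/summary",
+"index": 1
+},
+"properties": {
+"attributes": {
+"cache-hits": 0,
+"cache-misses": 1,
+"extractor-failures": 1,
+"extractor-successes": 0,
+"trap-caching": "disabled"
+},
+"visibility": {
+"statusPage": false,
+"telemetry": true
+}
+}
+}
+],
+"executionSuccessful": true
+}
+],
+"artifacts": [
+{
+"location": {
+"uri": "driver/fail_driver1.c",
+"uriBaseId": "%SRCROOT%",
+"index": 0
+}
+},
+{
+"location": {
+"uri": "driver/driver_snippet.c",
+"uriBaseId": "%SRCROOT%",
+"index": 1
+}
+},
+{
+"location": {
+"uri": "driver/fail_driver1.h",
+"uriBaseId": "%SRCROOT%",
+"index": 2
+}
+}
+],
+"results": [
+{
+"ruleId": "cpp/drivers/irql-cancel-routine",
+"ruleIndex": 0,
+"rule": {
+"id": "cpp/drivers/irql-cancel-routine",
+"index": 0
+},
+"message": {
+"text": "IoReleaseCancelSpinLock inside a cancel routine needs to be called with Irp->CancelIrql"
+},
+"locations": [
+{
+"physicalLocation": {
+"artifactLocation": {
+"uri": "driver/fail_driver1.c",
+"uriBaseId": "%SRCROOT%",
+"index": 0
+},
+"region": {
+"startLine": 207,
+"startColumn": 5,
+"endColumn": 28
+}
+}
+}
+],
+"partialFingerprints": {
+"primaryLocationLineHash": "cb9584c3c973d221:1",
+"primaryLocationStartColumnFingerprint": "0"
+}
+}
+],
+"columnKind": "utf16CodeUnits",
+"properties": {
+"semmle.formatSpecifier": "sarifv2.1.0"
+}
+}
+]
+}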
