U-Boot CodeQL Solutions (steps 3–10; the setup steps 1–2 are not included)

3 - Function definitions

import cpp

// Step 3: locate the definition of `strlen` in the U-Boot snapshot.
// `hasName` is the idiomatic shorthand for `getName() = ...`.
from Function strlenFn
where strlenFn.hasName("strlen")
select strlenFn, "a function named strlen"

4 - memcpy definitions

import cpp

// Step 4: locate the definition of `memcpy` (the sink function used in
// the later taint-tracking step).
from Function memcpyFn
where memcpyFn.hasName("memcpy")
select memcpyFn, "memcpy function found"

5 - Macro definitions

import cpp

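// Step 5: report the definitions of the network-to-host byte-order
// macros. Each result is labelled with the macro that was actually
// matched rather than a fixed "ntohs" string, so `ntohl`/`ntohll`
// hits are no longer mislabelled.
from Macro m
where
    m.hasName("ntohs") or
    m.hasName("ntohl") or
    m.hasName("ntohll")
select m, m.getName() + " macro"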

6 - memcpy calls

import cpp

// Step 6: every call whose resolved target is a function named `memcpy`.
// The target lookup is done inline on the call instead of through a
// separate `Function` variable.
from FunctionCall memcpyCall
where memcpyCall.getTarget().hasName("memcpy")
select memcpyCall, "from parent memcpy"

7 - Macro invocations

import cpp

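// Step 7: every invocation (use site) of ntohs/ntohl/ntohll.
// The message names the macro that was actually invoked so that
// `ntohl`/`ntohll` results are not reported as "ntohs macro".
from MacroInvocation mi
where
    mi.getMacro().hasName("ntohs") or
    mi.getMacro().hasName("ntohl") or
    mi.getMacro().hasName("ntohll")
select mi, mi.getMacro().getName() + " macro"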

8 - Macro expressions

import cpp

// Step 8: the expression each ntoh* macro invocation expands to.
// An invocation whose expansion is not an expression (getExpr() has
// no result) contributes no row.
from MacroInvocation swap, Expr swapped
where
    (swap.getMacro().hasName("ntohs") or
     swap.getMacro().hasName("ntohl") or
     swap.getMacro().hasName("ntohll")) and
    swapped = swap.getExpr()
select swapped

9 - Class NetworkByteSwap

import cpp

/**
 * An expression produced by invoking one of the network-to-host
 * byte-order macros (`ntohs`, `ntohl`, `ntohll`). These are the values
 * treated as attacker-influenced (network-sourced) input in the later
 * taint-tracking step.
 */
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation swap, string macroName |
      macroName = "ntohs" or macroName = "ntohl" or macroName = "ntohll"
    |
      swap.getMacro().hasName(macroName) and
      this = swap.getExpr()
    )
  }
}

// Step 9: list every expression that is the result of a network byte swap.
from NetworkByteSwap swapped
select swapped, "Network byte swap"

10 - Taint tracking (network byte-swap results flowing into memcpy's length argument)

/**
 * @name Network byte-swap result used as memcpy length
 * @description Finds memcpy calls whose length argument is tainted by the
 *              result of ntohs/ntohl/ntohll. No sanitizer is defined, so
 *              paths that pass through a bounds check are also reported;
 *              every result needs manual triage.
 * @kind path-problem
 * @problem.severity warning
 * @id cpp/uboot/network-to-memcpy-length
 */
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph
 
/**
 * An expression produced by invoking one of the network-to-host
 * byte-order macros (`ntohs`, `ntohl`, `ntohll`). Used as the taint
 * source below: the swapped value is assumed to come straight from a
 * network packet and therefore to be attacker-controlled.
 */
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation swap, string macroName |
      macroName = "ntohs" or macroName = "ntohl" or macroName = "ntohll"
    |
      swap.getMacro().hasName(macroName) and
      this = swap.getExpr()
    )
  }
}
 
/**
 * Taint-tracking configuration: a value produced by a network byte-swap
 * macro (`NetworkByteSwap`) flowing into the length argument of `memcpy`.
 *
 * NOTE(review): neither `isSanitizer` nor `isBarrier` is overridden, so a
 * path that passes through a bounds check (e.g. `if (len > sizeof buf)`)
 * is still reported. Treat each result as a candidate to triage, not as
 * a confirmed overflow.
 */
class Config extends TaintTracking::Configuration {
  Config() { this = "NetworkToMemFuncLength" }

  /** Holds if `source` is the result of an ntohs/ntohl/ntohll invocation. */
  override predicate isSource(DataFlow::Node source) {
    // Compare at the Expr level: NetworkByteSwap is an Expr subclass,
    // while a data-flow node exposes its expression through asExpr().
    exists(NetworkByteSwap swap | source.asExpr() = swap)
  }

  /**
   * Holds if `sink` is the final argument of a call to `memcpy`, i.e. the
   * byte count `n` in `memcpy(dest, src, n)`. The destination and source
   * pointer arguments are deliberately not sinks.
   */
  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall memcpyCall, int lastIdx |
      memcpyCall.getTarget().hasName("memcpy") and
      // memcpy(destination, source, bytes to copy): the length is last.
      lastIdx = memcpyCall.getNumberOfArguments() - 1 and
      sink.asExpr() = memcpyCall.getArgument(lastIdx)
    )
  }
}

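// Report each taint path from a byte-swap result to a memcpy length.
// `sink.getNode()` is the conventional first column of a path-problem
// result (the element the alert is attached to), and the `$@`
// placeholder links the message to the source so the origin of the
// length value is one click away during triage. The file's metadata
// header must declare `@kind path-problem` for the path to be rendered.
from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Network byte swap $@ flows to memcpy length", source.getNode(), "here"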