Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 833ef9d

Browse files
bdrodesbdrodes
committed
Further reorg of libraries and predicates to allow for more reusable and consistent libraries.
1 parent 967526b commit 833ef9d

4 files changed

Lines changed: 30 additions & 43 deletions

File tree

cpp/ql/src/Critical/DoubleFree.ql

Lines changed: 1 addition & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -22,29 +22,10 @@ import DoubleFree::PathGraph
2222
*/
2323
predicate isFree(DataFlow::Node n, Expr e) { isFree(_, n, e, _) }
2424

25-
/**
26-
* `dealloc1` is a deallocation expression and `e` is an expression such
27-
* that is deallocated by a deallocation expression, and the `(dealloc1, e)` pair
28-
* should be excluded by the `FlowFromFree` library.
29-
*
30-
* Note that `e` is not necessarily the expression deallocated by `dealloc1`. It will
31-
* be bound to the second deallocation as identified by the `FlowFromFree` library.
32-
*/
33-
bindingset[dealloc1, e]
34-
predicate isExcludeFreePair(DeallocationExpr dealloc1, Expr e) {
35-
exists(DeallocationExpr dealloc2 | isFree(_, _, e, dealloc2) |
36-
dealloc1.(FunctionCall).getTarget().hasGlobalName("MmFreePagesFromMdl") and
37-
// From https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmfreepagesfrommdl:
38-
// "After calling MmFreePagesFromMdl, the caller must also call ExFreePool
39-
// to release the memory that was allocated for the MDL structure."
40-
isExFreePoolCall(dealloc2, _)
41-
)
42-
}
43-
4425
module DoubleFreeParam implements FlowFromFreeParamSig {
4526
predicate isSink = isFree/2;
4627

47-
predicate isExcluded = isExcludeFreePair/2;
28+
predicate isExcluded = isExcludedMmFreePageFromMdl/2;
4829

4930
predicate sourceSinkIsRelated = defaultSourceSinkIsRelated/2;
5031
}

cpp/ql/src/Critical/FlowAfterFree.qll

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -143,3 +143,22 @@ predicate defaultSourceSinkIsRelated(DataFlow::Node source, DataFlow::Node sink)
143143
strictlyPostDominates(b2, i2, b1, i1)
144144
)
145145
}
146+
147+
/**
148+
* `dealloc1` is a deallocation expression, `e` is an expression that dereferences a
149+
* pointer, and the `(dealloc1, e)` pair should be excluded by the `FlowFromFree` library.
150+
*
151+
* Note that `e` is not necessarily the expression deallocated by `dealloc1`. It will
152+
* be bound to the second deallocation as identified by the `FlowFromFree` library.
153+
*
154+
* From https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmfreepagesfrommdl:
155+
* "After calling MmFreePagesFromMdl, the caller must also call ExFreePool
156+
* to release the memory that was allocated for the MDL structure."
157+
*/
158+
bindingset[dealloc1, e]
159+
predicate isExcludedMmFreePageFromMdl(DeallocationExpr dealloc1, Expr e) {
160+
exists(DeallocationExpr dealloc2 | isFree(_, _, e, dealloc2) |
161+
dealloc1.(FunctionCall).getTarget().hasGlobalName("MmFreePagesFromMdl") and
162+
isExFreePoolCall(dealloc2, _)
163+
)
164+
}

cpp/ql/src/Critical/UseAfterFree.ql

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,16 @@ import FlowAfterFree
1818
import UseAfterFree
1919
import UseAfterFreeTrace::PathGraph
2020

21+
module UseAfterFreeParam implements FlowFromFreeParamSig {
22+
predicate isSink = isUse/2;
23+
24+
predicate isExcluded = isExcludedMmFreePageFromMdl/2;
25+
26+
predicate sourceSinkIsRelated = defaultSourceSinkIsRelated/2;
27+
}
28+
29+
import UseAfterFreeParam
30+
2131
module UseAfterFreeTrace = FlowFromFree<UseAfterFreeParam>;
2232

2333
from UseAfterFreeTrace::PathNode source, UseAfterFreeTrace::PathNode sink, DeallocationExpr dealloc

cpp/ql/src/Critical/UseAfterFree.qll

Lines changed: 0 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -144,26 +144,3 @@ module IsUse {
144144
}
145145

146146
import IsUse
147-
148-
/**
149-
* `dealloc1` is a deallocation expression, `e` is an expression that dereferences a
150-
* pointer, and the `(dealloc1, e)` pair should be excluded by the `FlowFromFree` library.
151-
*/
152-
bindingset[dealloc1, e]
153-
predicate isExcludeFreeUsePair(DeallocationExpr dealloc1, Expr e) {
154-
// From https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-mmfreepagesfrommdl:
155-
// "After calling MmFreePagesFromMdl, the caller must also call ExFreePool
156-
// to release the memory that was allocated for the MDL structure."
157-
dealloc1.(FunctionCall).getTarget().hasGlobalName("MmFreePagesFromMdl") and
158-
isExFreePoolCall(_, e)
159-
}
160-
161-
module UseAfterFreeParam implements FlowFromFreeParamSig {
162-
predicate isSink = isUse/2;
163-
164-
predicate isExcluded = isExcludeFreeUsePair/2;
165-
166-
predicate sourceSinkIsRelated = defaultSourceSinkIsRelated/2;
167-
}
168-
169-
import UseAfterFreeParam

0 commit comments

Comments
 (0)