[CPP][Questions] No effective API to query macro used in function parameter declaration #8497
Hi @4B5F5F4B, This is indeed an annoying issue. Finding the macro uses is easy (using

import cpp

// Holds if l1 ends strictly before l2 starts, within the same file.
pragma[inline]
predicate isBefore(Location l1, Location l2) {
  l1.getFile() = l2.getFile() and
  (
    l1.getEndLine() < l2.getStartLine()
    or
    l1.getEndLine() = l2.getStartLine() and
    l1.getEndColumn() < l2.getStartColumn()
  )
}

// Holds if p is the lowest-index parameter q for which some '__user'
// invocation lies after a mention of q's type and before q's own location.
predicate isUserParameter(Parameter p) {
  exists(MacroInvocation m |
    p =
      min(Parameter q, TypeMention tm |
        q.getType().stripType() = tm.getMentionedType() and
        m.getMacroName() = "__user" and
        isBefore(tm.getLocation(), m.getLocation()) and
        isBefore(m.getLocation(), q.getLocation())
      |
        q order by q.getIndex()
      )
  )
}

from Parameter p
where isUserParameter(p)
select p, "This parameter is annotated with '__user'."

The idea is that we want, given a parameter
Let's start by getting the location of the type
Then we want to find the location of the parameter name. Luckily, this is easy. We can just use the location of the
(Note that the
I hope that helps!
Hello @MathiasVP, First of all I should thank you for your reply and solution. I can't agree with you more that there is no good way other than hacking via Location, which is quite clearly demonstrated by your code. I'm inspired by your code a lot, thank you. But frankly speaking, too much Location comparison will make it incredibly slow for a large codebase like the Linux kernel :( Thank you for your help again.
I agree :( This solution is really pushing the limits of what you're meant to do with locations. It's not really the
Unfortunately these queries do not match all For example it doesn't match on

static __always_inline unsigned long __must_check
copy_from_user(void *to, const void __user *from, unsigned long n)
{
	if (likely(check_copy_size(to, n, false)))
		n = _copy_from_user(to, from, n);
	return n;
}

static __always_inline unsigned long __must_check
copy_to_user(void __user *to, const void *from, unsigned long n)
{
	if (likely(check_copy_size(from, n, true)))
		n = _copy_to_user(to, from, n);
	return n;
}
Hello all,
Recently I'm interested in writing queries to detect common vulnerability patterns specific to the Linux kernel codebase. I find that the __user macro is used to indicate that a parameter is a user mode pointer, for example
I want to write a query to get all user mode pointers defined in function parameter declarations. I tried to find an available API defined in Macro/MacroAccess/MacroInvocation/Function/Function/FunctionDeclarationEntry/ParameterDeclarationEntry, but I cannot find one that can be used for my purpose.
I have no way but to query macros used in function parameter declarations by combining MacroAccess and Location. The following code may work, but it is prone to false positives and ugly :(
So I hope you guys can be kind enough to help me find a more effective way to query a specific macro in function parameter declarations, thank you :)
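A variant of the location-based approach discussed in the thread, added here as an example and not code from any participant or from the CodeQL project: it brackets each `__user` invocation between neighbouring declaration-entry locations rather than a `TypeMention`, with declarations such as `const void __user *from` in mind. The predicate names `endsBefore`, `lowerBound` and `isUserParameterEntry` are hypothetical, and it assumes that the location of a function or parameter declaration entry is the location of the declared name.

```ql
import cpp

/** Holds if `a` ends strictly before `b` starts, in the same file. */
pragma[inline]
predicate endsBefore(Location a, Location b) {
  a.getFile() = b.getFile() and
  (
    a.getEndLine() < b.getStartLine()
    or
    a.getEndLine() = b.getStartLine() and
    a.getEndColumn() < b.getStartColumn()
  )
}

/**
 * Gets the location after which the declaration text of `pde` begins:
 * the function name for index 0, otherwise the previous parameter's name.
 * Assumption: declaration-entry locations point at the declared name.
 */
Location lowerBound(ParameterDeclarationEntry pde) {
  exists(FunctionDeclarationEntry fde, int i |
    pde = fde.getParameterDeclarationEntry(i) and
    (
      i = 0 and result = fde.getLocation()
      or
      i > 0 and result = fde.getParameterDeclarationEntry(i - 1).getLocation()
    )
  )
}

/** Holds if a `__user` invocation sits between `lowerBound(pde)` and `pde`'s name. */
predicate isUserParameterEntry(ParameterDeclarationEntry pde) {
  exists(MacroInvocation m |
    m.getMacroName() = "__user" and
    endsBefore(lowerBound(pde), m.getLocation()) and
    endsBefore(m.getLocation(), pde.getLocation())
  )
}

from ParameterDeclarationEntry pde
where isUserParameterEntry(pde)
select pde, "This parameter declaration is annotated with '__user'."
```

A `__user` that appears after a parameter's name, for instance inside the argument list of a function-pointer parameter, falls into the next parameter's bracket and is reported against that parameter. Results are per declaration entry, so a parameter declared in both a prototype and a definition can appear twice.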