Replies: 2 comments 3 replies
-
|
Are you asking about analysing a user-mode codebase together with the kernel, or just about identifying inputs (data passed into a syscall, or copied from user memory, or otherwise passed into the kernel by a user-mode application?) |
Beta Was this translation helpful? Give feedback.
-
|
I am asking about data passed into the kernel. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @shahar99s 👋. Do you have an example of a bug you're trying to identify? |
Beta Was this translation helpful? Give feedback.
-
|
In general, I want to create a codeql query that given an API (e.g. syscalls), it can find a flow of API calls (= arbitrary code that uses the API) that triggers a given case. Specifically, I am looking for a UAF kernel bug caused by a freed pointer that was forgotten to be nulled after being freed. int foo(char* buf)
{
...
free(buf);
buf = NULL;
}
int bar(char* buf)
{
...
free(buf);
}In |
Beta Was this translation helpful? Give feedback.
-
|
I see. Thanks for clarifying! You'll likely want to use our dataflow library for this task. We have no concept of user-mode/kernel-mode code in CodeQL, so you'll have to model that yourself. As a quick protype you could pick any |
Beta Was this translation helpful? Give feedback.
-
First of all, I am a codeql beginner, so sorry if I ask something unclear or even stupid.
I am trying to detect kernel bugs using codeql where the bug is triggered by some syscalls that lead to the bug in the kernel.
I have searched for an article about data flows that identify a kernel bug, caused by a tainted user mode code, but I haven't find anything.
Does a data flow from user to kernel requires a special treat? If so, how is it done?
Beta Was this translation helpful? Give feedback.
All reactions