update auto-detect

Author: icy17

codeql-script/auto_detect.py

@@ -81,6 +81,108 @@ def if_big(database_path):
     else:
         return False
 
+# ql_code: orig parameter-value-check.ql
+# target_api: api used
+# target_index: api parameter index.
+def gen_parameter_check_ql(ql_code, target_api, target_index)
+{
+    target_api_str = 'fc.getTarget().hasName("' + target_api + '")'
+    target_index_str = 'result = fc.getArgument(' + str(target_index) + ')'
+    ql_code = ql_code.replace('fc.getTarget().hasName("SSL_CTX_set_options")', target_api_str)
+    ql_code = ql_code.replace('result = fc.getArgument(0) ', target_index_str)
+    return ql_code
+}
+
+def gen_missing_free_ql(ql_code, target_api, target_index, free_list)
+{
+    ql_code = ql_code.replace('Target_Malloc', target_api)
+    ql_code = ql_code.replace('Target_INDEX', target_index)
+    free_str = 'fc.getTarget().hasName("free")'
+    for free_api in free_list:
+        free_str = free_str + '\nor fc.getTarget().hasName("' + free_api + '")'
+
+    ql_code = ql_code.replace('fc.getTarget().hasName("free")', free_str)
+    return ql_code
+}   
+
+def gen_missing_malloc_ql(ql_code, target_api, target_index, malloc_dict_list)
+{
+    ql_code = ql_code.replace('Target_Free', target_api)
+    ql_code = ql_code.replace('Target_INDEX', target_index)
+    malloc_str = '(fc.getTarget().hasName("malloc_with_parameter") and e = fc)'
+    malloc_str2 = 'fc.getTarget().hasName("malloc")'
+    for malloc_item in malloc_dict_list:
+        malloc_api = malloc_item['api']
+        malloc_index = malloc_item['index']
+        
+        malloc_str = malloc_str + '\n or (fc.getTarget().hasName("' + malloc_api + '") and e = fc.getArgument(' + str(malloc_index) + '))'
+        malloc_str2 = malloc_str2 + '\n or fc.getTarget().hasName("' + malloc_api + '")'
+    ql_code = ql_code.replace('(fc.getTarget().hasName("malloc_with_parameter") and e = fc)', malloc_str)
+    ql_code = ql_code.replace('fc.getTarget().hasName("malloc")', malloc_str2)
+    ql_code = ql_code.replace('malloc_with_parameter', 'malloc')
+    return ql_code
+}
+
+def gen_double_free_ql(ql_code, target_api, target_index, malloc_dict_list)
+{
+    ql_code = ql_code.replace('Target_Free', target_api)
+    ql_code = ql_code.replace('Target_INDEX', target_index)
+    malloc_str = '(fc.getTarget().hasName("malloc_with_parameter") and e = fc)'
+    malloc_str2 = 'fc.getTarget().hasName("malloc")'
+    for malloc_item in malloc_dict_list:
+        malloc_api = malloc_item['api']
+        malloc_index = malloc_item['index']
+        
+        malloc_str = malloc_str + '\n or (fc.getTarget().hasName("' + malloc_api + '") and e = fc.getArgument(' + str(malloc_index) + '))'
+        malloc_str2 = malloc_str2 + '\n or fc.getTarget().hasName("' + malloc_api + '")'
+    ql_code = ql_code.replace('(fc.getTarget().hasName("malloc_with_parameter") and e = fc)', malloc_str)
+    ql_code = ql_code.replace('fc.getTarget().hasName("malloc")', malloc_str2)
+    ql_code = ql_code.replace('malloc_with_parameter', 'malloc')
+    return ql_code
+}
+
+def gen_uaf_ql(ql_code, target_api, target_index, malloc_dict_list, free_list)
+{
+    ql_code = ql_code.replace('Target_API', target_api)
+    ql_code = ql_code.replace('Target_INDEX', target_index)
+    malloc_str = '(fc.getTarget().hasName("malloc_with_parameter") and e = fc)'
+    malloc_str2 = 'fc.getTarget().hasName("malloc")'
+    for malloc_item in malloc_dict_list:
+        malloc_api = malloc_item['api']
+        malloc_index = malloc_item['index']
+        
+        malloc_str = malloc_str + '\n or (fc.getTarget().hasName("' + malloc_api + '") and e = fc.getArgument(' + str(malloc_index) + '))'
+        malloc_str2 = malloc_str2 + '\n or fc.getTarget().hasName("' + malloc_api + '")'
+    ql_code = ql_code.replace('(fc.getTarget().hasName("malloc_with_parameter") and e = fc)', malloc_str)
+    ql_code = ql_code.replace('fc.getTarget().hasName("malloc")', malloc_str2)
+    ql_code = ql_code.replace('malloc_with_parameter', 'malloc')
+    
+    free_str = 'fc.getTarget().hasName("free")'
+    for free_api in free_list:
+        free_str = free_str + '\n or fc.getTarget().hasName("' + free_api + '")'
+    ql_code = ql_code.replace('fc.getTarget().hasName("free")', free_str)
+    return ql_code
+    
+}
+
+def gen_uninitialize_ql(ql_code, target_api, target_index, initialize_dict_list)
+{
+    ql_code = ql_code.replace('Target_API', target_api)
+    ql_code = ql_code.replace('Target_INDEX', target_index)
+    malloc_str = '(fc.getTarget().hasName("initialize_expr") and e = fc.getArgument(0))'
+    malloc_str2 = 'fc.getTarget().hasName("initialize")'
+    for malloc_item in initialize_dict_list:
+        malloc_api = malloc_item['api']
+        malloc_index = malloc_item['index']
+        
+        malloc_str = malloc_str + '\n or (fc.getTarget().hasName("' + malloc_api + '") and e = fc.getArgument(' + str(malloc_index) + '))'
+        malloc_str2 = malloc_str2 + '\n or fc.getTarget().hasName("' + malloc_api + '")'
+    ql_code = ql_code.replace('(fc.getTarget().hasName("initialize_expr") and e = fc.getArgument(0))', malloc_str)
+    ql_code = ql_code.replace('fc.getTarget().hasName("initialize")', malloc_str2)
+    return ql_code
+
+}
+
 def gen_ql_code(ql_dir, big_flag, database):
     ql_path = ql_dir + '/'
     ql_name = database['malloc_api'] + '-' + database['free_api'] + '.ql'
@@ -210,6 +312,8 @@ def sort_by_size(database_list, database_dir):
     # exit(1)
     return out_list
 
+
+
 if __name__ == '__main__':
     # in_list = 'list'
     # #in Ubuntu 18.04(vmware)

codeql-script/auto_find.py

@@ -136,8 +136,8 @@ def get_api_list(in_path, lib):
     output_path = out_dir + '/findres'
     filter_list = []
     api_path = api_dir + '/'
-    # libs = ['openssl', 'libpcap', 'libxml2', 'sqlite3']
-    libs = ['libpcap']
+    libs = ['openssl', 'libpcap', 'libxml2', 'sqlite3']
+    # libs = ['libpcap']
     # libs = ['ffmpeg', 'ldap', 'libpcap','libexpat','libmysql','libgnutls', 'libevent', 'zlib','libzip', 'libdbus']
     # if not os.path.exists(output_dir):
     #     os.mkdir(output_dir)

codeql-script/auto_gen_ql.py

@@ -0,0 +1,2 @@
+import os
+import json

ql-code/double-free.ql

@@ -21,9 +21,7 @@ Expr getMallocExpr(FunctionCall fc)
         result = e
         and
         (
-            (fc.getTarget().hasName("malloc") and e = fc)
-        or
-        (fc.getTarget().hasName("initialize_api") and e = fc.getArgument(0))
+            (fc.getTarget().hasName("malloc_with_parameter") and e = fc)
         // TODO-addMallocHere
         )
     )
@@ -32,27 +30,26 @@ Expr getMallocExpr(FunctionCall fc)
 Expr getFreeExpr(FunctionCall fc)
 {
 
-        result = fc.getArgument(0)
+        result = fc.getArgument(Target_INDEX)
         and
         (
-            fc.getTarget().hasName("free")
-        or
-         fc.getTarget().hasName("target")
+            fc.getTarget().hasName("Target_Free")
+        // or
+        //  fc.getTarget().hasName("target")
         // TODO-addFreeHere
         )
 }
  predicate isSourceFC(FunctionCall fc)
  {
- fc.getTarget().hasName("initialize_api")
- or 
+
  fc.getTarget().hasName("malloc")
  }
 
  predicate isSinkFC(FunctionCall fc)
  {
- fc.getTarget().hasName("free")
- or
- fc.getTarget().hasName("target")
+ fc.getTarget().hasName("Target_Free")
+//  or
+//  fc.getTarget().hasName("target")
  }
  DataFlow::Node getSinkNode(FunctionCall fc)
  {

ql-code/free-missing-malloc.ql

@@ -21,7 +21,7 @@ Expr getMallocExpr(FunctionCall fc)
         result = e
         and
         (
-            (fc.getTarget().hasName("malloc") and e = fc)
+            (fc.getTarget().hasName("malloc_with_parameter") and e = fc)
         // or
         // (fc.getTarget().hasName("new_malloc") and e = fc.getArgument(0))
         // TODO-addMallocHere
@@ -32,10 +32,10 @@ Expr getMallocExpr(FunctionCall fc)
 Expr getFreeExpr(FunctionCall fc)
 {
 
-        result = fc.getArgument(0)
+        result = fc.getArgument(Target_INDEX)
         and
         (
-            fc.getTarget().hasName("free")
+            fc.getTarget().hasName("Target_Free")
         // or
         //  fc.getTarget().hasName("new_free")
         // TODO-addFreeHere
@@ -50,7 +50,7 @@ Expr getFreeExpr(FunctionCall fc)
 
  predicate isSinkFC(FunctionCall fc)
  {
- fc.getTarget().hasName("free")
+ fc.getTarget().hasName("Target_Free")
 //  or
 //  fc.getTarget().hasName("new_free")
  }

ql-code/malloc-missing-free.ql

@@ -21,7 +21,7 @@ Expr getMallocExpr(FunctionCall fc)
         result = e
         and
         (
-            (fc.getTarget().hasName("malloc") and e = fc)
+            (fc.getTarget().hasName("Target_Malloc") and e = fc.getArgument(Target_INDEX))
         // or
         // (fc.getTarget().hasName("new_malloc") and e = fc.getArgument(0))
         // TODO-addMallocHere
@@ -55,7 +55,7 @@ Expr getFreeExpr(FunctionCall fc)
  {
 //  fc.getTarget().hasName("new_malloc")
 //  or 
- fc.getTarget().hasName("malloc")
+ fc.getTarget().hasName("Target_Malloc")
  }
 
  predicate isSinkFC(FunctionCall fc)

ql-code/parameter-value-check.ql

@@ -15,15 +15,18 @@ import semmle.code.cpp.security.Security
 import semmle.code.cpp.controlflow.Guards
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
+string target_api = "SSL_CTX_set_options"
+int target_index = 0
 
 Expr getSinkExpr(FunctionCall fc)
 {
-result = fc.getArgument(0) 
+result = fc.getArgument(target_index) 
 }
 
 predicate isSinkFC(FunctionCall fc)
 {
-fc.getTarget().hasName("SSL_CTX_set_options")
+
+fc.getTarget().hasName(target_api)
 }
 DataFlow::Node getSinkNode(FunctionCall fc)
 {
@@ -48,27 +51,9 @@ class ParameterConfiguration extends DataFlow::Configuration {
     }
   }
 
+
+
 //   if every path after target exists node
-BasicBlock getLeakBBAfter(ControlFlowNode target) {
-    not exists(ControlFlowNode node | 
-       node = getAfterNode()
-       and
-       target.getASuccessor*() = node
-       and not
-       exists(BasicBlock bb | 
-           not bb.getANode() = node
-           and bb = target.getASuccessor*()
-           and exists(ExitBasicBlock exit | 
-               bb.getASuccessor*() = exit)
-           and target.getASuccessor*() = bb
-           and not bb.getAPredecessor*() = node.getBasicBlock()
-           and not bb.getASuccessor*() = node.getBasicBlock()
-           and result = bb
-        )
-       )
-   
-   
-}
 
 Expr getCheckExpr(FunctionCall fc)
 {

ql-code/uninitialize.ql

@@ -22,19 +22,19 @@
          result = e
          and
          (
-             (fc.getTarget().hasName("strlen") and e = fc.getArgument(0))
-         or
-         (fc.getTarget().hasName("test_init") and e = fc.getArgument(0))
+             (fc.getTarget().hasName("initialize_expr") and e = fc.getArgument(0))
+        //  or
+        //  (fc.getTarget().hasName("test_init") and e = fc.getArgument(0))
          // TODO-addMallocHere
          )
      )
  }
 
  predicate isSourceFC(FunctionCall fc)
  {
- fc.getTarget().hasName("test_init")
- or 
- fc.getTarget().hasName("strlen")
+ fc.getTarget().hasName("initialize")
+//  or 
+//  fc.getTarget().hasName("strlen")
  }
 
  DataFlow::Node getSourceNode(FunctionCall fc)
@@ -46,12 +46,14 @@
 
  Expr getSinkExpr(FunctionCall fc)
  {
- result = fc.getArgument(0) 
+    isSinkFC(fc)
+    and
+ result = fc.getArgument(Target_INDEX) 
  }
 
  predicate isSinkFC(FunctionCall fc)
  {
- fc.getTarget().hasName("target")
+ fc.getTarget().hasName("Target_API")
  }
  DataFlow::Node getSinkNode(FunctionCall fc)
  {

ql-code/use-after-free.ql

@@ -21,7 +21,7 @@ Expr getMallocExpr(FunctionCall fc)
         result = e
         and
         (
-            (fc.getTarget().hasName("malloc") and e = fc)
+            (fc.getTarget().hasName("malloc_parameter") and e = fc)
         // or
         // (fc.getTarget().hasName("new_malloc") and e = fc.getArgument(0))
         // TODO-addMallocHere
@@ -41,11 +41,11 @@ FunctionCall getFreeClass()
 Expr getFreeExpr(FunctionCall fc)
 {
 
-        result = fc.getArgument(0)
+        result = fc.getArgument(Target_INDEX)
         and
         (
             // TODO-Target-change
-            fc.getTarget().hasName("target")
+            fc.getTarget().hasName("Target_API")
         // or
         //  fc.getTarget().hasName("new_free")
 
@@ -61,7 +61,7 @@ Expr getFreeExpr(FunctionCall fc)
 
  predicate isSinkFC(FunctionCall fc)
  {
- fc.getTarget().hasName("target")
+ fc.getTarget().hasName("Target_API")
 //  or
 //  fc.getTarget().hasName("new_free")
  }