Merge pull request #91 from microsoft/development

RI of development branch to main (11/21/23).

.github/workflows/build-codeql.yaml

@@ -32,7 +32,7 @@ jobs:
       with:
         owner: "github"
         repo: "codeql-cli-binaries"
-        tag: "v2.11.5"
+        tag: "v2.15.1"
         file: "codeql-win64.zip"
 
     - name: Unzip CodeQL CLI

README.md

@@ -6,7 +6,7 @@ This repository contains open-source components for supplemental use in developi
 
 | Branch to use            | CodeQL CLI version |
 |--------------------------|--------------------|
-| main                     | 2.11.5             |
+| main                     | 2.15.1             |
 
 ### For Windows Hardware Compatibility Program Use
 
@@ -17,7 +17,7 @@ This repository contains open-source components for supplemental use in developi
 | Windows 11               | WHCP_21H2     | 2.4.6              |
 | Windows 11, version 22H2 | WHCP_22H2     | 2.6.3              |
 
-For general use, use the `main` branch along with [version 2.11.5 of the CodeQL CLI](https://github.com/github/codeql-cli-binaries/releases/tag/v2.11.5).
+For general use, use the `main` branch along with [version 2.15.1 of the CodeQL CLI](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.1).
 
 ## Quickstart
 
@@ -30,7 +30,7 @@ For general use, use the `main` branch along with [version 2.11.5 of the CodeQL
 
     For the WHCP Program, use the CodeQL CLI version in accordance with the table above and Windows release you are certifying for: [version 2.4.6](https://github.com/github/codeql-cli-binaries/releases/tag/v2.4.6) or [version 2.6.3](https://github.com/github/codeql-cli-binaries/releases/tag/v2.6.3).
 
-    For general use with the `main` branch, use [CodeQL CLI version 2.11.5](https://github.com/github/codeql-cli-binaries/releases/tag/v2.11.5).
+    For general use with the `main` branch, use [CodeQL CLI version 2.15.1](https://github.com/github/codeql-cli-binaries/releases/tag/v2.15.1).
     
 
 1. Clone and install the Windows Driver Developer Supplemental Tools repository which contains the CodeQL queries specific for drivers:
@@ -40,7 +40,7 @@ For general use, use the `main` branch along with [version 2.11.5 of the CodeQL
     D:\codeql-home\>git clone https://github.com/microsoft/Windows-Driver-Developer-Supplemental-Tools.git --recurse-submodules
     ```
    
-   For MAIN BRANCH use:
+   For MAIN AND DEVELOPMENT BRANCHES use:
    
    ```
     D:\codeql-home\>git clone https://github.com/microsoft/Windows-Driver-Developer-Supplemental-Tools.git
@@ -56,8 +56,8 @@ For general use, use the `main` branch along with [version 2.11.5 of the CodeQL
 1. Verify CodeQL is installed correctly by checking the version:
     ```
     D:\codeql-home\codeql>codeql --version
-    CodeQL command-line toolchain release 2.11.5.
-    Copyright (C) 2019-2022 GitHub, Inc.
+    CodeQL command-line toolchain release 2.15.1.
+    Copyright (C) 2019-2023 GitHub, Inc.
     Unpacked in: D:\codeql-home\codeql
         Analysis results depend critically on separately distributed query and
         extractor modules. To list modules that are visible to the toolchain,
@@ -68,7 +68,7 @@ For general use, use the `main` branch along with [version 2.11.5 of the CodeQL
 
    For WHCP BRANCHES: Skip this step.
 
-   For MAIN BRANCH use:
+   For MAIN AND DEVELOPMENT BRANCHES use:
 
    ```
     D:\codeql-home\codeql>codeql pack install D:\codeql-home\Windows-Driver-Developer-Supplemental-Tools\src
@@ -77,11 +77,11 @@ For general use, use the `main` branch along with [version 2.11.5 of the CodeQL
 1. Build your CodeQL database:
 
     ```
-    D:\codeql-home\codeql>codeql database create <path to new database> --language=cpp --source=<driver parent directory> --command=<build command or path to build file>
+    D:\codeql-home\codeql>codeql database create <path to new database> --language=cpp --source-root=<driver parent directory> --command=<build command or path to build file>
     ```
-    Single driver example: `codeql database create D:\DriverDatabase --language=cpp --source=D:\Drivers\SingleDriver --command="msbuild /t:rebuild D:\Drivers\SingleDriver\SingleDriver.sln"`
+    Single driver example: `codeql database create D:\DriverDatabase --language=cpp --source-root=D:\Drivers\SingleDriver --command="msbuild /t:rebuild D:\Drivers\SingleDriver\SingleDriver.sln"`
     
-    Multiple drivers example: `codeql database create D:\SampleDriversDatabase --language=cpp --source=D:\AllMyDrivers\SampleDrivers --command=D:\AllMyDrivers\SampleDrivers\BuildAllSampleDrivers.cmd`
+    Multiple drivers example: `codeql database create D:\SampleDriversDatabase --language=cpp --source-root=D:\AllMyDrivers\SampleDrivers --command=D:\AllMyDrivers\SampleDrivers\BuildAllSampleDrivers.cmd`
 
     _(Parameters: path for your new database, language, driver source directory, build command.)_
 

src/codeql-pack.lock.yml

@@ -2,11 +2,19 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/cpp-all:
-    version: 0.4.6
-  codeql/ssa:
-    version: 0.0.7
+    version: 0.10.1
   codeql/cpp-queries:
-    version: 0.4.6
+    version: 0.8.1
+  codeql/dataflow:
+    version: 0.1.1
+  codeql/ssa:
+    version: 0.2.1
   codeql/suite-helpers:
-    version: 0.3.6
+    version: 0.7.1
+  codeql/tutorial:
+    version: 0.2.1
+  codeql/typetracking:
+    version: 0.2.1
+  codeql/util:
+    version: 0.2.1
 compiled: false

src/drivers/general/queries/IrqlNotSaved/IrqlNotSaved.ql

@@ -22,23 +22,8 @@
 
 import cpp
 import drivers.libraries.Irql
-import semmle.code.cpp.dataflow.DataFlow
-import semmle.code.cpp.dataflow.DataFlow2
-
-/**
- * A function that has at least one parameter annotated with "\_IRQL\_save\_".
- */
-class IrqlSaveFunction extends Function {
-  Parameter p;
-  int irqlIndex;
-
-  IrqlSaveFunction() {
-    p = this.getParameter(irqlIndex) and
-    p instanceof IrqlSaveParameter
-  }
-
-  int getIrqlIndex() { result = irqlIndex }
-}
+import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.DataFlow2
 
 /**
  * A data-flow configuration describing flow from an
@@ -55,7 +40,12 @@ class IrqlFlowConfiguration extends DataFlow::Configuration {
   override predicate isSink(DataFlow::Node sink) {
     exists(FunctionCall fc, FundamentalIrqlSaveFunction fisf |
       fc.getTarget() = fisf and
-      sink.asExpr() = fc.getArgument(fisf.getIrqlIndex())
+      (
+        sink.asExpr() =
+          fc.getArgument(fisf.(IrqlSavesGlobalAnnotatedFunction).getIrqlParameterSlot())
+        or
+        sink.asExpr() = fc.getArgument(fisf.(IrqlSavesToParameterFunction).getIrqlParameterSlot())
+      )
     )
   }
 }
@@ -65,17 +55,25 @@ class IrqlFlowConfiguration extends DataFlow::Configuration {
  * by the Windows OS itself.  This is in general in a Windows Kits header.  For
  * extra clarity and internal use, we also list the exact header files.
  */
-class FundamentalIrqlSaveFunction extends IrqlSaveFunction {
+class FundamentalIrqlSaveFunction extends IrqlSavesFunction {
   FundamentalIrqlSaveFunction() {
-    this.getFile().getAbsolutePath().matches("%Windows Kits%.h") or
-    this.getFile()
-        .getBaseName()
-        .matches(["wdm.h", "wdfsync.h", "ntifs.h", "ndis.h", "video.h", "wdfinterrupt.h"])
+    (
+      this.getFile().getAbsolutePath().matches("%Windows Kits%.h")
+      or
+      this.getFile()
+          .getBaseName()
+          .matches(["wdm.h", "wdfsync.h", "ntifs.h", "ndis.h", "video.h", "wdfinterrupt.h"])
+    ) and
+    (
+      this instanceof IrqlSavesToParameterFunction or
+      this instanceof IrqlSavesViaReturnFunction or
+      this instanceof IrqlSavesGlobalAnnotatedFunction
+    )
   }
 }
 
 /**
- * A simple data flow from any IrqlSaveParameter to another variable.
+ * A simple data flow from any IrqlSaveParameter.
  */
 class IrqlSaveParameterFlowConfiguration extends DataFlow2::Configuration {
   IrqlSaveParameterFlowConfiguration() { this = "IrqlSaveParameterFlowConfiguration" }
@@ -84,7 +82,7 @@ class IrqlSaveParameterFlowConfiguration extends DataFlow2::Configuration {
     source.asParameter() instanceof IrqlSaveParameter
   }
 
-  override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof VariableAccess }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof DataFlow::Node }
 }
 
 /**
@@ -97,29 +95,15 @@ class IrqlAssignmentFlowConfiguration extends DataFlow::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source.asExpr() instanceof FunctionCall and
-    source
-        .asExpr()
-        .(FunctionCall)
-        .getTarget()
-        .getName()
-        .matches([
-            "KeRaiseIrqlToDpcLevel", "KfRaiseIrql", "KfAcquireSpinLock",
-            "KeAcquireSpinLockAtDpcLevel", "KeAcquireSpinLock", "KeAcquireSpinLockRaiseToDpc"
-          ])
+    source.asExpr().(FunctionCall).getTarget() instanceof FundamentalIrqlSaveFunction and
+    source.asExpr().(FunctionCall).getTarget() instanceof IrqlSavesViaReturnFunction
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    // Either we're sinking to a direct reference of a parameter, or...
-    sink.asExpr().(VariableAccess).getTarget() instanceof IrqlSaveParameter
-    or
-    // We a dereferenced pointer to the variable.
-    sink.asPartialDefinition()
-        .(PointerDereferenceExpr)
-        .getOperand()
-        .(AddressOfExpr)
-        .getOperand()
-        .(VariableAccess)
-        .getTarget() instanceof IrqlSaveVariableFlowedTo
+    exists(Assignment a |
+      a.getLValue().getAChild*().(VariableAccess).getTarget() instanceof IrqlSaveVariableFlowedTo and
+      a.getRValue() = sink.asExpr()
+    )
   }
 }
 
@@ -132,11 +116,14 @@ class IrqlSaveVariableFlowedTo extends Variable {
 
   IrqlSaveVariableFlowedTo() {
     exists(
-      IrqlSaveParameterFlowConfiguration difca, DataFlow::Node parameter, DataFlow::Node access
+      IrqlSaveParameterFlowConfiguration ispfc, DataFlow::Node parameter, DataFlow::Node assignment
     |
-      access.asExpr().(VariableAccess).getTarget() = this and
+      (
+        this.getAnAssignedValue() = assignment.asExpr() or
+        this = assignment.asParameter()
+      ) and
       parameter.asParameter() = isp and
-      difca.hasFlow(parameter, access)
+      ispfc.hasFlow(parameter, assignment)
     )
     or
     this = isp
@@ -150,26 +137,19 @@ where
   // Exclude OS functions
   not isp.getFunction() instanceof FundamentalIrqlSaveFunction and
   /*
-   * Case one: does the IrqlSaveParameter (or an alias of it) have the IRQL assigned to it
-   * directly by calling, for example, KeRaiseIrql?
+   *     Case one: does the IrqlSaveParameter (or an alias of it) have the IRQL assigned to it
+   *    directly by calling, for example, KeRaiseIrql?
    */
 
   not exists(
-    DataFlow::Node node, IrqlSaveVariableFlowedTo isvft, IrqlAssignmentFlowConfiguration difc
+    DataFlow::Node node, IrqlSaveVariableFlowedTo isvft, IrqlAssignmentFlowConfiguration iafc
   |
     isvft.getSaveParameter() = isp and
-    (
-      node.asExpr().(VariableAccess).getTarget() = isvft
-      or
-      node.asPartialDefinition()
-          .(PointerDereferenceExpr)
-          .getOperand()
-          .(AddressOfExpr)
-          .getOperand()
-          .(VariableAccess)
-          .getTarget() = isvft
+    exists(Assignment a |
+      a.getLValue().getAChild*().(VariableAccess).getTarget() = isvft and
+      a.getRValue() = node.asExpr()
     ) and
-    difc.hasFlow(_, node)
+    iafc.hasFlow(_, node)
   ) and
   // Case two: is the IrqlSaveParameter passed into an OS function that will save a value to it?
   not exists(DataFlow::Node node, IrqlFlowConfiguration ifc |