Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Irql.qll updates to expand ability to detect function IRQL requirements #153

Merged
merged 17 commits into from
Jan 6, 2025

Conversation

jacob-ronstadt
Copy link
Contributor

@jacob-ronstadt jacob-ronstadt commented Oct 3, 2024

  1. A function can be annotated with multiple When annotations that conditionally apply an IRQL annotation. For example, KeSetEvent has these annotations:

When(Wait==0, IRQL_requires_max(DISPATCH_LEVEL))
When(Wait==1, IRQL_requires_max(APC_LEVEL))
When(Wait==1, __drv_reportError("...")

The current Irql library did see any IRQL annotations for this. Updating the library so that it can parse When annotations for IRQL annotations.

  1. Some functions are not properly annotated, but are used in a way that implies an IRQL requirement. Detection of these functions added to the IRQL library so that IRQL requirements for functions that are not annotated can be tracked by looking at the functions implicit role type based on how it's used.

Checklist for Pull Requests

  • Description is filled out.
  • Only one query or related query group is in this pull request.
  • The version number on changed queries has been increased via the @version comment in the file header.
  • All unit tests have been run: (Test README.md).
  • Commands codeql database create and codeql database analyze have completed successfully.
  • A .qhelp file has been added for any new queries or updated if changes have been made to an existing query.

jacob-ronstadt and others added 3 commits October 3, 2024 09:46
Signed-off-by: Jacob Ronstadt <[email protected]>
…not annotated can be tracked by looking at the the functions implicit role type based on how it's used
@jacob-ronstadt jacob-ronstadt changed the title Irql.qll updates to include conditional SAL annotations for IRQLs Irql.qll updates to expand ability to detect function IRQL requirements Oct 4, 2024
@jacob-ronstadt jacob-ronstadt merged commit 3ef295d into development Jan 6, 2025
7 checks passed
@jacob-ronstadt jacob-ronstadt deleted the jacob-ronstadt/irql_updates branch January 6, 2025 20:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant