Overhaul IRQL library and IRQLTooHigh/IRQLTooLowChecks. (#83)

* Initial work at IRQL-checking * Significant extra IRQL work. * In-progress work * More puttering around with IRQL * Update to CodeQL 2.14.4 Update cpp-all to 0.9.2, cpp-queries to 0.7.4 * Commit more IRQL code. Needs cleanup. * Some cleanup and minor fixes to entry IRQL evaluation. * Replace old Irql high/low checks with new version and update library. Still needs cleanup. * Irql.qll cleanup * Get rid of old prototype version of IrqlTooLow * Update README.md * Clean up file names * Clean up queries. * Update test script for IRQL queries. * Update build-codeql.yaml Signed-off-by: NateD-MSFT <34494373+NateD-MSFT@users.noreply.github.com> * Update ported_driver_ca_checks.qls * Test script fixes for IrqlTooHigh/IrqlTooLow --------- Signed-off-by: NateD-MSFT <34494373+NateD-MSFT@users.noreply.github.com>
microsoft · Oct 20, 2023 · 1093495 · 1093495
1 parent b1cc585
commit 1093495
Show file tree

Hide file tree

Showing 19 changed files with 1,344 additions and 427 deletions.
diff --git a/.../experimental/IrqTooHigh/IrqTooHigh.qhelp → ...xperimental/IrqlTooHigh/IrqlTooHigh.qhelp b/.../experimental/IrqTooHigh/IrqTooHigh.qhelp → ...xperimental/IrqlTooHigh/IrqlTooHigh.qhelp
@@ -7,7 +7,7 @@
 	</overview>
 	<recommendation>
 		<p>
-			The driver is executing at an IRQL that is too high for the function that it is calling. Consult the WDK documentation for the function and verify the IRQL at which the function can be called.
+			The driver is executing at an IRQL that is too high for the function that it is calling. Consult the WDK documentation for the function and verify the IRQL at which the function can be called.  If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.
 		</p>
 	</recommendation>
 	<example>

diff --git a/src/drivers/general/queries/experimental/IrqlTooHigh/IrqlTooHigh.ql b/src/drivers/general/queries/experimental/IrqlTooHigh/IrqlTooHigh.ql
@@ -0,0 +1,40 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * @id cpp/drivers/irql-too-high
+ * @name IRQL too high (C28120)
+ * @description A function annotated with IRQL requirements was called at an IRQL too high for the requirements.
+ * @platform Desktop
+ * @security.severity Low
+ * @feature.area Multiple
+ * @impact Exploitable Design
+ * @repro.text The following function call is taking place at an IRQL too high for what the call target is annotated as.
+ * @owner.email sdat@microsoft.com
+ * @opaqueid CQLD-C28120
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       wddst
+ * @scope domainspecific
+ * @query-version v2
+ */
+
+import cpp
+import drivers.libraries.Irql
+
+from FunctionCall call, IrqlRestrictsFunction irqlFunc, ControlFlowNode prior, int irqlRequirement
+where
+  call.getTarget() = irqlFunc and
+  prior = call.getAPredecessor() and
+  (
+    irqlFunc.(IrqlMaxAnnotatedFunction).getIrqlLevel() = irqlRequirement
+    or
+    irqlFunc.(IrqlRequiresAnnotatedFunction).getIrqlLevel() = irqlRequirement
+  ) and
+  irqlRequirement < min(getPotentialExitIrqlAtCfn(prior))
+select call,
+  "$@: IRQL potentially too high at call to $@.  Maximum IRQL for this call: " + irqlRequirement +
+    ", IRQL at preceding node: " + min(getPotentialExitIrqlAtCfn(prior)),
+  call.getControlFlowScope(), call.getControlFlowScope().getQualifiedName(), call,
+  call.getTarget().toString()