Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add KeSetEventIrql and KeSetEventPaged queries and update IRQL library. #90

Merged
merged 82 commits into from
Nov 21, 2023
Merged

Add KeSetEventIrql and KeSetEventPaged queries and update IRQL library. #90

merged 82 commits into from
Nov 21, 2023

Conversation

NateD-MSFT
Copy link
Contributor

@NateD-MSFT NateD-MSFT commented Nov 21, 2023
edited by JakobL-MSFT
Loading

This PR adds the following queries:

  • KeSetEventIrql: A query that uses our IRQL library to look for calls to KeSetEvent when the IRQL is too high.
  • KeSetEventPaged: A more focused version of the above that uses our paged code library to look for calls to KeSetEvent in paged segments.

We also make the following updates to our IRQL library:

  • Use = instead of .matches() for string comparisons for perf and correctness reasons
  • Add missing variations of IRQL annotation names
  • Refactor our logic for determining expected entry IRQLs for functions, and take into account paged functions in this analysis
  • Increase caching in Irql.qll
  • Create an IrqlDebug.qll library that provides info on why a given CFN has the exit IRQL it does

Note that because we previously squash merged the IRQL work this was based off of into development, early commits in this PR are redundant. f11a56a2c2 onwards are relevant to this PR.

Checklist for Pull Requests

  • Description is filled out.
  • Only one query or related query group is in this pull request.
  • The version number on changed queries has been increased via the @version comment in the file header.
  • All unit tests have been run: (Test README.md).
  • Commands codeql database create and codeql database analyze have completed successfully.
  • A .qhelp file has been added for any new queries or updated if changes have been made to an existing query.

NateD-MSFT and others added 30 commits March 20, 2023 17:46
@NateD-MSFT
Initial work at IRQL-checking
7c51892
@NateD-MSFT
Significant extra IRQL work.
40d0a8c
@NateD-MSFT
Merge branch 'main' into nated-msft/c28124-c28150
c7e73e9
@NateD-MSFT
Merge pull request #80 from microsoft/development
163198f 
RI of development branch to main.
@NateD-MSFT
Merge branch 'development' into nated-msft/c28124-c28150
a79ab5b
@NateD-MSFT
In-progress work
8f96a77
@NateD-MSFT
More puttering around with IRQL
7479c24
@NateD-MSFT
Update to CodeQL 2.14.4
9d96c89 
Update cpp-all to 0.9.2, cpp-queries to 0.7.4
@NateD-MSFT
Merge branch 'nated-msft/codeql-2144-update' into nated-msft/c28124-c…
24dc7df 
…28150
@NateD-MSFT
Commit more IRQL code. Needs cleanup.
1cbca7e
@NateD-MSFT
Some cleanup and minor fixes to entry IRQL evaluation.
564d095
@NateD-MSFT
Replace old Irql high/low checks with new version and update library.
6861e39 
Still needs cleanup.
@NateD-MSFT
Irql.qll cleanup
80a70de
@NateD-MSFT
Get rid of old prototype version of IrqlTooLow
ebb570d
@NateD-MSFT
Update README.md
ee4b80c
@NateD-MSFT
Merge branch 'nated-msft/codeql-2144-update' into nated-msft/c28124-c…
890e8e6 
…28150
@NateD-MSFT
Clean up file names
e1ddb6a
@NateD-MSFT
Clean up queries.
6dd4a61
@NateD-MSFT
Update test script for IRQL queries.
c9dc15e
@NateD-MSFT
Update build-codeql.yaml
d964175 
Signed-off-by: NateD-MSFT <34494373+NateD-MSFT@users.noreply.github.com>
@NateD-MSFT
Update ported_driver_ca_checks.qls
9aaa8ff
@NateD-MSFT
Merge branch 'nated-msft/codeql-2144-update' into nated-msft/c28120-c…
5d5adaa 
…28121
@NateD-MSFT
Add IrqlSetTooHigh/IrqlSetTooLow queries.
bb06b89
@NateD-MSFT
Bugfix for IrqlTooHigh/IrqlTooLow
4842fd4 
The changes to Irql.qll needed for IrqlSetTooHigh, etc. means we are more likely to see IRQL evaluations that return -1.  Update queries to exclude those numbers.
@NateD-MSFT
Fix test issues for several IRQL checks.
d27b6cd
@jacob-ronstadt
WIP unit tests for IrqlSetTooHigh and IrqlSetTooLow queries
23ec263
@jacob-ronstadt
WIP unit tests for IrqlSetTooHigh and IrqlSetTooLow queries
b8256c9
@jacob-ronstadt
WIP more tests and comments
ed5d9d5
@jacob-ronstadt
bug fixes
48a157a
@jacob-ronstadt
WIP updates to tests
671cd9c
jacob-ronstadt and others added 24 commits October 20, 2023 12:39
@jacob-ronstadt @NateD-MSFT
Update src/drivers/general/queries/experimental/IrqlSetTooHigh/driver…
5d1f42e 
…_snippet.c

Co-authored-by: NateD-MSFT <34494373+NateD-MSFT@users.noreply.github.com>
Signed-off-by: Jacob Ronstadt <147542405+jacob-ronstadt@users.noreply.github.com>
@jacob-ronstadt @NateD-MSFT
Update src/drivers/general/queries/experimental/IrqlSetTooHigh/driver…
b43719f 
…_snippet.c

Co-authored-by: NateD-MSFT <34494373+NateD-MSFT@users.noreply.github.com>
Signed-off-by: Jacob Ronstadt <147542405+jacob-ronstadt@users.noreply.github.com>
@jacob-ronstadt @NateD-MSFT
Update src/drivers/general/queries/experimental/IrqlSetTooHigh/driver…
1d52536 
…_snippet.c

Co-authored-by: NateD-MSFT <34494373+NateD-MSFT@users.noreply.github.com>
Signed-off-by: Jacob Ronstadt <147542405+jacob-ronstadt@users.noreply.github.com>
@jacob-ronstadt @NateD-MSFT
Update src/drivers/general/queries/experimental/IrqlSetTooHigh/driver…
6f065ac 
…_snippet.c

Co-authored-by: NateD-MSFT <34494373+NateD-MSFT@users.noreply.github.com>
Signed-off-by: Jacob Ronstadt <147542405+jacob-ronstadt@users.noreply.github.com>
@jacob-ronstadt
Merge pull request #86 from microsoft/jacob-ronstadt/IrqlSet_tests
be14ce4 
Add tests for IrqlSetTooLow and IrqlSetTooHigh
@jacob-ronstadt
Merge branch 'nated-msft/c28124-c28150' into jacob-ronstadt/KeSetEvent
bf0c3bd
@jacob-ronstadt
WIP: query to find improper use of KeSetEvent
e4b2d30
@jacob-ronstadt
WIP: query to find improper use of KeSetEvent
2e9837c
@NateD-MSFT
Fix IrqlNotSaved with the new library.
079028b
@NateD-MSFT
Update InitNotUsed with new DataFlow and a fix.
51234e2 
Removes a false positive in our unit tests.
@NateD-MSFT
Merge branch 'development' into nated-msft/c28124-c28150
c693c14
@NateD-MSFT
Update ported_driver_ca_checks.qls
47edb0e
@jacob-ronstadt @NateD-MSFT
WIP: query to find improper use of KeSetEvent
f11a56a
@jacob-ronstadt @NateD-MSFT
WIP: query to find improper use of KeSetEvent
1b67db6
@NateD-MSFT
Merge branch 'jacob-ronstadt/KeSetEvent' of https://github.com/micros…
dfb3191 
…oft/Windows-Driver-Developer-Supplemental-Tools into jacob-ronstadt/KeSetEvent
@NateD-MSFT
Merge branch 'development' into jacob-ronstadt/KeSetEvent
586abc7
@NateD-MSFT
Merge branch 'development' into jacob-ronstadt/KeSetEvent
caf7da4
@NateD-MSFT
Merge branch 'development' into jacob-ronstadt/KeSetEvent
223c7a2
@NateD-MSFT
Refactor KeSetEvent query to run significantly faster.
234ee9b
@NateD-MSFT
Create KeSetEventIrql and KeSetEventPaged queries.
e36c9a2 
Also make various updates + fixes to the IRQL model.
@NateD-MSFT
Fix typo in debug library.
d5ef12a
@NateD-MSFT
Improve string matching for IRQL
a2269f7 
The previous .matches() clauses were using "_" as wildcards rather than as literal underscores.  While this didn't affect our results directly because of other restrictions we provide, it had some performance penalty.  Rather than try and escape all the underscores (which would require lots of ugly double backslashes) we just switch to the = syntax where possible, which is similarly performant.
@NateD-MSFT
Remove test predicate left in by accident.
8904aa7
@NateD-MSFT
Cleanup imports and move KeSetEventPaged out of experimental
0c0aeb4
@NateD-MSFT NateD-MSFT merged commit c4bf4f8 into development Nov 21, 2023
2 checks passed
@NateD-MSFT NateD-MSFT mentioned this pull request Nov 21, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JakobL-MSFT JakobL-MSFT JakobL-MSFT approved these changes

@jacob-ronstadt jacob-ronstadt Awaiting requested review from jacob-ronstadt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@NateD-MSFT @JakobL-MSFT @jacob-ronstadt