/**
* @name kzalloc only
* @description If a call to `copy_from_user` is preceded by a `kzalloc` of the
* same size, the copy cannot overflow the buffer. To demonstrate, find only those results.
*/
import cpp
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import semmle.code.cpp.dataflow.DataFlow
// Let's see if we can detect this pattern:
//
// ```
// buf = kzalloc(size, GFP_KERNEL);
// ...
// copy_from_user(buf, usrptr, size);
// ```
//
// In the next query, we'll use `safe_malloc` to filter those
// calls out, because they are safe.
/**
 * Holds when `allocCall` is a call to `kzalloc` whose result flows, within the
 * same function, into the destination (first) argument of `copy_from_user`, and
 * the requested allocation size has the same global value number as the copy
 * length (third argument of `copy_from_user`).
 *
 * Because `DataFlow::localFlow` is intra-procedural, an allocation performed in
 * a different function than the copy is never matched. Calls are recognised by
 * callee name only, so calls through function pointers or wrapper functions
 * with other names are not considered.
 */
predicate safe_malloc(FunctionCall allocCall, FunctionCall copy_from_user) {
  // The two ends of the pattern are identified purely by callee name.
  allocCall.getTarget().hasName("kzalloc") and
  copy_from_user.getTarget().hasName("copy_from_user") and
  // The copy length must be the same value that was handed to the allocator.
  globalValueNumber(copy_from_user.getArgument(2)) =
    globalValueNumber(allocCall.getArgument(0)) and
  // The allocated pointer must reach the destination buffer of the copy.
  exists(DataFlow::Node allocResult, DataFlow::Node destBuf |
    allocResult.asExpr() = allocCall and
    destBuf.asExpr() = copy_from_user.getArgument(0) and
    DataFlow::localFlow(allocResult, destBuf)
  )
}
// Report every (allocation, copy) pair accepted by `safe_malloc`. Both result
// columns are the calls themselves, so each hit can be navigated to directly.
from FunctionCall alloc, FunctionCall copy
where safe_malloc(alloc, copy)
select alloc, copy