diff --git a/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/01_find_data_input.ql b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/01_find_data_input.ql
new file mode 100644
index 0000000..a0dec3d
--- /dev/null
+++ b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/01_find_data_input.ql
@@ -0,0 +1,15 @@
+import cpp
+
+class ReadFunctionCall extends FunctionCall {
+ ReadFunctionCall() {
+ this.getTarget().getName() = "pread" or
+ this.getTarget().getName() = "read" or
+ this.getTarget().getName() = "readv" or
+ this.getTarget().getName() = "recvfrom" or
+ this.getTarget().getName() = "recvmsg" or
+ this.getTarget().getName() = "recv"
+ }
+}
+
+from ReadFunctionCall call
+select call.getFile(), call.getEnclosingFunction(), call
diff --git a/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/02_find_data_pointer_usage.ql b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/02_find_data_pointer_usage.ql
new file mode 100644
index 0000000..711a4dd
--- /dev/null
+++ b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/02_find_data_pointer_usage.ql
@@ -0,0 +1,16 @@
+import cpp
+
+class RawMessageFieldAccess extends FieldAccess {
+ RawMessageFieldAccess() {
+ this.getTarget().getName() = "pszRawMsg"
+ }
+}
+
+class RawMsgAccessFunction extends Function {
+ RawMsgAccessFunction() {
+ any(RawMessageFieldAccess access).getEnclosingFunction() = this
+ }
+}
+
+from RawMsgAccessFunction access
+select access.getFile(), access
\ No newline at end of file
diff --git a/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/03_find_data_pointer_usage_extended.ql b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/03_find_data_pointer_usage_extended.ql
new file mode 100644
index 0000000..e7b4077
--- /dev/null
+++ b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/03_find_data_pointer_usage_extended.ql
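Review bot: `ReadFunctionCall` matches calls by bare name, so any project function that happens to be called `read` or `recv` (a static wrapper, for instance) is reported next to the libc calls the query is after; `this.getTarget().hasGlobalName(...)` would restrict the match to global declarations if that is the intent. The six repeated `this.getTarget().getName() = ...` disjuncts can be written as one set-literal test, `this.getTarget().getName() = ["pread", "read", "readv", "recvfrom", "recvmsg", "recv"]`; the same applies to the two-name disjunctions in 03_find_data_pointer_usage_extended.ql and 04_find_parsers.ql. A one-line QLDoc above the class, e.g. `/** A call to a libc read/receive primitive: the point where data from outside enters the process. */`, would tell a reader which step of the blog post this query implements.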
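Review bot: In the `from`/`select` clause the variable `access` is a `RawMsgAccessFunction`, i.e. a function, while the characteristic predicate above uses `access` for the `FieldAccess`; naming it `fn` (`from RawMsgAccessFunction fn` / `select fn.getFile(), fn`) avoids reading a function as an access. `RawMessageFieldAccess` also keys on the field name alone, so a field called `pszRawMsg` in any other struct would match too; if that matters, add the declaring type via `this.getTarget().getDeclaringType().hasName(...)` with the message struct's name. The file is committed without a trailing newline (see the `\ No newline at end of file` marker), as are 03 and 04.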
@@ -0,0 +1,24 @@
+import cpp
+
+class RawMessageFieldAccess extends FieldAccess {
+ RawMessageFieldAccess() {
+ this.getTarget().getName() = "pszRawMsg"
+ }
+}
+
+class RawMsgAccessFunction extends Function {
+ RawMsgAccessFunction() {
+ any(RawMessageFieldAccess access).getEnclosingFunction() = this
+ or
+ exists(
+ FunctionCall call |
+ call.getEnclosingFunction() = this and (
+ call.getTarget().getName() = "getMSG" or
+ call.getTarget().getName() = "getRawMsg"
+ )
+ )
+ }
+}
+
+from RawMsgAccessFunction access
+select access.getFile(), access
\ No newline at end of file
diff --git a/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/04_find_parsers.ql b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/04_find_parsers.ql
new file mode 100644
index 0000000..b4d7018
--- /dev/null
+++ b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/04_find_parsers.ql
@@ -0,0 +1,11 @@
+import cpp
+
+class ParseFunction extends Function {
+ ParseFunction() {
+ this.getName() = "parse" or
+ this.getName() = "parse2"
+ }
+}
+
+from ParseFunction parse
+select parse.getFile(), parse
\ No newline at end of file
diff --git a/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/05_find_tainted_iterations.ql b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/05_find_tainted_iterations.ql
new file mode 100644
index 0000000..da5e577
--- /dev/null
+++ b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/05_find_tainted_iterations.ql
@@ -0,0 +1,16 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.TaintTracking
+
+class RawMessageFieldAccess extends FieldAccess {
+ RawMessageFieldAccess() {
+ this.getTarget().getName() = "pszRawMsg"
+ }
+}
+
+from DataFlow::Node source, DataFlow::Node sink, RawMessageFieldAccess access, WhileStmt loop
+where
+ TaintTracking::localTaint(source, sink) and
+ source.asExpr() = access and
+ sink.asExpr() = loop.getCondition().getAChild*()
+select "Loop iterates data from:", source, sink
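Review bot: `RawMessageFieldAccess` is copied verbatim from 02_find_data_pointer_usage.ql and again into 05_find_tainted_iterations.ql, and `RawMsgAccessFunction` here extends the version in 02; moving both classes into one shared library file (e.g. a `RawMsg.qll` — name constructed for illustration) that each query imports keeps the copies from drifting as the accessor list grows. Within the new `exists`, the two name comparisons on `call.getTarget()` can be one set-literal test, and a short comment on why `getMSG`/`getRawMsg` count as raw-message access (presumably they are the accessors that hand out `pszRawMsg` — worth stating) would help readers who have not read the blog post.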
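Review bot: `ParseFunction` documents nothing about why the bare names `parse` and `parse2` identify rsyslog's data parsers, so a reader of this query alone cannot tell whether a function named `parse` elsewhere in the database is a false positive. A QLDoc comment above the class, along the lines of `/** A function named parse or parse2 — presumably the entry points of rsyslog parser modules; confirm against the module interface. */`, would record that assumption. If only the module entry points are intended, pinning them by file or by signature rather than by name alone would cut the noise.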
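Review bot: `WhileStmt loop` in the `from` clause limits the sink to `while` conditions, so a `for` or `do … while` loop whose condition is driven by the same tainted data is never reported; the library's `Loop` class has the same `getCondition()` and covers all of them, so `Loop loop` is the one-word fix. `RawMessageFieldAccess access` exists only to constrain `source`, and `source.asExpr() instanceof RawMessageFieldAccess` does the same without the extra variable. Since `TaintTracking::localTaint` is intraprocedural, a tainted pointer that reaches a loop in another function through a parameter is not found either; a comment saying this is deliberate for the exploration step would stop an empty result being read as "no tainted loops".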
diff --git a/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/README.md b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/README.md
new file mode 100644
index 0000000..4c853f4
--- /dev/null
+++ b/CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/README.md
@@ -0,0 +1,9 @@
+# Bug Hunting with CodeQL, an rsyslog Case Study
+
+This repo contains the CodeQL queries used in the [Bug Hunting with CodeQL, an rsyslog Case Study](https://securitylab.github.com/research/bug-hunting-codeql-rsyslog) blog post.
+
+- [Discovering program input](01_find_data_input.ql)
+- [Data flow exploration](02_find_data_pointer_usage.ql)
+- [Data flow exploration (extended)](03_find_data_pointer_usage_extended.ql)
+- [Finding data parsers](04_find_parsers.ql)
+- [Finding tainted loops](05_find_tainted_iterations.ql)