Replies: 2 comments 3 replies
-
|
Are you asking about analysing a user-mode codebase together with the kernel, or just about identifying inputs (data passed into a syscall, or copied from user memory, or otherwise passed into the kernel by a user-mode application?) |
Beta Was this translation helpful? Give feedback.
-
|
I am asking about data passed into the kernel. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @shahar99s 👋. Do you have an example of a bug you're trying to identify? |
Beta Was this translation helpful? Give feedback.
-
|
In general, I want to create a codeql query that given an API (e.g. syscalls), it can find a flow of API calls (= arbitrary code that uses the API) that triggers a given case. Specifically, I am looking for a UAF kernel bug caused by a freed pointer that was forgotten to be nulled after being freed. int foo(char* buf)
{
...
free(buf);
buf = NULL;
}
int bar(char* buf)
{
...
free(buf);
}In |
Beta Was this translation helpful? Give feedback.
-
|
I see. Thanks for clarifying! You'll likely want to use our dataflow library for this task. We have no concept of user-mode/kernel-mode code in CodeQL, so you'll have to model that yourself. As a quick protype you could pick any |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
First of all, I am a codeql beginner, so sorry if I ask something unclear or even stupid.
I am trying to detect kernel bugs using codeql where the bug is triggered by some syscalls that lead to the bug in the kernel.
I have searched for an article about data flows that identify a kernel bug, caused by a tainted user mode code, but I haven't find anything.
Does a data flow from user to kernel requires a special treat? If so, how is it done?
Beta Was this translation helpful? Give feedback.
All reactions