[edk2-devel] [PATCH v4 00/12] Enable New CodeQL Queries
Michael Kubacki
mikuback at linux.microsoft.com
Fri Mar 10 18:42:26 UTC 2023
From: Michael Kubacki <michael.kubacki at microsoft.com>

Adds queries for the following:

  1. cpp/conditionallyuninitializedvariable
  2. cpp/pointer-overflow-check
  3. cpp/overrunning-write
  4. cpp/overrunning-write-with-float
  5. cpp/very-likely-overrunning-write

These check for vulnerabilities with the following CWEs:

  - https://cwe.mitre.org/data/definitions/120.html
  - https://cwe.mitre.org/data/definitions/457.html
  - https://cwe.mitre.org/data/definitions/676.html
  - https://cwe.mitre.org/data/definitions/758.html
  - https://cwe.mitre.org/data/definitions/787.html
  - https://cwe.mitre.org/data/definitions/805.html

The first part of this patch series contains fixes for CodeQL alerts
across various packages that are produced by the new queries being
enabled.

The second part updates the CodeQL queries.

Note: The changes are currently in the following pull request
https://github.com/tianocore/edk2/pull/4133

NetworkPkg and UefiCpuPkg patches still need a R-b.

v4 series changes:

  1. Simplify conditional logic in Patch 1 per Michael Brown's
     suggestion.

v3 series changes:

  1. Rebased series onto 93a21b4 (current edk2/master)
  2. Added v2 Rb tags

V2 series changes:

  1. MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c
     - Applied SafeUintnAdd() to both variables in the comparison
       in ParseAndAddExistingSmbiosTable()
     Addresses feedback from: Mike Kinney

  2. CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
     - Changes:
         if (!(Inf & 0x80) && (Asn1Tag != V_ASN1_SEQUENCE)) {
       To:
         if (((Inf & 0x80) == 0x00) && (Asn1Tag != V_ASN1_SEQUENCE)) {
     Addresses feedback from: Mike Kinney

  3. MdePkg/Library/BaseLib/String.c
     - Removes: #include <Uefi/UefiBaseType.h>
     - Changes conditional style in changes to if statement from
       ternary for changes made throughout the file
     - Updates commit message to describe change in return value
     Addresses feedback from: Mike Kinney

  4. NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c
     - Changes:
         if (!EFI_ERROR (Status) && (Data > HTTP_URI_PORT_MAX_NUM)) {
           Status = EFI_INVALID_PARAMETER;
           goto ON_EXIT;
         }
       To:
         if (EFI_ERROR (Status) || (Data > HTTP_URI_PORT_MAX_NUM)) {
           Status = EFI_INVALID_PARAMETER;
           goto ON_EXIT;
         }
     Addresses feedback from: Mike Kinney

  5. ShellPkg/Application/Shell/Shell.c
     - Initializes CalleeStatus to EFI_SUCCESS in DoStartupScript()
     - Restores original if statement logic in DoStartupScript()
     Addresses feedback from: Zhichao Gao

  6. ShellPkg/Application/Shell/ShellProtocol.c
     - Adds additional check for return value from
       PARSE_HANDLE_DATABASE_UEFI_DRIVERS() in EfiShellGetDeviceName()
     Addresses feedback from: Zhichao Gao

  7. Includes up-to-date R-b tags
---
Cc: Bob Feng <bob.c.feng at intel.com>
Cc: Dandan Bi <dandan.bi at intel.com>
Cc: Eric Dong <eric.dong at intel.com>
Cc: Erich McMillan <emcmillan at microsoft.com>
Cc: Guomin Jiang <guomin.jiang at intel.com>
Cc: Jian J Wang <jian.j.wang at intel.com>
Cc: Jiaxin Wu <jiaxin.wu at intel.com>
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Liming Gao <gaoliming at byosoft.com.cn>
Cc: Maciej Rabeda <maciej.rabeda at linux.intel.com>
Cc: Michael Brown <mcb30 at ipxe.org>
Cc: Michael D Kinney <michael.d.kinney at intel.com>
Cc: Michael Kubacki <mikuback at linux.microsoft.com>
Cc: Rahul Kumar <rahul1.kumar at intel.com>
Cc: Ray Ni <ray.ni at intel.com>
Cc: Sean Brogan <sean.brogan at microsoft.com>
Cc: Siyuan Fu <siyuan.fu at intel.com>
Cc: Star Zeng <star.zeng at intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu at intel.com>
Cc: Yuwei Chen <yuwei.chen at intel.com>
Cc: Zhichao Gao <zhichao.gao at intel.com>
Cc: Zhiguang Liu <zhiguang.liu at intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki at microsoft.com>
Erich McMillan (1):
MdeModulePkg/SmbiosDxe: Fix pointer and buffer overflow CodeQL alerts
Michael Kubacki (11):
BaseTools/PatchCheck.py: Add PCCTS to tab exemption list
BaseTools/VfrCompile: Fix potential buffer overwrites
CryptoPkg: Fix conditionally uninitialized variable
MdeModulePkg: Fix conditionally uninitialized variables
MdePkg: Fix conditionally uninitialized variables
NetworkPkg: Fix conditionally uninitialized variables
PcAtChipsetPkg: Fix conditionally uninitialized variables
ShellPkg: Fix conditionally uninitialized variables
UefiCpuPkg: Fix conditionally uninitialized variables
.github/codeql/edk2.qls: Enable CWE 457, 676, and 758 queries
.github/codeql/edk2.qls: Enable CWE 120, 787, and 805 queries
BaseTools/Source/C/VfrCompile/Pccts/antlr/gen.c | 10 ++--
BaseTools/Source/C/VfrCompile/Pccts/antlr/main.c | 4 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 21 ++++---
MdeModulePkg/Bus/Pci/PciBusDxe/PciIo.c | 5 +-
MdeModulePkg/Bus/Pci/UhciDxe/Uhci.c | 24 +++++---
MdeModulePkg/Core/Dxe/Mem/Page.c | 17 +++---
MdeModulePkg/Library/BootMaintenanceManagerUiLib/BootOption.c | 25 ++++----
MdeModulePkg/Library/FileExplorerLib/FileExplorer.c | 5 +-
MdeModulePkg/Universal/BdsDxe/BdsEntry.c | 33 ++++++-----
MdeModulePkg/Universal/DisplayEngineDxe/ProcessOptions.c | 11 ++--
MdeModulePkg/Universal/HiiDatabaseDxe/Font.c | 14 +++--
MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.c | 8 +--
MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2 +-
MdePkg/Library/BaseLib/String.c | 40 ++++++++++---
NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c | 2 +-
NetworkPkg/TcpDxe/TcpInput.c | 3 +
PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcRtc.c | 9 ++-
ShellPkg/Application/Shell/Shell.c | 1 +
ShellPkg/Application/Shell/ShellProtocol.c | 60 ++++++++++----------
ShellPkg/Library/UefiShellCommandLib/UefiShellCommandLib.c | 56 +++++++++---------
ShellPkg/Library/UefiShellDebug1CommandsLib/Dblk.c | 18 +++---
ShellPkg/Library/UefiShellDebug1CommandsLib/EfiDecompress.c | 9 ++-
ShellPkg/Library/UefiShellDriver1CommandsLib/Connect.c | 14 +++--
ShellPkg/Library/UefiShellDriver1CommandsLib/Disconnect.c | 17 ++++--
ShellPkg/Library/UefiShellDriver1CommandsLib/DrvDiag.c | 21 +++----
UefiCpuPkg/CpuMpPei/CpuBist.c | 8 ++-
UefiCpuPkg/CpuMpPei/CpuMpPei.c | 8 ++-
UefiCpuPkg/CpuMpPei/CpuPaging.c | 9 ++-
.github/codeql/edk2.qls | 10 ++++
BaseTools/Scripts/PatchCheck.py | 4 +-
30 files changed, 285 insertions(+), 183 deletions(-)
--
2.39.2.windows.1
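
The two conditions quoted for NetworkPkg/Library/DxeHttpLib/DxeHttpLib.c in the V2 changelog, as an added example that is not edk2 code and not part of the patch series: it shows why the `||` form closes a conditionally-uninitialized-variable alert while the `&&` form does not. Assumptions: the types, macros, `parse_decimal()`, `get_port()` and `port_left_by()` are constructed stand-ins, the parser writes `Data` only on success, the line that consumes `Data` after the `if` is assumed, and `stale` models the indeterminate value of an uninitialized local.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for the EFI types and macros; not edk2 definitions. */
typedef int STATUS;
#define ST_SUCCESS           0
#define ST_INVALID_PARAMETER 2
#define IS_ERROR(s)          ((s) != ST_SUCCESS)
#define PORT_MAX             65535u /* assumed value of HTTP_URI_PORT_MAX_NUM */

/* Hypothetical checked parser: *Data is written only on success. */
static STATUS parse_decimal(const char *s, size_t *Data) {
  char *end;
  unsigned long v;
  if (s == NULL || *s < '0' || *s > '9') return ST_INVALID_PARAMETER;
  errno = 0;
  v = strtoul(s, &end, 10);
  if (errno != 0 || *end != '\0') return ST_INVALID_PARAMETER;
  *Data = (size_t)v;
  return ST_SUCCESS;
}

/* use_fixed == 0: the "Changes:" condition; 1: the "To:" condition.
   `stale` models the indeterminate contents of an uninitialized Data. */
STATUS get_port(int use_fixed, const char *s, size_t stale, uint16_t *Port) {
  size_t Data = stale;
  STATUS Status = parse_decimal(s, &Data);
  int reject = use_fixed ? (IS_ERROR(Status) || (Data > PORT_MAX))
                         : (!IS_ERROR(Status) && (Data > PORT_MAX));
  if (reject) return ST_INVALID_PARAMETER;
  *Port = (uint16_t)Data; /* assumed continuation: Data is consumed here */
  return Status;
}

/* Port value left behind (preset to 0) after one call with stale = 4660. */
unsigned port_left_by(int use_fixed, const char *s) {
  uint16_t Port = 0;
  (void)get_port(use_fixed, s, 4660, &Port);
  return Port;
}

int main(void) {
  /* Failed parse: the old condition lets the stale value through. */
  return (port_left_by(0, "abc") == 4660 && port_left_by(1, "abc") == 0) ? 0 : 1;
}
```

Both forms behave identically on well-formed input; they differ only when the parser fails and `Data` was never written.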