From nobody Mon Sep 16 19:39:44 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+101836+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+101836+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=linux.microsoft.com ARC-Seal: i=1; a=rsa-sha256; t=1679691019; cv=none; d=zohomail.com; s=zohoarc; b=OPsOtN5v9YhytgARPCfjnTpGXg0Yj+BsWITzwXipWgE1gEhCVi7FafXxLkbqQ7MVphQ7jwqtqUrpOXe6clL5CPgJ0DDZcg0lGFP/hvCqsII1EAk+XQQPMZ3oJUdih+KZPQuvuQY7pgGd8kMtypBNDysTT1/L3YkP5S8395lAmWA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1679691019; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=lgFuWTyUg1jwcNOvgAxNZH7eDWa+djX7KREMKle+rlU=; b=nf9wzI/yJzbUGZELfyN6UqxQ0SAxlzVwA2XGKuwikyhmbcKVkFzrRJ5/pia3qfqJDhqrHhxk7SZ0iMFWgJ6LSO9RviJd0I0IvTnDYNCJU/8FDkHEvLyACJ0xX/3cYGt/smAn35kB3+Ijg4byQ40QQtnwUQfPiMXQuvn8BP9zLCM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+101836+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1679691019612665.2532204141337; Fri, 24 Mar 2023 13:50:19 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id ur53YY1788612xu5g8w1jC3T; Fri, 24 Mar 2023 13:50:19 -0700 X-Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by mx.groups.io with SMTP id smtpd.web10.8342.1679691016690080771 for ; Fri, 24 Mar 2023 13:50:16 -0700 X-Received: from localhost.localdomain (unknown [47.201.8.94]) by linux.microsoft.com (Postfix) with ESMTPSA id C668520FC455; Fri, 24 Mar 2023 13:50:15 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com C668520FC455 From: "Michael Kubacki" To: devel@edk2.groups.io Cc: Sean Brogan , Michael Kubacki , Michael D Kinney Subject: [edk2-devel] [PATCH v6 12/12] .github/codeql/edk2.qls: Enable CWE 120, 787, and 805 queries Date: Fri, 24 Mar 2023 16:48:38 -0400 Message-Id: <20230324204838.1485-13-mikuback@linux.microsoft.com> In-Reply-To: <20230324204838.1485-1-mikuback@linux.microsoft.com> References: <20230324204838.1485-1-mikuback@linux.microsoft.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,mikuback@linux.microsoft.com X-Gm-Message-State: h3ncU9zhEe22EHzeMKSrP9uCx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1679691019; bh=kSen3wqS6JJWSJBmNelpOAp7/eOJ3HnZGARNwWZC3VY=; h=Cc:Date:From:Reply-To:Subject:To; b=ANhodw8+7OEd1TWv361v1Fm+HpIjCJDl3Vbk0Z2KwPwCnYhC9YWlsXoUpssnGrQ+byS VgqyQO8rB7fj0ugCWR44QY2pLbnRQUsMzGDPiWs4kS79mXX+iw4BBDozTWUryC2MgafG2 xrV68YWXnjiKq7TifQGmFarOmMPyMraGtpo= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1679691021677100005 Content-Type: text/plain; charset="utf-8" From: Michael Kubacki As recommended by CodeQL this change replaces cpp/potential-buffer-overflow with cpp/overrunning-write-with-float and cpp/overrunning-write. Enables: 1. cpp/overrunning-write - @name Likely overrunning write - @description Buffer write operations that do not control the length data written may overflow - @kind problem - @problem.severity error - @security-severity 9.3 - @precision high - @id cpp/very-likely-overrunning-write - @tags reliability - security - external/cwe/cwe-120 - external/cwe/cwe-787 - external/cwe/cwe-805 2. cpp/overrunning-write-with-float - @name Potentially overrunning write with float to string conversion - @description Buffer write operations that do not control the length of data written may overflow when floating point inputs take extreme values. - @kind problem - @problem.severity error - @security-severity 9.3 - @precision medium - @id cpp/overrunning-write-with-float - @tags reliability - security - external/cwe/cwe-120 - external/cwe/cwe-787 - external/cwe/cwe-805 3. cpp/very-likely-overrunning-write - @name Likely overrunning write - @description Buffer write operations that do not control the length of data written may overflow - @kind problem - @problem.severity error - @security-severity 9.3 - @precision high - @id cpp/very-likely-overrunning-write - @tags reliability - security - external/cwe/cwe-120 - external/cwe/cwe-787 - external/cwe/cwe-805 - CWEs: - https://cwe.mitre.org/data/definitions/120.html - https://cwe.mitre.org/data/definitions/787.html - https://cwe.mitre.org/data/definitions/805.html Cc: Sean Brogan Cc: Michael Kubacki Cc: Michael D Kinney Signed-off-by: Michael Kubacki Reviewed-by: Michael D Kinney --- .github/codeql/edk2.qls | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/codeql/edk2.qls b/.github/codeql/edk2.qls index dc2d87764e93..9bea9ba01f24 100644 --- a/.github/codeql/edk2.qls +++ b/.github/codeql/edk2.qls @@ -14,8 +14,11 @@ id: cpp/infinite-loop-with-unsatisfiable-exit-condition - include: id: cpp/overflow-buffer +- include: + id: cpp/overrunning-write +- include: + id: cpp/overrunning-write-with-float - include: id: cpp/pointer-overflow-check - include: - id: cpp/potential-buffer-overflow - + id: cpp/very-likely-overrunning-write --=20 2.40.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#101836): https://edk2.groups.io/g/devel/message/101836 Mute This Topic: https://groups.io/mt/97832914/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-