import os

from joern.all import JoernSteps
from py2neo.packages.httpstream import http
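# Joern answers Gremlin queries over py2neo's HTTP transport. Raise the socket
# timeout (seconds) before the first request goes out; presumably the library
# default cut off long-running traversals over a large code-property graph.
http.socket_timeout = 9999

# Neo4j REST endpoint that Joern populated. The default is Joern's local port;
# JOERN_DB_URL (an environment variable introduced by this script) overrides it
# so the same script can target another host or port without editing code.
_DEFAULT_DB_URL = 'http://localhost:7474/db/data/'
j = JoernSteps()
j.setGraphDbURL(os.environ.get('JOERN_DB_URL', _DEFAULT_DB_URL))
j.connectToDatabase()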
# Heuristic for a classic kernel write-handler length bug. Inside functions
# whose name matches '*_write*', take argument index 2 of copy_from_user or
# memcpy calls (presumably zero-based, i.e. the byte-count argument of both
# calls -- confirm against Joern's getArguments), keep only arguments whose
# code matches the parameter name 'count'/'cnt', and report those that reach
# the call "unsanitized": no check mentioning that name, no allocation sized
# by it, and no min() clamp on the path. `.param(...)` restricts the match to
# function parameters named like count/cnt; output is unique, sorted locations.
query = """
getFunctionASTsByName('*_write*')
.getArguments('(copy_from_user OR memcpy)','2')
.sideEffect{paramName = 'c(ou)?nt';}
.filter{it.code.matches(paramName)}
.unsanitized(
{it._().or(
_().isCheck('.*'+paramName+'.*'),
_().codeContains('.*alloc.*'+paramName+'.*'),
_().codeContains('.*min.*')
)}
)
.param('.*c(ou)?nt.*')
.locations()
.unique()
.sort()
"""
# Second, coarser heuristic: every memcpy length argument (index 2) whose
# enclosing call expression mentions neither sizeof nor min. The `argument`
# side effect is assigned but never read; the `dstId` filter compares the
# argument node's id with its enclosing statement's id, which looks like it
# never excludes anything in practice -- verify before relying on it.
# NOTE: this query is defined but not executed; only `query` is run below.
query2 = """
getArguments('memcpy', '2')
.filter{ !it.argToCall().toList()[0].code.matches('.*(sizeof|min).*') }
.sideEffect{ argument = it.code; }
.sideEffect{ dstId = it.statements().toList()[0].id; }
.filter{ it.id != dstId }
.locations()
.unique()
.sort()
"""
#query = """
#getCallsTo('.*n2s.*')
#.statements()
#.out("REACHES")
#.match{it.code.contains('.*memcpy.*')}
#.locations()
#"""
#query = """
#getCallsTo('n2s').ithArguments("1")
#.statements()
#.out("REACHES")
#.match{ it.type == "CallExpression" && it.code.startsWith("memcpy")}.ithArguments("2")
#.locations()
#"""
#query = """
#getFunctionASTsByName('*_write*')
#.getArguments('(copy_from_user OR memcpy)', '2')
#.sideEffect{ paramName = 'c(ou)?nt'; }
#.filter{ it.code.matches(paramName) }
#.unsanitized( { it._().or( _().isCheck('.*' + paramName + '.*'), _().codeContains('.*alloc.*' + paramName + '.*'), _().codeContains('.*min.*') )} )
#.param( '.*c(ou)?nt.*' )
#.locations()
#"""
#query = """
#getCallsTo("malloc").ithArguments("0")
#.sideEffect{cnt = it.code }
#.match{ it.type =="AdditiveExpression"}.statements()
#.out("REACHES")
#.match{ it.type == "CallExpression" && it.code.startsWith("memcpy")}.ithArguments("2")
#.filter{it.code != cnt }
#.match{it.type == "AdditiveExpression"}
#"""
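def _print_results(results):
    """Print a count banner, then one result (a source location) per line.

    Uses the parenthesised single-argument print form so the output is
    identical under Python 2 and Python 3; the original print statements
    only ran on Python 2.
    """
    print("[+] Number of results: " + str(len(results)))
    for r in results:
        print(r)


print("[+] Running query!")
# Only `query` (the *_write* / count heuristic) is executed; `query2` is kept
# as an alternative but not run.
results = j.runGremlinQuery(query)
_print_results(results)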