Merge pull request #107 from joernio/claudiu/ghidra-simp

Add MainArgsToStrcpy ghidra query
joernio · Sep 19, 2021 · 702efe8 · 702efe8
2 parents 1413525 + 0b7118d
commit 702efe8
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 0 deletions.
diff --git a/src/main/scala/io/joern/scanners/ghidra/MainArgsToStrcpy.scala b/src/main/scala/io/joern/scanners/ghidra/MainArgsToStrcpy.scala
@@ -0,0 +1,32 @@
+package io.joern.scanners.ghidra
+
+import io.joern.scanners._
+import io.shiftleft.console._
+import io.shiftleft.macros.QueryMacros._
+import io.shiftleft.semanticcpg.language._
+import io.shiftleft.dataflowengineoss.language._
+import io.shiftleft.dataflowengineoss.queryengine.EngineContext
+
+object MainArgsToStrcpy extends QueryBundle {
+
+  implicit val resolver: ICallResolver = NoResolve
+
+  @q
+  def mainArgsToStrcpy()(implicit context: EngineContext): Query =
+    Query.make(
+      name = "main-args-to-strcpy",
+      author = Crew.claudiu,
+      title = "`main` fn arguments used in strcpy source buffer",
+      description =
+        """
+        |User-input ends up in source buffer argument of strcpy, which might overflow the destination buffer.
+        |""".stripMargin,
+      score = 4,
+      withStrRep({ cpg =>
+        def source = cpg.method.fullName("main").parameter
+        def sink = cpg.call.methodFullName("strcpy").argument
+        sink.reachableBy(source).l
+      }),
+      tags = List(QueryTags.badfn)
+    )
+}
diff --git a/src/test/resources/testbinaries/buf1.c b/src/test/resources/testbinaries/buf1.c
@@ -0,0 +1,14 @@
+#include <stdio.h>
+#include <string.h>
+
+// gcc -fno-stack-protector -z execstack -no-pie -o buf1 buf1.c
+int main(int argc, char *argv[]) {
+  if (argc == 1) {
+    printf("Program executed with no arguments.\n");
+    return 0;
+  }
+  char c[6];
+  strcpy(c, argv[1]);
+  printf("First argument is: %s\n", c);
+  return 0;
+}
diff --git a/src/test/resources/testbinaries/buf1.exe b/src/test/resources/testbinaries/buf1.exe
diff --git a/src/test/scala/io/joern/scanners/ghidra/MainArgsToStrcpyTests.scala b/src/test/scala/io/joern/scanners/ghidra/MainArgsToStrcpyTests.scala
@@ -0,0 +1,14 @@
+package io.joern.scanners.ghidra
+
+import io.joern.suites.GhidraQueryTestSuite
+
+class MainArgsToStrcpyTests extends GhidraQueryTestSuite {
+  override def queryBundle = MainArgsToStrcpy
+
+  "find main function with data flow between argument and strcpy" in {
+    buildCpgForBin("buf1.exe")
+    val query = queryBundle.mainArgsToStrcpy()
+    val results = findMatchingMethodParam(query)
+    results shouldBe Set("main")
+  }
+}
diff --git a/src/test/scala/io/joern/suites/GhidraQueryTestSuite.scala b/src/test/scala/io/joern/suites/GhidraQueryTestSuite.scala
@@ -15,12 +15,22 @@ class GhidraQueryTestSuite extends DataFlowBinToCpgSuite {
 
   override def beforeAll(): Unit = {
     semanticsFilename = argumentProvider.testSemanticsFilename
+    super.beforeAll()
   }
 
   def queryBundle: QueryBundle = QueryUtil.EmptyBundle
 
   def allQueries = QueryUtil.allQueries(queryBundle, argumentProvider)
 
+  def findMatchingMethodParam(query: Query): Set[String] = {
+    query(cpg)
+      .flatMap(_.evidence)
+      .collect { case methodParam: nodes.MethodParameterIn => methodParam }
+      .method
+      .name
+      .toSetImmutable
+  }
+
   def findMatchingCalls(query: Query): Set[String] = {
     query(cpg)
       .flatMap(_.evidence)