diff --git a/src/drivers/apps/queries/experimental/UnsafeCallInGlobalInit/UnsafeCallInGlobalInit.sarif b/src/drivers/apps/queries/experimental/UnsafeCallInGlobalInit/UnsafeCallInGlobalInit.sarif index 948ba8d7..61d886f7 100644 --- a/src/drivers/apps/queries/experimental/UnsafeCallInGlobalInit/UnsafeCallInGlobalInit.sarif +++ b/src/drivers/apps/queries/experimental/UnsafeCallInGlobalInit/UnsafeCallInGlobalInit.sarif @@ -7,7 +7,7 @@ "driver": { "name": "CodeQL", "organization": "GitHub", - "semanticVersion": "2.20.4", + "semanticVersion": "2.25.5", "notifications": [ { "id": "cpp/baseline/expected-extracted-files", @@ -28,6 +28,32 @@ ] } }, + { + "id": "cli/file-coverage-baseline", + "name": "cli/file-coverage-baseline", + "shortDescription": { + "text": "File coverage baseline telemetry" + }, + "fullDescription": { + "text": "File coverage baseline telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cli/platform", + "name": "cli/platform", + "shortDescription": { + "text": "Platform" + }, + "fullDescription": { + "text": "Platform" + }, + "defaultConfiguration": { + "enabled": true + } + }, { "id": "cpp/extractor/summary", "name": "cpp/extractor/summary", @@ -56,9 +82,14 @@ "enabled": true, "level": "warning" }, + "help": { + "text": "# UnsafeCallInGlobalInit\r\nWhen using a DLL, it is frequently the case that any static construtors are called from DllMain. There are a number of constraints that apply to calling other functions from DllMain. In particular, it is possible to create memory leaks if the DLL is loaded and unloaded dynamically. SysAllocString is an example of a function that, in this case, could cause a memory leak.\r\n\r\n\r\n## Recommendation\r\nThe ideal DllMain would be just an empty stub. However, given the complexity of many applications, this is generally too restrictive. A good rule of thumb for DllMain is to postpone as much initialization as possible. Lazy initialization increases robustness of the application because this initialization is not performed while the loader lock is held. Also, lazy initialization enables you to safely use much more of the Windows API.\r\n\r\n\r\n## Example\r\nDLLMain function\r\n\r\n```c\r\n \r\n\t\tBOOL WINAPI DllMain(\r\n\t\tHINSTANCE hinstDLL, // handle to DLL module\r\n\t\tDWORD fdwReason, // reason for calling function\r\n\t\tLPVOID lpvReserved ) // reserved\r\n\t\t{\r\n\t\t\t// Perform actions based on the reason for calling.\r\n\t\t\tswitch( fdwReason ) \r\n\t\t\t{ \r\n\t\t\t\tcase DLL_PROCESS_ATTACH:\r\n\t\t\t\t// Initialize once for each new process.\r\n\t\t\t\t// Return FALSE to fail DLL load.\r\n\t\t\t\t\tbreak;\r\n\r\n\t\t\t\tcase DLL_THREAD_ATTACH:\r\n\t\t\t\t// Do thread-specific initialization.\r\n\t\t\t\t\tbreak;\r\n\r\n\t\t\t\tcase DLL_THREAD_DETACH:\r\n\t\t\t\t// Do thread-specific cleanup.\r\n\t\t\t\t\tbreak;\r\n\r\n\t\t\t\tcase DLL_PROCESS_DETACH:\r\n\t\t\t\t\r\n\t\t\t\t\tif (lpvReserved != nullptr)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tbreak; // do not do cleanup if process termination scenario\r\n\t\t\t\t\t}\r\n\t\t\t\t\t\r\n\t\t\t\t// Perform any necessary cleanup.\r\n\t\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn TRUE; // Successful DLL_PROCESS_ATTACH.\r\n\t\t}\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28637 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28637-calling-function-in-a-global-initializer-is-unsafe)\r\n", + "markdown": "# UnsafeCallInGlobalInit\r\nWhen using a DLL, it is frequently the case that any static construtors are called from DllMain. There are a number of constraints that apply to calling other functions from DllMain. In particular, it is possible to create memory leaks if the DLL is loaded and unloaded dynamically. SysAllocString is an example of a function that, in this case, could cause a memory leak.\r\n\r\n\r\n## Recommendation\r\nThe ideal DllMain would be just an empty stub. However, given the complexity of many applications, this is generally too restrictive. A good rule of thumb for DllMain is to postpone as much initialization as possible. Lazy initialization increases robustness of the application because this initialization is not performed while the loader lock is held. Also, lazy initialization enables you to safely use much more of the Windows API.\r\n\r\n\r\n## Example\r\nDLLMain function\r\n\r\n```c\r\n \r\n\t\tBOOL WINAPI DllMain(\r\n\t\tHINSTANCE hinstDLL, // handle to DLL module\r\n\t\tDWORD fdwReason, // reason for calling function\r\n\t\tLPVOID lpvReserved ) // reserved\r\n\t\t{\r\n\t\t\t// Perform actions based on the reason for calling.\r\n\t\t\tswitch( fdwReason ) \r\n\t\t\t{ \r\n\t\t\t\tcase DLL_PROCESS_ATTACH:\r\n\t\t\t\t// Initialize once for each new process.\r\n\t\t\t\t// Return FALSE to fail DLL load.\r\n\t\t\t\t\tbreak;\r\n\r\n\t\t\t\tcase DLL_THREAD_ATTACH:\r\n\t\t\t\t// Do thread-specific initialization.\r\n\t\t\t\t\tbreak;\r\n\r\n\t\t\t\tcase DLL_THREAD_DETACH:\r\n\t\t\t\t// Do thread-specific cleanup.\r\n\t\t\t\t\tbreak;\r\n\r\n\t\t\t\tcase DLL_PROCESS_DETACH:\r\n\t\t\t\t\r\n\t\t\t\t\tif (lpvReserved != nullptr)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tbreak; // do not do cleanup if process termination scenario\r\n\t\t\t\t\t}\r\n\t\t\t\t\t\r\n\t\t\t\t// Perform any necessary cleanup.\r\n\t\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\treturn TRUE; // Successful DLL_PROCESS_ATTACH.\r\n\t\t}\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28637 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28637-calling-function-in-a-global-initializer-is-unsafe)\r\n" + }, "properties": { "tags": [ - "correctness" + "correctness", + "ca_ported" ], "description": "When using a DLL, it is frequently the case that any\n static construtors are called from DllMain.\n There are a number of constraints that apply to calling\n other functions from DllMain. In particular, it is\n possible to create memory leaks if the DLL is loaded\n and unloaded dynamically.", "feature.area": "Multiple", @@ -67,7 +98,7 @@ "kind": "problem", "name": "UnsafeCallInGlobalInit", "opaqueid": "CQLD-C28637", - "owner.email:": "sdat@microsoft.com", + "owner.email": "sdat@microsoft.com", "platform": "Desktop", "precision": "medium", "problem.severity": "warning", @@ -81,10 +112,10 @@ "extensions": [ { "name": "microsoft/windows-drivers", - "semanticVersion": "1.3.0+b07e02f3113bb2484479302f733f94b124503172", + "semanticVersion": "1.10.0+fbfe122225e35194bef9b7e3c22ca68f420404d5", "locations": [ { - "uri": "file:///C:/codeql-home/WDDST/src/", + "uri": "file:///F:/source/repos/wddst-2/src/", "description": { "text": "The QL pack root directory." }, @@ -95,7 +126,7 @@ } }, { - "uri": "file:///C:/codeql-home/WDDST/src/qlpack.yml", + "uri": "file:///F:/source/repos/wddst-2/src/qlpack.yml", "description": { "text": "The QL pack definition file." }, @@ -109,10 +140,10 @@ }, { "name": "codeql/cpp-all", - "semanticVersion": "3.1.0+d42788844f7ec0a6b9832140313cc2318e513987", + "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", "locations": [ { - "uri": "file:///C:/Users/jronstadt/.codeql/packages/codeql/cpp-all/3.1.0/", + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", "description": { "text": "The QL pack root directory." }, @@ -123,7 +154,7 @@ } }, { - "uri": "file:///C:/Users/jronstadt/.codeql/packages/codeql/cpp-all/3.1.0/qlpack.yml", + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", "description": { "text": "The QL pack definition file." }, @@ -147,7 +178,7 @@ "artifactLocation": { "uri": "Source.cpp", "uriBaseId": "%SRCROOT%", - "index": 0 + "index": 1 } } } @@ -173,7 +204,7 @@ "artifactLocation": { "uri": "driver_snippet.c", "uriBaseId": "%SRCROOT%", - "index": 1 + "index": 0 } } } @@ -192,16 +223,58 @@ } } }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:58:17.868214700Z", + "descriptor": { + "id": "cli/file-coverage-baseline", + "index": 1 + }, + "properties": { + "attributes": { + "durationMilliseconds": 319 + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:58:17.871691800Z", + "descriptor": { + "id": "cli/platform", + "index": 2 + }, + "properties": { + "attributes": { + "arch": "amd64", + "name": "Windows 11", + "version": "10.0" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, { "message": { "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." }, "level": "note", - "timeUtc": "2025-02-11T03:13:43.543961700Z", + "timeUtc": "2026-05-28T00:58:47.592215400Z", "descriptor": { "id": "cpp/extractor/summary", - "index": 1 + "index": 3 }, "properties": { "attributes": { @@ -210,7 +283,7 @@ "compilers": [ { "program": "cl", - "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.42.34436 for x64" + "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.51.36244 for x64" } ], "extractor-failures": 0, @@ -230,20 +303,52 @@ "artifacts": [ { "location": { - "uri": "Source.cpp", + "uri": "driver_snippet.c", "uriBaseId": "%SRCROOT%", "index": 0 } }, { "location": { - "uri": "driver_snippet.c", + "uri": "Source.cpp", "uriBaseId": "%SRCROOT%", "index": 1 } } ], - "results": [], + "results": [ + { + "ruleId": "cpp/drivers/unsafe-call-in-global-init", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/unsafe-call-in-global-init", + "index": 0 + }, + "message": { + "text": "Unsafe call in DllMain: LoadLibraryW. Review Dynamic-Link Library Best Practices." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 13, + "startColumn": 24, + "endColumn": 31 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "1a32903747849c92:1", + "primaryLocationStartColumnFingerprint": "23" + } + } + ], "columnKind": "utf16CodeUnits", "properties": { "semmle.formatSpecifier": "sarifv2.1.0" diff --git a/src/drivers/general/queries/IoInitializeTimerCall/IoInitializeTimerCall.sarif b/src/drivers/general/queries/IoInitializeTimerCall/IoInitializeTimerCall.sarif index 19611796..9ebd74ec 100644 --- a/src/drivers/general/queries/IoInitializeTimerCall/IoInitializeTimerCall.sarif +++ b/src/drivers/general/queries/IoInitializeTimerCall/IoInitializeTimerCall.sarif @@ -1,201 +1,393 @@ { - "$schema" : "https://json.schemastore.org/sarif-2.1.0.json", - "version" : "2.1.0", - "runs" : [ { - "tool" : { - "driver" : { - "name" : "CodeQL", - "organization" : "GitHub", - "semanticVersion" : "2.15.4", - "notifications" : [ { - "id" : "cpp/baseline/expected-extracted-files", - "name" : "cpp/baseline/expected-extracted-files", - "shortDescription" : { - "text" : "Expected extracted files" - }, - "fullDescription" : { - "text" : "Files appearing in the source archive that are expected to be extracted." - }, - "defaultConfiguration" : { - "enabled" : true - }, - "properties" : { - "tags" : [ "expected-extracted-files", "telemetry" ] - } - } ], - "rules" : [ { - "id" : "cpp/drivers/pool-tag-integral", - "name" : "cpp/drivers/pool-tag-integral", - "shortDescription" : { - "text" : "IoInitializeTimer is best called from AddDevice" - }, - "fullDescription" : { - "text" : "IoInitializeTimer can only be called once per device object. Calling it from the AddDevice routine helps assure that it is not unexpectedly called more than once." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "warning" - }, - "properties" : { - "tags" : [ "correctness", "wddst" ], - "description" : "IoInitializeTimer can only be called once per device object. Calling it from the AddDevice routine helps assure that it is not unexpectedly called more than once.", - "feature.area" : "Multiple", - "id" : "cpp/drivers/pool-tag-integral", - "impact" : "", - "kind" : "problem", - "name" : "IoInitializeTimer is best called from AddDevice", - "opaqueid" : "CQLD-C28133", - "owner.email" : "sdat@microsoft.com", - "platform" : "Desktop", - "precision" : "high", - "problem.severity" : "warning", - "query-version" : "v1", - "repro.text" : "", - "scope" : "domainspecific", - "security.severity" : "Low" - } - } ] - }, - "extensions" : [ { - "name" : "microsoft/windows-drivers", - "semanticVersion" : "1.0.13+4cf80ade609037becb8999823de45e08bd818a20", - "locations" : [ { - "uri" : "file:///C:/codeql-home/WDDST/src/", - "description" : { - "text" : "The QL pack root directory." - } - }, { - "uri" : "file:///C:/codeql-home/WDDST/src/qlpack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ] - } ] - }, - "invocations" : [ { - "toolExecutionNotifications" : [ { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "driver/driver_snippet.c", - "uriBaseId" : "%SRCROOT%", - "index" : 0 + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.25.5", + "notifications": [ + { + "id": "cpp/baseline/expected-extracted-files", + "name": "cpp/baseline/expected-extracted-files", + "shortDescription": { + "text": "Expected extracted files" + }, + "fullDescription": { + "text": "Files appearing in the source archive that are expected to be extracted." + }, + "defaultConfiguration": { + "enabled": true + }, + "properties": { + "tags": [ + "expected-extracted-files", + "telemetry" + ] + } + }, + { + "id": "cli/file-coverage-baseline", + "name": "cli/file-coverage-baseline", + "shortDescription": { + "text": "File coverage baseline telemetry" + }, + "fullDescription": { + "text": "File coverage baseline telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cli/platform", + "name": "cli/platform", + "shortDescription": { + "text": "Platform" + }, + "fullDescription": { + "text": "Platform" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cpp/extractor/summary", + "name": "cpp/extractor/summary", + "shortDescription": { + "text": "C++ extractor telemetry" + }, + "fullDescription": { + "text": "C++ extractor telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + } + ], + "rules": [ + { + "id": "cpp/drivers/io-initialize-timer-call", + "name": "cpp/drivers/io-initialize-timer-call", + "shortDescription": { + "text": "IoInitializeTimer is best called from AddDevice" + }, + "fullDescription": { + "text": "IoInitializeTimer can only be called once per device object. Calling it from the AddDevice routine helps assure that it is not unexpectedly called more than once." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "help": { + "text": "# IoInitializeTimer is best called from AddDevice\r\nIoInitializeTimer is best called from AddDevice\r\n\r\n\r\n## Recommendation\r\nIoInitializeTimer can only be called once per device object. Calling it from the AddDevice routine helps assure that it is not unexpectedly called more than once.\r\n\r\n\r\n## References\r\n* [ C28133 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28133-ioinitializetimer-is-best-called-from-add-device)\r\n", + "markdown": "# IoInitializeTimer is best called from AddDevice\r\nIoInitializeTimer is best called from AddDevice\r\n\r\n\r\n## Recommendation\r\nIoInitializeTimer can only be called once per device object. Calling it from the AddDevice routine helps assure that it is not unexpectedly called more than once.\r\n\r\n\r\n## References\r\n* [ C28133 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28133-ioinitializetimer-is-best-called-from-add-device)\r\n" + }, + "properties": { + "tags": [ + "correctness", + "ca_ported", + "wddst" + ], + "description": "IoInitializeTimer can only be called once per device object. Calling it from the AddDevice routine helps assure that it is not unexpectedly called more than once.", + "feature.area": "Multiple", + "id": "cpp/drivers/io-initialize-timer-call", + "impact": "", + "kind": "problem", + "name": "IoInitializeTimer is best called from AddDevice", + "opaqueid": "CQLD-C28133", + "owner.email": "sdat@microsoft.com", + "platform": "Desktop", + "precision": "high", + "problem.severity": "warning", + "query-version": "v1", + "repro.text": "", + "scope": "domainspecific", + "security.severity": "Low" + } + } + ] + }, + "extensions": [ + { + "name": "microsoft/windows-drivers", + "semanticVersion": "1.10.0+fbfe122225e35194bef9b7e3c22ca68f420404d5", + "locations": [ + { + "uri": "file:///F:/source/repos/wddst-2/src/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///F:/source/repos/wddst-2/src/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] + }, + { + "name": "codeql/cpp-all", + "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", + "locations": [ + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] + } + ] + }, + "invocations": [ + { + "toolExecutionNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T01:12:33.285731200Z", + "descriptor": { + "id": "cli/file-coverage-baseline", + "index": 1 + }, + "properties": { + "attributes": { + "durationMilliseconds": 304 + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T01:12:33.299727100Z", + "descriptor": { + "id": "cli/platform", + "index": 2 + }, + "properties": { + "attributes": { + "arch": "amd64", + "name": "Windows 11", + "version": "10.0" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", + "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." + }, + "level": "note", + "timeUtc": "2026-05-28T01:13:03.073037900Z", + "descriptor": { + "id": "cpp/extractor/summary", + "index": 3 + }, + "properties": { + "attributes": { + "cache-hits": 0, + "cache-misses": 1, + "compilers": [ + { + "program": "cl", + "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.51.36244 for x64" + } + ], + "extractor-failures": 1, + "extractor-successes": 0, + "trap-caching": "disabled" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + } + ], + "executionSuccessful": true + } + ], + "artifacts": [ + { + "location": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + }, + { + "location": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 + } + }, + { + "location": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } + } + ], + "results": [ + { + "ruleId": "cpp/drivers/io-initialize-timer-call", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/io-initialize-timer-call", + "index": 0 + }, + "message": { + "text": "IoInitializeTimer should be called from AddDevice" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 16, + "startColumn": 5, + "endColumn": 22 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "dc91db8b202a7996:1", + "primaryLocationStartColumnFingerprint": "0" + } + } + ], + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarifv2.1.0" } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "cpp/baseline/expected-extracted-files", - "index" : 0 - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "driver/fail_driver1.c", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "cpp/baseline/expected-extracted-files", - "index" : 0 - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - }, { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "driver/fail_driver1.h", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - } - } - } ], - "message" : { - "text" : "" - }, - "level" : "none", - "descriptor" : { - "id" : "cpp/baseline/expected-extracted-files", - "index" : 0 - }, - "properties" : { - "formattedMessage" : { - "text" : "" - } - } - } ], - "executionSuccessful" : true - } ], - "artifacts" : [ { - "location" : { - "uri" : "driver/driver_snippet.c", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - } - }, { - "location" : { - "uri" : "driver/fail_driver1.c", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - } - }, { - "location" : { - "uri" : "driver/fail_driver1.h", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - } - } ], - "results" : [ { - "ruleId" : "cpp/drivers/pool-tag-integral", - "ruleIndex" : 0, - "rule" : { - "id" : "cpp/drivers/pool-tag-integral", - "index" : 0 - }, - "message" : { - "text" : "IoInitializeTimer should be called from AddDevice" - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "driver/driver_snippet.c", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 16, - "startColumn" : 5, - "endColumn" : 22 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "dc91db8b202a7996:1", - "primaryLocationStartColumnFingerprint" : "0" - } - } ], - "columnKind" : "utf16CodeUnits", - "properties" : { - "semmle.formatSpecifier" : "sarifv2.1.0" - } - } ] + ] } \ No newline at end of file diff --git a/src/drivers/general/queries/IrqlAnnotationIssue/IrqlAnnotationIssue.sarif b/src/drivers/general/queries/IrqlAnnotationIssue/IrqlAnnotationIssue.sarif index cc8b2c5f..2e2a5386 100644 --- a/src/drivers/general/queries/IrqlAnnotationIssue/IrqlAnnotationIssue.sarif +++ b/src/drivers/general/queries/IrqlAnnotationIssue/IrqlAnnotationIssue.sarif @@ -1,377 +1,390 @@ { - "$schema": "https://json.schemastore.org/sarif-2.1.0.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "CodeQL", - "organization": "GitHub", - "semanticVersion": "2.20.3", - "notifications": [ - { - "id": "cpp/baseline/expected-extracted-files", - "name": "cpp/baseline/expected-extracted-files", - "shortDescription": { - "text": "Expected extracted files" - }, - "fullDescription": { - "text": "Files appearing in the source archive that are expected to be extracted." - }, - "defaultConfiguration": { - "enabled": true - }, - "properties": { - "tags": [ - "expected-extracted-files", - "telemetry" - ] - } - }, - { - "id": "cpp/extractor/summary", - "name": "cpp/extractor/summary", - "shortDescription": { - "text": "C++ extractor telemetry" - }, - "fullDescription": { - "text": "C++ extractor telemetry" - }, - "defaultConfiguration": { - "enabled": true - } - } - ], - "rules": [ - { - "id": "cpp/drivers/irql-annotation-issue", - "name": "cpp/drivers/irql-annotation-issue", - "shortDescription": { - "text": "Irql Annotation Issue" - }, - "fullDescription": { - "text": "The value for an IRQL from annotation could not be evaluated in this context." - }, - "defaultConfiguration": { - "enabled": true, - "level": "warning" - }, - "properties": { - "tags": [ - "correctness" - ], - "description": "The value for an IRQL from annotation could not be evaluated in this context.", - "feature.area": "Multiple", - "id": "cpp/drivers/irql-annotation-issue", - "impact": "Insecure Coding Practice", - "kind": "problem", - "name": "Irql Annotation Issue", - "opaqueid": "CQLD-C28153", - "owner.email:": "sdat@microsoft.com", - "platform": "Desktop", - "precision": "medium", - "problem.severity": "warning", - "query-version": "v1", - "repro.text": "This warning indicates that the Code Analysis tool cannot interpret the function annotation because the annotation is not\n coded correctly. As a result, the Code Analysis tool cannot determine the specified IRQL value. This warning can occur with any of\n the driver-specific annotations that mention an IRQL when the Code Analysis tool cannot evaluate the expression for the IRQL.", - "scope": "domainspecific" - } - } - ] - }, - "extensions": [ - { - "name": "microsoft/windows-drivers", - "semanticVersion": "1.3.0+4f62dc40ad4c6e0c3b6d23bddcf5bf13fbdcdc33", - "locations": [ - { - "uri": "file:///C:/codeql-home/WDDST/src/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///C:/codeql-home/WDDST/src/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - }, - { - "name": "codeql/cpp-all", - "semanticVersion": "3.1.0+d42788844f7ec0a6b9832140313cc2318e513987", - "locations": [ - { - "uri": "file:///C:/Users/jronstadt/.codeql/packages/codeql/cpp-all/3.1.0/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///C:/Users/jronstadt/.codeql/packages/codeql/cpp-all/3.1.0/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - } - ] - }, - "invocations": [ - { - "toolExecutionNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 1 - } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 2 - } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } - }, - { - "message": { - "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", - "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." - }, - "level": "note", - "timeUtc": "2025-01-31T03:05:35.226520Z", - "descriptor": { - "id": "cpp/extractor/summary", - "index": 1 - }, - "properties": { - "attributes": { - "cache-hits": 0, - "cache-misses": 1, - "compilers": [ - { - "program": "cl", - "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.42.34436 for x64" - } - ], - "extractor-failures": 1, - "extractor-successes": 0, - "trap-caching": "disabled" - }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - } - ], - "executionSuccessful": true - } - ], - "artifacts": [ - { - "location": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - } - }, - { - "location": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 1 - } - }, - { - "location": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 2 - } - } - ], - "results": [ - { - "ruleId": "cpp/drivers/irql-annotation-issue", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-annotation-issue", - "index": 0 - }, - "message": { - "text": "Invalid IRQL annotation: -1" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 50, - "endColumn": 33 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "c485bcb41025b395:1", - "primaryLocationStartColumnFingerprint": "0" - } - }, - { - "ruleId": "cpp/drivers/irql-annotation-issue", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-annotation-issue", - "index": 0 - }, - "message": { - "text": "Invalid IRQL annotation: -1" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 42, - "endColumn": 18 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "df94724e38a83f68:1", - "primaryLocationStartColumnFingerprint": "0" - } - }, - { - "ruleId": "cpp/drivers/irql-annotation-issue", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-annotation-issue", - "index": 0 - }, - "message": { - "text": "Invalid IRQL annotation: 65" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 37, - "endColumn": 20 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "d2e3355b345c7d56:1", - "primaryLocationStartColumnFingerprint": "0" - } - } - ], - "columnKind": "utf16CodeUnits", - "properties": { - "semmle.formatSpecifier": "sarifv2.1.0" - } - } - ] + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.25.5", + "notifications": [ + { + "id": "cpp/baseline/expected-extracted-files", + "name": "cpp/baseline/expected-extracted-files", + "shortDescription": { + "text": "Expected extracted files" + }, + "fullDescription": { + "text": "Files appearing in the source archive that are expected to be extracted." + }, + "defaultConfiguration": { + "enabled": true + }, + "properties": { + "tags": [ + "expected-extracted-files", + "telemetry" + ] + } + }, + { + "id": "cli/file-coverage-baseline", + "name": "cli/file-coverage-baseline", + "shortDescription": { + "text": "File coverage baseline telemetry" + }, + "fullDescription": { + "text": "File coverage baseline telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cli/platform", + "name": "cli/platform", + "shortDescription": { + "text": "Platform" + }, + "fullDescription": { + "text": "Platform" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cpp/extractor/summary", + "name": "cpp/extractor/summary", + "shortDescription": { + "text": "C++ extractor telemetry" + }, + "fullDescription": { + "text": "C++ extractor telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + } + ], + "rules": [ + { + "id": "cpp/drivers/irql-annotation-issue", + "name": "cpp/drivers/irql-annotation-issue", + "shortDescription": { + "text": "Irql Annotation Issue" + }, + "fullDescription": { + "text": "The value for an IRQL from annotation could not be evaluated in this context." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "help": { + "text": "# Irql Annotation Issue\r\nThe value for an IRQL from annotation could not be evaluated in this context.\r\n\r\n\r\n## Recommendation\r\nThis warning indicates that the Code Analysis tool cannot interpret the function annotation because the annotation is not coded correctly. As a result, the Code Analysis tool cannot determine the specified IRQL value. This warning can occur with any of the driver-specific annotations that mention an IRQL when the Code Analysis tool cannot evaluate the expression for the IRQL.\r\n\r\n\r\n## Example\r\nIncorrect IRQL annotation\r\n\r\n```c\r\n \r\n\t\t\t_IRQL_requires_(65)\r\n\t\t\r\n```\r\nIncorrect IRQL annotation\r\n\r\n```c\r\n \r\n\t\t\t_IRQL_always_function_max_(irql_variable)\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28153 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28153-irql-annotation-eval-context)\r\n", + "markdown": "# Irql Annotation Issue\r\nThe value for an IRQL from annotation could not be evaluated in this context.\r\n\r\n\r\n## Recommendation\r\nThis warning indicates that the Code Analysis tool cannot interpret the function annotation because the annotation is not coded correctly. As a result, the Code Analysis tool cannot determine the specified IRQL value. This warning can occur with any of the driver-specific annotations that mention an IRQL when the Code Analysis tool cannot evaluate the expression for the IRQL.\r\n\r\n\r\n## Example\r\nIncorrect IRQL annotation\r\n\r\n```c\r\n \r\n\t\t\t_IRQL_requires_(65)\r\n\t\t\r\n```\r\nIncorrect IRQL annotation\r\n\r\n```c\r\n \r\n\t\t\t_IRQL_always_function_max_(irql_variable)\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28153 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28153-irql-annotation-eval-context)\r\n" + }, + "properties": { + "tags": [ + "correctness", + "ca_ported" + ], + "description": "The value for an IRQL from annotation could not be evaluated in this context.", + "feature.area": "Multiple", + "id": "cpp/drivers/irql-annotation-issue", + "impact": "Insecure Coding Practice", + "kind": "problem", + "name": "Irql Annotation Issue", + "opaqueid": "CQLD-C28153", + "owner.email": "sdat@microsoft.com", + "platform": "Desktop", + "precision": "medium", + "problem.severity": "warning", + "query-version": "v2", + "repro.text": "This warning indicates that the Code Analysis tool cannot interpret the function annotation because the annotation is not\n coded correctly. As a result, the Code Analysis tool cannot determine the specified IRQL value. This warning can occur with any of\n the driver-specific annotations that mention an IRQL when the Code Analysis tool cannot evaluate the expression for the IRQL.", + "scope": "domainspecific" + } + } + ] + }, + "extensions": [ + { + "name": "microsoft/windows-drivers", + "semanticVersion": "1.10.0+6af9e601c84a31fd16ec52d95fed345ac5436774", + "locations": [ + { + "uri": "file:///F:/source/repos/wddst-2/src/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///F:/source/repos/wddst-2/src/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] + }, + { + "name": "codeql/cpp-all", + "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", + "locations": [ + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] + } + ] + }, + "invocations": [ + { + "toolExecutionNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:12:28.236475500Z", + "descriptor": { + "id": "cli/file-coverage-baseline", + "index": 1 + }, + "properties": { + "attributes": { + "durationMilliseconds": 269 + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:12:28.246246100Z", + "descriptor": { + "id": "cli/platform", + "index": 2 + }, + "properties": { + "attributes": { + "arch": "amd64", + "name": "Windows 11", + "version": "10.0" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", + "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." + }, + "level": "note", + "timeUtc": "2026-05-28T00:13:04.664357800Z", + "descriptor": { + "id": "cpp/extractor/summary", + "index": 3 + }, + "properties": { + "attributes": { + "cache-hits": 0, + "cache-misses": 1, + "compilers": [ + { + "program": "cl", + "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.51.36244 for x64" + } + ], + "extractor-failures": 1, + "extractor-successes": 0, + "trap-caching": "disabled" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + } + ], + "executionSuccessful": true + } + ], + "artifacts": [ + { + "location": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + }, + { + "location": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 + } + }, + { + "location": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } + } + ], + "results": [ + { + "ruleId": "cpp/drivers/irql-annotation-issue", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-annotation-issue", + "index": 0 + }, + "message": { + "text": "Invalid IRQL annotation: 65" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 37, + "endColumn": 20 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "d2e3355b345c7d56:1", + "primaryLocationStartColumnFingerprint": "0" + } + } + ], + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarifv2.1.0" + } + } + ] } \ No newline at end of file diff --git a/src/drivers/general/queries/IrqlFloatStateMismatch/IrqlFloatStateMismatch.sarif b/src/drivers/general/queries/IrqlFloatStateMismatch/IrqlFloatStateMismatch.sarif index b2bf15de..fab4236b 100644 --- a/src/drivers/general/queries/IrqlFloatStateMismatch/IrqlFloatStateMismatch.sarif +++ b/src/drivers/general/queries/IrqlFloatStateMismatch/IrqlFloatStateMismatch.sarif @@ -1,577 +1,577 @@ { - "$schema": "https://json.schemastore.org/sarif-2.1.0.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "CodeQL", - "organization": "GitHub", - "semanticVersion": "2.24.2", - "notifications": [ - { - "id": "cpp/baseline/expected-extracted-files", - "name": "cpp/baseline/expected-extracted-files", - "shortDescription": { - "text": "Expected extracted files" - }, - "fullDescription": { - "text": "Files appearing in the source archive that are expected to be extracted." - }, - "defaultConfiguration": { - "enabled": true - }, - "properties": { - "tags": [ - "expected-extracted-files", - "telemetry" + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.25.5", + "notifications": [ + { + "id": "cpp/baseline/expected-extracted-files", + "name": "cpp/baseline/expected-extracted-files", + "shortDescription": { + "text": "Expected extracted files" + }, + "fullDescription": { + "text": "Files appearing in the source archive that are expected to be extracted." + }, + "defaultConfiguration": { + "enabled": true + }, + "properties": { + "tags": [ + "expected-extracted-files", + "telemetry" + ] + } + }, + { + "id": "cli/file-coverage-baseline", + "name": "cli/file-coverage-baseline", + "shortDescription": { + "text": "File coverage baseline telemetry" + }, + "fullDescription": { + "text": "File coverage baseline telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cli/platform", + "name": "cli/platform", + "shortDescription": { + "text": "Platform" + }, + "fullDescription": { + "text": "Platform" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cpp/extractor/summary", + "name": "cpp/extractor/summary", + "shortDescription": { + "text": "C++ extractor telemetry" + }, + "fullDescription": { + "text": "C++ extractor telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + } + ], + "rules": [ + { + "id": "cpp/drivers/irql-float-state-mismatch", + "name": "cpp/drivers/irql-float-state-mismatch", + "shortDescription": { + "text": "Irql Float State Mismatch" + }, + "fullDescription": { + "text": "The IRQL where the floating-point state was saved does not match the current IRQL (for this restore operation)." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "help": { + "text": "# Irql Float State Mismatch\r\nThe IRQL where the floating-point state was saved does not match the current IRQL (for this restore operation).\r\n\r\n\r\n## Recommendation\r\nThe IRQL at which the driver is executing when it restores a floating-point state is different than the IRQL at which it was executing when it saved the floating-point state. Because the IRQL at which the driver runs determines how the floating-point state is saved, the driver must be executing at the same IRQL when it calls the functions to save and to restore the floating-point state.\r\n\r\n\r\n## Example\r\nExample of incorrect code. Floating point state was saved at APC_LEVEL but restored at PASSIVE_LEVEL\r\n\r\n```c\r\n \r\n\t\t_IRQL_requires_(PASSIVE_LEVEL) \r\n\t\tvoid driver_utility_bad(void)\r\n\t\t{\r\n\t\t\tKIRQL oldIRQL;\r\n\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\r\n\t\t\t// running at APC level\r\n\t\t\tKFLOATING_SAVE FloatBuf;\r\n\t\t\tif (KeSaveFloatingPointState(&FloatBuf))\r\n\t\t\t{\r\n\t\t\t\tKeLowerIrql(oldIRQL); // lower back to PASSIVE_LEVEL\r\n\t\t\t\t// ...\r\n\t\t\t\tKeRestoreFloatingPointState(&FloatBuf);\r\n\t\t\t}\r\n\t\t}\r\n\t\t\r\n```\r\nCorrect example\r\n\r\n```c\r\n \r\n\t\t\t_IRQL_requires_(PASSIVE_LEVEL) \r\n\t\t\tvoid driver_utility_good(void)\r\n\t\t\t{\r\n\t\t\t\t// running at APC level\r\n\t\t\t\tKFLOATING_SAVE FloatBuf;\r\n\t\t\t\tKIRQL oldIRQL;\r\n\t\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\r\n\r\n\t\t\t\tif (KeSaveFloatingPointState(&FloatBuf))\r\n\t\t\t\t{\r\n\t\t\t\t\tKeLowerIrql(oldIRQL);\r\n\t\t\t\t\t// ...\r\n\t\t\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\r\n\t\t\t\t\tKeRestoreFloatingPointState(&FloatBuf);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28111 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28111-floating-point-irql-mismatch)\r\n\r\n## Semmle-specific notes\r\n**Wrapper / common-caller pattern.** The query searches for IRQL-changing calls between save and restore in either their shared enclosing function, or — when one or both endpoints sit inside a thin one-level helper (e.g. `save_fp_helper` forwarding to `KeSaveFloatingPointState`) — in the common caller of those helpers.\r\n\r\n**Known false negatives:**\r\n\r\n* **IRQL changes deep inside helper bodies.** If a helper raises/lowers IRQL between its entry and the save/restore primitive it forwards to, that change isn't visible from the common caller. Annotate the helper with `_IRQL_raises_` / `_IRQL_saves_global_` to make its IRQL behavior visible without body inspection.\r\n* **Indirect calls.** IRQL changes via function pointer or dispatch-table dispatch are not recognized; the predicate inspects only the static call target.\r\n* **Loops where restore is textually before save.** The AST-loop branch of `irqlChangesBetween` correctly recognizes such patterns, but the upstream IRQL cascade does not always bind at `KeSaveFloatingPointState`'s argument expression inside loop bodies, so the `irqlSource != irqlSink` filter rejects them before this predicate fires. Recovering this case needs work in `Irql.qll`.\r\n* **Wrapper chains longer than one level.** Only one level of helper wrapping is modelled. Multi-level wrappers need the annotation hint above, or a direct call site.\r\n", + "markdown": "# Irql Float State Mismatch\r\nThe IRQL where the floating-point state was saved does not match the current IRQL (for this restore operation).\r\n\r\n\r\n## Recommendation\r\nThe IRQL at which the driver is executing when it restores a floating-point state is different than the IRQL at which it was executing when it saved the floating-point state. Because the IRQL at which the driver runs determines how the floating-point state is saved, the driver must be executing at the same IRQL when it calls the functions to save and to restore the floating-point state.\r\n\r\n\r\n## Example\r\nExample of incorrect code. Floating point state was saved at APC_LEVEL but restored at PASSIVE_LEVEL\r\n\r\n```c\r\n \r\n\t\t_IRQL_requires_(PASSIVE_LEVEL) \r\n\t\tvoid driver_utility_bad(void)\r\n\t\t{\r\n\t\t\tKIRQL oldIRQL;\r\n\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\r\n\t\t\t// running at APC level\r\n\t\t\tKFLOATING_SAVE FloatBuf;\r\n\t\t\tif (KeSaveFloatingPointState(&FloatBuf))\r\n\t\t\t{\r\n\t\t\t\tKeLowerIrql(oldIRQL); // lower back to PASSIVE_LEVEL\r\n\t\t\t\t// ...\r\n\t\t\t\tKeRestoreFloatingPointState(&FloatBuf);\r\n\t\t\t}\r\n\t\t}\r\n\t\t\r\n```\r\nCorrect example\r\n\r\n```c\r\n \r\n\t\t\t_IRQL_requires_(PASSIVE_LEVEL) \r\n\t\t\tvoid driver_utility_good(void)\r\n\t\t\t{\r\n\t\t\t\t// running at APC level\r\n\t\t\t\tKFLOATING_SAVE FloatBuf;\r\n\t\t\t\tKIRQL oldIRQL;\r\n\t\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\r\n\r\n\t\t\t\tif (KeSaveFloatingPointState(&FloatBuf))\r\n\t\t\t\t{\r\n\t\t\t\t\tKeLowerIrql(oldIRQL);\r\n\t\t\t\t\t// ...\r\n\t\t\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\r\n\t\t\t\t\tKeRestoreFloatingPointState(&FloatBuf);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28111 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28111-floating-point-irql-mismatch)\r\n\r\n## Semmle-specific notes\r\n**Wrapper / common-caller pattern.** The query searches for IRQL-changing calls between save and restore in either their shared enclosing function, or — when one or both endpoints sit inside a thin one-level helper (e.g. `save_fp_helper` forwarding to `KeSaveFloatingPointState`) — in the common caller of those helpers.\r\n\r\n**Known false negatives:**\r\n\r\n* **IRQL changes deep inside helper bodies.** If a helper raises/lowers IRQL between its entry and the save/restore primitive it forwards to, that change isn't visible from the common caller. Annotate the helper with `_IRQL_raises_` / `_IRQL_saves_global_` to make its IRQL behavior visible without body inspection.\r\n* **Indirect calls.** IRQL changes via function pointer or dispatch-table dispatch are not recognized; the predicate inspects only the static call target.\r\n* **Loops where restore is textually before save.** The AST-loop branch of `irqlChangesBetween` correctly recognizes such patterns, but the upstream IRQL cascade does not always bind at `KeSaveFloatingPointState`'s argument expression inside loop bodies, so the `irqlSource != irqlSink` filter rejects them before this predicate fires. Recovering this case needs work in `Irql.qll`.\r\n* **Wrapper chains longer than one level.** Only one level of helper wrapping is modelled. Multi-level wrappers need the annotation hint above, or a direct call site.\r\n" + }, + "properties": { + "tags": [ + "correctness", + "ca_ported" + ], + "description": "The IRQL where the floating-point state was saved does not match the current IRQL (for this restore operation).", + "feature.area": "Multiple", + "id": "cpp/drivers/irql-float-state-mismatch", + "impact": "Insecure Coding Practice", + "kind": "problem", + "name": "Irql Float State Mismatch", + "opaqueid": "CQLD-C28111", + "owner.email": "sdat@microsoft.com", + "platform": "Desktop", + "precision": "medium", + "problem.severity": "warning", + "query-version": "v6", + "repro.text": "The IRQL at which the driver is executing when it restores a floating-point state is different than the IRQL at which it was executing when it saved the floating-point state.\n Because the IRQL at which the driver runs determines how the floating-point state is saved, the driver must be executing at the same IRQL when it calls the functions to save and to restore the floating-point state.", + "scope": "domainspecific" + } + } + ] + }, + "extensions": [ + { + "name": "microsoft/windows-drivers", + "semanticVersion": "1.10.0+6af9e601c84a31fd16ec52d95fed345ac5436774", + "locations": [ + { + "uri": "file:///F:/source/repos/wddst-2/src/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///F:/source/repos/wddst-2/src/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] + }, + { + "name": "codeql/cpp-all", + "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", + "locations": [ + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] + } ] - } }, - { - "id": "cli/file-coverage-baseline", - "name": "cli/file-coverage-baseline", - "shortDescription": { - "text": "File coverage baseline telemetry" - }, - "fullDescription": { - "text": "File coverage baseline telemetry" - }, - "defaultConfiguration": { - "enabled": true - } - }, - { - "id": "cli/platform", - "name": "cli/platform", - "shortDescription": { - "text": "Platform" - }, - "fullDescription": { - "text": "Platform" - }, - "defaultConfiguration": { - "enabled": true - } - }, - { - "id": "cpp/extractor/summary", - "name": "cpp/extractor/summary", - "shortDescription": { - "text": "C++ extractor telemetry" - }, - "fullDescription": { - "text": "C++ extractor telemetry" - }, - "defaultConfiguration": { - "enabled": true - } - } - ], - "rules": [ - { - "id": "cpp/drivers/irql-float-state-mismatch", - "name": "cpp/drivers/irql-float-state-mismatch", - "shortDescription": { - "text": "Irql Float State Mismatch" - }, - "fullDescription": { - "text": "The IRQL where the floating-point state was saved does not match the current IRQL (for this restore operation)." - }, - "defaultConfiguration": { - "enabled": true, - "level": "warning" - }, - "help": { - "text": "# Irql Float State Mismatch\nThe IRQL where the floating-point state was saved does not match the current IRQL (for this restore operation).\n\n\n## Recommendation\nThe IRQL at which the driver is executing when it restores a floating-point state is different than the IRQL at which it was executing when it saved the floating-point state. Because the IRQL at which the driver runs determines how the floating-point state is saved, the driver must be executing at the same IRQL when it calls the functions to save and to restore the floating-point state.\n\n\n## Example\nExample of incorrect code. Floating point state was saved at APC_LEVEL but restored at PASSIVE_LEVEL\n\n```c\n \n\t\t_IRQL_requires_(PASSIVE_LEVEL) \n\t\tvoid driver_utility_bad(void)\n\t\t{\n\t\t\tKIRQL oldIRQL;\n\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\n\t\t\t// running at APC level\n\t\t\tKFLOATING_SAVE FloatBuf;\n\t\t\tif (KeSaveFloatingPointState(&FloatBuf))\n\t\t\t{\n\t\t\t\tKeLowerIrql(oldIRQL); // lower back to PASSIVE_LEVEL\n\t\t\t\t// ...\n\t\t\t\tKeRestoreFloatingPointState(&FloatBuf);\n\t\t\t}\n\t\t}\n\t\t\n```\nCorrect example\n\n```c\n \n\t\t\t_IRQL_requires_(PASSIVE_LEVEL) \n\t\t\tvoid driver_utility_good(void)\n\t\t\t{\n\t\t\t\t// running at APC level\n\t\t\t\tKFLOATING_SAVE FloatBuf;\n\t\t\t\tKIRQL oldIRQL;\n\t\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\n\n\t\t\t\tif (KeSaveFloatingPointState(&FloatBuf))\n\t\t\t\t{\n\t\t\t\t\tKeLowerIrql(oldIRQL);\n\t\t\t\t\t// ...\n\t\t\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\n\t\t\t\t\tKeRestoreFloatingPointState(&FloatBuf);\n\t\t\t\t}\n\t\t\t}\n\t\t\n```\n\n## References\n* [ C28111 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28111-floating-point-irql-mismatch)\n\n## Semmle-specific notes\n**Wrapper / common-caller pattern.** The query reasons about IRQL-changing calls between save and restore not only when both calls share an enclosing function, but also when they sit inside one-level helper wrappers that are called from a common caller (for example, thin `save_fp_helper` / `restore_fp_helper` functions that simply forward to `KeSaveFloatingPointState` / `KeRestoreFloatingPointState`). In those cases the intermediate IRQL transition is searched in the common caller (or in either helper's enclosing function for the asymmetric case where one side is a helper and the other is direct).\n\n**Remaining limitations.** Despite the source-position and AST-loop branches, the predicate still does not detect:\n\n* **IRQL changes performed deep inside helper bodies.** If the helper function itself raises or lowers the IRQL after the save (or before the restore), the change is not visible from the common caller's source-position view, and no intermediate IRQL change is found. Annotating the helper with `_IRQL_raises_` or `_IRQL_saves_global_` makes its IRQL behavior visible without body inspection.\n* **Indirect calls.** IRQL changes performed by an indirect call (function pointer or dispatch-table call) between save and restore are not detected, because the predicate only inspects the static call target.\n* **Loops where the restore is textually before the save.** The AST-loop branch of `irqlChangesBetween` correctly recognises that all three calls (save, restore, and an IRQL-changing call) sit inside the same loop body and would fire on this pattern. However, the upstream IRQL analysis library used to compute the IRQL at the save and restore sites does not consistently bind a value at the argument expression of `KeSaveFloatingPointState` when the call is inside a loop body, so the `irqlSource != irqlSink` filter rejects these cases before `irqlChangesBetween` is consulted. Recovering this true positive requires improvements to the IRQL analysis library and not just to this query.\n* **Wrapper chains longer than one level.** Only one level of wrapping is currently modelled (the helper is called directly from the common caller). Multi-level wrappers require the same annotation hint described above, or a direct call site.\n", - "markdown": "# Irql Float State Mismatch\nThe IRQL where the floating-point state was saved does not match the current IRQL (for this restore operation).\n\n\n## Recommendation\nThe IRQL at which the driver is executing when it restores a floating-point state is different than the IRQL at which it was executing when it saved the floating-point state. Because the IRQL at which the driver runs determines how the floating-point state is saved, the driver must be executing at the same IRQL when it calls the functions to save and to restore the floating-point state.\n\n\n## Example\nExample of incorrect code. Floating point state was saved at APC_LEVEL but restored at PASSIVE_LEVEL\n\n```c\n \n\t\t_IRQL_requires_(PASSIVE_LEVEL) \n\t\tvoid driver_utility_bad(void)\n\t\t{\n\t\t\tKIRQL oldIRQL;\n\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\n\t\t\t// running at APC level\n\t\t\tKFLOATING_SAVE FloatBuf;\n\t\t\tif (KeSaveFloatingPointState(&FloatBuf))\n\t\t\t{\n\t\t\t\tKeLowerIrql(oldIRQL); // lower back to PASSIVE_LEVEL\n\t\t\t\t// ...\n\t\t\t\tKeRestoreFloatingPointState(&FloatBuf);\n\t\t\t}\n\t\t}\n\t\t\n```\nCorrect example\n\n```c\n \n\t\t\t_IRQL_requires_(PASSIVE_LEVEL) \n\t\t\tvoid driver_utility_good(void)\n\t\t\t{\n\t\t\t\t// running at APC level\n\t\t\t\tKFLOATING_SAVE FloatBuf;\n\t\t\t\tKIRQL oldIRQL;\n\t\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\n\n\t\t\t\tif (KeSaveFloatingPointState(&FloatBuf))\n\t\t\t\t{\n\t\t\t\t\tKeLowerIrql(oldIRQL);\n\t\t\t\t\t// ...\n\t\t\t\t\tKeRaiseIrql(APC_LEVEL, &oldIRQL);\n\t\t\t\t\tKeRestoreFloatingPointState(&FloatBuf);\n\t\t\t\t}\n\t\t\t}\n\t\t\n```\n\n## References\n* [ C28111 ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28111-floating-point-irql-mismatch)\n\n## Semmle-specific notes\n**Wrapper / common-caller pattern.** The query reasons about IRQL-changing calls between save and restore not only when both calls share an enclosing function, but also when they sit inside one-level helper wrappers that are called from a common caller (for example, thin `save_fp_helper` / `restore_fp_helper` functions that simply forward to `KeSaveFloatingPointState` / `KeRestoreFloatingPointState`). In those cases the intermediate IRQL transition is searched in the common caller (or in either helper's enclosing function for the asymmetric case where one side is a helper and the other is direct).\n\n**Remaining limitations.** Despite the source-position and AST-loop branches, the predicate still does not detect:\n\n* **IRQL changes performed deep inside helper bodies.** If the helper function itself raises or lowers the IRQL after the save (or before the restore), the change is not visible from the common caller's source-position view, and no intermediate IRQL change is found. Annotating the helper with `_IRQL_raises_` or `_IRQL_saves_global_` makes its IRQL behavior visible without body inspection.\n* **Indirect calls.** IRQL changes performed by an indirect call (function pointer or dispatch-table call) between save and restore are not detected, because the predicate only inspects the static call target.\n* **Loops where the restore is textually before the save.** The AST-loop branch of `irqlChangesBetween` correctly recognises that all three calls (save, restore, and an IRQL-changing call) sit inside the same loop body and would fire on this pattern. However, the upstream IRQL analysis library used to compute the IRQL at the save and restore sites does not consistently bind a value at the argument expression of `KeSaveFloatingPointState` when the call is inside a loop body, so the `irqlSource != irqlSink` filter rejects these cases before `irqlChangesBetween` is consulted. Recovering this true positive requires improvements to the IRQL analysis library and not just to this query.\n* **Wrapper chains longer than one level.** Only one level of wrapping is currently modelled (the helper is called directly from the common caller). Multi-level wrappers require the same annotation hint described above, or a direct call site.\n" - }, - "properties": { - "tags": [ - "correctness", - "ca_ported" - ], - "description": "The IRQL where the floating-point state was saved does not match the current IRQL (for this restore operation).", - "feature.area": "Multiple", - "id": "cpp/drivers/irql-float-state-mismatch", - "impact": "Insecure Coding Practice", - "kind": "problem", - "name": "Irql Float State Mismatch", - "opaqueid": "CQLD-C28111", - "owner.email": "sdat@microsoft.com", - "platform": "Desktop", - "precision": "medium", - "problem.severity": "warning", - "query-version": "v6", - "repro.text": "The IRQL at which the driver is executing when it restores a floating-point state is different than the IRQL at which it was executing when it saved the floating-point state.\n Because the IRQL at which the driver runs determines how the floating-point state is saved, the driver must be executing at the same IRQL when it calls the functions to save and to restore the floating-point state.", - "scope": "domainspecific" - } - } - ] - }, - "extensions": [ - { - "name": "microsoft/windows-drivers", - "semanticVersion": "1.9.0+39dd725fc01992bf14a42934229a3cc1fd7bf25b", - "locations": [ - { - "uri": "file:///F:/source/repos/Windows-Driver-Developer-Supplemental-Tools/src/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///F:/source/repos/Windows-Driver-Developer-Supplemental-Tools/src/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - }, - { - "name": "codeql/cpp-all", - "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", - "locations": [ - { - "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] + "invocations": [ + { + "toolExecutionNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:13:49.700734800Z", + "descriptor": { + "id": "cli/file-coverage-baseline", + "index": 1 + }, + "properties": { + "attributes": { + "durationMilliseconds": 314 + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:13:49.708902200Z", + "descriptor": { + "id": "cli/platform", + "index": 2 + }, + "properties": { + "attributes": { + "arch": "amd64", + "name": "Windows 11", + "version": "10.0" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", + "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." + }, + "level": "note", + "timeUtc": "2026-05-28T00:14:23.943032200Z", + "descriptor": { + "id": "cpp/extractor/summary", + "index": 3 + }, + "properties": { + "attributes": { + "cache-hits": 0, + "cache-misses": 1, + "compilers": [ + { + "program": "cl", + "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.51.36244 for x64" + } + ], + "extractor-failures": 1, + "extractor-successes": 0, + "trap-caching": "disabled" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + } + ], + "executionSuccessful": true } - }, - { - "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", - "description": { - "text": "The QL pack definition file." + ], + "artifacts": [ + { + "location": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - } - ] - }, - "invocations": [ - { - "toolExecutionNotifications": [ - { - "locations": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + "location": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } - }, - { - "locations": [ + }, { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 1 + "location": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" } - } - }, - { - "locations": [ + ], + "results": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 2 + "ruleId": "cpp/drivers/irql-float-state-mismatch", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-float-state-mismatch", + "index": 0 + }, + "message": { + "text": "The irql level where the floating-point state was saved (0) does not match the irql level for the restore operation (1).\nThe irql level where the floating-point state was saved (2) does not match the irql level for the restore operation (1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 156, + "startColumn": 38, + "endColumn": 46 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "7203877b7e98c247:1", + "primaryLocationStartColumnFingerprint": "29" } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } - }, - { - "message": { - "text": "" - }, - "level": "none", - "timeUtc": "2026-04-29T20:46:26.236012500Z", - "descriptor": { - "id": "cli/file-coverage-baseline", - "index": 1 - }, - "properties": { - "attributes": { - "durationMilliseconds": 233 }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - }, - { - "message": { - "text": "" - }, - "level": "none", - "timeUtc": "2026-04-29T20:46:26.241012400Z", - "descriptor": { - "id": "cli/platform", - "index": 2 - }, - "properties": { - "attributes": { - "arch": "amd64", - "name": "Windows 11", - "version": "10.0" - }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - }, - { - "message": { - "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", - "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." - }, - "level": "note", - "timeUtc": "2026-04-29T20:47:05.794926800Z", - "descriptor": { - "id": "cpp/extractor/summary", - "index": 3 - }, - "properties": { - "attributes": { - "cache-hits": 0, - "cache-misses": 1, - "compilers": [ - { - "program": "cl", - "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.50.35724 for x64" + { + "ruleId": "cpp/drivers/irql-float-state-mismatch", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-float-state-mismatch", + "index": 0 + }, + "message": { + "text": "The irql level where the floating-point state was saved (0) does not match the irql level for the restore operation (1).\nThe irql level where the floating-point state was saved (2) does not match the irql level for the restore operation (1)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 156, + "startColumn": 37, + "endColumn": 46 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "7203877b7e98c247:1", + "primaryLocationStartColumnFingerprint": "28" } - ], - "extractor-failures": 1, - "extractor-successes": 0, - "trap-caching": "disabled" - }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - } - ], - "executionSuccessful": true - } - ], - "artifacts": [ - { - "location": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - } - }, - { - "location": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 1 - } - }, - { - "location": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 2 - } - } - ], - "results": [ - { - "ruleId": "cpp/drivers/irql-float-state-mismatch", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-float-state-mismatch", - "index": 0 - }, - "message": { - "text": "The irql level where the floating-point state was saved (0) does not match the irql level for the restore operation (1).\nThe irql level where the floating-point state was saved (2) does not match the irql level for the restore operation (1)." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 }, - "region": { - "startLine": 156, - "startColumn": 38, - "endColumn": 46 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "7203877b7e98c247:1", - "primaryLocationStartColumnFingerprint": "29" - } - }, - { - "ruleId": "cpp/drivers/irql-float-state-mismatch", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-float-state-mismatch", - "index": 0 - }, - "message": { - "text": "The irql level where the floating-point state was saved (0) does not match the irql level for the restore operation (1).\nThe irql level where the floating-point state was saved (2) does not match the irql level for the restore operation (1)." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 156, - "startColumn": 37, - "endColumn": 46 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "7203877b7e98c247:1", - "primaryLocationStartColumnFingerprint": "28" - } - }, - { - "ruleId": "cpp/drivers/irql-float-state-mismatch", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-float-state-mismatch", - "index": 0 - }, - "message": { - "text": "The irql level where the floating-point state was saved (0) does not match the irql level for the restore operation (2)." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 111, - "startColumn": 33, - "endColumn": 36 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "32de180444120f36:1", - "primaryLocationStartColumnFingerprint": "28" - } - }, - { - "ruleId": "cpp/drivers/irql-float-state-mismatch", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-float-state-mismatch", - "index": 0 - }, - "message": { - "text": "The irql level where the floating-point state was saved (1) does not match the irql level for the restore operation (0)." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-float-state-mismatch", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-float-state-mismatch", + "index": 0 + }, + "message": { + "text": "The irql level where the floating-point state was saved (0) does not match the irql level for the restore operation (2)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 111, + "startColumn": 33, + "endColumn": 36 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "32de180444120f36:1", + "primaryLocationStartColumnFingerprint": "28" + } }, - "region": { - "startLine": 66, - "startColumn": 38, - "endColumn": 46 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "ff98177eaaf7d309:1", - "primaryLocationStartColumnFingerprint": "29" - } - }, - { - "ruleId": "cpp/drivers/irql-float-state-mismatch", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-float-state-mismatch", - "index": 0 - }, - "message": { - "text": "The irql level where the floating-point state was saved (1) does not match the irql level for the restore operation (0)." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-float-state-mismatch", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-float-state-mismatch", + "index": 0 + }, + "message": { + "text": "The irql level where the floating-point state was saved (1) does not match the irql level for the restore operation (0)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 66, + "startColumn": 38, + "endColumn": 46 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "ff98177eaaf7d309:1", + "primaryLocationStartColumnFingerprint": "29" + } }, - "region": { - "startLine": 66, - "startColumn": 37, - "endColumn": 46 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "ff98177eaaf7d309:1", - "primaryLocationStartColumnFingerprint": "28" - } - }, - { - "ruleId": "cpp/drivers/irql-float-state-mismatch", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-float-state-mismatch", - "index": 0 - }, - "message": { - "text": "The irql level where the floating-point state was saved (1) does not match the irql level for the restore operation (0)." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-float-state-mismatch", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-float-state-mismatch", + "index": 0 + }, + "message": { + "text": "The irql level where the floating-point state was saved (1) does not match the irql level for the restore operation (0)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 66, + "startColumn": 37, + "endColumn": 46 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "ff98177eaaf7d309:1", + "primaryLocationStartColumnFingerprint": "28" + } }, - "region": { - "startLine": 23, - "startColumn": 38, - "endColumn": 46 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "b3909ff165022b51:1", - "primaryLocationStartColumnFingerprint": "29" - } - }, - { - "ruleId": "cpp/drivers/irql-float-state-mismatch", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-float-state-mismatch", - "index": 0 - }, - "message": { - "text": "The irql level where the floating-point state was saved (1) does not match the irql level for the restore operation (0)." - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-float-state-mismatch", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-float-state-mismatch", + "index": 0 + }, + "message": { + "text": "The irql level where the floating-point state was saved (1) does not match the irql level for the restore operation (0)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 23, + "startColumn": 38, + "endColumn": 46 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "b3909ff165022b51:1", + "primaryLocationStartColumnFingerprint": "29" + } }, - "region": { - "startLine": 23, - "startColumn": 37, - "endColumn": 46 + { + "ruleId": "cpp/drivers/irql-float-state-mismatch", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-float-state-mismatch", + "index": 0 + }, + "message": { + "text": "The irql level where the floating-point state was saved (1) does not match the irql level for the restore operation (0)." + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 23, + "startColumn": 37, + "endColumn": 46 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "b3909ff165022b51:1", + "primaryLocationStartColumnFingerprint": "28" + } } - } + ], + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarifv2.1.0" } - ], - "partialFingerprints": { - "primaryLocationLineHash": "b3909ff165022b51:1", - "primaryLocationStartColumnFingerprint": "28" - } } - ], - "columnKind": "utf16CodeUnits", - "properties": { - "semmle.formatSpecifier": "sarifv2.1.0" - } - } - ] + ] } \ No newline at end of file diff --git a/src/drivers/general/queries/IrqlSetTooHigh/IrqlSetTooHigh.sarif b/src/drivers/general/queries/IrqlSetTooHigh/IrqlSetTooHigh.sarif index 83b7330a..54fd890e 100644 --- a/src/drivers/general/queries/IrqlSetTooHigh/IrqlSetTooHigh.sarif +++ b/src/drivers/general/queries/IrqlSetTooHigh/IrqlSetTooHigh.sarif @@ -1,638 +1,638 @@ { - "$schema": "https://json.schemastore.org/sarif-2.1.0.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "CodeQL", - "organization": "GitHub", - "semanticVersion": "2.24.2", - "notifications": [ - { - "id": "cpp/baseline/expected-extracted-files", - "name": "cpp/baseline/expected-extracted-files", - "shortDescription": { - "text": "Expected extracted files" - }, - "fullDescription": { - "text": "Files appearing in the source archive that are expected to be extracted." - }, - "defaultConfiguration": { - "enabled": true - }, - "properties": { - "tags": [ - "expected-extracted-files", - "telemetry" - ] - } - }, - { - "id": "cli/file-coverage-baseline", - "name": "cli/file-coverage-baseline", - "shortDescription": { - "text": "File coverage baseline telemetry" - }, - "fullDescription": { - "text": "File coverage baseline telemetry" - }, - "defaultConfiguration": { - "enabled": true - } - }, - { - "id": "cli/platform", - "name": "cli/platform", - "shortDescription": { - "text": "Platform" - }, - "fullDescription": { - "text": "Platform" - }, - "defaultConfiguration": { - "enabled": true - } - }, - { - "id": "cpp/extractor/summary", - "name": "cpp/extractor/summary", - "shortDescription": { - "text": "C++ extractor telemetry" - }, - "fullDescription": { - "text": "C++ extractor telemetry" - }, - "defaultConfiguration": { - "enabled": true - } - } - ], - "rules": [ - { - "id": "cpp/drivers/irql-set-too-high", - "name": "cpp/drivers/irql-set-too-high", - "shortDescription": { - "text": "IRQL set too high (C28150)" - }, - "fullDescription": { - "text": "A function annotated with a maximum IRQL for execution raises the IRQL above that amount." - }, - "defaultConfiguration": { - "enabled": true, - "level": "warning" - }, - "help": { - "text": "# IRQL set too high (C28150)\nThe function has raised the IRQL to a level above what is allowed.\n\n\n## Recommendation\nA function has been annotated as having a max IRQL, but the execution of that function raises the IRQL above that maximum. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\n\n\n## Example\nIn this example, the driver tries to raise the IRQL to HIGH_LEVEL while in a dispatch routine. This should be avoided.\n\n```c\n\n\t\t\t// Within a dispatch routine\n\t\t\tKeRaiseIrql(HIGH_LEVEL, &oldIRQL);\n\t\t\t\n\t\t\n```\n\n## References\n* [ C28150 warning - Windows Drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28150-function-causes-irq-level-to-be-set-above-max)\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\n\n## Semmle-specific notes\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\n\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\n\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\n\n**Lower-on-exit pattern: known false negative.** When a function has no `_IRQL_always_function_max_` but does carry an `_IRQL_raises_(R)` annotation, the query treats `R` as the implicit ceiling for the function body. A function annotated as both `_IRQL_requires_min_(M)` and `_IRQL_raises_(R)` with `M > R` is interpreted as a \"lower IRQL on exit\" pattern (for example a wrapper around a mutex or spin-lock release that runs at `DISPATCH_LEVEL` on entry and returns at `PASSIVE_LEVEL`). For these functions the implicit ceiling is suppressed entirely, because `R` describes the exit IRQL rather than a maximum.\n\nThis means that a buggy \"lower-on-exit\" function whose body raises the IRQL above `M` at some intermediate point will *not* be flagged. If the function actually has a maximum that should be enforced along the body, declare it explicitly with `_IRQL_always_function_max_(MAX)` so the query has a concrete ceiling to check against.\n\n", - "markdown": "# IRQL set too high (C28150)\nThe function has raised the IRQL to a level above what is allowed.\n\n\n## Recommendation\nA function has been annotated as having a max IRQL, but the execution of that function raises the IRQL above that maximum. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\n\n\n## Example\nIn this example, the driver tries to raise the IRQL to HIGH_LEVEL while in a dispatch routine. This should be avoided.\n\n```c\n\n\t\t\t// Within a dispatch routine\n\t\t\tKeRaiseIrql(HIGH_LEVEL, &oldIRQL);\n\t\t\t\n\t\t\n```\n\n## References\n* [ C28150 warning - Windows Drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28150-function-causes-irq-level-to-be-set-above-max)\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\n\n## Semmle-specific notes\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\n\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\n\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\n\n**Lower-on-exit pattern: known false negative.** When a function has no `_IRQL_always_function_max_` but does carry an `_IRQL_raises_(R)` annotation, the query treats `R` as the implicit ceiling for the function body. A function annotated as both `_IRQL_requires_min_(M)` and `_IRQL_raises_(R)` with `M > R` is interpreted as a \"lower IRQL on exit\" pattern (for example a wrapper around a mutex or spin-lock release that runs at `DISPATCH_LEVEL` on entry and returns at `PASSIVE_LEVEL`). For these functions the implicit ceiling is suppressed entirely, because `R` describes the exit IRQL rather than a maximum.\n\nThis means that a buggy \"lower-on-exit\" function whose body raises the IRQL above `M` at some intermediate point will *not* be flagged. If the function actually has a maximum that should be enforced along the body, declare it explicitly with `_IRQL_always_function_max_(MAX)` so the query has a concrete ceiling to check against.\n\n" - }, - "properties": { - "tags": [ - "correctness", - "ca_ported", - "wddst" - ], - "description": "A function annotated with a maximum IRQL for execution raises the IRQL above that amount.", - "feature.area": "Multiple", - "id": "cpp/drivers/irql-set-too-high", - "impact": "Exploitable Design", - "kind": "problem", - "name": "IRQL set too high (C28150)", - "opaqueid": "CQLD-C28150", - "owner.email": "sdat@microsoft.com", - "platform": "Desktop", - "precision": "medium", - "problem.severity": "warning", - "query-version": "v2", - "repro.text": "The following statement exits at an IRQL too high for the function it is contained in.", - "scope": "domainspecific", - "security.severity": "Low" - } - } - ] - }, - "extensions": [ - { - "name": "microsoft/windows-drivers", - "semanticVersion": "1.9.0+a76f8551b47f01adada99ddc44a5ea4fa9839fca", - "locations": [ - { - "uri": "file:///F:/source/repos/Windows-Driver-Developer-Supplemental-Tools/src/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///F:/source/repos/Windows-Driver-Developer-Supplemental-Tools/src/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - }, - { - "name": "codeql/cpp-all", - "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", - "locations": [ - { - "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - } - ] - }, - "invocations": [ + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ { - "toolExecutionNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.25.5", + "notifications": [ + { + "id": "cpp/baseline/expected-extracted-files", + "name": "cpp/baseline/expected-extracted-files", + "shortDescription": { + "text": "Expected extracted files" + }, + "fullDescription": { + "text": "Files appearing in the source archive that are expected to be extracted." + }, + "defaultConfiguration": { + "enabled": true + }, + "properties": { + "tags": [ + "expected-extracted-files", + "telemetry" + ] + } + }, + { + "id": "cli/file-coverage-baseline", + "name": "cli/file-coverage-baseline", + "shortDescription": { + "text": "File coverage baseline telemetry" + }, + "fullDescription": { + "text": "File coverage baseline telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cli/platform", + "name": "cli/platform", + "shortDescription": { + "text": "Platform" + }, + "fullDescription": { + "text": "Platform" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cpp/extractor/summary", + "name": "cpp/extractor/summary", + "shortDescription": { + "text": "C++ extractor telemetry" + }, + "fullDescription": { + "text": "C++ extractor telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + } + ], + "rules": [ + { + "id": "cpp/drivers/irql-set-too-high", + "name": "cpp/drivers/irql-set-too-high", + "shortDescription": { + "text": "IRQL set too high (C28150)" + }, + "fullDescription": { + "text": "A function annotated with a maximum IRQL for execution raises the IRQL above that amount." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "help": { + "text": "# IRQL set too high (C28150)\r\nThe function has raised the IRQL to a level above what is allowed.\r\n\r\n\r\n## Recommendation\r\nA function has been annotated as having a max IRQL, but the execution of that function raises the IRQL above that maximum. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\r\n\r\n\r\n## Example\r\nIn this example, the driver tries to raise the IRQL to HIGH_LEVEL while in a dispatch routine. This should be avoided.\r\n\r\n```c\r\n\r\n\t\t\t// Within a dispatch routine\r\n\t\t\tKeRaiseIrql(HIGH_LEVEL, &oldIRQL);\r\n\t\t\t\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28150 warning - Windows Drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28150-function-causes-irq-level-to-be-set-above-max)\r\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\r\n\r\n## Semmle-specific notes\r\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\r\n\r\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\r\n\r\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\r\n\r\n**Lower-on-exit pattern: known false negative.** A function annotated `_IRQL_requires_min_(M)` + `_IRQL_raises_(R)` with `M > R` is treated as \"raises only at exit\" (e.g. a wrapper around a spin-lock or mutex release that enters at `DISPATCH_LEVEL` and returns at `PASSIVE_LEVEL`): the query suppresses the implicit ceiling so `R` is read as the exit IRQL rather than a body-wide maximum. Consequently a buggy lower-on-exit function whose body raises IRQL above `M` in the middle is not flagged. To enforce a body-wide maximum, declare it explicitly with `_IRQL_always_function_max_(MAX)`.\r\n\r\n", + "markdown": "# IRQL set too high (C28150)\r\nThe function has raised the IRQL to a level above what is allowed.\r\n\r\n\r\n## Recommendation\r\nA function has been annotated as having a max IRQL, but the execution of that function raises the IRQL above that maximum. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\r\n\r\n\r\n## Example\r\nIn this example, the driver tries to raise the IRQL to HIGH_LEVEL while in a dispatch routine. This should be avoided.\r\n\r\n```c\r\n\r\n\t\t\t// Within a dispatch routine\r\n\t\t\tKeRaiseIrql(HIGH_LEVEL, &oldIRQL);\r\n\t\t\t\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28150 warning - Windows Drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28150-function-causes-irq-level-to-be-set-above-max)\r\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\r\n\r\n## Semmle-specific notes\r\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\r\n\r\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\r\n\r\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\r\n\r\n**Lower-on-exit pattern: known false negative.** A function annotated `_IRQL_requires_min_(M)` + `_IRQL_raises_(R)` with `M > R` is treated as \"raises only at exit\" (e.g. a wrapper around a spin-lock or mutex release that enters at `DISPATCH_LEVEL` and returns at `PASSIVE_LEVEL`): the query suppresses the implicit ceiling so `R` is read as the exit IRQL rather than a body-wide maximum. Consequently a buggy lower-on-exit function whose body raises IRQL above `M` in the middle is not flagged. To enforce a body-wide maximum, declare it explicitly with `_IRQL_always_function_max_(MAX)`.\r\n\r\n" + }, + "properties": { + "tags": [ + "correctness", + "ca_ported", + "wddst" + ], + "description": "A function annotated with a maximum IRQL for execution raises the IRQL above that amount.", + "feature.area": "Multiple", + "id": "cpp/drivers/irql-set-too-high", + "impact": "Exploitable Design", + "kind": "problem", + "name": "IRQL set too high (C28150)", + "opaqueid": "CQLD-C28150", + "owner.email": "sdat@microsoft.com", + "platform": "Desktop", + "precision": "medium", + "problem.severity": "warning", + "query-version": "v2", + "repro.text": "The following statement exits at an IRQL too high for the function it is contained in.", + "scope": "domainspecific", + "security.severity": "Low" + } + } + ] + }, + "extensions": [ + { + "name": "microsoft/windows-drivers", + "semanticVersion": "1.10.0+6af9e601c84a31fd16ec52d95fed345ac5436774", + "locations": [ + { + "uri": "file:///F:/source/repos/wddst-2/src/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///F:/source/repos/wddst-2/src/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] + }, + { + "name": "codeql/cpp-all", + "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", + "locations": [ + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } + ] }, - { - "locations": [ + "invocations": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 1 - } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" + "toolExecutionNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:18:56.630529400Z", + "descriptor": { + "id": "cli/file-coverage-baseline", + "index": 1 + }, + "properties": { + "attributes": { + "durationMilliseconds": 272 + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:18:56.630529400Z", + "descriptor": { + "id": "cli/platform", + "index": 2 + }, + "properties": { + "attributes": { + "arch": "amd64", + "name": "Windows 11", + "version": "10.0" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", + "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." + }, + "level": "note", + "timeUtc": "2026-05-28T00:19:26.059716100Z", + "descriptor": { + "id": "cpp/extractor/summary", + "index": 3 + }, + "properties": { + "attributes": { + "cache-hits": 0, + "cache-misses": 1, + "compilers": [ + { + "program": "cl", + "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.51.36244 for x64" + } + ], + "extractor-failures": 1, + "extractor-successes": 0, + "trap-caching": "disabled" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + } + ], + "executionSuccessful": true } - } - }, - { - "locations": [ + ], + "artifacts": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 2 + "location": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } - }, - { - "message": { - "text": "" - }, - "level": "none", - "timeUtc": "2026-04-29T04:47:08.489157300Z", - "descriptor": { - "id": "cli/file-coverage-baseline", - "index": 1 - }, - "properties": { - "attributes": { - "durationMilliseconds": 312 }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - }, - { - "message": { - "text": "" - }, - "level": "none", - "timeUtc": "2026-04-29T04:47:08.494163300Z", - "descriptor": { - "id": "cli/platform", - "index": 2 - }, - "properties": { - "attributes": { - "arch": "amd64", - "name": "Windows 11", - "version": "10.0" - }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - }, - { - "message": { - "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", - "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." - }, - "level": "note", - "timeUtc": "2026-04-29T04:47:58.301890800Z", - "descriptor": { - "id": "cpp/extractor/summary", - "index": 3 - }, - "properties": { - "attributes": { - "cache-hits": 0, - "cache-misses": 1, - "compilers": [ - { - "program": "cl", - "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.50.35724 for x64" + { + "location": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 } - ], - "extractor-failures": 1, - "extractor-successes": 0, - "trap-caching": "disabled" }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - } - ], - "executionSuccessful": true - } - ], - "artifacts": [ - { - "location": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - } - }, - { - "location": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 1 - } - }, - { - "location": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 2 - } - } - ], - "results": [ - { - "ruleId": "cpp/drivers/irql-set-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-set-too-high", - "index": 0 - }, - "message": { - "text": "[CallFunctionThatRaisesIRQL_fail5](1): CallFunctionThatRaisesIRQL_fail5 is annotated that it should never raise the IRQL above 0, but the statement [call to IrqlSetHigherFromPassive_pass0](2) may set the IRQL to 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 131, - "startColumn": 5, - "endColumn": 35 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "50d7736bf7d9212d:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 129, - "startColumn": 10, - "endColumn": 42 - } - }, - "message": { - "text": "CallFunctionThatRaisesIRQL_fail5" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 131, - "startColumn": 5, - "endColumn": 35 - } - }, - "message": { - "text": "call to IrqlSetHigherFromPassive_pass0" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-set-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-set-too-high", - "index": 0 - }, - "message": { - "text": "[IrqlRaiseLevelExplicit_fail4](1): IrqlRaiseLevelExplicit_fail4 is annotated that it should never raise the IRQL above 0, but the statement [call to KfRaiseIrql](2) may set the IRQL to 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 121, - "startColumn": 5, - "endColumn": 42 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "b7bb153208f2004d:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 118, - "startColumn": 10, - "endColumn": 38 - } - }, - "message": { - "text": "IrqlRaiseLevelExplicit_fail4" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 121, - "startColumn": 5, - "endColumn": 42 - } - }, - "message": { - "text": "call to KfRaiseIrql" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-set-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-set-too-high", - "index": 0 - }, - "message": { - "text": "[IrqlRaiseLevelExplicit_fail3](1): IrqlRaiseLevelExplicit_fail3 is annotated that it should never raise the IRQL above 0, but the statement [call to KfRaiseIrql](2) may set the IRQL to 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 112, - "startColumn": 5, - "endColumn": 42 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "988957c55591351a:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 109, - "startColumn": 10, - "endColumn": 38 - } - }, - "message": { - "text": "IrqlRaiseLevelExplicit_fail3" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 112, - "startColumn": 5, - "endColumn": 42 + { + "location": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } } - }, - "message": { - "text": "call to KfRaiseIrql" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-set-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-set-too-high", - "index": 0 - }, - "message": { - "text": "[IrqlRaiseLevelExplicit_fail0](1): IrqlRaiseLevelExplicit_fail0 is annotated that it should never raise the IRQL above 1, but the statement [call to KfRaiseIrql](2) may set the IRQL to 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + ], + "results": [ + { + "ruleId": "cpp/drivers/irql-set-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-set-too-high", + "index": 0 + }, + "message": { + "text": "[CallFunctionThatRaisesIRQL_fail5](1): CallFunctionThatRaisesIRQL_fail5 is annotated that it should never raise the IRQL above 0, but the statement [call to IrqlSetHigherFromPassive_pass0](2) may set the IRQL to 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 5, + "endColumn": 35 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "50d7736bf7d9212d:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 129, + "startColumn": 10, + "endColumn": 42 + } + }, + "message": { + "text": "CallFunctionThatRaisesIRQL_fail5" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 131, + "startColumn": 5, + "endColumn": 35 + } + }, + "message": { + "text": "call to IrqlSetHigherFromPassive_pass0" + } + } + ] }, - "region": { - "startLine": 102, - "startColumn": 5, - "endColumn": 42 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "71b218a9127ea6cb:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-set-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-set-too-high", + "index": 0 + }, + "message": { + "text": "[IrqlRaiseLevelExplicit_fail4](1): IrqlRaiseLevelExplicit_fail4 is annotated that it should never raise the IRQL above 0, but the statement [call to KfRaiseIrql](2) may set the IRQL to 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 121, + "startColumn": 5, + "endColumn": 42 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "b7bb153208f2004d:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 118, + "startColumn": 10, + "endColumn": 38 + } + }, + "message": { + "text": "IrqlRaiseLevelExplicit_fail4" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 121, + "startColumn": 5, + "endColumn": 42 + } + }, + "message": { + "text": "call to KfRaiseIrql" + } + } + ] }, - "region": { - "startLine": 99, - "startColumn": 10, - "endColumn": 38 - } - }, - "message": { - "text": "IrqlRaiseLevelExplicit_fail0" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-set-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-set-too-high", + "index": 0 + }, + "message": { + "text": "[IrqlRaiseLevelExplicit_fail3](1): IrqlRaiseLevelExplicit_fail3 is annotated that it should never raise the IRQL above 0, but the statement [call to KfRaiseIrql](2) may set the IRQL to 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 112, + "startColumn": 5, + "endColumn": 42 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "988957c55591351a:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 109, + "startColumn": 10, + "endColumn": 38 + } + }, + "message": { + "text": "IrqlRaiseLevelExplicit_fail3" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 112, + "startColumn": 5, + "endColumn": 42 + } + }, + "message": { + "text": "call to KfRaiseIrql" + } + } + ] }, - "region": { - "startLine": 102, - "startColumn": 5, - "endColumn": 42 + { + "ruleId": "cpp/drivers/irql-set-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-set-too-high", + "index": 0 + }, + "message": { + "text": "[IrqlRaiseLevelExplicit_fail0](1): IrqlRaiseLevelExplicit_fail0 is annotated that it should never raise the IRQL above 1, but the statement [call to KfRaiseIrql](2) may set the IRQL to 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 102, + "startColumn": 5, + "endColumn": 42 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "71b218a9127ea6cb:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 99, + "startColumn": 10, + "endColumn": 38 + } + }, + "message": { + "text": "IrqlRaiseLevelExplicit_fail0" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 102, + "startColumn": 5, + "endColumn": 42 + } + }, + "message": { + "text": "call to KfRaiseIrql" + } + } + ] } - }, - "message": { - "text": "call to KfRaiseIrql" - } + ], + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarifv2.1.0" } - ] } - ], - "columnKind": "utf16CodeUnits", - "properties": { - "semmle.formatSpecifier": "sarifv2.1.0" - } - } - ] -} + ] +} \ No newline at end of file diff --git a/src/drivers/general/queries/IrqlSetTooLow/IrqlSetTooLow.sarif b/src/drivers/general/queries/IrqlSetTooLow/IrqlSetTooLow.sarif index b02509fa..4403823a 100644 --- a/src/drivers/general/queries/IrqlSetTooLow/IrqlSetTooLow.sarif +++ b/src/drivers/general/queries/IrqlSetTooLow/IrqlSetTooLow.sarif @@ -1,533 +1,569 @@ { - "$schema": "https://json.schemastore.org/sarif-2.1.0.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "CodeQL", - "organization": "GitHub", - "semanticVersion": "2.23.3", - "notifications": [ - { - "id": "cpp/baseline/expected-extracted-files", - "name": "cpp/baseline/expected-extracted-files", - "shortDescription": { - "text": "Expected extracted files" - }, - "fullDescription": { - "text": "Files appearing in the source archive that are expected to be extracted." - }, - "defaultConfiguration": { - "enabled": true - }, - "properties": { - "tags": [ - "expected-extracted-files", - "telemetry" - ] - } - }, - { - "id": "cli/platform", - "name": "cli/platform", - "shortDescription": { - "text": "Platform" - }, - "fullDescription": { - "text": "Platform" - }, - "defaultConfiguration": { - "enabled": true - } - }, - { - "id": "cpp/extractor/summary", - "name": "cpp/extractor/summary", - "shortDescription": { - "text": "C++ extractor telemetry" - }, - "fullDescription": { - "text": "C++ extractor telemetry" - }, - "defaultConfiguration": { - "enabled": true - } - } - ], - "rules": [ - { - "id": "cpp/drivers/irql-set-too-low", - "name": "cpp/drivers/irql-set-too-low", - "shortDescription": { - "text": "IRQL set too low (C28124)" - }, - "fullDescription": { - "text": "A function annotated with a minimum IRQL for execution lowers the IRQL below that amount." - }, - "defaultConfiguration": { - "enabled": true, - "level": "warning" - }, - "properties": { - "tags": [ - "correctness", - "ca_ported", - "wddst" - ], - "description": "A function annotated with a minimum IRQL for execution lowers the IRQL below that amount.", - "feature.area": "Multiple", - "id": "cpp/drivers/irql-set-too-low", - "impact": "Exploitable Design", - "kind": "problem", - "name": "IRQL set too low (C28124)", - "opaqueid": "CQLD-C28124", - "owner.email": "sdat@microsoft.com", - "platform": "Desktop", - "precision": "medium", - "problem.severity": "warning", - "query-version": "v1", - "repro.text": "The following statement exits at an IRQL too low for the function it is contained in.", - "scope": "domainspecific", - "security.severity": "Low" - } - } - ] - }, - "extensions": [ - { - "name": "microsoft/windows-drivers", - "semanticVersion": "1.8.1+801b2d9a470acb3a6f2beddebaff099855c9ac8e", - "locations": [ - { - "uri": "file:///D:/source/repos/Windows-Driver-Developer-Supplemental-Tools/src/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///D:/source/repos/Windows-Driver-Developer-Supplemental-Tools/src/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - }, - { - "name": "codeql/cpp-all", - "semanticVersion": "4.2.0+2409bcc0d62644acbc432900bc59c2e3ff33bd56", - "locations": [ - { - "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/4.2.0/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/4.2.0/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - } - ] - }, - "invocations": [ + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ { - "toolExecutionNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.25.5", + "notifications": [ + { + "id": "cpp/baseline/expected-extracted-files", + "name": "cpp/baseline/expected-extracted-files", + "shortDescription": { + "text": "Expected extracted files" + }, + "fullDescription": { + "text": "Files appearing in the source archive that are expected to be extracted." + }, + "defaultConfiguration": { + "enabled": true + }, + "properties": { + "tags": [ + "expected-extracted-files", + "telemetry" + ] + } + }, + { + "id": "cli/file-coverage-baseline", + "name": "cli/file-coverage-baseline", + "shortDescription": { + "text": "File coverage baseline telemetry" + }, + "fullDescription": { + "text": "File coverage baseline telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cli/platform", + "name": "cli/platform", + "shortDescription": { + "text": "Platform" + }, + "fullDescription": { + "text": "Platform" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cpp/extractor/summary", + "name": "cpp/extractor/summary", + "shortDescription": { + "text": "C++ extractor telemetry" + }, + "fullDescription": { + "text": "C++ extractor telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + } + ], + "rules": [ + { + "id": "cpp/drivers/irql-set-too-low", + "name": "cpp/drivers/irql-set-too-low", + "shortDescription": { + "text": "IRQL set too low (C28124)" + }, + "fullDescription": { + "text": "A function annotated with a minimum IRQL for execution lowers the IRQL below that amount." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "help": { + "text": "# IRQL set too low (C28124)\r\nThe function has lowered the IRQL to a level below what is allowed.\r\n\r\n\r\n## Recommendation\r\nA function has been annotated as having a minimum IRQL, but the execution of that function lowers the IRQL below that minimum. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate. If your function is a dispatch routine or callback, review the expected IRQL levels for that role.\r\n\r\n\r\n## Example\r\nIn this example, the driver tries to lower the IRQL to PASSIVE_LEVEL within a KEDEFERRED_ROUTINE callback, which must run at DISPATCH_LEVEL or higher. This should be avoided.\r\n\r\n```c\r\n\r\n\t\t\t// Within a KDEFERRED_ROUTINE callback\r\n\t\t\tKeLowerIrql(PASSIVE_LEVEL, &oldIRQL);\r\n\t\t\t\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28124 warning - Windows Drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28124-call-below-minimum-irq-level)\r\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\r\n\r\n## Semmle-specific notes\r\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\r\n\r\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\r\n\r\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\r\n\r\n", + "markdown": "# IRQL set too low (C28124)\r\nThe function has lowered the IRQL to a level below what is allowed.\r\n\r\n\r\n## Recommendation\r\nA function has been annotated as having a minimum IRQL, but the execution of that function lowers the IRQL below that minimum. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate. If your function is a dispatch routine or callback, review the expected IRQL levels for that role.\r\n\r\n\r\n## Example\r\nIn this example, the driver tries to lower the IRQL to PASSIVE_LEVEL within a KEDEFERRED_ROUTINE callback, which must run at DISPATCH_LEVEL or higher. This should be avoided.\r\n\r\n```c\r\n\r\n\t\t\t// Within a KDEFERRED_ROUTINE callback\r\n\t\t\tKeLowerIrql(PASSIVE_LEVEL, &oldIRQL);\r\n\t\t\t\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28124 warning - Windows Drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28124-call-below-minimum-irq-level)\r\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\r\n\r\n## Semmle-specific notes\r\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\r\n\r\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\r\n\r\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\r\n\r\n" + }, + "properties": { + "tags": [ + "correctness", + "ca_ported", + "wddst" + ], + "description": "A function annotated with a minimum IRQL for execution lowers the IRQL below that amount.", + "feature.area": "Multiple", + "id": "cpp/drivers/irql-set-too-low", + "impact": "Exploitable Design", + "kind": "problem", + "name": "IRQL set too low (C28124)", + "opaqueid": "CQLD-C28124", + "owner.email": "sdat@microsoft.com", + "platform": "Desktop", + "precision": "medium", + "problem.severity": "warning", + "query-version": "v1", + "repro.text": "The following statement exits at an IRQL too low for the function it is contained in.", + "scope": "domainspecific", + "security.severity": "Low" + } + } + ] + }, + "extensions": [ + { + "name": "microsoft/windows-drivers", + "semanticVersion": "1.10.0+6af9e601c84a31fd16ec52d95fed345ac5436774", + "locations": [ + { + "uri": "file:///F:/source/repos/wddst-2/src/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///F:/source/repos/wddst-2/src/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] + }, + { + "name": "codeql/cpp-all", + "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", + "locations": [ + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } + ] }, - { - "locations": [ + "invocations": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 1 - } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" + "toolExecutionNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:20:18.881975300Z", + "descriptor": { + "id": "cli/file-coverage-baseline", + "index": 1 + }, + "properties": { + "attributes": { + "durationMilliseconds": 235 + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:20:18.881975300Z", + "descriptor": { + "id": "cli/platform", + "index": 2 + }, + "properties": { + "attributes": { + "arch": "amd64", + "name": "Windows 11", + "version": "10.0" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", + "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." + }, + "level": "note", + "timeUtc": "2026-05-28T00:20:46.323773300Z", + "descriptor": { + "id": "cpp/extractor/summary", + "index": 3 + }, + "properties": { + "attributes": { + "cache-hits": 0, + "cache-misses": 1, + "compilers": [ + { + "program": "cl", + "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.51.36244 for x64" + } + ], + "extractor-failures": 1, + "extractor-successes": 0, + "trap-caching": "disabled" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + } + ], + "executionSuccessful": true } - } - }, - { - "locations": [ + ], + "artifacts": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 2 + "location": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } - }, - { - "message": { - "text": "On the Windows 11 (amd64; 10.0) platform.", - "markdown": "On the Windows 11 (amd64; 10.0) platform." - }, - "level": "none", - "timeUtc": "2026-01-23T07:55:34.089258700Z", - "descriptor": { - "id": "cli/platform", - "index": 1 - }, - "properties": { - "attributes": { - "arch": "amd64", - "name": "Windows 11", - "version": "10.0" }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - }, - { - "message": { - "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", - "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." - }, - "level": "note", - "timeUtc": "2026-01-23T15:55:45.403761Z", - "descriptor": { - "id": "cpp/extractor/summary", - "index": 2 - }, - "properties": { - "attributes": { - "cache-hits": 0, - "cache-misses": 1, - "compilers": [ - { - "program": "cl", - "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.44.35222 for x64" + { + "location": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 } - ], - "extractor-failures": 1, - "extractor-successes": 0, - "trap-caching": "disabled" }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - } - ], - "executionSuccessful": true - } - ], - "artifacts": [ - { - "location": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - } - }, - { - "location": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 1 - } - }, - { - "location": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 2 - } - } - ], - "results": [ - { - "ruleId": "cpp/drivers/irql-set-too-low", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-set-too-low", - "index": 0 - }, - "message": { - "text": "[IrqlAlwaysMinAPC_fail](1): IrqlAlwaysMinAPC_fail is annotated that it should never lower the IRQL below 1, but the statement [call to KeLowerIrql](2) may set the IRQL to 0" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 92, - "startColumn": 5, - "endColumn": 16 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "8a19ae2477ed23d3:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 90, - "startColumn": 10, - "endColumn": 31 - } - }, - "message": { - "text": "IrqlAlwaysMinAPC_fail" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 92, - "startColumn": 5, - "endColumn": 16 - } - }, - "message": { - "text": "call to KeLowerIrql" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-set-too-low", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-set-too-low", - "index": 0 - }, - "message": { - "text": "[IrqlMinDispatchLowerIrql_fail1](1): IrqlMinDispatchLowerIrql_fail1 is annotated that it should never lower the IRQL below 2, but the statement [call to KeLowerIrql](2) may set the IRQL to 1" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 59, - "startColumn": 5, - "endColumn": 16 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "c6798a9b4760c05b:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 57, - "startColumn": 10, - "endColumn": 40 - } - }, - "message": { - "text": "IrqlMinDispatchLowerIrql_fail1" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 59, - "startColumn": 5, - "endColumn": 16 - } - }, - "message": { - "text": "call to KeLowerIrql" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-set-too-low", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-set-too-low", - "index": 0 - }, - "message": { - "text": "[IrqlMinDispatchLowerIrql_fail](1): IrqlMinDispatchLowerIrql_fail is annotated that it should never lower the IRQL below 2, but the statement [{ ... }](2) may set the IRQL to 1" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 42, - "endLine": 44, - "endColumn": 2 + { + "location": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "83574f45ab0b5d97:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + ], + "results": [ + { + "ruleId": "cpp/drivers/irql-set-too-low", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-set-too-low", + "index": 0 + }, + "message": { + "text": "[IrqlAlwaysMinAPC_fail](1): IrqlAlwaysMinAPC_fail is annotated that it should never lower the IRQL below 1, but the statement [call to KeLowerIrql](2) may set the IRQL to 0" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 92, + "startColumn": 5, + "endColumn": 16 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "8a19ae2477ed23d3:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 90, + "startColumn": 10, + "endColumn": 31 + } + }, + "message": { + "text": "IrqlAlwaysMinAPC_fail" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 92, + "startColumn": 5, + "endColumn": 16 + } + }, + "message": { + "text": "call to KeLowerIrql" + } + } + ] }, - "region": { - "startLine": 41, - "startColumn": 10, - "endColumn": 39 - } - }, - "message": { - "text": "IrqlMinDispatchLowerIrql_fail" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-set-too-low", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-set-too-low", + "index": 0 + }, + "message": { + "text": "[IrqlMinDispatchLowerIrql_fail1](1): IrqlMinDispatchLowerIrql_fail1 is annotated that it should never lower the IRQL below 2, but the statement [call to KeLowerIrql](2) may set the IRQL to 1" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 59, + "startColumn": 5, + "endColumn": 16 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "c6798a9b4760c05b:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 57, + "startColumn": 10, + "endColumn": 40 + } + }, + "message": { + "text": "IrqlMinDispatchLowerIrql_fail1" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 59, + "startColumn": 5, + "endColumn": 16 + } + }, + "message": { + "text": "call to KeLowerIrql" + } + } + ] }, - "region": { - "startLine": 42, - "endLine": 44, - "endColumn": 2 + { + "ruleId": "cpp/drivers/irql-set-too-low", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-set-too-low", + "index": 0 + }, + "message": { + "text": "[IrqlMinDispatchLowerIrql_fail](1): IrqlMinDispatchLowerIrql_fail is annotated that it should never lower the IRQL below 2, but the statement [{ ... }](2) may set the IRQL to 1" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 42, + "endLine": 44, + "endColumn": 2 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "83574f45ab0b5d97:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 41, + "startColumn": 10, + "endColumn": 39 + } + }, + "message": { + "text": "IrqlMinDispatchLowerIrql_fail" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 42, + "endLine": 44, + "endColumn": 2 + } + }, + "message": { + "text": "{{ ... }}" + } + } + ] } - }, - "message": { - "text": "{{ ... }}" - } + ], + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarifv2.1.0" } - ] } - ], - "columnKind": "utf16CodeUnits", - "properties": { - "semmle.formatSpecifier": "sarifv2.1.0" - } - } - ] + ] } \ No newline at end of file diff --git a/src/drivers/general/queries/IrqlTooHigh/IrqlTooHigh.sarif b/src/drivers/general/queries/IrqlTooHigh/IrqlTooHigh.sarif index 6f5b52c9..14cb356e 100644 --- a/src/drivers/general/queries/IrqlTooHigh/IrqlTooHigh.sarif +++ b/src/drivers/general/queries/IrqlTooHigh/IrqlTooHigh.sarif @@ -1,912 +1,912 @@ { - "$schema": "https://json.schemastore.org/sarif-2.1.0.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "CodeQL", - "organization": "GitHub", - "semanticVersion": "2.24.2", - "notifications": [ - { - "id": "cpp/baseline/expected-extracted-files", - "name": "cpp/baseline/expected-extracted-files", - "shortDescription": { - "text": "Expected extracted files" - }, - "fullDescription": { - "text": "Files appearing in the source archive that are expected to be extracted." - }, - "defaultConfiguration": { - "enabled": true - }, - "properties": { - "tags": [ - "expected-extracted-files", - "telemetry" - ] - } - }, - { - "id": "cli/file-coverage-baseline", - "name": "cli/file-coverage-baseline", - "shortDescription": { - "text": "File coverage baseline telemetry" - }, - "fullDescription": { - "text": "File coverage baseline telemetry" - }, - "defaultConfiguration": { - "enabled": true - } - }, - { - "id": "cli/platform", - "name": "cli/platform", - "shortDescription": { - "text": "Platform" - }, - "fullDescription": { - "text": "Platform" - }, - "defaultConfiguration": { - "enabled": true - } - }, - { - "id": "cpp/extractor/summary", - "name": "cpp/extractor/summary", - "shortDescription": { - "text": "C++ extractor telemetry" - }, - "fullDescription": { - "text": "C++ extractor telemetry" - }, - "defaultConfiguration": { - "enabled": true - } - } - ], - "rules": [ - { - "id": "cpp/drivers/irql-too-high", - "name": "cpp/drivers/irql-too-high", - "shortDescription": { - "text": "IRQL too high (C28121)" - }, - "fullDescription": { - "text": "A function annotated with IRQL requirements was called at an IRQL too high for the requirements." - }, - "defaultConfiguration": { - "enabled": true, - "level": "warning" - }, - "help": { - "text": "# IRQL too high (C28121)\nThe function is not permitted to be called at the current IRQ level. The current level is too high.\n\n\n## Recommendation\nThe driver is executing at an IRQL that is too high for the function that it is calling. Consult the WDK documentation for the function and verify the IRQL at which the function can be called. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\n\n\n## Example\nIn this example, the driver is at too high of an IRQL to acquire a spinlock:\n\n```c\n\n\t\t\tNTSTATUS \n\t\t\tIrqlTooHigh(PKSPIN_LOCK myLock, PKIRQL oldIrql){\n\t\t\t\tNTSTATUS status;\n\t\t\t\tKIRQL lockIrql;\n\t\t\t\tKeRaiseIrql(HIGH_LEVEL, oldIrql);\n\t\t\t\tKeAcquireSpinLock(myLock, &lockIrql);\n\t\t\t\tKeReleaseSpinLock(myLock, &lockIrql);\n\t\t\t\tKeLowerIrql(*oldIrql);\n\t\t\t\treturn status;\n\t\t\t}\n\t\t\t\n\t\t\n```\nThe driver should be careful not to raise the IRQL too high:\n\n```c\n\n\t\t\tNTSTATUS \n\t\t\tIrqlTooHigh(PKSPIN_LOCK myLock, PKIRQL oldIrql){\n\t\t\t\tNTSTATUS status;\n\t\t\t\tKIRQL lockIrql;\n\t\t\t\tKeRaiseIrql(APC_LEVEL, oldIrql);\n\t\t\t\tKeAcquireSpinLock(myLock, &lockIrql);\n\t\t\t\tKeReleaseSpinLock(myLock, &lockIrql);\n\t\t\t\tKeLowerIrql(*oldIrql);\n\t\t\t\treturn status;\n\t\t\t}\n\t\t\t\n\t\t\n```\n\n## References\n* [ C28121 warning - Windows Drivers ](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/28121-irq-execution-too-high)\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\n\n## Semmle-specific notes\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\n\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\n\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\n\n**Dead-branch suppression.** The query suppresses calls inside an `if (b)` block when `b` is a non-`static` local variable initialized to `FALSE` / `0` that is never mutated (no `=`, no compound assignment, no `++` / `--`) and whose address is never taken. Compile-time constant `0` conditions are also suppressed. This is intended to silence dead-branch patterns produced by NDIS macros such as `FILTER_ACQUIRE_LOCK(lock, bFalse)`; the conditions on the variable case are deliberately conservative to avoid silently dropping legitimate findings when the runtime value of the variable cannot be proven to remain `FALSE` (globals reassigned in another function, address-taken locals mutated through a pointer, compound mutation, etc.).\n\n", - "markdown": "# IRQL too high (C28121)\nThe function is not permitted to be called at the current IRQ level. The current level is too high.\n\n\n## Recommendation\nThe driver is executing at an IRQL that is too high for the function that it is calling. Consult the WDK documentation for the function and verify the IRQL at which the function can be called. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\n\n\n## Example\nIn this example, the driver is at too high of an IRQL to acquire a spinlock:\n\n```c\n\n\t\t\tNTSTATUS \n\t\t\tIrqlTooHigh(PKSPIN_LOCK myLock, PKIRQL oldIrql){\n\t\t\t\tNTSTATUS status;\n\t\t\t\tKIRQL lockIrql;\n\t\t\t\tKeRaiseIrql(HIGH_LEVEL, oldIrql);\n\t\t\t\tKeAcquireSpinLock(myLock, &lockIrql);\n\t\t\t\tKeReleaseSpinLock(myLock, &lockIrql);\n\t\t\t\tKeLowerIrql(*oldIrql);\n\t\t\t\treturn status;\n\t\t\t}\n\t\t\t\n\t\t\n```\nThe driver should be careful not to raise the IRQL too high:\n\n```c\n\n\t\t\tNTSTATUS \n\t\t\tIrqlTooHigh(PKSPIN_LOCK myLock, PKIRQL oldIrql){\n\t\t\t\tNTSTATUS status;\n\t\t\t\tKIRQL lockIrql;\n\t\t\t\tKeRaiseIrql(APC_LEVEL, oldIrql);\n\t\t\t\tKeAcquireSpinLock(myLock, &lockIrql);\n\t\t\t\tKeReleaseSpinLock(myLock, &lockIrql);\n\t\t\t\tKeLowerIrql(*oldIrql);\n\t\t\t\treturn status;\n\t\t\t}\n\t\t\t\n\t\t\n```\n\n## References\n* [ C28121 warning - Windows Drivers ](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/28121-irq-execution-too-high)\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\n\n## Semmle-specific notes\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\n\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\n\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\n\n**Dead-branch suppression.** The query suppresses calls inside an `if (b)` block when `b` is a non-`static` local variable initialized to `FALSE` / `0` that is never mutated (no `=`, no compound assignment, no `++` / `--`) and whose address is never taken. Compile-time constant `0` conditions are also suppressed. This is intended to silence dead-branch patterns produced by NDIS macros such as `FILTER_ACQUIRE_LOCK(lock, bFalse)`; the conditions on the variable case are deliberately conservative to avoid silently dropping legitimate findings when the runtime value of the variable cannot be proven to remain `FALSE` (globals reassigned in another function, address-taken locals mutated through a pointer, compound mutation, etc.).\n\n" - }, - "properties": { - "tags": [ - "correctness", - "ca_ported", - "wddst" - ], - "description": "A function annotated with IRQL requirements was called at an IRQL too high for the requirements.", - "feature.area": "Multiple", - "id": "cpp/drivers/irql-too-high", - "impact": "Exploitable Design", - "kind": "problem", - "name": "IRQL too high (C28121)", - "opaqueid": "CQLD-C28121", - "owner.email": "sdat@microsoft.com", - "platform": "Desktop", - "precision": "medium", - "problem.severity": "warning", - "query-version": "v5", - "repro.text": "The following function call is taking place at an IRQL too high for what the call target is annotated as.", - "scope": "domainspecific", - "security.severity": "Low" - } - } - ] - }, - "extensions": [ - { - "name": "microsoft/windows-drivers", - "semanticVersion": "1.9.0+a76f8551b47f01adada99ddc44a5ea4fa9839fca", - "locations": [ - { - "uri": "file:///F:/source/repos/Windows-Driver-Developer-Supplemental-Tools/src/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///F:/source/repos/Windows-Driver-Developer-Supplemental-Tools/src/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - }, - { - "name": "codeql/cpp-all", - "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", - "locations": [ - { - "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - } - ] - }, - "invocations": [ + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ { - "toolExecutionNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.25.5", + "notifications": [ + { + "id": "cpp/baseline/expected-extracted-files", + "name": "cpp/baseline/expected-extracted-files", + "shortDescription": { + "text": "Expected extracted files" + }, + "fullDescription": { + "text": "Files appearing in the source archive that are expected to be extracted." + }, + "defaultConfiguration": { + "enabled": true + }, + "properties": { + "tags": [ + "expected-extracted-files", + "telemetry" + ] + } + }, + { + "id": "cli/file-coverage-baseline", + "name": "cli/file-coverage-baseline", + "shortDescription": { + "text": "File coverage baseline telemetry" + }, + "fullDescription": { + "text": "File coverage baseline telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cli/platform", + "name": "cli/platform", + "shortDescription": { + "text": "Platform" + }, + "fullDescription": { + "text": "Platform" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cpp/extractor/summary", + "name": "cpp/extractor/summary", + "shortDescription": { + "text": "C++ extractor telemetry" + }, + "fullDescription": { + "text": "C++ extractor telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + } + ], + "rules": [ + { + "id": "cpp/drivers/irql-too-high", + "name": "cpp/drivers/irql-too-high", + "shortDescription": { + "text": "IRQL too high (C28121)" + }, + "fullDescription": { + "text": "A function annotated with IRQL requirements was called at an IRQL too high for the requirements." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "help": { + "text": "# IRQL too high (C28121)\r\nThe function is not permitted to be called at the current IRQ level. The current level is too high.\r\n\r\n\r\n## Recommendation\r\nThe driver is executing at an IRQL that is too high for the function that it is calling. Consult the WDK documentation for the function and verify the IRQL at which the function can be called. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\r\n\r\n\r\n## Example\r\nIn this example, the driver is at too high of an IRQL to acquire a spinlock:\r\n\r\n```c\r\n\r\n\t\t\tNTSTATUS \r\n\t\t\tIrqlTooHigh(PKSPIN_LOCK myLock, PKIRQL oldIrql){\r\n\t\t\t\tNTSTATUS status;\r\n\t\t\t\tKIRQL lockIrql;\r\n\t\t\t\tKeRaiseIrql(HIGH_LEVEL, oldIrql);\r\n\t\t\t\tKeAcquireSpinLock(myLock, &lockIrql);\r\n\t\t\t\tKeReleaseSpinLock(myLock, &lockIrql);\r\n\t\t\t\tKeLowerIrql(*oldIrql);\r\n\t\t\t\treturn status;\r\n\t\t\t}\r\n\t\t\t\r\n\t\t\r\n```\r\nThe driver should be careful not to raise the IRQL too high:\r\n\r\n```c\r\n\r\n\t\t\tNTSTATUS \r\n\t\t\tIrqlTooHigh(PKSPIN_LOCK myLock, PKIRQL oldIrql){\r\n\t\t\t\tNTSTATUS status;\r\n\t\t\t\tKIRQL lockIrql;\r\n\t\t\t\tKeRaiseIrql(APC_LEVEL, oldIrql);\r\n\t\t\t\tKeAcquireSpinLock(myLock, &lockIrql);\r\n\t\t\t\tKeReleaseSpinLock(myLock, &lockIrql);\r\n\t\t\t\tKeLowerIrql(*oldIrql);\r\n\t\t\t\treturn status;\r\n\t\t\t}\r\n\t\t\t\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28121 warning - Windows Drivers ](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/28121-irq-execution-too-high)\r\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\r\n\r\n## Semmle-specific notes\r\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\r\n\r\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\r\n\r\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\r\n\r\n**Dead-branch suppression.** The query suppresses calls inside `if (b)` when `b` is either a compile-time constant `0`, or a non-`static` local initialized to `FALSE`/`0` that is never reassigned, incremented/decremented, or address-taken in the enclosing function. Targets dead-branch patterns from NDIS macros such as `FILTER_ACQUIRE_LOCK(lock, bFalse)`. The variable conditions are deliberately strict to avoid suppressing real findings on globals, function-statics, or values mutated through a pointer parameter.\r\n\r\n", + "markdown": "# IRQL too high (C28121)\r\nThe function is not permitted to be called at the current IRQ level. The current level is too high.\r\n\r\n\r\n## Recommendation\r\nThe driver is executing at an IRQL that is too high for the function that it is calling. Consult the WDK documentation for the function and verify the IRQL at which the function can be called. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\r\n\r\n\r\n## Example\r\nIn this example, the driver is at too high of an IRQL to acquire a spinlock:\r\n\r\n```c\r\n\r\n\t\t\tNTSTATUS \r\n\t\t\tIrqlTooHigh(PKSPIN_LOCK myLock, PKIRQL oldIrql){\r\n\t\t\t\tNTSTATUS status;\r\n\t\t\t\tKIRQL lockIrql;\r\n\t\t\t\tKeRaiseIrql(HIGH_LEVEL, oldIrql);\r\n\t\t\t\tKeAcquireSpinLock(myLock, &lockIrql);\r\n\t\t\t\tKeReleaseSpinLock(myLock, &lockIrql);\r\n\t\t\t\tKeLowerIrql(*oldIrql);\r\n\t\t\t\treturn status;\r\n\t\t\t}\r\n\t\t\t\r\n\t\t\r\n```\r\nThe driver should be careful not to raise the IRQL too high:\r\n\r\n```c\r\n\r\n\t\t\tNTSTATUS \r\n\t\t\tIrqlTooHigh(PKSPIN_LOCK myLock, PKIRQL oldIrql){\r\n\t\t\t\tNTSTATUS status;\r\n\t\t\t\tKIRQL lockIrql;\r\n\t\t\t\tKeRaiseIrql(APC_LEVEL, oldIrql);\r\n\t\t\t\tKeAcquireSpinLock(myLock, &lockIrql);\r\n\t\t\t\tKeReleaseSpinLock(myLock, &lockIrql);\r\n\t\t\t\tKeLowerIrql(*oldIrql);\r\n\t\t\t\treturn status;\r\n\t\t\t}\r\n\t\t\t\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28121 warning - Windows Drivers ](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/28121-irq-execution-too-high)\r\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\r\n\r\n## Semmle-specific notes\r\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\r\n\r\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\r\n\r\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\r\n\r\n**Dead-branch suppression.** The query suppresses calls inside `if (b)` when `b` is either a compile-time constant `0`, or a non-`static` local initialized to `FALSE`/`0` that is never reassigned, incremented/decremented, or address-taken in the enclosing function. Targets dead-branch patterns from NDIS macros such as `FILTER_ACQUIRE_LOCK(lock, bFalse)`. The variable conditions are deliberately strict to avoid suppressing real findings on globals, function-statics, or values mutated through a pointer parameter.\r\n\r\n" + }, + "properties": { + "tags": [ + "correctness", + "ca_ported", + "wddst" + ], + "description": "A function annotated with IRQL requirements was called at an IRQL too high for the requirements.", + "feature.area": "Multiple", + "id": "cpp/drivers/irql-too-high", + "impact": "Exploitable Design", + "kind": "problem", + "name": "IRQL too high (C28121)", + "opaqueid": "CQLD-C28121", + "owner.email": "sdat@microsoft.com", + "platform": "Desktop", + "precision": "medium", + "problem.severity": "warning", + "query-version": "v5", + "repro.text": "The following function call is taking place at an IRQL too high for what the call target is annotated as.", + "scope": "domainspecific", + "security.severity": "Low" + } + } + ] + }, + "extensions": [ + { + "name": "microsoft/windows-drivers", + "semanticVersion": "1.10.0+6af9e601c84a31fd16ec52d95fed345ac5436774", + "locations": [ + { + "uri": "file:///F:/source/repos/wddst-2/src/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///F:/source/repos/wddst-2/src/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] + }, + { + "name": "codeql/cpp-all", + "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", + "locations": [ + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } + ] }, - { - "locations": [ + "invocations": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 2 - } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } - }, - { - "locations": [ + "toolExecutionNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 2 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 1 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:20:31.602369Z", + "descriptor": { + "id": "cli/file-coverage-baseline", + "index": 1 + }, + "properties": { + "attributes": { + "durationMilliseconds": 265 + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:20:31.602369Z", + "descriptor": { + "id": "cli/platform", + "index": 2 + }, + "properties": { + "attributes": { + "arch": "amd64", + "name": "Windows 11", + "version": "10.0" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", + "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." + }, + "level": "note", + "timeUtc": "2026-05-28T00:21:00.780112200Z", + "descriptor": { + "id": "cpp/extractor/summary", + "index": 3 + }, + "properties": { + "attributes": { + "cache-hits": 0, + "cache-misses": 1, + "compilers": [ + { + "program": "cl", + "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.51.36244 for x64" + } + ], + "extractor-failures": 1, + "extractor-successes": 0, + "trap-caching": "disabled" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + } + ], + "executionSuccessful": true + } + ], + "artifacts": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 1 + "location": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } - }, - { - "message": { - "text": "" - }, - "level": "none", - "timeUtc": "2026-04-29T04:31:57.790909200Z", - "descriptor": { - "id": "cli/file-coverage-baseline", - "index": 1 - }, - "properties": { - "attributes": { - "durationMilliseconds": 317 - }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - }, - { - "message": { - "text": "" - }, - "level": "none", - "timeUtc": "2026-04-29T04:31:57.796908700Z", - "descriptor": { - "id": "cli/platform", - "index": 2 - }, - "properties": { - "attributes": { - "arch": "amd64", - "name": "Windows 11", - "version": "10.0" }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - }, - { - "message": { - "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", - "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." - }, - "level": "note", - "timeUtc": "2026-04-29T04:32:37.806676200Z", - "descriptor": { - "id": "cpp/extractor/summary", - "index": 3 - }, - "properties": { - "attributes": { - "cache-hits": 0, - "cache-misses": 1, - "compilers": [ - { - "program": "cl", - "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.50.35724 for x64" + { + "location": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 1 } - ], - "extractor-failures": 1, - "extractor-successes": 0, - "trap-caching": "disabled" - }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - } - ], - "executionSuccessful": true - } - ], - "artifacts": [ - { - "location": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - } - }, - { - "location": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 1 - } - }, - { - "location": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 2 - } - } - ], - "results": [ - { - "ruleId": "cpp/drivers/irql-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-high", - "index": 0 - }, - "message": { - "text": "[failForIrqlTooHigh_globalReassigned](1): IRQL potentially too high at call to [PassiveOnly_TooHigh](2). Maximum IRQL for this call: 0, IRQL at preceding node: 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 150, - "startColumn": 9, - "endColumn": 28 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "b144babee8b922b:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 }, - "region": { - "startLine": 147, - "startColumn": 6, - "endColumn": 41 - } - }, - "message": { - "text": "failForIrqlTooHigh_globalReassigned" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 150, - "startColumn": 9, - "endColumn": 28 - } - }, - "message": { - "text": "PassiveOnly_TooHigh" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-high", - "index": 0 - }, - "message": { - "text": "[failForIrqlTooHigh_byReference](1): IRQL potentially too high at call to [PassiveOnly_TooHigh](2). Maximum IRQL for this call: 0, IRQL at preceding node: 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 138, - "startColumn": 9, - "endColumn": 28 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "c860f155ed9fe979:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 133, - "startColumn": 6, - "endColumn": 36 - } - }, - "message": { - "text": "failForIrqlTooHigh_byReference" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 138, - "startColumn": 9, - "endColumn": 28 - } - }, - "message": { - "text": "PassiveOnly_TooHigh" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-high", - "index": 0 - }, - "message": { - "text": "[failForIrqlTooHigh_increment](1): IRQL potentially too high at call to [PassiveOnly_TooHigh](2). Maximum IRQL for this call: 0, IRQL at preceding node: 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 126, - "startColumn": 9, - "endColumn": 28 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "bf3c3ea7c818ee5f:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 121, - "startColumn": 6, - "endColumn": 34 - } - }, - "message": { - "text": "failForIrqlTooHigh_increment" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 126, - "startColumn": 9, - "endColumn": 28 - } - }, - "message": { - "text": "PassiveOnly_TooHigh" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-high", - "index": 0 - }, - "message": { - "text": "[failForIrqlTooHigh_compoundAssignment](1): IRQL potentially too high at call to [PassiveOnly_TooHigh](2). Maximum IRQL for this call: 0, IRQL at preceding node: 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 115, - "startColumn": 9, - "endColumn": 28 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "b8558f6fccea75ce:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 110, - "startColumn": 6, - "endColumn": 43 - } - }, - "message": { - "text": "failForIrqlTooHigh_compoundAssignment" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 115, - "startColumn": 9, - "endColumn": 28 - } - }, - "message": { - "text": "PassiveOnly_TooHigh" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-high", - "index": 0 - }, - "message": { - "text": "[TestInner1](1): IRQL potentially too high at call to [TestInner2](2). Maximum IRQL for this call: 1, IRQL at preceding node: 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 42, - "startColumn": 12, - "endColumn": 22 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "1defbc9e59f0310b:1", - "primaryLocationStartColumnFingerprint": "7" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 41, - "startColumn": 10, - "endColumn": 20 - } - }, - "message": { - "text": "TestInner1" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 42, - "startColumn": 12, - "endColumn": 22 - } - }, - "message": { - "text": "TestInner2" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-high", - "index": 0 - }, - "message": { - "text": "[TestInner2](1): IRQL potentially too high at call to [TestInner4](2). Maximum IRQL for this call: 0, IRQL at preceding node: 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 36, - "startColumn": 14, - "endColumn": 24 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "7ae2af586e0dd70a:1", - "primaryLocationStartColumnFingerprint": "9" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 26, - "startColumn": 10, - "endColumn": 20 + { + "location": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 2 + } } - }, - "message": { - "text": "TestInner2" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + ], + "results": [ + { + "ruleId": "cpp/drivers/irql-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-high", + "index": 0 + }, + "message": { + "text": "[failForIrqlTooHigh_globalReassigned](1): IRQL potentially too high at call to [PassiveOnly_TooHigh](2). Maximum IRQL for this call: 0, IRQL at preceding node: 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 150, + "startColumn": 9, + "endColumn": 28 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "b144babee8b922b:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 147, + "startColumn": 6, + "endColumn": 41 + } + }, + "message": { + "text": "failForIrqlTooHigh_globalReassigned" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 150, + "startColumn": 9, + "endColumn": 28 + } + }, + "message": { + "text": "PassiveOnly_TooHigh" + } + } + ] }, - "region": { - "startLine": 36, - "startColumn": 14, - "endColumn": 24 - } - }, - "message": { - "text": "TestInner4" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-high", - "index": 0 - }, - "message": { - "text": "[DpcForIsrRoutine](1): IRQL potentially too high at call to [IoGetInitialStack](2). Maximum IRQL for this call: 1, IRQL at preceding node: 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 1 + { + "ruleId": "cpp/drivers/irql-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-high", + "index": 0 + }, + "message": { + "text": "[failForIrqlTooHigh_byReference](1): IRQL potentially too high at call to [PassiveOnly_TooHigh](2). Maximum IRQL for this call: 0, IRQL at preceding node: 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 138, + "startColumn": 9, + "endColumn": 28 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "c860f155ed9fe979:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 133, + "startColumn": 6, + "endColumn": 36 + } + }, + "message": { + "text": "failForIrqlTooHigh_byReference" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 138, + "startColumn": 9, + "endColumn": 28 + } + }, + "message": { + "text": "PassiveOnly_TooHigh" + } + } + ] }, - "region": { - "startLine": 379, - "startColumn": 5, - "endColumn": 22 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "48e9dbeaff18e9e7:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 1 + { + "ruleId": "cpp/drivers/irql-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-high", + "index": 0 + }, + "message": { + "text": "[failForIrqlTooHigh_increment](1): IRQL potentially too high at call to [PassiveOnly_TooHigh](2). Maximum IRQL for this call: 0, IRQL at preceding node: 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 126, + "startColumn": 9, + "endColumn": 28 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "bf3c3ea7c818ee5f:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 121, + "startColumn": 6, + "endColumn": 34 + } + }, + "message": { + "text": "failForIrqlTooHigh_increment" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 126, + "startColumn": 9, + "endColumn": 28 + } + }, + "message": { + "text": "PassiveOnly_TooHigh" + } + } + ] }, - "region": { - "startLine": 360, - "endColumn": 17 - } - }, - "message": { - "text": "DpcForIsrRoutine" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 1 + { + "ruleId": "cpp/drivers/irql-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-high", + "index": 0 + }, + "message": { + "text": "[failForIrqlTooHigh_compoundAssignment](1): IRQL potentially too high at call to [PassiveOnly_TooHigh](2). Maximum IRQL for this call: 0, IRQL at preceding node: 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 115, + "startColumn": 9, + "endColumn": 28 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "b8558f6fccea75ce:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 110, + "startColumn": 6, + "endColumn": 43 + } + }, + "message": { + "text": "failForIrqlTooHigh_compoundAssignment" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 115, + "startColumn": 9, + "endColumn": 28 + } + }, + "message": { + "text": "PassiveOnly_TooHigh" + } + } + ] }, - "region": { - "startLine": 379, - "startColumn": 5, - "endColumn": 22 - } - }, - "message": { - "text": "IoGetInitialStack" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-high", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-high", - "index": 0 - }, - "message": { - "text": "[CompletionRoutine](1): IRQL potentially too high at call to [KeSetEvent](2). Maximum IRQL for this call: 1, IRQL at preceding node: 2" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 1 + { + "ruleId": "cpp/drivers/irql-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-high", + "index": 0 + }, + "message": { + "text": "[TestInner1](1): IRQL potentially too high at call to [TestInner2](2). Maximum IRQL for this call: 1, IRQL at preceding node: 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 42, + "startColumn": 12, + "endColumn": 22 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "1defbc9e59f0310b:1", + "primaryLocationStartColumnFingerprint": "7" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 41, + "startColumn": 10, + "endColumn": 20 + } + }, + "message": { + "text": "TestInner1" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 42, + "startColumn": 12, + "endColumn": 22 + } + }, + "message": { + "text": "TestInner2" + } + } + ] }, - "region": { - "startLine": 337, - "startColumn": 5, - "endColumn": 15 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "779dfb1bf8eb10c3:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 1 + { + "ruleId": "cpp/drivers/irql-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-high", + "index": 0 + }, + "message": { + "text": "[TestInner2](1): IRQL potentially too high at call to [TestInner4](2). Maximum IRQL for this call: 0, IRQL at preceding node: 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 36, + "startColumn": 14, + "endColumn": 24 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "7ae2af586e0dd70a:1", + "primaryLocationStartColumnFingerprint": "9" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 26, + "startColumn": 10, + "endColumn": 20 + } + }, + "message": { + "text": "TestInner2" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 36, + "startColumn": 14, + "endColumn": 24 + } + }, + "message": { + "text": "TestInner4" + } + } + ] }, - "region": { - "startLine": 316, - "endColumn": 18 - } - }, - "message": { - "text": "CompletionRoutine" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 1 + { + "ruleId": "cpp/drivers/irql-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-high", + "index": 0 + }, + "message": { + "text": "[DpcForIsrRoutine](1): IRQL potentially too high at call to [IoGetInitialStack](2). Maximum IRQL for this call: 1, IRQL at preceding node: 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 1 + }, + "region": { + "startLine": 379, + "startColumn": 5, + "endColumn": 22 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "48e9dbeaff18e9e7:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 1 + }, + "region": { + "startLine": 360, + "endColumn": 17 + } + }, + "message": { + "text": "DpcForIsrRoutine" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 1 + }, + "region": { + "startLine": 379, + "startColumn": 5, + "endColumn": 22 + } + }, + "message": { + "text": "IoGetInitialStack" + } + } + ] }, - "region": { - "startLine": 337, - "startColumn": 5, - "endColumn": 15 - } - }, - "message": { - "text": "KeSetEvent" - } + { + "ruleId": "cpp/drivers/irql-too-high", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-high", + "index": 0 + }, + "message": { + "text": "[CompletionRoutine](1): IRQL potentially too high at call to [KeSetEvent](2). Maximum IRQL for this call: 1, IRQL at preceding node: 2" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 1 + }, + "region": { + "startLine": 337, + "startColumn": 5, + "endColumn": 15 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "779dfb1bf8eb10c3:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 1 + }, + "region": { + "startLine": 316, + "endColumn": 18 + } + }, + "message": { + "text": "CompletionRoutine" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 1 + }, + "region": { + "startLine": 337, + "startColumn": 5, + "endColumn": 15 + } + }, + "message": { + "text": "KeSetEvent" + } + } + ] + } + ], + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarifv2.1.0" } - ] } - ], - "columnKind": "utf16CodeUnits", - "properties": { - "semmle.formatSpecifier": "sarifv2.1.0" - } - } - ] -} + ] +} \ No newline at end of file diff --git a/src/drivers/general/queries/IrqlTooLow/IrqlTooLow.sarif b/src/drivers/general/queries/IrqlTooLow/IrqlTooLow.sarif index 7ce307a5..aed6b6ef 100644 --- a/src/drivers/general/queries/IrqlTooLow/IrqlTooLow.sarif +++ b/src/drivers/general/queries/IrqlTooLow/IrqlTooLow.sarif @@ -1,776 +1,776 @@ { - "$schema": "https://json.schemastore.org/sarif-2.1.0.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "CodeQL", - "organization": "GitHub", - "semanticVersion": "2.24.2", - "notifications": [ - { - "id": "cpp/baseline/expected-extracted-files", - "name": "cpp/baseline/expected-extracted-files", - "shortDescription": { - "text": "Expected extracted files" - }, - "fullDescription": { - "text": "Files appearing in the source archive that are expected to be extracted." - }, - "defaultConfiguration": { - "enabled": true - }, - "properties": { - "tags": [ - "expected-extracted-files", - "telemetry" - ] - } - }, - { - "id": "cli/file-coverage-baseline", - "name": "cli/file-coverage-baseline", - "shortDescription": { - "text": "File coverage baseline telemetry" - }, - "fullDescription": { - "text": "File coverage baseline telemetry" - }, - "defaultConfiguration": { - "enabled": true - } - }, - { - "id": "cli/platform", - "name": "cli/platform", - "shortDescription": { - "text": "Platform" - }, - "fullDescription": { - "text": "Platform" - }, - "defaultConfiguration": { - "enabled": true - } - }, - { - "id": "cpp/extractor/summary", - "name": "cpp/extractor/summary", - "shortDescription": { - "text": "C++ extractor telemetry" - }, - "fullDescription": { - "text": "C++ extractor telemetry" - }, - "defaultConfiguration": { - "enabled": true - } - } - ], - "rules": [ - { - "id": "cpp/drivers/irql-too-low", - "name": "cpp/drivers/irql-too-low", - "shortDescription": { - "text": "IRQL too low (C28120)" - }, - "fullDescription": { - "text": "A function annotated with IRQL requirements was called at an IRQL too low for the requirements." - }, - "defaultConfiguration": { - "enabled": true, - "level": "warning" - }, - "help": { - "text": "# IRQL too low (C28120)\nThe function is not permitted to be called at the current IRQ level. The current level is too low.\n\n\n## Recommendation\nThe driver is executing at an IRQL that is too low for the function that it is calling. Consult the WDK documentation for the function and verify the IRQL at which the function can be called. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\n\n\n## Example\nIn this example, the driver is calling a DDI that must be called at DISPATCH_LEVEL or higher:\n\n```c\n\n\t\t\t// Within a standard thread running at APC_LEVEL:\n\t\t\tif (KeShouldYieldProcessor())\n\t\t\t{\n\t\t\t\tKeLowerIrql(PASSIVE_LEVEL);\n\t\t\t}\n\t\t\t\n\t\t\n```\nThe driver should be careful to only call from a DISPATCH_LEVEL context:\n\n```c\n\n\t\t\t// Within a work loop running at DISPATCH_LEVEL\n\t\t\tif (KeShouldYieldProcessor())\n\t\t\t{\n\t\t\t\tKeLowerIrql(PASSIVE_LEVEL);\n\t\t\t}\n\t\t\t\n\t\t\n```\n\n## References\n* [ C28120 warning - Windows Drivers ](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/28120-irql-execution-too-low)\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\n\n## Semmle-specific notes\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\n\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\n\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\n\n**Dead-branch suppression.** The query suppresses calls inside an `if (b)` block when `b` is a non-`static` local variable initialized to `FALSE` / `0` that is never mutated (no `=`, no compound assignment, no `++` / `--`) and whose address is never taken. Compile-time constant `0` conditions are also suppressed. This is intended to silence dead-branch patterns produced by NDIS macros such as `FILTER_ACQUIRE_LOCK(lock, bFalse)`; the conditions on the variable case are deliberately conservative to avoid silently dropping legitimate findings when the runtime value of the variable cannot be proven to remain `FALSE` (globals reassigned in another function, address-taken locals mutated through a pointer, compound mutation, etc.).\n\n", - "markdown": "# IRQL too low (C28120)\nThe function is not permitted to be called at the current IRQ level. The current level is too low.\n\n\n## Recommendation\nThe driver is executing at an IRQL that is too low for the function that it is calling. Consult the WDK documentation for the function and verify the IRQL at which the function can be called. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\n\n\n## Example\nIn this example, the driver is calling a DDI that must be called at DISPATCH_LEVEL or higher:\n\n```c\n\n\t\t\t// Within a standard thread running at APC_LEVEL:\n\t\t\tif (KeShouldYieldProcessor())\n\t\t\t{\n\t\t\t\tKeLowerIrql(PASSIVE_LEVEL);\n\t\t\t}\n\t\t\t\n\t\t\n```\nThe driver should be careful to only call from a DISPATCH_LEVEL context:\n\n```c\n\n\t\t\t// Within a work loop running at DISPATCH_LEVEL\n\t\t\tif (KeShouldYieldProcessor())\n\t\t\t{\n\t\t\t\tKeLowerIrql(PASSIVE_LEVEL);\n\t\t\t}\n\t\t\t\n\t\t\n```\n\n## References\n* [ C28120 warning - Windows Drivers ](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/28120-irql-execution-too-low)\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\n\n## Semmle-specific notes\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\n\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\n\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\n\n**Dead-branch suppression.** The query suppresses calls inside an `if (b)` block when `b` is a non-`static` local variable initialized to `FALSE` / `0` that is never mutated (no `=`, no compound assignment, no `++` / `--`) and whose address is never taken. Compile-time constant `0` conditions are also suppressed. This is intended to silence dead-branch patterns produced by NDIS macros such as `FILTER_ACQUIRE_LOCK(lock, bFalse)`; the conditions on the variable case are deliberately conservative to avoid silently dropping legitimate findings when the runtime value of the variable cannot be proven to remain `FALSE` (globals reassigned in another function, address-taken locals mutated through a pointer, compound mutation, etc.).\n\n" - }, - "properties": { - "tags": [ - "correctness", - "ca_ported", - "wddst" - ], - "description": "A function annotated with IRQL requirements was called at an IRQL too low for the requirements.", - "feature.area": "Multiple", - "id": "cpp/drivers/irql-too-low", - "impact": "Exploitable Design", - "kind": "problem", - "name": "IRQL too low (C28120)", - "opaqueid": "CQLD-C28120", - "owner.email": "sdat@microsoft.com", - "platform": "Desktop", - "precision": "medium", - "problem.severity": "warning", - "query-version": "v6", - "repro.text": "The following function call is taking place at an IRQL too low for what the call target is annotated as.", - "scope": "domainspecific", - "security.severity": "Low" - } - } - ] - }, - "extensions": [ - { - "name": "microsoft/windows-drivers", - "semanticVersion": "1.9.0+a76f8551b47f01adada99ddc44a5ea4fa9839fca", - "locations": [ - { - "uri": "file:///F:/source/repos/Windows-Driver-Developer-Supplemental-Tools/src/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///F:/source/repos/Windows-Driver-Developer-Supplemental-Tools/src/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - }, - { - "name": "codeql/cpp-all", - "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", - "locations": [ - { - "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", - "description": { - "text": "The QL pack root directory." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackRoot" - ] - } - }, - { - "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", - "description": { - "text": "The QL pack definition file." - }, - "properties": { - "tags": [ - "CodeQL/LocalPackDefinitionFile" - ] - } - } - ] - } - ] - }, - "invocations": [ + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ { - "toolExecutionNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.25.5", + "notifications": [ + { + "id": "cpp/baseline/expected-extracted-files", + "name": "cpp/baseline/expected-extracted-files", + "shortDescription": { + "text": "Expected extracted files" + }, + "fullDescription": { + "text": "Files appearing in the source archive that are expected to be extracted." + }, + "defaultConfiguration": { + "enabled": true + }, + "properties": { + "tags": [ + "expected-extracted-files", + "telemetry" + ] + } + }, + { + "id": "cli/file-coverage-baseline", + "name": "cli/file-coverage-baseline", + "shortDescription": { + "text": "File coverage baseline telemetry" + }, + "fullDescription": { + "text": "File coverage baseline telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cli/platform", + "name": "cli/platform", + "shortDescription": { + "text": "Platform" + }, + "fullDescription": { + "text": "Platform" + }, + "defaultConfiguration": { + "enabled": true + } + }, + { + "id": "cpp/extractor/summary", + "name": "cpp/extractor/summary", + "shortDescription": { + "text": "C++ extractor telemetry" + }, + "fullDescription": { + "text": "C++ extractor telemetry" + }, + "defaultConfiguration": { + "enabled": true + } + } + ], + "rules": [ + { + "id": "cpp/drivers/irql-too-low", + "name": "cpp/drivers/irql-too-low", + "shortDescription": { + "text": "IRQL too low (C28120)" + }, + "fullDescription": { + "text": "A function annotated with IRQL requirements was called at an IRQL too low for the requirements." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "help": { + "text": "# IRQL too low (C28120)\r\nThe function is not permitted to be called at the current IRQ level. The current level is too low.\r\n\r\n\r\n## Recommendation\r\nThe driver is executing at an IRQL that is too low for the function that it is calling. Consult the WDK documentation for the function and verify the IRQL at which the function can be called. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\r\n\r\n\r\n## Example\r\nIn this example, the driver is calling a DDI that must be called at DISPATCH_LEVEL or higher:\r\n\r\n```c\r\n\r\n\t\t\t// Within a standard thread running at APC_LEVEL:\r\n\t\t\tif (KeShouldYieldProcessor())\r\n\t\t\t{\r\n\t\t\t\tKeLowerIrql(PASSIVE_LEVEL);\r\n\t\t\t}\r\n\t\t\t\r\n\t\t\r\n```\r\nThe driver should be careful to only call from a DISPATCH_LEVEL context:\r\n\r\n```c\r\n\r\n\t\t\t// Within a work loop running at DISPATCH_LEVEL\r\n\t\t\tif (KeShouldYieldProcessor())\r\n\t\t\t{\r\n\t\t\t\tKeLowerIrql(PASSIVE_LEVEL);\r\n\t\t\t}\r\n\t\t\t\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28120 warning - Windows Drivers ](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/28120-irql-execution-too-low)\r\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\r\n\r\n## Semmle-specific notes\r\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\r\n\r\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\r\n\r\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\r\n\r\n**Dead-branch suppression.** The query suppresses calls inside `if (b)` when `b` is either a compile-time constant `0`, or a non-`static` local initialized to `FALSE`/`0` that is never reassigned, incremented/decremented, or address-taken in the enclosing function. Targets dead-branch patterns from NDIS macros such as `FILTER_ACQUIRE_LOCK(lock, bFalse)`. The variable conditions are deliberately strict to avoid suppressing real findings on globals, function-statics, or values mutated through a pointer parameter.\r\n\r\n", + "markdown": "# IRQL too low (C28120)\r\nThe function is not permitted to be called at the current IRQ level. The current level is too low.\r\n\r\n\r\n## Recommendation\r\nThe driver is executing at an IRQL that is too low for the function that it is calling. Consult the WDK documentation for the function and verify the IRQL at which the function can be called. If you have applied custom IRQL annotations to your own functions, confirm that they are accurate.\r\n\r\n\r\n## Example\r\nIn this example, the driver is calling a DDI that must be called at DISPATCH_LEVEL or higher:\r\n\r\n```c\r\n\r\n\t\t\t// Within a standard thread running at APC_LEVEL:\r\n\t\t\tif (KeShouldYieldProcessor())\r\n\t\t\t{\r\n\t\t\t\tKeLowerIrql(PASSIVE_LEVEL);\r\n\t\t\t}\r\n\t\t\t\r\n\t\t\r\n```\r\nThe driver should be careful to only call from a DISPATCH_LEVEL context:\r\n\r\n```c\r\n\r\n\t\t\t// Within a work loop running at DISPATCH_LEVEL\r\n\t\t\tif (KeShouldYieldProcessor())\r\n\t\t\t{\r\n\t\t\t\tKeLowerIrql(PASSIVE_LEVEL);\r\n\t\t\t}\r\n\t\t\t\r\n\t\t\r\n```\r\n\r\n## References\r\n* [ C28120 warning - Windows Drivers ](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/28120-irql-execution-too-low)\r\n* [ IRQL annotations for drivers ](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/irql-annotations-for-drivers)\r\n\r\n## Semmle-specific notes\r\nThis query uses interprocedural data-flow analysis and can take a large amount of CPU time and memory to run.\r\n\r\nThis query may provide false positives in cases where functions are not annotated with their expected IRQL ranges or behaviors.\r\n\r\nFor information on how to annotate your functions with information about how they adjust the IRQL, see \"IRQL annotations for drivers\" in the references section.\r\n\r\n**Dead-branch suppression.** The query suppresses calls inside `if (b)` when `b` is either a compile-time constant `0`, or a non-`static` local initialized to `FALSE`/`0` that is never reassigned, incremented/decremented, or address-taken in the enclosing function. Targets dead-branch patterns from NDIS macros such as `FILTER_ACQUIRE_LOCK(lock, bFalse)`. The variable conditions are deliberately strict to avoid suppressing real findings on globals, function-statics, or values mutated through a pointer parameter.\r\n\r\n" + }, + "properties": { + "tags": [ + "correctness", + "ca_ported", + "wddst" + ], + "description": "A function annotated with IRQL requirements was called at an IRQL too low for the requirements.", + "feature.area": "Multiple", + "id": "cpp/drivers/irql-too-low", + "impact": "Exploitable Design", + "kind": "problem", + "name": "IRQL too low (C28120)", + "opaqueid": "CQLD-C28120", + "owner.email": "sdat@microsoft.com", + "platform": "Desktop", + "precision": "medium", + "problem.severity": "warning", + "query-version": "v6", + "repro.text": "The following function call is taking place at an IRQL too low for what the call target is annotated as.", + "scope": "domainspecific", + "security.severity": "Low" + } + } + ] + }, + "extensions": [ + { + "name": "microsoft/windows-drivers", + "semanticVersion": "1.10.0+6af9e601c84a31fd16ec52d95fed345ac5436774", + "locations": [ + { + "uri": "file:///F:/source/repos/wddst-2/src/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///F:/source/repos/wddst-2/src/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] + }, + { + "name": "codeql/cpp-all", + "semanticVersion": "7.0.0+c5329f6f3863621c140ea7abd5954860e96c8bf1", + "locations": [ + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/", + "description": { + "text": "The QL pack root directory." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackRoot" + ] + } + }, + { + "uri": "file:///C:/Users/natede/.codeql/packages/codeql/cpp-all/7.0.0/qlpack.yml", + "description": { + "text": "The QL pack definition file." + }, + "properties": { + "tags": [ + "CodeQL/LocalPackDefinitionFile" + ] + } + } + ] } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } + ] }, - { - "locations": [ + "invocations": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 1 - } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" + "toolExecutionNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:21:56.473187100Z", + "descriptor": { + "id": "cli/file-coverage-baseline", + "index": 1 + }, + "properties": { + "attributes": { + "durationMilliseconds": 222 + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "" + }, + "level": "none", + "timeUtc": "2026-05-28T00:21:56.473187100Z", + "descriptor": { + "id": "cli/platform", + "index": 2 + }, + "properties": { + "attributes": { + "arch": "amd64", + "name": "Windows 11", + "version": "10.0" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + }, + { + "message": { + "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", + "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." + }, + "level": "note", + "timeUtc": "2026-05-28T00:22:25.471025600Z", + "descriptor": { + "id": "cpp/extractor/summary", + "index": 3 + }, + "properties": { + "attributes": { + "cache-hits": 0, + "cache-misses": 1, + "compilers": [ + { + "program": "cl", + "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.51.36244 for x64" + } + ], + "extractor-failures": 1, + "extractor-successes": 0, + "trap-caching": "disabled" + }, + "visibility": { + "statusPage": false, + "telemetry": true + } + } + } + ], + "executionSuccessful": true } - } - }, - { - "locations": [ + ], + "artifacts": [ { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 2 + "location": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 } - } - } - ], - "message": { - "text": "" - }, - "level": "none", - "descriptor": { - "id": "cpp/baseline/expected-extracted-files", - "index": 0 - }, - "properties": { - "formattedMessage": { - "text": "" - } - } - }, - { - "message": { - "text": "" - }, - "level": "none", - "timeUtc": "2026-04-29T04:35:27.144286700Z", - "descriptor": { - "id": "cli/file-coverage-baseline", - "index": 1 - }, - "properties": { - "attributes": { - "durationMilliseconds": 271 - }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - }, - { - "message": { - "text": "" - }, - "level": "none", - "timeUtc": "2026-04-29T04:35:27.147284600Z", - "descriptor": { - "id": "cli/platform", - "index": 2 - }, - "properties": { - "attributes": { - "arch": "amd64", - "name": "Windows 11", - "version": "10.0" }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - }, - { - "message": { - "text": "Internal telemetry for the C++ extractor.\n\nNo action needed.", - "markdown": "Internal telemetry for the C++ extractor.\n\nNo action needed." - }, - "level": "note", - "timeUtc": "2026-04-29T04:36:08.306667Z", - "descriptor": { - "id": "cpp/extractor/summary", - "index": 3 - }, - "properties": { - "attributes": { - "cache-hits": 0, - "cache-misses": 1, - "compilers": [ - { - "program": "cl", - "version": "Microsoft (R) C/C++ Optimizing Compiler Version 19.50.35724 for x64" + { + "location": { + "uri": "driver/fail_driver1.h", + "uriBaseId": "%SRCROOT%", + "index": 1 } - ], - "extractor-failures": 1, - "extractor-successes": 0, - "trap-caching": "disabled" }, - "visibility": { - "statusPage": false, - "telemetry": true - } - } - } - ], - "executionSuccessful": true - } - ], - "artifacts": [ - { - "location": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - } - }, - { - "location": { - "uri": "driver/fail_driver1.h", - "uriBaseId": "%SRCROOT%", - "index": 1 - } - }, - { - "location": { - "uri": "driver/fail_driver1.c", - "uriBaseId": "%SRCROOT%", - "index": 2 - } - } - ], - "results": [ - { - "ruleId": "cpp/drivers/irql-too-low", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-low", - "index": 0 - }, - "message": { - "text": "[failForIrqlTooLow_globalReassigned](1): IRQL potentially too low at call to [DispatchOnly_TooLow](2). Minimum IRQL for this call: 2, IRQL at preceding node: 0" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 112, - "startColumn": 9, - "endColumn": 28 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "4e9bf712603567a:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 110, - "startColumn": 6, - "endColumn": 40 - } - }, - "message": { - "text": "failForIrqlTooLow_globalReassigned" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 112, - "startColumn": 9, - "endColumn": 28 - } - }, - "message": { - "text": "DispatchOnly_TooLow" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-low", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-low", - "index": 0 - }, - "message": { - "text": "[failForIrqlTooLow_byReference](1): IRQL potentially too low at call to [DispatchOnly_TooLow](2). Minimum IRQL for this call: 2, IRQL at preceding node: 0" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 105, - "startColumn": 9, - "endColumn": 28 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "30d5b4e4b89956a4:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 101, - "startColumn": 6, - "endColumn": 35 - } - }, - "message": { - "text": "failForIrqlTooLow_byReference" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 105, - "startColumn": 9, - "endColumn": 28 - } - }, - "message": { - "text": "DispatchOnly_TooLow" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-low", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-low", - "index": 0 - }, - "message": { - "text": "[failForIrqlTooLow_increment](1): IRQL potentially too low at call to [DispatchOnly_TooLow](2). Minimum IRQL for this call: 2, IRQL at preceding node: 0" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 96, - "startColumn": 9, - "endColumn": 28 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "dd920dbcc12ad933:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 92, - "startColumn": 6, - "endColumn": 33 - } - }, - "message": { - "text": "failForIrqlTooLow_increment" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 96, - "startColumn": 9, - "endColumn": 28 - } - }, - "message": { - "text": "DispatchOnly_TooLow" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-low", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-low", - "index": 0 - }, - "message": { - "text": "[failForIrqlTooLow_compoundAssignment](1): IRQL potentially too low at call to [DispatchOnly_TooLow](2). Minimum IRQL for this call: 2, IRQL at preceding node: 0" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 87, - "startColumn": 9, - "endColumn": 28 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "d830060d8a1428a7:1", - "primaryLocationStartColumnFingerprint": "0" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 83, - "startColumn": 6, - "endColumn": 42 - } - }, - "message": { - "text": "failForIrqlTooLow_compoundAssignment" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 87, - "startColumn": 9, - "endColumn": 28 - } - }, - "message": { - "text": "DispatchOnly_TooLow" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-low", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-low", - "index": 0 - }, - "message": { - "text": "[TestInner1](1): IRQL potentially too low at call to [TestInner2](2). Minimum IRQL for this call: 1, IRQL at preceding node: 0" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 - }, - "region": { - "startLine": 41, - "startColumn": 12, - "endColumn": 22 + { + "location": { + "uri": "driver/fail_driver1.c", + "uriBaseId": "%SRCROOT%", + "index": 2 + } } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "1defbc9e59f0310b:1", - "primaryLocationStartColumnFingerprint": "7" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + ], + "results": [ + { + "ruleId": "cpp/drivers/irql-too-low", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-low", + "index": 0 + }, + "message": { + "text": "[failForIrqlTooLow_globalReassigned](1): IRQL potentially too low at call to [DispatchOnly_TooLow](2). Minimum IRQL for this call: 2, IRQL at preceding node: 0" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 112, + "startColumn": 9, + "endColumn": 28 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "4e9bf712603567a:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 110, + "startColumn": 6, + "endColumn": 40 + } + }, + "message": { + "text": "failForIrqlTooLow_globalReassigned" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 112, + "startColumn": 9, + "endColumn": 28 + } + }, + "message": { + "text": "DispatchOnly_TooLow" + } + } + ] }, - "region": { - "startLine": 40, - "startColumn": 10, - "endColumn": 20 - } - }, - "message": { - "text": "TestInner1" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-too-low", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-low", + "index": 0 + }, + "message": { + "text": "[failForIrqlTooLow_byReference](1): IRQL potentially too low at call to [DispatchOnly_TooLow](2). Minimum IRQL for this call: 2, IRQL at preceding node: 0" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 105, + "startColumn": 9, + "endColumn": 28 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "30d5b4e4b89956a4:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 101, + "startColumn": 6, + "endColumn": 35 + } + }, + "message": { + "text": "failForIrqlTooLow_byReference" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 105, + "startColumn": 9, + "endColumn": 28 + } + }, + "message": { + "text": "DispatchOnly_TooLow" + } + } + ] }, - "region": { - "startLine": 41, - "startColumn": 12, - "endColumn": 22 - } - }, - "message": { - "text": "TestInner2" - } - } - ] - }, - { - "ruleId": "cpp/drivers/irql-too-low", - "ruleIndex": 0, - "rule": { - "id": "cpp/drivers/irql-too-low", - "index": 0 - }, - "message": { - "text": "[someFunc](1): IRQL potentially too low at call to [TestInner3](2). Minimum IRQL for this call: 2, IRQL at preceding node: 0" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-too-low", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-low", + "index": 0 + }, + "message": { + "text": "[failForIrqlTooLow_increment](1): IRQL potentially too low at call to [DispatchOnly_TooLow](2). Minimum IRQL for this call: 2, IRQL at preceding node: 0" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 96, + "startColumn": 9, + "endColumn": 28 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "dd920dbcc12ad933:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 92, + "startColumn": 6, + "endColumn": 33 + } + }, + "message": { + "text": "failForIrqlTooLow_increment" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 96, + "startColumn": 9, + "endColumn": 28 + } + }, + "message": { + "text": "DispatchOnly_TooLow" + } + } + ] }, - "region": { - "startLine": 21, - "startColumn": 12, - "endColumn": 22 - } - } - } - ], - "partialFingerprints": { - "primaryLocationLineHash": "bf32240018f4d9fb:1", - "primaryLocationStartColumnFingerprint": "7" - }, - "relatedLocations": [ - { - "id": 1, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-too-low", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-low", + "index": 0 + }, + "message": { + "text": "[failForIrqlTooLow_compoundAssignment](1): IRQL potentially too low at call to [DispatchOnly_TooLow](2). Minimum IRQL for this call: 2, IRQL at preceding node: 0" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 87, + "startColumn": 9, + "endColumn": 28 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "d830060d8a1428a7:1", + "primaryLocationStartColumnFingerprint": "0" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 83, + "startColumn": 6, + "endColumn": 42 + } + }, + "message": { + "text": "failForIrqlTooLow_compoundAssignment" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 87, + "startColumn": 9, + "endColumn": 28 + } + }, + "message": { + "text": "DispatchOnly_TooLow" + } + } + ] }, - "region": { - "startLine": 20, - "startColumn": 10, - "endColumn": 18 - } - }, - "message": { - "text": "someFunc" - } - }, - { - "id": 2, - "physicalLocation": { - "artifactLocation": { - "uri": "driver/driver_snippet.c", - "uriBaseId": "%SRCROOT%", - "index": 0 + { + "ruleId": "cpp/drivers/irql-too-low", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-low", + "index": 0 + }, + "message": { + "text": "[TestInner1](1): IRQL potentially too low at call to [TestInner2](2). Minimum IRQL for this call: 1, IRQL at preceding node: 0" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 41, + "startColumn": 12, + "endColumn": 22 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "1defbc9e59f0310b:1", + "primaryLocationStartColumnFingerprint": "7" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 40, + "startColumn": 10, + "endColumn": 20 + } + }, + "message": { + "text": "TestInner1" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 41, + "startColumn": 12, + "endColumn": 22 + } + }, + "message": { + "text": "TestInner2" + } + } + ] }, - "region": { - "startLine": 21, - "startColumn": 12, - "endColumn": 22 + { + "ruleId": "cpp/drivers/irql-too-low", + "ruleIndex": 0, + "rule": { + "id": "cpp/drivers/irql-too-low", + "index": 0 + }, + "message": { + "text": "[someFunc](1): IRQL potentially too low at call to [TestInner3](2). Minimum IRQL for this call: 2, IRQL at preceding node: 0" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 21, + "startColumn": 12, + "endColumn": 22 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "bf32240018f4d9fb:1", + "primaryLocationStartColumnFingerprint": "7" + }, + "relatedLocations": [ + { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 20, + "startColumn": 10, + "endColumn": 18 + } + }, + "message": { + "text": "someFunc" + } + }, + { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "driver/driver_snippet.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 21, + "startColumn": 12, + "endColumn": 22 + } + }, + "message": { + "text": "TestInner3" + } + } + ] } - }, - "message": { - "text": "TestInner3" - } + ], + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarifv2.1.0" } - ] } - ], - "columnKind": "utf16CodeUnits", - "properties": { - "semmle.formatSpecifier": "sarifv2.1.0" - } - } - ] -} + ] +} \ No newline at end of file