IrqlInconsistentWithRequired: CodeQL port of C28166 (#159)

* CodeQL port of C28156

* updates from review

src/drivers/general/queries/IrqlInconsistentWithRequired/IrqlInconsistentWithRequired.qhelp

@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+	<overview>
+		<p>
+		The actual IRQL is inconsistent with the required IRQL
+		</p>
+	</overview>
+	<recommendation>
+		<p>
+			An _IRQL_requires_same_ annotation specifies that the driver should be executing at a particular IRQL when the function completes, but there is at least one path in which the driver is executing at a different IRQL when the function completes.
+		</p>
+	</recommendation>
+	<example>
+		<p>
+			Function annotated with _IRQL_requires_same_ but can possibly exit at a different IRQL level.
+		</p>
+		<sample language="c"> <![CDATA[
+		_IRQL_requires_same_ void fail1(PKIRQL oldIrql)
+		{
+
+			if (oldIrql == PASSIVE_LEVEL)
+			{
+				KeLowerIrql(*oldIrql);
+			}
+			else
+			{
+				KeRaiseIrql(DISPATCH_LEVEL, oldIrql); // Function exits at DISPATCH_LEVEL
+			}
+		}
+		}]]>
+
+	</example>
+	<semmleNotes>
+		<p>
+		</p>
+	</semmleNotes>
+	<references>
+		<li>
+			<a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/28166-function-does-not-restore-irql-value">
+				C28166
+			</a>
+		</li>
+	</references>
+</qhelp>

src/drivers/general/queries/IrqlInconsistentWithRequired/IrqlInconsistentWithRequired.ql

@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+/**
+ * @id cpp/drivers/irql-inconsistent-with-required
+ * @kind problem
+ * @name Irql Inconsistent With Required
+ * @description The actual IRQL is inconsistent with the required IRQL
+ * @platform Desktop
+ * @feature.area Multiple
+ * @impact Insecure Coding Practice
+ * @repro.text An _IRQL_requires_same_ annotation specifies that the driver should be executing at a particular IRQL when the function completes, but there is at least one path in which the driver is executing at a different IRQL when the function completes.
+ * @owner.email: [email protected]
+ * @opaqueid CQLD-C28166
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ * @scope domainspecific
+ * @query-version v1
+ */
+
+import cpp
+import drivers.libraries.Irql
+
+from
+  IrqlRequiresSameAnnotatedFunction f, int irqlLevelEntry, int irqlLevelExit,
+  ControlFlowNode exitCfn, ControlFlowNode entryCfn
+where
+  exitCfn = f.getControlFlowScope() and
+  entryCfn = f.getBlock() and
+  irqlLevelEntry = getPotentialExitIrqlAtCfn(entryCfn) and
+  irqlLevelExit = getPotentialExitIrqlAtCfn(exitCfn) and
+  irqlLevelEntry != irqlLevelExit
+select f,
+  "Possible IRQL level at function completion inconsistent with the required IRQL level for some path. Irql level expected: "
+    + irqlLevelEntry + ". Irql level found: " + irqlLevelExit +
+    ". Review the IRQL level of the function."