public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "dmalcolm at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/106229] New: False positives from -Wanalyzer-tainted-array-index with unsigned char index Date: Thu, 07 Jul 2022 21:11:18 +0000 [thread overview] Message-ID: <bug-106229-4@http.gcc.gnu.org/bugzilla/> (raw) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229 Bug ID: 106229 Summary: False positives from -Wanalyzer-tainted-array-index with unsigned char index Product: gcc Version: 12.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Target Milestone: --- Consider: struct s_12 { unsigned char idx; char buf[256]; }; char __attribute__((tainted_args)) test_12(struct s_12 s) { return s.buf[s.idx]; } Currently with trunk and gcc 12 this gives: <source>: In function 'test_12': <source>:10:15: warning: use of attacker-controlled value 's.idx' in array lookup without bounds checking [CWE-129] [-Wanalyzer-tainted-array-index] 10 | return s.buf[s.idx]; | ~~~~~^~~~~~~ 'test_12': event 1 | | 8 | test_12(struct s_12 s) | | ^~~~~~~ | | | | | (1) function 'test_12' marked with '__attribute__((tainted_args))' | +--> 'test_12': events 2-3 | | 8 | test_12(struct s_12 s) | | ^~~~~~~ | | | | | (2) entry to 'test_12' | 9 | { | 10 | return s.buf[s.idx]; | | ~~~~~~~~~~~~ | | | | | (3) use of attacker-controlled value 's.idx' in array lookup without bounds checking https://godbolt.org/z/ozhWdb78G However, given that s.idx is unsigned char, it must be within the valid range, and so the warning is unhelpful. See on Linux kernel in drivers/tty/vt/keyboard.c where ioctls use a user-supplied index to access the key_maps array: include/linux/keyboard.h:extern unsigned short *key_maps[MAX_NR_KEYMAPS]; include/uapi/linux/keyboard.h:#define MAX_NR_KEYMAPS 256 but the index is unsigned char, so must be within range.
next reply other threads:[~2022-07-07 21:11 UTC|newest] Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-07-07 21:11 dmalcolm at gcc dot gnu.org [this message] 2024-01-16 0:03 ` [Bug analyzer/106229] " cvs-commit at gcc dot gnu.org 2024-01-16 0:11 ` dmalcolm at gcc dot gnu.org 2024-01-20 17:21 ` pinskia at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-106229-4@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).