public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/106229] New: False positives from -Wanalyzer-tainted-array-index with unsigned char index
@ 2022-07-07 21:11 dmalcolm at gcc dot gnu.org
  2024-01-16  0:03 ` [Bug analyzer/106229] " cvs-commit at gcc dot gnu.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2022-07-07 21:11 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229

            Bug ID: 106229
           Summary: False positives from -Wanalyzer-tainted-array-index
                    with unsigned char index
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

Consider:

struct s_12
{
  unsigned char idx;
  char buf[256];
};

char __attribute__((tainted_args))
test_12(struct s_12 s)
{
  return s.buf[s.idx];
}

Currently with trunk and gcc 12 this gives:

<source>: In function 'test_12':
<source>:10:15: warning: use of attacker-controlled value 's.idx' in array
lookup without bounds checking [CWE-129] [-Wanalyzer-tainted-array-index]
   10 |   return s.buf[s.idx];
      |          ~~~~~^~~~~~~
  'test_12': event 1
    |
    |    8 | test_12(struct s_12 s)
    |      | ^~~~~~~
    |      | |
    |      | (1) function 'test_12' marked with '__attribute__((tainted_args))'
    |
    +--> 'test_12': events 2-3
           |
           |    8 | test_12(struct s_12 s)
           |      | ^~~~~~~
           |      | |
           |      | (2) entry to 'test_12'
           |    9 | {
           |   10 |   return s.buf[s.idx];
           |      |          ~~~~~~~~~~~~
           |      |               |
           |      |               (3) use of attacker-controlled value 's.idx'
in array lookup without bounds checking

https://godbolt.org/z/ozhWdb78G

However, given that s.idx is unsigned char, it must be within the valid range,
and so the warning is unhelpful.

See on Linux kernel in drivers/tty/vt/keyboard.c where ioctls use a
user-supplied index to access the key_maps array:

include/linux/keyboard.h:extern unsigned short *key_maps[MAX_NR_KEYMAPS];
include/uapi/linux/keyboard.h:#define MAX_NR_KEYMAPS    256

but the index is unsigned char, so must be within range.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [Bug analyzer/106229] False positives from -Wanalyzer-tainted-array-index with unsigned char index
  2022-07-07 21:11 [Bug analyzer/106229] New: False positives from -Wanalyzer-tainted-array-index with unsigned char index dmalcolm at gcc dot gnu.org
@ 2024-01-16  0:03 ` cvs-commit at gcc dot gnu.org
  2024-01-16  0:11 ` dmalcolm at gcc dot gnu.org
  2024-01-20 17:21 ` pinskia at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2024-01-16  0:03 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229

--- Comment #1 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:ce27b66d952127b7abd0f8cceacb79eb6ecf71db

commit r14-7266-gce27b66d952127b7abd0f8cceacb79eb6ecf71db
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Jan 15 19:01:21 2024 -0500

    analyzer: fix false +ves from -Wanalyzer-tainted-array-index with unsigned
char index [PR106229]

    gcc/analyzer/ChangeLog:
            PR analyzer/106229
            * analyzer.h (compare_constants): New decl.
            * constraint-manager.cc (compare_constants): Make non-static.
            * sm-taint.cc: Add include "fold-const.h".
            (class concrete_range): New.
            (get_possible_range): New.
            (index_can_be_out_of_bounds_p): New.
            (region_model::check_region_for_taint): Reject
            -Wanalyzer-tainted-array-index if the type of the value makes it
            impossible for it to be out-of-bounds of the array.

    gcc/testsuite/ChangeLog:
            PR analyzer/106229
            * c-c++-common/analyzer/taint-index-pr106229.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [Bug analyzer/106229] False positives from -Wanalyzer-tainted-array-index with unsigned char index
  2022-07-07 21:11 [Bug analyzer/106229] New: False positives from -Wanalyzer-tainted-array-index with unsigned char index dmalcolm at gcc dot gnu.org
  2024-01-16  0:03 ` [Bug analyzer/106229] " cvs-commit at gcc dot gnu.org
@ 2024-01-16  0:11 ` dmalcolm at gcc dot gnu.org
  2024-01-20 17:21 ` pinskia at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2024-01-16  0:11 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed on trunk for GCC 14 by the above patch.

Given that taint checking requires explicit opt-in in earlier releases, I don't
plan to backport this.

Marking this as resolved.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [Bug analyzer/106229] False positives from -Wanalyzer-tainted-array-index with unsigned char index
  2022-07-07 21:11 [Bug analyzer/106229] New: False positives from -Wanalyzer-tainted-array-index with unsigned char index dmalcolm at gcc dot gnu.org
  2024-01-16  0:03 ` [Bug analyzer/106229] " cvs-commit at gcc dot gnu.org
  2024-01-16  0:11 ` dmalcolm at gcc dot gnu.org
@ 2024-01-20 17:21 ` pinskia at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: pinskia at gcc dot gnu.org @ 2024-01-20 17:21 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |14.0
           Keywords|                            |diagnostic

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-01-20 17:21 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-07-07 21:11 [Bug analyzer/106229] New: False positives from -Wanalyzer-tainted-array-index with unsigned char index dmalcolm at gcc dot gnu.org
2024-01-16  0:03 ` [Bug analyzer/106229] " cvs-commit at gcc dot gnu.org
2024-01-16  0:11 ` dmalcolm at gcc dot gnu.org
2024-01-20 17:21 ` pinskia at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).