public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/106229] New: False positives from -Wanalyzer-tainted-array-index with unsigned char index
From: dmalcolm at gcc dot gnu.org
Date: 2022-07-07 21:11 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229

            Bug ID: 106229
           Summary: False positives from -Wanalyzer-tainted-array-index
                    with unsigned char index
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
  Target Milestone: ---

Consider:

struct s_12
{
  unsigned char idx;
  char buf[256];
};

char __attribute__((tainted_args))
test_12(struct s_12 s)
{
  return s.buf[s.idx];
}

Currently with trunk and gcc 12 this gives:

<source>: In function 'test_12':
<source>:10:15: warning: use of attacker-controlled value 's.idx' in array lookup without bounds checking [CWE-129] [-Wanalyzer-tainted-array-index]
   10 |   return s.buf[s.idx];
      |          ~~~~~^~~~~~~
  'test_12': event 1
    |
    |    8 | test_12(struct s_12 s)
    |      | ^~~~~~~
    |      | |
    |      | (1) function 'test_12' marked with '__attribute__((tainted_args))'
    |
    +--> 'test_12': events 2-3
           |
           |    8 | test_12(struct s_12 s)
           |      | ^~~~~~~
           |      | |
           |      | (2) entry to 'test_12'
           |    9 | {
           |   10 |   return s.buf[s.idx];
           |      |          ~~~~~~~~~~~~
           |      |               |
           |      |               (3) use of attacker-controlled value 's.idx' in array lookup without bounds checking

https://godbolt.org/z/ozhWdb78G

However, given that s.idx is unsigned char, it must be within the valid range, and so the warning is unhelpful.

See on Linux kernel in drivers/tty/vt/keyboard.c where ioctls use a user-supplied index to access the key_maps array:

include/linux/keyboard.h:extern unsigned short *key_maps[MAX_NR_KEYMAPS];
include/uapi/linux/keyboard.h:#define MAX_NR_KEYMAPS 256

but the index is unsigned char, so must be within range.
* [Bug analyzer/106229] False positives from -Wanalyzer-tainted-array-index with unsigned char index
From: cvs-commit at gcc dot gnu.org
Date: 2024-01-16 0:03 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229

--- Comment #1 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:ce27b66d952127b7abd0f8cceacb79eb6ecf71db

commit r14-7266-gce27b66d952127b7abd0f8cceacb79eb6ecf71db
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Jan 15 19:01:21 2024 -0500

    analyzer: fix false +ves from -Wanalyzer-tainted-array-index with unsigned char index [PR106229]

    gcc/analyzer/ChangeLog:
            PR analyzer/106229
            * analyzer.h (compare_constants): New decl.
            * constraint-manager.cc (compare_constants): Make non-static.
            * sm-taint.cc: Add include "fold-const.h".
            (class concrete_range): New.
            (get_possible_range): New.
            (index_can_be_out_of_bounds_p): New.
            (region_model::check_region_for_taint): Reject
            -Wanalyzer-tainted-array-index if the type of the value makes it
            impossible for it to be out-of-bounds of the array.

    gcc/testsuite/ChangeLog:
            PR analyzer/106229
            * c-c++-common/analyzer/taint-index-pr106229.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>
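As an added example (this is not GCC's code and is not part of the bug report or the commit): a stand-alone C model of the type-range check the commit describes. The names `type_range`, `index_can_be_out_of_bounds` and the wrapper functions are assumptions made here for illustration; GCC's own `index_can_be_out_of_bounds_p` in sm-taint.cc reasons over the analyzer's symbolic values and constraints rather than a hand-built range. The block covers the PR106229 shape (unsigned char index into `char buf[256]`, the same shape as `key_maps[MAX_NR_KEYMAPS]` with MAX_NR_KEYMAPS 256) and goes beyond the report to show where the type-based argument stops holding: a smaller array, a signed index type, and an index expression that C's integer promotions widen to int.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical (not GCC's) description of an integer index type as the
   closed range of values it can represent. */
struct index_range {
    long long min;
    long long max;
};

/* Range of an integer type from its width in bits and signedness.
   Widths up to 62 bits are supported so the shifts stay within long long. */
static struct index_range type_range(unsigned bits, bool is_signed)
{
    struct index_range r;
    if (is_signed) {
        r.max = (1LL << (bits - 1)) - 1;
        r.min = -r.max - 1;
    } else {
        r.min = 0;
        r.max = (1LL << bits) - 1;
    }
    return r;
}

/* The decision the commit adds to the taint checker, modelled here: a
   tainted index of this type can reach outside an array of array_len
   elements only if the type can hold a negative value or a value
   >= array_len.  When neither is possible, no bounds check is needed and
   -Wanalyzer-tainted-array-index should stay quiet. */
static bool index_can_be_out_of_bounds(struct index_range r, long long array_len)
{
    return r.min < 0 || r.max > array_len - 1;
}

/* PR106229 test case: unsigned char idx indexing char buf[256].
   Every value 0..255 is a valid index, so this must not warn. */
static bool pr106229_case_warns(void)
{
    return index_can_be_out_of_bounds(type_range(CHAR_BIT, false), 256);
}

/* Same index type into a smaller array: values 128..255 are out of
   bounds, so the warning is justified. */
static bool unsigned_char_into_128_warns(void)
{
    return index_can_be_out_of_bounds(type_range(CHAR_BIT, false), 128);
}

/* A signed char index can be negative, so a 256-element array does not
   make the access safe. */
static bool signed_char_into_256_warns(void)
{
    return index_can_be_out_of_bounds(type_range(CHAR_BIT, true), 256);
}

/* Caveat for code relying on the fix: in C, `s.idx + 1` undergoes integer
   promotion and has type int (32 bits on the common ABIs assumed here),
   so buf[s.idx + 1] is indexed by an int-ranged value and can reach
   index 256; the type-based argument no longer applies. */
static bool promoted_index_into_256_warns(void)
{
    return index_can_be_out_of_bounds(type_range(32, true), 256);
}

int main(void)
{
    printf("unsigned char -> buf[256]: %s\n",
           pr106229_case_warns() ? "may be OOB" : "always in bounds");
    printf("unsigned char -> buf[128]: %s\n",
           unsigned_char_into_128_warns() ? "may be OOB" : "always in bounds");
    printf("signed char   -> buf[256]: %s\n",
           signed_char_into_256_warns() ? "may be OOB" : "always in bounds");
    printf("idx + 1 (int) -> buf[256]: %s\n",
           promoted_index_into_256_warns() ? "may be OOB" : "always in bounds");
    return 0;
}
```

Build and run it with any C99-or-later compiler (for example `cc -std=c11 -Wall example.c && ./a.out`). The last case is the one to keep in mind when reviewing code that leans on this fix: the suppression is about the type of the index expression at the point of use, and any arithmetic on an unsigned char index widens it to int before the lookup.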
* [Bug analyzer/106229] False positives from -Wanalyzer-tainted-array-index with unsigned char index
From: dmalcolm at gcc dot gnu.org
Date: 2024-01-16 0:11 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed on trunk for GCC 14 by the above patch.

Given that taint checking requires explicit opt-in in earlier releases, I don't plan to backport this.

Marking this as resolved.
* [Bug analyzer/106229] False positives from -Wanalyzer-tainted-array-index with unsigned char index
From: pinskia at gcc dot gnu.org
Date: 2024-01-20 17:21 UTC
To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |14.0
           Keywords|                            |diagnostic