[Bug analyzer/108719] New: RFE: allow specifying argument indexes for __attribute__((tainted_args))

[Bug analyzer/108719] New: RFE: allow specifying argument indexes for __attribute__((tainted_args))

[clopez at suse dot de]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108719

            Bug ID: 108719
           Summary: RFE: allow specifying argument indexes for
                    __attribute__((tainted_args))
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: clopez at suse dot de
  Target Milestone: ---

Consider allowing developers to specify which function arguments are tainted,
very much like the nonnull attribute, e.g.:

    __attribute__((tainted_args (2, 3)))

When no indexes are specified, all arguments should be considered tainted -
this is the behavior currently implemented.

Specifically, there is a common pattern for callbacks where the first argument
corresponds to untainted data (often either a structure provided by caller of
the callback or some opaque pointer requested by the callee). A prime example
of this are Linux device drivers, where the first parameter is a
kernel-provided structure:

    struct file_operations {
        ...
        ssize_t (*read) (struct file *, char *, size_t, loff_t *);
        ssize_t (*write) (struct file *, const char *, size_t, loff_t *);
        ...
    }

Another example would be qemu MMIO callbacks:

    struct MemoryRegionOps {
        uint64_t (*read)(void *opaque, hwaddr addr, unsigned size);
        void (*write)(void *opaque, hwaddr addr, uint64_t data, unsigned size);
        ...
    }