[Bug c/109352] New: Feature request: warn about "u64 = u32 * u32" and similar

[Bug c/109352] New: Feature request: warn about "u64 = u32 * u32" and similar

[zhangboyang.id at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109352

            Bug ID: 109352
           Summary: Feature request: warn about "u64 = u32 * u32" and
                    similar
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zhangboyang.id at gmail dot com
  Target Milestone: ---

Hi,

Please consider give warnings about "u64 = u32 * u32" and similar statements.
In most cases, programmers want "u64 = (uint64_t) u32 * (uint64_t) u32" instead
of "u64 = (uint32_t) u32 * (uint32_t) u32".

This cause real world problems. In a security bug of GNU GRUB2 (CVE-2022-2601,
reported by me), a similar expression causes interger overflow therefore heap
overwrite. The simplified code is like below:

  struct bitmap {
    uint32_t width, height;
    uint8_t pixel[];
  };

  bmp = malloc(sizeof(struct bitmap) + width * height / 8);

In the above example, if width==65536 and height==65536, then width*height will
overflow to 0. Thus the allocated memory is smaller than expected.

I'm not a compiler expert, so I can't give a precise definition of which
statements should be warned. But I come up with some example code, please see
below:

1)
   uint64_t pow2(int n)
   {
     return 1 << n;   // I think almost everyone was hit by this :)
     return 1U << n;  // or this
   }

2)
   double area(float b, float h)
   {
     return b * h / 2.0; // lose precision
   }

3)
   uint64_t add(uint64_t base, uint32_t a, uint32_t b)
   {
     return base + (a + b); // it's different from "base + a + b"
   }

By the way, if a programmer think a warning is unnecessary, it should be able
to  suppressed by "u64 = (uint32_t)(u32 * u32);"

Zhang Boyang

[Bug c/109352] Feature request: warn about "u64 = u32 * u32" and similar

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109352

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
"similar expression causes interger overflow ". No it causes wrapping.

[Bug c/109352] Feature request: warn about "u64 = u32 * u32" and similar

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109352

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Dup. We rejected implementing this back in 2006. 

The code has a well defined behavior and the warning will most likely find way
too many false positives.

*** This bug has been marked as a duplicate of bug 24542 ***