public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "dmalcolm at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/112792] New: -Wanalyzer-out-of-bounds seen on Linux kernel with certain unions Date: Thu, 30 Nov 2023 21:38:18 +0000 [thread overview] Message-ID: <bug-112792-4@http.gcc.gnu.org/bugzilla/> (raw) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112792 Bug ID: 112792 Summary: -Wanalyzer-out-of-bounds seen on Linux kernel with certain unions Product: gcc Version: unknown Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Blocks: 106358 Target Milestone: --- VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV typedef unsigned int u32; union msix_perm { struct { u32 rsvd2 : 8; u32 pasid : 20; }; u32 bits; } __attribute__((__packed__)); union msix_perm mperm; void idxd_device_set_perm_entry(u32 pasid) { mperm.pasid = pasid; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ False positive with -fanalyzer: t.c: In function ‘idxd_device_set_perm_entry’: t.c:14:15: warning: buffer overflow [CWE-787] [-Wanalyzer-out-of-bounds] 14 | mperm.pasid = pasid; | ~~~~~~~~~~~~^~~~~~~ event 1 | | 11 | union msix_perm mperm; | | ^~~~~ | | | | | (1) capacity: 4 bytes | +--> ‘idxd_device_set_perm_entry’: event 2 | | 14 | mperm.pasid = pasid; | | ~~~~~~~~~~~~^~~~~~~ | | | | | (2) out-of-bounds write at byte 4 but ‘mperm’ ends at byte 4 | t.c:14:15: note: write of 1 byte to beyond the end of ‘mperm’ ┌─────────────────────────────────────────┐ │ write from ‘pasid’ (type: ‘u32’) │ └─────────────────────────────────────────┘ │ │ v ┌──────────────────────────────────────────────────────────────────────┐ │ ‘mperm’ (type: ‘union msix_perm’) │ └──────────────────────────────────────────────────────────────────────┘ ├──────────────────────────────────┬───────────────────────────────────┤ │ ╭────────┴────────╮ │capacity: 4 bytes│ ╰─────────────────╯ Affects trunk: https://godbolt.org/z/oWoY7j6eY Affects 13.2: https://godbolt.org/z/vzdEbq6E1 (reduced from drivers/dma/idxd/device.c) Referenced Bugs: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358 [Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer
next reply other threads:[~2023-11-30 21:38 UTC|newest] Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-11-30 21:38 dmalcolm at gcc dot gnu.org [this message] 2023-12-15 20:59 ` [Bug analyzer/112792] -Wanalyzer-out-of-bounds false positives " dmalcolm at gcc dot gnu.org 2023-12-16 14:04 ` cvs-commit at gcc dot gnu.org 2023-12-16 21:21 ` cvs-commit at gcc dot gnu.org 2023-12-26 20:39 ` dmalcolm at gcc dot gnu.org 2024-04-14 5:04 ` [Bug analyzer/112792] [13 Regression] " pinskia at gcc dot gnu.org 2024-05-08 19:04 ` [Bug analyzer/112792] " dmalcolm at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-112792-4@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).