public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/112969] New: -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c
@ 2023-12-11 20:07 dmalcolm at gcc dot gnu.org
2024-01-24 22:19 ` [Bug analyzer/112969] " dmalcolm at gcc dot gnu.org
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-12-11 20:07 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112969
Bug ID: 112969
Summary: -Wanalyzer-exposure-through-uninit-copy false positive
seen on Linux kernel's
drivers/net/ethernet/intel/ice/ice_ptp.c
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Blocks: 106358
Target Milestone: ---
Created attachment 56852
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56852&action=edit
Patch adding reproducer
False positive here:
src/gcc/testsuite/gcc.dg/plugin/infoleak-drivers-net-ethernet-intel-ice-ice_ptp.c:46:7:
warning: potential exposure of sensitive information by copying uninitialized
data from stack across trust boundary [CWE-200]
[-Wanalyzer-exposure-through-uninit-copy]
46 | if (copy_to_user(ifr->ifr_ifru.ifru_data, &config, sizeof(config)))
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘ice_ptp_set_ts_config’: events 1-5
|
| 39 | struct hwtstamp_config config;
| | ^~~~~~
| | |
| | (1) region created on stack here
| | (2) capacity: 12 bytes
| 40 | int err;
| 41 | if (copy_from_user(&config, ifr->ifr_ifru.ifru_data,
sizeof(config)))
| | ~
| | |
| | (3) following ‘false’ branch...
| 42 | return -14;
| 43 | pf->ptp.tstamp_config.tx_type = 0;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (4) ...to here
|......
| 46 | if (copy_to_user(ifr->ifr_ifru.ifru_data, &config,
sizeof(config)))
| |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (5) uninitialized data copied from stack here
|
src/gcc/testsuite/gcc.dg/plugin/infoleak-drivers-net-ethernet-intel-ice-ice_ptp.c:46:7:
note: 4 bytes are uninitialized
46 | if (copy_to_user(ifr->ifr_ifru.ifru_data, &config, sizeof(config)))
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/gcc/testsuite/gcc.dg/plugin/infoleak-drivers-net-ethernet-intel-ice-ice_ptp.c:21:7:
note: field ‘flags’ is uninitialized (4 bytes)
21 | int flags;
| ^~~~~
src/gcc/testsuite/gcc.dg/plugin/infoleak-drivers-net-ethernet-intel-ice-ice_ptp.c:39:26:
note: suggest forcing zero-initialization by providing a ‘{0}’ initializer
39 | struct hwtstamp_config config;
| ^~~~~~
| = {0}
Looks like it doesn't notice that the copy here:
config = pf->ptp.tstamp_config;
initializes config.flag
Also, config was fully initialized at the copy_from_user.
Reduced from examples seen on drivers/net/ethernet/intel/ice/ice_ptp.c
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with
-fanalyzer
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/112969] -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c
2023-12-11 20:07 [Bug analyzer/112969] New: -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c dmalcolm at gcc dot gnu.org
@ 2024-01-24 22:19 ` dmalcolm at gcc dot gnu.org
2024-01-25 15:07 ` cvs-commit at gcc dot gnu.org
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2024-01-24 22:19 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112969
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
Ever confirmed|0 |1
Last reconfirmed| |2024-01-24
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Issue seems to be with compound assignments where the source struct is not at
offset 0 within its binding_cluster.
A simpler reproducer, which generates a -Wanalyzer-use-of-uninitialized-value:
Trunk: https://godbolt.org/z/qrzqb7EeP
GCC 13.2: https://godbolt.org/z/8voo1zbq6
GCC 12.3: https://godbolt.org/z/oMxTnsdv6
GCC 11.4 didn't have -Wanalyzer-use-of-uninitialized-value but still doesn't
properly handle the compound assignment: https://godbolt.org/z/Ks36YddTG
/* Reduced from -Wanalyzer-exposure-through-uninit-copy false positives
seen in Linux kernel in drivers/net/ethernet/intel/ice/ice_ptp.c */
extern void __analyzer_eval (int);
struct hwtstamp_config
{
int flags;
int tx_type;
int rx_filter;
};
struct ice_ptp
{
long placeholder;
struct hwtstamp_config tstamp_config;
};
struct ice_pf
{
struct ice_ptp ptp;
};
void
ice_ptp_set_ts_config(struct ice_pf* pf)
{
struct hwtstamp_config config;
pf->ptp.tstamp_config.tx_type = 1;
pf->ptp.tstamp_config.rx_filter = 2;
config = pf->ptp.tstamp_config;
__analyzer_eval (config.flags == pf->ptp.tstamp_config.flags); /* {
dg-warning "TRUE" } */
/* { dg-bogus "use of uninitialized value 'config.flags'" "PR
analyzer/112969" { target *-*-* } .-1 } */
}
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/112969] -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c
2023-12-11 20:07 [Bug analyzer/112969] New: -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c dmalcolm at gcc dot gnu.org
2024-01-24 22:19 ` [Bug analyzer/112969] " dmalcolm at gcc dot gnu.org
@ 2024-01-25 15:07 ` cvs-commit at gcc dot gnu.org
2024-01-25 15:11 ` dmalcolm at gcc dot gnu.org
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2024-01-25 15:07 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112969
--- Comment #2 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:6426d466779fa889bca170e3ff80dbfc6ea8c2e8
commit r14-8428-g6426d466779fa889bca170e3ff80dbfc6ea8c2e8
Author: David Malcolm <dmalcolm@redhat.com>
Date: Thu Jan 25 10:06:12 2024 -0500
analyzer: fix defaults in compound assignments from non-zero offsets
[PR112969]
Confusion in binding_cluster::maybe_get_compound_binding about whether
offsets are relative to the start of the region or to the start of the
cluster was leading to incorrect handling of default values, leading
to false positives from -Wanalyzer-use-of-uninitialized-value, from
-Wanalyzer-exposure-through-uninit-copy, and other logic errors.
Fixed thusly.
gcc/analyzer/ChangeLog:
PR analyzer/112969
* store.cc (binding_cluster::maybe_get_compound_binding): When
populating default_map, express the bit-range of the default key
for REG relative to REG, rather than to the base region.
gcc/testsuite/ChangeLog:
PR analyzer/112969
* c-c++-common/analyzer/compound-assignment-5.c (test_3): Remove
xfails, reorder tests.
* c-c++-common/analyzer/compound-assignment-pr112969.c: New test.
* gcc.dg/plugin/infoleak-pr112969.c: New test.
* gcc.dg/plugin/plugin.exp: Add infoleak-pr112969.c to
analyzer_kernel_plugin.c tests.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/112969] -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c
2023-12-11 20:07 [Bug analyzer/112969] New: -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c dmalcolm at gcc dot gnu.org
2024-01-24 22:19 ` [Bug analyzer/112969] " dmalcolm at gcc dot gnu.org
2024-01-25 15:07 ` cvs-commit at gcc dot gnu.org
@ 2024-01-25 15:11 ` dmalcolm at gcc dot gnu.org
2024-04-14 5:03 ` [Bug analyzer/112969] [11/12/13 Regression] " pinskia at gcc dot gnu.org
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2024-01-25 15:11 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112969
--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed on trunk for gcc 14 by the above patch.
Keeping open to track backporting this to other branches.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/112969] [11/12/13 Regression] -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c
2023-12-11 20:07 [Bug analyzer/112969] New: -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c dmalcolm at gcc dot gnu.org
` (2 preceding siblings ...)
2024-01-25 15:11 ` dmalcolm at gcc dot gnu.org
@ 2024-04-14 5:03 ` pinskia at gcc dot gnu.org
2024-05-09 17:11 ` cvs-commit at gcc dot gnu.org
2024-05-09 17:51 ` [Bug analyzer/112969] [11/12 " dmalcolm at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: pinskia at gcc dot gnu.org @ 2024-04-14 5:03 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112969
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |11.5
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/112969] [11/12/13 Regression] -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c
2023-12-11 20:07 [Bug analyzer/112969] New: -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c dmalcolm at gcc dot gnu.org
` (3 preceding siblings ...)
2024-04-14 5:03 ` [Bug analyzer/112969] [11/12/13 Regression] " pinskia at gcc dot gnu.org
@ 2024-05-09 17:11 ` cvs-commit at gcc dot gnu.org
2024-05-09 17:51 ` [Bug analyzer/112969] [11/12 " dmalcolm at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2024-05-09 17:11 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112969
--- Comment #4 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-13 branch has been updated by David Malcolm
<dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:0593151221ad21c2a67dfda597539c458ab731d8
commit r13-8753-g0593151221ad21c2a67dfda597539c458ab731d8
Author: David Malcolm <dmalcolm@redhat.com>
Date: Thu May 9 13:09:30 2024 -0400
analyzer: fix defaults in compound assignments from non-zero offsets
[PR112969]
Confusion in binding_cluster::maybe_get_compound_binding about whether
offsets are relative to the start of the region or to the start of the
cluster was leading to incorrect handling of default values, leading
to false positives from -Wanalyzer-use-of-uninitialized-value, from
-Wanalyzer-exposure-through-uninit-copy, and other logic errors.
Fixed thusly.
Backported from commit r14-8428-g6426d466779fa8 (keeping tests
in gcc.dg, rather than c-c++-common).
gcc/analyzer/ChangeLog:
PR analyzer/112969
* store.cc (binding_cluster::maybe_get_compound_binding): When
populating default_map, express the bit-range of the default key
for REG relative to REG, rather than to the base region.
gcc/testsuite/ChangeLog:
PR analyzer/112969
* gcc.dg/analyzer/compound-assignment-5.c (test_3): Remove
xfails, reorder tests.
* gcc.dg/analyzer/compound-assignment-pr112969.c: New test.
* gcc.dg/plugin/infoleak-pr112969.c: New test.
* gcc.dg/plugin/plugin.exp: Add infoleak-pr112969.c to
analyzer_kernel_plugin.c tests.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug analyzer/112969] [11/12 Regression] -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c
2023-12-11 20:07 [Bug analyzer/112969] New: -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c dmalcolm at gcc dot gnu.org
` (4 preceding siblings ...)
2024-05-09 17:11 ` cvs-commit at gcc dot gnu.org
@ 2024-05-09 17:51 ` dmalcolm at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2024-05-09 17:51 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112969
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|[11/12/13 Regression] |[11/12 Regression]
|-Wanalyzer-exposure-through |-Wanalyzer-exposure-through
|-uninit-copy false positive |-uninit-copy false positive
|seen on Linux kernel's |seen on Linux kernel's
|drivers/net/ethernet/intel/ |drivers/net/ethernet/intel/
|ice/ice_ptp.c |ice/ice_ptp.c
--- Comment #5 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed for GCC 13 (for the upcoming GCC 13.3) by the above patch.
Keeping open to track backporting this to other branches.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2024-05-09 17:51 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-11 20:07 [Bug analyzer/112969] New: -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c dmalcolm at gcc dot gnu.org
2024-01-24 22:19 ` [Bug analyzer/112969] " dmalcolm at gcc dot gnu.org
2024-01-25 15:07 ` cvs-commit at gcc dot gnu.org
2024-01-25 15:11 ` dmalcolm at gcc dot gnu.org
2024-04-14 5:03 ` [Bug analyzer/112969] [11/12/13 Regression] " pinskia at gcc dot gnu.org
2024-05-09 17:11 ` cvs-commit at gcc dot gnu.org
2024-05-09 17:51 ` [Bug analyzer/112969] [11/12 " dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).