[Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
@ 2023-12-11 23:35 dmalcolm at gcc dot gnu.org
  2023-12-11 23:45 ` [Bug analyzer/112974] " dmalcolm at gcc dot gnu.org
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-12-11 23:35 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974

            Bug ID: 112974
           Summary: -Wanalyzer-tainted-array-index false positive seen on
                    Linux kernel
                    drivers/platform/x86/intel/speed_select_if/isst_tpmi_c
                    ore.c
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 106358
  Target Milestone: ---

drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c: In function
‘isst_if_get_tpmi_instance_count’:
drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c:1118:47: warning:
use of attacker-controlled value as offset without upper-bounds checking
[CWE-823] [-Wanalyzer-tainted-offset]
 1118 |         tpmi_inst.count =
isst_common.sst_inst[tpmi_inst.socket_id]->number_of_power_domains;
      |                           ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
  ‘isst_if_get_tpmi_instance_count’: events 1-5
    |
    | 1112 |         if (copy_from_user(&tpmi_inst, argp, sizeof(tpmi_inst)))
    |      |            ^
    |      |            |
    |      |            (1) following ‘false’ branch (when ‘n == 0’)...
    |......
    | 1115 |         if (tpmi_inst.socket_id >= topology_max_packages())
    |      |         ~~ ~
    |      |         |  |
    |      |         |  (3) following ‘false’ branch...
    |      |         (2) ...to here
    |......
    | 1118 |         tpmi_inst.count =
isst_common.sst_inst[tpmi_inst.socket_id]->number_of_power_domains;
    |      |         ~~~~~~~~~        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |                                     |
    |      |         (4) ...to here                        (5) use of
attacker-controlled value as offset without upper-bounds checking
    |

Value is sanitized at (3); am about to attach a reduced reproducer.


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with
-fanalyzer

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/112974] -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
  2023-12-11 23:35 [Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c dmalcolm at gcc dot gnu.org
@ 2023-12-11 23:45 ` dmalcolm at gcc dot gnu.org
  2024-02-15 19:57 ` [Bug analyzer/112974] [14 Regression] " dmalcolm at gcc dot gnu.org
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-12-11 23:45 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Created attachment 56854
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56854&action=edit
Patch adding reduced reproducer

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/112974] [14 Regression] -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
  2023-12-11 23:35 [Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c dmalcolm at gcc dot gnu.org
  2023-12-11 23:45 ` [Bug analyzer/112974] " dmalcolm at gcc dot gnu.org
@ 2024-02-15 19:57 ` dmalcolm at gcc dot gnu.org
  2024-03-04 13:02 ` rguenth at gcc dot gnu.org
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2024-02-15 19:57 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2024-02-15
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/112974] [14 Regression] -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
  2023-12-11 23:35 [Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c dmalcolm at gcc dot gnu.org
  2023-12-11 23:45 ` [Bug analyzer/112974] " dmalcolm at gcc dot gnu.org
  2024-02-15 19:57 ` [Bug analyzer/112974] [14 Regression] " dmalcolm at gcc dot gnu.org
@ 2024-03-04 13:02 ` rguenth at gcc dot gnu.org
  2024-03-07 20:58 ` law at gcc dot gnu.org
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: rguenth at gcc dot gnu.org @ 2024-03-04 13:02 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |14.0
            Version|unknown                     |14.0

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/112974] [14 Regression] -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
  2023-12-11 23:35 [Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c dmalcolm at gcc dot gnu.org
                   ` (2 preceding siblings ...)
  2024-03-04 13:02 ` rguenth at gcc dot gnu.org
@ 2024-03-07 20:58 ` law at gcc dot gnu.org
  2024-03-22 14:59 ` cvs-commit at gcc dot gnu.org
  2024-03-22 15:03 ` dmalcolm at gcc dot gnu.org
  5 siblings, 0 replies; 7+ messages in thread
From: law at gcc dot gnu.org @ 2024-03-07 20:58 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974

Jeffrey A. Law <law at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P2
                 CC|                            |law at gcc dot gnu.org

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/112974] [14 Regression] -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
  2023-12-11 23:35 [Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c dmalcolm at gcc dot gnu.org
                   ` (3 preceding siblings ...)
  2024-03-07 20:58 ` law at gcc dot gnu.org
@ 2024-03-22 14:59 ` cvs-commit at gcc dot gnu.org
  2024-03-22 15:03 ` dmalcolm at gcc dot gnu.org
  5 siblings, 0 replies; 7+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2024-03-22 14:59 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974

--- Comment #2 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:

https://gcc.gnu.org/g:c6cf5789135236c5639075c8f235e7dd461b6ff6

commit r14-9625-gc6cf5789135236c5639075c8f235e7dd461b6ff6
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Fri Mar 22 10:57:25 2024 -0400

    analyzer: look through casts in taint sanitization [PR112974,PR112975]

    PR analyzer/112974 and PR analyzer/112975 record false positives
    from the analyzer's taint detection where sanitization of the form

      if (VALUE CMP VALUE-OF-WIDER-TYPE)

    happens, but wasn't being "noticed" by the taint checker, due to the
    test being:

      (WIDER_TYPE)VALUE CMP VALUE-OF-WIDER-TYPE

    at the gimple level, and thus taint_state_machine recording
    sanitization of (WIDER_TYPE)VALUE, but not of VALUE.

    Fix by stripping casts in taint_state_machine::on_condition so that
    the state machine records sanitization of the underlying value.

    gcc/analyzer/ChangeLog:
            PR analyzer/112974
            PR analyzer/112975
            * sm-taint.cc (taint_state_machine::on_condition): Strip away
            casts before considering LHS and RHS, to increase the chance of
            detecting places where sanitization of a value may have happened.

    gcc/testsuite/ChangeLog:
            PR analyzer/112974
            PR analyzer/112975
            * gcc.dg/plugin/plugin.exp (plugin_test_list): Add
            taint-pr112974.c and taint-pr112975.c to analyzer_kernel_plugin.c.
            * gcc.dg/plugin/taint-pr112974.c: New test.
            * gcc.dg/plugin/taint-pr112975.c: New test.

    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [Bug analyzer/112974] [14 Regression] -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
  2023-12-11 23:35 [Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c dmalcolm at gcc dot gnu.org
                   ` (4 preceding siblings ...)
  2024-03-22 14:59 ` cvs-commit at gcc dot gnu.org
@ 2024-03-22 15:03 ` dmalcolm at gcc dot gnu.org
  5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2024-03-22 15:03 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by the above patch.

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2024-03-22 15:03 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-11 23:35 [Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c dmalcolm at gcc dot gnu.org
2023-12-11 23:45 ` [Bug analyzer/112974] " dmalcolm at gcc dot gnu.org
2024-02-15 19:57 ` [Bug analyzer/112974] [14 Regression] " dmalcolm at gcc dot gnu.org
2024-03-04 13:02 ` rguenth at gcc dot gnu.org
2024-03-07 20:58 ` law at gcc dot gnu.org
2024-03-22 14:59 ` cvs-commit at gcc dot gnu.org
2024-03-22 15:03 ` dmalcolm at gcc dot gnu.org

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).