public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "dmalcolm at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c Date: Mon, 11 Dec 2023 23:35:08 +0000 [thread overview] Message-ID: <bug-112974-4@http.gcc.gnu.org/bugzilla/> (raw) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974 Bug ID: 112974 Summary: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_c ore.c Product: gcc Version: unknown Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Blocks: 106358 Target Milestone: --- drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c: In function ‘isst_if_get_tpmi_instance_count’: drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c:1118:47: warning: use of attacker-controlled value as offset without upper-bounds checking [CWE-823] [-Wanalyzer-tainted-offset] 1118 | tpmi_inst.count = isst_common.sst_inst[tpmi_inst.socket_id]->number_of_power_domains; | ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~ ‘isst_if_get_tpmi_instance_count’: events 1-5 | | 1112 | if (copy_from_user(&tpmi_inst, argp, sizeof(tpmi_inst))) | | ^ | | | | | (1) following ‘false’ branch (when ‘n == 0’)... |...... | 1115 | if (tpmi_inst.socket_id >= topology_max_packages()) | | ~~ ~ | | | | | | | (3) following ‘false’ branch... | | (2) ...to here |...... | 1118 | tpmi_inst.count = isst_common.sst_inst[tpmi_inst.socket_id]->number_of_power_domains; | | ~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | (4) ...to here (5) use of attacker-controlled value as offset without upper-bounds checking | Value is sanitized at (3); am about to attach a reduced reproducer. Referenced Bugs: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358 [Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer
next reply other threads:[~2023-12-11 23:35 UTC|newest] Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-12-11 23:35 dmalcolm at gcc dot gnu.org [this message] 2023-12-11 23:45 ` [Bug analyzer/112974] " dmalcolm at gcc dot gnu.org 2024-02-15 19:57 ` [Bug analyzer/112974] [14 Regression] " dmalcolm at gcc dot gnu.org 2024-03-04 13:02 ` rguenth at gcc dot gnu.org 2024-03-07 20:58 ` law at gcc dot gnu.org 2024-03-22 14:59 ` cvs-commit at gcc dot gnu.org 2024-03-22 15:03 ` dmalcolm at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-112974-4@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).