public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug analyzer/112975] New: -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c
@ 2023-12-12 0:03 dmalcolm at gcc dot gnu.org
2023-12-12 0:13 ` [Bug analyzer/112975] " dmalcolm at gcc dot gnu.org
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-12-12 0:03 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975
Bug ID: 112975
Summary: -Wanalyzer-tainted-allocation-size false positive seen
in Linux kernel's drivers/xen/privcmd.c
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Blocks: 106358
Target Milestone: ---
In file included from drivers/xen/privcmd.c:15:
In function ‘kcalloc’,
inlined from ‘privcmd_ioctl_dm_op’ at drivers/xen/privcmd.c:640:10:
./include/linux/slab.h:645:16: warning: use of attacker-controlled value as
allocation size without upper-bounds checking [CWE-789]
[-Wanalyzer-tainted-allocation-size]
645 | return kmalloc_array(n, size, flags | __GFP_ZERO);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘privcmd_ioctl’: events 1-4
|
|drivers/xen/privcmd.c:834:13:
| 834 | static long privcmd_ioctl(struct file *file,
| | ^~~~~~~~~~~~~
| | |
| | (1) entry to ‘privcmd_ioctl’
|......
| 840 | switch (cmd) {
| | ~~~~~~
| | |
| | (2) following ‘case 1069061:’ branch...
|......
| 857 | case IOCTL_PRIVCMD_DM_OP:
| | ~~~~
| | |
| | (3) ...to here
| 858 | ret = privcmd_ioctl_dm_op(file, udata);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (4) calling ‘privcmd_ioctl_dm_op’ from
‘privcmd_ioctl’
|
+--> ‘privcmd_ioctl_dm_op’: events 5-12
|
| 615 | static long privcmd_ioctl_dm_op(struct file *file, void
__user *udata)
| | ^~~~~~~~~~~~~~~~~~~
| | |
| | (5) entry to ‘privcmd_ioctl_dm_op’
|......
| 627 | if (copy_from_user(&kdata, udata, sizeof(kdata)))
| | ~
| | |
| | (6) following ‘false’ branch (when ‘n == 0’)...
|......
| 631 | if (data->domid != DOMID_INVALID && data->domid !=
kdata.dom)
| | ~~
| | |
| | (7) ...to here
|......
| 634 | if (kdata.num == 0)
| | ~
| | |
| | (8) following ‘false’ branch...
|......
| 637 | if (kdata.num > privcmd_dm_op_max_num)
| | ~~ ~
| | | |
| | | (10) following ‘false’ branch...
| | (9) ...to here
|......
| 640 | kbufs = kcalloc(kdata.num, sizeof(*kbufs),
GFP_KERNEL);
| | ~~~~~ ~
| | | |
| | | (12) inlined call to ‘kcalloc’ from
‘privcmd_ioctl_dm_op’
| | (11) ...to here
|
+--> ‘kcalloc’: event 13
|
|./include/linux/slab.h:645:16:
| 645 | return kmalloc_array(n, size, flags |
__GFP_ZERO);
| |
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (13) use of attacker-controlled value
as allocation size without upper-bounds checking
|
...when the value is checked at (10).
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with
-fanalyzer
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/112975] -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c
2023-12-12 0:03 [Bug analyzer/112975] New: -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c dmalcolm at gcc dot gnu.org
@ 2023-12-12 0:13 ` dmalcolm at gcc dot gnu.org
2024-02-15 19:57 ` [Bug analyzer/112975] [14 Regression] " dmalcolm at gcc dot gnu.org
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2023-12-12 0:13 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975
--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Created attachment 56857
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56857&action=edit
Reduced reproducer (needs adding to plugin.exp)
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/112975] [14 Regression] -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c
2023-12-12 0:03 [Bug analyzer/112975] New: -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c dmalcolm at gcc dot gnu.org
2023-12-12 0:13 ` [Bug analyzer/112975] " dmalcolm at gcc dot gnu.org
@ 2024-02-15 19:57 ` dmalcolm at gcc dot gnu.org
2024-03-04 13:04 ` rguenth at gcc dot gnu.org
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2024-02-15 19:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
Status|UNCONFIRMED |NEW
Last reconfirmed| |2024-02-15
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/112975] [14 Regression] -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c
2023-12-12 0:03 [Bug analyzer/112975] New: -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c dmalcolm at gcc dot gnu.org
2023-12-12 0:13 ` [Bug analyzer/112975] " dmalcolm at gcc dot gnu.org
2024-02-15 19:57 ` [Bug analyzer/112975] [14 Regression] " dmalcolm at gcc dot gnu.org
@ 2024-03-04 13:04 ` rguenth at gcc dot gnu.org
2024-03-07 20:53 ` law at gcc dot gnu.org
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: rguenth at gcc dot gnu.org @ 2024-03-04 13:04 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|unknown |14.0
Target Milestone|--- |14.0
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/112975] [14 Regression] -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c
2023-12-12 0:03 [Bug analyzer/112975] New: -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c dmalcolm at gcc dot gnu.org
` (2 preceding siblings ...)
2024-03-04 13:04 ` rguenth at gcc dot gnu.org
@ 2024-03-07 20:53 ` law at gcc dot gnu.org
2024-03-22 14:59 ` cvs-commit at gcc dot gnu.org
2024-03-22 15:03 ` dmalcolm at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: law at gcc dot gnu.org @ 2024-03-07 20:53 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975
Jeffrey A. Law <law at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |law at gcc dot gnu.org
Priority|P3 |P2
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/112975] [14 Regression] -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c
2023-12-12 0:03 [Bug analyzer/112975] New: -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c dmalcolm at gcc dot gnu.org
` (3 preceding siblings ...)
2024-03-07 20:53 ` law at gcc dot gnu.org
@ 2024-03-22 14:59 ` cvs-commit at gcc dot gnu.org
2024-03-22 15:03 ` dmalcolm at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2024-03-22 14:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975
--- Comment #2 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalcolm@gcc.gnu.org>:
https://gcc.gnu.org/g:c6cf5789135236c5639075c8f235e7dd461b6ff6
commit r14-9625-gc6cf5789135236c5639075c8f235e7dd461b6ff6
Author: David Malcolm <dmalcolm@redhat.com>
Date: Fri Mar 22 10:57:25 2024 -0400
analyzer: look through casts in taint sanitization [PR112974,PR112975]
PR analyzer/112974 and PR analyzer/112975 record false positives
from the analyzer's taint detection where sanitization of the form
if (VALUE CMP VALUE-OF-WIDER-TYPE)
happens, but wasn't being "noticed" by the taint checker, due to the
test being:
(WIDER_TYPE)VALUE CMP VALUE-OF-WIDER-TYPE
at the gimple level, and thus taint_state_machine recording
sanitization of (WIDER_TYPE)VALUE, but not of VALUE.
Fix by stripping casts in taint_state_machine::on_condition so that
the state machine records sanitization of the underlying value.
gcc/analyzer/ChangeLog:
PR analyzer/112974
PR analyzer/112975
* sm-taint.cc (taint_state_machine::on_condition): Strip away
casts before considering LHS and RHS, to increase the chance of
detecting places where sanitization of a value may have happened.
gcc/testsuite/ChangeLog:
PR analyzer/112974
PR analyzer/112975
* gcc.dg/plugin/plugin.exp (plugin_test_list): Add
taint-pr112974.c and taint-pr112975.c to analyzer_kernel_plugin.c.
* gcc.dg/plugin/taint-pr112974.c: New test.
* gcc.dg/plugin/taint-pr112975.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug analyzer/112975] [14 Regression] -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c
2023-12-12 0:03 [Bug analyzer/112975] New: -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c dmalcolm at gcc dot gnu.org
` (4 preceding siblings ...)
2024-03-22 14:59 ` cvs-commit at gcc dot gnu.org
@ 2024-03-22 15:03 ` dmalcolm at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: dmalcolm at gcc dot gnu.org @ 2024-03-22 15:03 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975
David Malcolm <dmalcolm at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Should be fixed by the above patch.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2024-03-22 15:03 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-12 0:03 [Bug analyzer/112975] New: -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c dmalcolm at gcc dot gnu.org
2023-12-12 0:13 ` [Bug analyzer/112975] " dmalcolm at gcc dot gnu.org
2024-02-15 19:57 ` [Bug analyzer/112975] [14 Regression] " dmalcolm at gcc dot gnu.org
2024-03-04 13:04 ` rguenth at gcc dot gnu.org
2024-03-07 20:53 ` law at gcc dot gnu.org
2024-03-22 14:59 ` cvs-commit at gcc dot gnu.org
2024-03-22 15:03 ` dmalcolm at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).