From: "dmalcolm at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/112975] New: -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c
Date: Tue, 12 Dec 2023 00:03:13 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975

            Bug ID: 112975
           Summary: -Wanalyzer-tainted-allocation-size false positive seen
                    in Linux kernel's drivers/xen/privcmd.c
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 106358
  Target Milestone: ---

In file included from drivers/xen/privcmd.c:15:
In function ‘kcalloc’,
    inlined from ‘privcmd_ioctl_dm_op’ at drivers/xen/privcmd.c:640:10:
./include/linux/slab.h:645:16: warning: use of attacker-controlled value as allocation size without upper-bounds checking [CWE-789] [-Wanalyzer-tainted-allocation-size]
  645 |         return kmalloc_array(n, size, flags | __GFP_ZERO);
      |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘privcmd_ioctl’: events 1-4
    |
    |drivers/xen/privcmd.c:834:13:
    |  834 | static long privcmd_ioctl(struct file *file,
    |      |             ^~~~~~~~~~~~~
    |      |             |
    |      |             (1) entry to ‘privcmd_ioctl’
    |......
    |  840 |         switch (cmd) {
    |      |         ~~~~~~
    |      |         |
    |      |         (2) following ‘case 1069061:’ branch...
    |......
    |  857 |         case IOCTL_PRIVCMD_DM_OP:
    |      |         ~~~~
    |      |         |
    |      |         (3) ...to here
    |  858 |                 ret = privcmd_ioctl_dm_op(file, udata);
    |      |                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                       |
    |      |                       (4) calling ‘privcmd_ioctl_dm_op’ from ‘privcmd_ioctl’
    |
    +--> ‘privcmd_ioctl_dm_op’: events 5-12
           |
           |  615 | static long privcmd_ioctl_dm_op(struct file *file, void __user *udata)
           |      |             ^~~~~~~~~~~~~~~~~~~
           |      |             |
           |      |             (5) entry to ‘privcmd_ioctl_dm_op’
           |......
           |  627 |         if (copy_from_user(&kdata, udata, sizeof(kdata)))
           |      |            ~
           |      |            |
           |      |            (6) following ‘false’ branch (when ‘n == 0’)...
           |......
           |  631 |         if (data->domid != DOMID_INVALID && data->domid != kdata.dom)
           |      |            ~~
           |      |            |
           |      |            (7) ...to here
           |......
           |  634 |         if (kdata.num == 0)
           |      |            ~
           |      |            |
           |      |            (8) following ‘false’ branch...
           |......
           |  637 |         if (kdata.num > privcmd_dm_op_max_num)
           |      |            ~~        ~
           |      |            |         |
           |      |            |         (10) following ‘false’ branch...
           |      |            (9) ...to here
           |......
           |  640 |         kbufs = kcalloc(kdata.num, sizeof(*kbufs), GFP_KERNEL);
           |      |         ~~~~~   ~
           |      |         |       |
           |      |         |       (12) inlined call to ‘kcalloc’ from ‘privcmd_ioctl_dm_op’
           |      |         (11) ...to here
           |
           +--> ‘kcalloc’: event 13
                  |
                  |./include/linux/slab.h:645:16:
                  |  645 |         return kmalloc_array(n, size, flags | __GFP_ZERO);
                  |      |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |                |
                  |      |                (13) use of attacker-controlled value as allocation size without upper-bounds checking
                  |

...when the value is checked at (10).

Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer
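The diagnostic path above is the shape -Wanalyzer-tainted-allocation-size reasons about: a count copied in from user space (event 6) flows into an array allocation (event 12), and the analyzer wants to see it bounded against a fixed maximum first, which the report points out happens at event 10. The following C program is an added, user-space illustration of that pattern; it is not code from the bug report, from GCC, or from the kernel. The names dm_op_request, dm_op_buf, MAX_DM_OP_BUFS, alloc_dm_op_bufs and try_request are invented for the example, calloc stands in for the kernel allocator, and the multiplication-overflow check mirrors the one kmalloc_array() performs.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's per-buffer descriptor. */
struct dm_op_buf {
    void  *uptr;
    size_t size;
};

/* Constructed stand-in for the request copied in from user space.
 * The caller picks num, so from the analyzer's point of view it is tainted. */
struct dm_op_request {
    uint16_t dom;
    uint32_t num;
};

/* Fixed upper bound on the element count; plays the role of the kernel's
 * privcmd_dm_op_max_num.  The value is arbitrary for this example. */
#define MAX_DM_OP_BUFS 16u

/* Array allocation modelled on kmalloc_array(): refuse the request if
 * n * size would wrap, otherwise hand back zeroed storage. */
static void *calloc_array_checked(size_t n, size_t size)
{
    size_t bytes;
    if (__builtin_mul_overflow(n, size, &bytes))
        return NULL;
    return calloc(n, size);
}

/* The checks that sit between the tainted count and the allocator:
 * reject an empty request and anything above the fixed maximum.
 * Returns 0 and stores the array in *out, or a negative errno value. */
static int alloc_dm_op_bufs(const struct dm_op_request *req,
                            struct dm_op_buf **out)
{
    *out = NULL;
    if (req->num == 0)
        return -EINVAL;
    if (req->num > MAX_DM_OP_BUFS)   /* upper-bounds check on the tainted value */
        return -E2BIG;
    *out = calloc_array_checked(req->num, sizeof(**out));
    return *out ? 0 : -ENOMEM;
}

/* Run one request through the allocation path and report its status.
 * The buffers are released again so the call has no lasting side effect. */
static int try_request(uint32_t num)
{
    struct dm_op_request req = { .dom = 0, .num = num };
    struct dm_op_buf *bufs;
    int ret = alloc_dm_op_bufs(&req, &bufs);
    free(bufs);                      /* free(NULL) is a no-op */
    return ret;
}

int main(void)
{
    /* Constructed sample requests: empty, in range, just over, and maximal. */
    const uint32_t samples[] = { 0, 4, MAX_DM_OP_BUFS + 1, UINT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("num=%u -> %d\n", samples[i], try_request(samples[i]));
    return 0;
}
```

The upper bound is the property the taint check looks for: with it, the largest allocation a caller can request is MAX_DM_OP_BUFS descriptors. The multiplication check guards a separate failure, the count times the element size wrapping around, and in the kernel that check lives inside kmalloc_array() rather than in the caller.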