public inbox for gcc-bugs@sourceware.org help / color / mirror / Atom feed
From: "dmalcolm at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org> To: gcc-bugs@gcc.gnu.org Subject: [Bug analyzer/113619] New: -Wanalyzer-tainted-divisor false positive seen in Linux kernel's fs/ceph/ioctl.c Date: Fri, 26 Jan 2024 15:00:27 +0000 [thread overview] Message-ID: <bug-113619-4@http.gcc.gnu.org/bugzilla/> (raw) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113619 Bug ID: 113619 Summary: -Wanalyzer-tainted-divisor false positive seen in Linux kernel's fs/ceph/ioctl.c Product: gcc Version: 14.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Blocks: 106358 Target Milestone: --- Reduced from false positive in Linux kernel's kernel's fs/ceph/ioctl.c: __extension__ typedef unsigned long long __u64; struct ceph_ioctl_layout { __u64 stripe_unit, object_size; }; static long __validate_layout(struct ceph_ioctl_layout* l) { if ((l->object_size & ~(~(((1UL) << 12) - 1))) || (l->stripe_unit & ~(~(((1UL) << 12) - 1))) || ((unsigned)l->stripe_unit != 0 && ((unsigned)l->object_size % (unsigned)l->stripe_unit))) return -22; return 0; } long __attribute__((tainted_args)) ceph_ioctl_set_layout_policy(struct ceph_ioctl_layout l) { int err; err = __validate_layout(&l); if (err) return err; return err; } t.c: In function ‘__validate_layout’: t.c:13:34: warning: use of attacker-controlled value ‘l.stripe_unit’ as divisor without checking for zero [CWE-369] [-Wanalyzer-tainted-divisor] 13 | ((unsigned)l->object_size % (unsigned)l->stripe_unit))) | ~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~ ‘ceph_ioctl_set_layout_policy’: event 1 | | 20 | ceph_ioctl_set_layout_policy(struct ceph_ioctl_layout l) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) function ‘ceph_ioctl_set_layout_policy’ marked with ‘__attribute__((tainted_args))’ | +--> ‘ceph_ioctl_set_layout_policy’: events 2-3 | | 20 | ceph_ioctl_set_layout_policy(struct ceph_ioctl_layout l) | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) entry to ‘ceph_ioctl_set_layout_policy’ |...... | 23 | err = __validate_layout(&l); | | ~~~~~~~~~~~~~~~~~~~~~ | | | | | (3) calling ‘__validate_layout’ from ‘ceph_ioctl_set_layout_policy’ | +--> ‘__validate_layout’: events 4-11 | | 8 | __validate_layout(struct ceph_ioctl_layout* l) | | ^~~~~~~~~~~~~~~~~ | | | | | (4) entry to ‘__validate_layout’ | 9 | { | 10 | if ((l->object_size & ~(~(((1UL) << 12) - 1))) || | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | (5) following ‘false’ branch... (7) following ‘false’ branch... | 11 | (l->stripe_unit & ~(~(((1UL) << 12) - 1))) || | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | (6) ...to here (9) following ‘true’ branch... | 12 | ((unsigned)l->stripe_unit != 0 && | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (8) ...to here | 13 | ((unsigned)l->object_size % (unsigned)l->stripe_unit))) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | (10) ...to here (11) use of attacker-controlled value ‘l.stripe_unit’ as divisor without checking for zero | ...whereas (unsigned)l->stripe_unit != 0 is checked at line 12. Affects trunk: https://godbolt.org/z/3qfx6scT8 Might show up on earlier releases, but taint state machine required opt-in on them. Referenced Bugs: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358 [Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer
next reply other threads:[~2024-01-26 15:00 UTC|newest] Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top 2024-01-26 15:00 dmalcolm at gcc dot gnu.org [this message] 2024-02-15 14:33 ` [Bug analyzer/113619] [14 Regression] " dmalcolm at gcc dot gnu.org 2024-03-04 13:08 ` rguenth at gcc dot gnu.org 2024-03-07 20:43 ` law at gcc dot gnu.org 2024-03-21 21:49 ` cvs-commit at gcc dot gnu.org 2024-03-21 21:55 ` dmalcolm at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-113619-4@http.gcc.gnu.org/bugzilla/ \ --to=gcc-bugzilla@gcc.gnu.org \ --cc=gcc-bugs@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).