From: "dmalcolm at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug analyzer/113619] New: -Wanalyzer-tainted-divisor false positive seen in Linux kernel's fs/ceph/ioctl.c
Date: Fri, 26 Jan 2024 15:00:27 +0000
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113619

            Bug ID: 113619
           Summary: -Wanalyzer-tainted-divisor false positive seen in Linux
                    kernel's fs/ceph/ioctl.c
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 106358
  Target Milestone: ---

Reduced from false positive in Linux kernel's
fs/ceph/ioctl.c:

__extension__ typedef unsigned long long __u64;

struct ceph_ioctl_layout {
  __u64 stripe_unit, object_size;
};

static long
__validate_layout(struct ceph_ioctl_layout* l)
{
  if ((l->object_size & ~(~(((1UL) << 12) - 1))) ||
      (l->stripe_unit & ~(~(((1UL) << 12) - 1))) ||
      ((unsigned)l->stripe_unit != 0 &&
       ((unsigned)l->object_size % (unsigned)l->stripe_unit)))
    return -22;
  return 0;
}

long
__attribute__((tainted_args))
ceph_ioctl_set_layout_policy(struct ceph_ioctl_layout l)
{
  int err;
  err = __validate_layout(&l);
  if (err)
    return err;
  return err;
}

t.c: In function ‘__validate_layout’:
t.c:13:34: warning: use of attacker-controlled value ‘l.stripe_unit’ as divisor without checking for zero [CWE-369] [-Wanalyzer-tainted-divisor]
   13 |        ((unsigned)l->object_size % (unsigned)l->stripe_unit)))
      |        ~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘ceph_ioctl_set_layout_policy’: event 1
    |
    |   20 | ceph_ioctl_set_layout_policy(struct ceph_ioctl_layout l)
    |      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      | |
    |      | (1) function ‘ceph_ioctl_set_layout_policy’ marked with ‘__attribute__((tainted_args))’
    |
    +--> ‘ceph_ioctl_set_layout_policy’: events 2-3
           |
           |   20 | ceph_ioctl_set_layout_policy(struct ceph_ioctl_layout l)
           |      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      | |
           |      | (2) entry to ‘ceph_ioctl_set_layout_policy’
           |......
           |   23 |   err = __validate_layout(&l);
           |      |         ~~~~~~~~~~~~~~~~~~~~~
           |      |         |
           |      |         (3) calling ‘__validate_layout’ from ‘ceph_ioctl_set_layout_policy’
           |
           +--> ‘__validate_layout’: events 4-11
                  |
                  |    8 | __validate_layout(struct ceph_ioctl_layout* l)
                  |      | ^~~~~~~~~~~~~~~~~
                  |      | |
                  |      | (4) entry to ‘__validate_layout’
                  |    9 | {
                  |   10 |   if ((l->object_size & ~(~(((1UL) << 12) - 1))) ||
                  |      |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |      |
                  |      |      (5) following ‘false’ branch...
                  |   11 |       (l->stripe_unit & ~(~(((1UL) << 12) - 1))) ||
                  |      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |       |
                  |      |       (6) ...to here
                  |      |       (7) following ‘false’ branch...
                  |   12 |       ((unsigned)l->stripe_unit != 0 &&
                  |      |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |        |
                  |      |        (8) ...to here
                  |      |        (9) following ‘true’ branch...
                  |   13 |        ((unsigned)l->object_size % (unsigned)l->stripe_unit)))
                  |      |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |        |
                  |      |        (10) ...to here
                  |      |        (11) use of attacker-controlled value ‘l.stripe_unit’ as divisor without checking for zero
                  |

...whereas (unsigned)l->stripe_unit != 0 is checked at line 12.

Affects trunk: https://godbolt.org/z/3qfx6scT8

Might show up on earlier releases, but the taint state machine required opt-in on them.

Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer
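The reduced reproducer above, exercised as an added example (this is not the kernel's code and not part of the bug report): the same validation condition is reimplemented, with the modulo routed through an instrumented helper so that each input shows whether the division was actually reached and with which divisor. The names instrumented_mod, modulo_was_evaluated, last_divisor and validate, and the sample layouts, are the example's own. Whenever (unsigned)stripe_unit is zero the && short-circuits and the modulo is never evaluated, which is the path the diagnostic reports. The last case shows that guard and divisor are the same narrowed expression: a 64-bit stripe_unit whose low 32 bits are zero skips both the guard and the divisibility check, a property of the reduced code as written that is noted here only to make explicit what the guard does and does not cover.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Same page mask the reduced test case spells out as ~(~(((1UL) << 12) - 1)). */
#define PAGE_SHIFT 12
#define PAGE_MASK  (~((1UL << PAGE_SHIFT) - 1))

struct ceph_ioctl_layout {
    uint64_t stripe_unit, object_size;
};

/* Instrumentation (not in the original): record whether the modulo ran
 * and what divisor it saw, so a caller can inspect the guard's behaviour. */
static int      g_mod_evaluated;
static unsigned g_last_divisor;

static unsigned instrumented_mod(unsigned a, unsigned b)
{
    g_mod_evaluated = 1;
    g_last_divisor = b;
    return a % b;               /* only reached after the caller saw b != 0 */
}

int modulo_was_evaluated(void) { return g_mod_evaluated; }
unsigned last_divisor(void)    { return g_last_divisor; }

/* Same condition as the reduced __validate_layout(): both sizes must be
 * page-aligned and, when the truncated stripe_unit is non-zero, it must
 * divide the truncated object_size. Returns 0 or -EINVAL. */
long validate_layout(const struct ceph_ioctl_layout *l)
{
    g_mod_evaluated = 0;
    g_last_divisor = 0;
    if ((l->object_size & ~PAGE_MASK) ||
        (l->stripe_unit & ~PAGE_MASK) ||
        ((unsigned)l->stripe_unit != 0 &&
         instrumented_mod((unsigned)l->object_size, (unsigned)l->stripe_unit)))
        return -EINVAL;
    return 0;
}

/* Convenience wrapper used by the demo below. */
long validate(uint64_t stripe_unit, uint64_t object_size)
{
    struct ceph_ioctl_layout l = { stripe_unit, object_size };
    return validate_layout(&l);
}

int main(void)
{
    /* Constructed sample layouts; object_size is 4 MiB in every case. */
    struct { uint64_t su, os; const char *what; } cases[] = {
        { 0,              4u << 20, "stripe_unit == 0: guard short-circuits, no division" },
        { 1u << 20,       4u << 20, "stripe_unit divides object_size" },
        { 3u << 20,       4u << 20, "stripe_unit does not divide object_size" },
        { (1u << 20) + 1, 4u << 20, "stripe_unit not page-aligned" },
        { 1ULL << 32,     4u << 20, "64-bit stripe_unit that truncates to 0 in (unsigned)" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long rc = validate(cases[i].su, cases[i].os);
        printf("%-55s -> %ld, modulo %s\n", cases[i].what, rc,
               modulo_was_evaluated() ? "evaluated" : "skipped");
    }
    return 0;
}
```

Compiling this with -fanalyzer on an affected GCC is the quickest way to confirm whether a given build still reports the divisor warning on the unchanged condition; the instrumentation itself does not change the short-circuit structure the analyzer reasons about.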