[Bug c/35592] New: Want attribute to enable precision loss warning

[Bug c/35592] New: Want attribute to enable precision loss warning

[felix-gcc at fefe dot de]

gcc has a warning if one assigns a pointer to an integer of lower width.
I would like to have a way to be warned if someone calls malloc(long long) on
32-bit platforms.  A general warning about integer truncation would generate
lots of spam, so I suggest adding a way to say "if an integer given to this
function is implicitly truncated, that's a bug).  The main target would be
malloc and malloc-like functions, obviously.


-- 
           Summary: Want attribute to enable precision loss warning
           Product: gcc
           Version: 4.3.0
            Status: UNCONFIRMED
          Severity: enhancement
          Priority: P3
         Component: c
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: felix-gcc at fefe dot de
 GCC build triplet: x86_64-unknown-linux-gnu
  GCC host triplet: x86_64-unknown-linux-gnu
GCC target triplet: x86_64-unknown-linux-gnu


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35592

[Bug c/35592] Want attribute to enable precision loss warning

[pinskia at gcc dot gnu dot org]

------- Comment #1 from pinskia at gcc dot gnu dot org  2008-03-14 19:20 -------
You should try -Wconversion .


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35592

[Bug c/35592] Want attribute to enable precision loss warning

[felix-gcc at fefe dot de]

------- Comment #2 from felix-gcc at fefe dot de  2008-03-14 19:58 -------
I am aware of -Wconversion, but I am not interested in ALL conversion
truncations.  Truncation happens to be a security issue in a few cases, in many
other cases it would just be a regular bug.  My suggestions aims to isolate the
security relevant cases, for the rest we have -Wconversion.

If the size_t given to memcpy is truncated, that does not overwrite a buffer.
But if the size_t given to malloc is truncated, that is a pretty surefire way
to find a security issue.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35592

[Bug c/35592] Want attribute to enable precision loss warning

[manu at gcc dot gnu dot org]

------- Comment #3 from manu at gcc dot gnu dot org  2008-04-01 02:53 -------
(In reply to comment #2)
> 
> If the size_t given to memcpy is truncated, that does not overwrite a buffer.
> But if the size_t given to malloc is truncated, that is a pretty surefire way
> to find a security issue.

I guess that depends on how the conversion occurs:

int i = -5;
...
memcpy (dest, src, i);

I would have trouble defining which cases are security issues.

On the other hand, the truncation may actually take place far from where malloc
is called:

size_t len = 999999999999999LL;
...
buffer = malloc (len);

not sure how your proposal could handle that.


-- 

manu at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |manu at gcc dot gnu dot org


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35592

[Bug c/35592] Want attribute to enable precision loss warning

[felix-gcc at fefe dot de]

------- Comment #4 from felix-gcc at fefe dot de  2008-04-01 16:09 -------
I'm not familiar enough with how gcc works to say whether warning about
precision loss that turns out important later on can be done at all.

But I think we should not reject an idea because it only handles 60% of the
cases.  Instead we should be happy we only have to worry about the other 40%,
not about 100% from then on.

I agree that signed int to size_t conversion for memcpy should also be warned
about by some attribute.  Could be done by the same attribute.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35592

[Bug c/35592] Want attribute to enable precision loss warning

[rguenth at gcc dot gnu dot org]

------- Comment #5 from rguenth at gcc dot gnu dot org  2008-04-01 19:18 -------
Can you cook up some code examples where you'd like to see a warning?


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35592

[Bug c/35592] Want attribute to enable precision loss warning

[felix-gcc at fefe dot de]

------- Comment #6 from felix-gcc at fefe dot de  2008-04-01 19:34 -------
Sure. For example:

  char* c=malloc(lseek(somefd,0,SEEK_END);

on a platform where off_t is 64-bit, but where size_t is 32-bit.  For example:
i686-linux with #define _FILE_OFFSET_BITS 64.

Now that I'm thinking about it, would it be possible to have a generic overflow
warning in that context?  For example,

  malloc(p->len+1)

So that gcc sees I'm adding something there, and if the range is not clamped
down before that gives an error?


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35592