[gcc r14-8390] analyzer kernel plugin: implement __check_object

public inbox for gcc-cvs@sourceware.org
help / color / mirror / Atom feed

* [gcc r14-8390] analyzer kernel plugin: implement __check_object_size [PR112927]
@ 2024-01-24 15:12 David Malcolm
  0 siblings, 0 replies; only message in thread
From: David Malcolm @ 2024-01-24 15:12 UTC (permalink / raw)
  To: gcc-cvs

https://gcc.gnu.org/g:b6e537571c21d8f0bc276d7afa156d6d4a54a1c9

commit r14-8390-gb6e537571c21d8f0bc276d7afa156d6d4a54a1c9
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Jan 24 10:11:09 2024 -0500

    analyzer kernel plugin: implement __check_object_size [PR112927]
    
    PR analyzer/112927 reports a false positive from -Wanalyzer-tainted-size
    seen on the Linux kernel's drivers/char/ipmi/ipmi_devintf.c with the
    analyzer kernel plugin.
    
    The issue is that in:
    
    (A):
      if (msg->data_len > 272) {
        return -90;
      }
    
    (B):
      n = msg->data_len;
      __check_object_size(to, n);
      n = copy_from_user(to, from, n);
    
    the analyzer is treating __check_object_size as having arbitrary side
    effects, and, in particular could modify msg->data_len.  Hence the
    sanitization that occurs at (A) above is treated as being for a
    different value than the size obtained at (B), hence the bogus warning
    at the call to copy_from_user.
    
    Fixed by extending the analyzer kernel plugin to "teach" it that
    __check_object_size has no side effects.
    
    gcc/testsuite/ChangeLog:
            PR analyzer/112927
            * gcc.dg/plugin/analyzer_kernel_plugin.c
            (class known_function___check_object_size): New.
            (kernel_analyzer_init_cb): Register it.
            * gcc.dg/plugin/plugin.exp: Add taint-pr112927.c.
            * gcc.dg/plugin/taint-pr112927.c: New test.
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

Diff:
---
 .../gcc.dg/plugin/analyzer_kernel_plugin.c         | 18 ++++++++
 gcc/testsuite/gcc.dg/plugin/plugin.exp             |  3 +-
 gcc/testsuite/gcc.dg/plugin/taint-pr112927.c       | 49 ++++++++++++++++++++++
 3 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
index 02dba7a3234..5a32f8cc620 100644
--- a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
+++ b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
@@ -209,6 +209,22 @@ public:
   }
 };
 
+/* Implementation of "__check_object_size".  */
+  
+class known_function___check_object_size : public known_function
+{
+ public:
+  bool matches_call_types_p (const call_details &cd) const final override
+  {
+    return cd.num_args () == 2;
+  }
+
+  void impl_call_pre (const call_details &) const final override
+  {
+    /* No-op.  */
+  }
+};
+
 /* Callback handler for the PLUGIN_ANALYZER_INIT event.  */
 
 static void
@@ -224,6 +240,8 @@ kernel_analyzer_init_cb (void *gcc_data, void */*user_data*/)
      make_unique<known_function_copy_from_user> ());
   iface->register_known_function ("copy_to_user",
 				  make_unique<known_function_copy_to_user> ());
+  iface->register_known_function ("__check_object_size",
+				  make_unique<known_function___check_object_size> ());
 }
 
 } // namespace ana
diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp
index b3782f9c575..a5a72daac1a 100644
--- a/gcc/testsuite/gcc.dg/plugin/plugin.exp
+++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp
@@ -169,7 +169,8 @@ set plugin_test_list [list \
 	  taint-pr112850.c \
 	  taint-pr112850-precise.c \
 	  taint-pr112850-too-complex.c \
-	  taint-pr112850-unsanitized.c } \
+	  taint-pr112850-unsanitized.c \
+	  taint-pr112927.c } \
     { analyzer_cpython_plugin.c \
 	  cpython-plugin-test-no-Python-h.c \
 	  cpython-plugin-test-PyList_Append.c \
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
new file mode 100644
index 00000000000..9c3f7ab6708
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
@@ -0,0 +1,49 @@
+/* Reduced from false positive in Linux kernel
+   in drivers/char/ipmi/ipmi_devintf.c.  */
+
+/* { dg-do compile } */
+/* { dg-options "-fanalyzer -O2 -Wno-attributes" } */
+/* { dg-require-effective-target analyzer } */
+
+typedef __SIZE_TYPE__ size_t;
+extern void
+__check_object_size(const void* ptr, unsigned long n);
+
+extern unsigned long
+copy_from_user(void*, const void*, unsigned long);
+
+__attribute__((__always_inline__)) unsigned long
+call_copy_from_user(void* to, const void* from, unsigned long n)
+{
+  __check_object_size(to, n);
+  n = copy_from_user(to, from, n); /* { dg-bogus "use of attacker-controlled value as size without upper-bounds checking" } */
+  return n;
+}
+struct ipmi_msg
+{
+  unsigned short data_len;
+  unsigned char* data;
+};
+
+static int
+handle_send_req(struct ipmi_msg* msg)
+{
+  char buf[273];
+  if (msg->data_len > 272) {
+    return -90;
+  }
+  if (call_copy_from_user(buf, msg->data, msg->data_len)) {
+    return -14;
+  }
+  return 0;
+}
+long
+ipmi_ioctl(void* arg)
+{
+  struct ipmi_msg msg;
+  if (call_copy_from_user(&msg, arg, sizeof(msg))) {
+    return -14;
+  }
+
+  return handle_send_req(&msg);
+}

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2024-01-24 15:12 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-01-24 15:12 [gcc r14-8390] analyzer kernel plugin: implement __check_object_size [PR112927] David Malcolm

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).