From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dmalcolm@sourceware.org>
Received: by sourceware.org (Postfix, from userid 2209)
	id CDF29385801F; Wed, 24 Jan 2024 15:12:30 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org CDF29385801F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1706109150;
	bh=eilxJH3ouI7KIBdQOtL9OWDt0l4LwcgZ1XVD5i/zbg4=;
	h=From:To:Subject:Date:From;
	b=x803wCmf+MoNcaI2nvC/atLSAhxucoR4XzqQQ4DNDvYE78N6TR9QO3ht0FPBwVpCZ
	 /CSsAjZ1QXj52U5Ta2+tZNlgCQerM6FPt0Dv90iQ6qxhUKqnKRUv2DlR/hNTd5YOWY
	 ICbzWil2I9hZ0S//SuLxUo8ev0MMeh2CTb4IvqIE=
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"
From: David Malcolm <dmalcolm@gcc.gnu.org>
To: gcc-cvs@gcc.gnu.org
Subject: [gcc r14-8390] analyzer kernel plugin: implement __check_object_size
 [PR112927]
X-Act-Checkin: gcc
X-Git-Author: David Malcolm <dmalcolm@redhat.com>
X-Git-Refname: refs/heads/master
X-Git-Oldrev: 3de031c96f28f19a68ea2080260d8fd2c78828ee
X-Git-Newrev: b6e537571c21d8f0bc276d7afa156d6d4a54a1c9
Message-Id: <20240124151230.CDF29385801F@sourceware.org>
Date: Wed, 24 Jan 2024 15:12:30 +0000 (GMT)
List-Id: <gcc-cvs.sourceware.org>

https://gcc.gnu.org/g:b6e537571c21d8f0bc276d7afa156d6d4a54a1c9

commit r14-8390-gb6e537571c21d8f0bc276d7afa156d6d4a54a1c9
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Wed Jan 24 10:11:09 2024 -0500

    analyzer kernel plugin: implement __check_object_size [PR112927]
    
    PR analyzer/112927 reports a false positive from -Wanalyzer-tainted-size
    seen on the Linux kernel's drivers/char/ipmi/ipmi_devintf.c with the
    analyzer kernel plugin.
    
    The issue is that in:
    
    (A):
      if (msg->data_len > 272) {
        return -90;
      }
    
    (B):
      n = msg->data_len;
      __check_object_size(to, n);
      n = copy_from_user(to, from, n);
    
    the analyzer is treating __check_object_size as having arbitrary side
    effects, and, in particular could modify msg->data_len.  Hence the
    sanitization that occurs at (A) above is treated as being for a
    different value than the size obtained at (B), hence the bogus warning
    at the call to copy_from_user.
    
    Fixed by extending the analyzer kernel plugin to "teach" it that
    __check_object_size has no side effects.
    
    gcc/testsuite/ChangeLog:
            PR analyzer/112927
            * gcc.dg/plugin/analyzer_kernel_plugin.c
            (class known_function___check_object_size): New.
            (kernel_analyzer_init_cb): Register it.
            * gcc.dg/plugin/plugin.exp: Add taint-pr112927.c.
            * gcc.dg/plugin/taint-pr112927.c: New test.
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

Diff:
---
 .../gcc.dg/plugin/analyzer_kernel_plugin.c         | 18 ++++++++
 gcc/testsuite/gcc.dg/plugin/plugin.exp             |  3 +-
 gcc/testsuite/gcc.dg/plugin/taint-pr112927.c       | 49 ++++++++++++++++++++++
 3 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
index 02dba7a3234..5a32f8cc620 100644
--- a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
+++ b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
@@ -209,6 +209,22 @@ public:
   }
 };
 
+/* Implementation of "__check_object_size".  */
+  
+class known_function___check_object_size : public known_function
+{
+ public:
+  bool matches_call_types_p (const call_details &cd) const final override
+  {
+    return cd.num_args () == 2;
+  }
+
+  void impl_call_pre (const call_details &) const final override
+  {
+    /* No-op.  */
+  }
+};
+
 /* Callback handler for the PLUGIN_ANALYZER_INIT event.  */
 
 static void
@@ -224,6 +240,8 @@ kernel_analyzer_init_cb (void *gcc_data, void */*user_data*/)
      make_unique<known_function_copy_from_user> ());
   iface->register_known_function ("copy_to_user",
 				  make_unique<known_function_copy_to_user> ());
+  iface->register_known_function ("__check_object_size",
+				  make_unique<known_function___check_object_size> ());
 }
 
 } // namespace ana
diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp
index b3782f9c575..a5a72daac1a 100644
--- a/gcc/testsuite/gcc.dg/plugin/plugin.exp
+++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp
@@ -169,7 +169,8 @@ set plugin_test_list [list \
 	  taint-pr112850.c \
 	  taint-pr112850-precise.c \
 	  taint-pr112850-too-complex.c \
-	  taint-pr112850-unsanitized.c } \
+	  taint-pr112850-unsanitized.c \
+	  taint-pr112927.c } \
     { analyzer_cpython_plugin.c \
 	  cpython-plugin-test-no-Python-h.c \
 	  cpython-plugin-test-PyList_Append.c \
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
new file mode 100644
index 00000000000..9c3f7ab6708
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
@@ -0,0 +1,49 @@
+/* Reduced from false positive in Linux kernel
+   in drivers/char/ipmi/ipmi_devintf.c.  */
+
+/* { dg-do compile } */
+/* { dg-options "-fanalyzer -O2 -Wno-attributes" } */
+/* { dg-require-effective-target analyzer } */
+
+typedef __SIZE_TYPE__ size_t;
+extern void
+__check_object_size(const void* ptr, unsigned long n);
+
+extern unsigned long
+copy_from_user(void*, const void*, unsigned long);
+
+__attribute__((__always_inline__)) unsigned long
+call_copy_from_user(void* to, const void* from, unsigned long n)
+{
+  __check_object_size(to, n);
+  n = copy_from_user(to, from, n); /* { dg-bogus "use of attacker-controlled value as size without upper-bounds checking" } */
+  return n;
+}
+struct ipmi_msg
+{
+  unsigned short data_len;
+  unsigned char* data;
+};
+
+static int
+handle_send_req(struct ipmi_msg* msg)
+{
+  char buf[273];
+  if (msg->data_len > 272) {
+    return -90;
+  }
+  if (call_copy_from_user(buf, msg->data, msg->data_len)) {
+    return -14;
+  }
+  return 0;
+}
+long
+ipmi_ioctl(void* arg)
+{
+  struct ipmi_msg msg;
+  if (call_copy_from_user(&msg, arg, sizeof(msg))) {
+    return -14;
+  }
+
+  return handle_send_req(&msg);
+}