public inbox for gcc-patches@gcc.gnu.org
* [committed] analyzer: fix duplicates in check_for_tainted_size_arg
@ 2022-03-10 14:17 David Malcolm
  0 siblings, 0 replies; only message in thread
From: David Malcolm @ 2022-03-10 14:17 UTC (permalink / raw)
  To: gcc-patches

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk as r12-7594-g708646de75cba2.

gcc/analyzer/ChangeLog:
	* sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
	Avoid generating duplicate saved_diagnostics by only handling the
	rdwr_map entry for the ptrarg, not the duplicate entry for the
	sizarg.

gcc/testsuite/ChangeLog:
	* gcc.dg/analyzer/taint-size-access-attr-1.c: Add
	-fanalyzer-show-duplicate-count to options; verify that a
	duplicate was not created for the tainted size.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---
 gcc/analyzer/sm-taint.cc                                 | 4 ++++
 gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c | 7 ++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc
index c7b28329fca..a13c2fe2cfa 100644
--- a/gcc/analyzer/sm-taint.cc
+++ b/gcc/analyzer/sm-taint.cc
@@ -904,6 +904,10 @@ taint_state_machine::check_for_tainted_size_arg (sm_context *sm_ctxt,
       if (!access)
 	continue;
 
+      /* Ignore any duplicate entry in the map for the size argument.  */
+      if (access->ptrarg != argno)
+	continue;
+
       if (access->sizarg == UINT_MAX)
 	continue;
 
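Review bot: the new early `continue` on `access->ptrarg != argno` is correct only because, as the ChangeLog states, rdwr_map carries the same attr_access under both the ptrarg and the sizarg index; the in-code comment should say that, since "duplicate entry in the map for the size argument" alone does not tell a reader why the ptrarg comparison identifies the duplicate. Suggest something like "/* rdwr_map holds the same attr_access under both ptrarg and sizarg; only act on the ptrarg entry so each call gets one diagnostic.  */". Also worth a glance: the `sizarg == UINT_MAX` test that follows is now only reached for ptrarg entries, which is the intended ordering, so no further change is needed there.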
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
index 724679a8cf3..7d243a9570f 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
@@ -1,8 +1,8 @@
 /* Passing tainted sizes to external functions with attribute ((access)) with
    a size-index.  */
 
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
+// TODO: remove need for the explicit taint option:
+/* { dg-additional-options "-fanalyzer-checker=taint -fanalyzer-show-duplicate-count" } */
 
 #include "analyzer-decls.h"
 #include <stdio.h>
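Review bot: the reworded TODO now correctly scopes the "remove" wish to the explicit taint option, but the added -fanalyzer-show-duplicate-count gets no explanation on this line. A short note that it exists to make the duplicate-count annotation visible for a dg-bogus check later in the file would keep a future cleanup of the TODO from dropping the second option and silently weakening the test.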
@@ -27,7 +27,8 @@ void test_fn_read_only (FILE *f, void *p)
     __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */
     /* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { target *-*-* } .-1 } */
 
-    extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp.sz' as size without upper-bounds checking" } */
+    extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp.sz' as size without upper-bounds checking" "warning" } */
+    /* { dg-bogus "duplicate" "duplicate" { target *-*-* } .-1 } */
   }
 }
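Review bot: the dg-bogus "duplicate" at .-1 only guards the extern_fn_read_only call; if the file has other call sites exercising a size-index access attribute (write-only, read-write variants), they are still unprotected against the same duplicate and deserve the same dg-bogus line, otherwise a regression in one of those paths would pass this test. Minor: naming the dg-warning "warning" and the dg-bogus "duplicate" is fine for disambiguating the two directives on the same line.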
 
-- 
2.26.3

