From: David Malcolm
To: gcc-patches@gcc.gnu.org
Cc: David Malcolm
Subject: [pushed 0/9] analyzer: strlen, strcpy, and strcat [PR105899]
Date: Thu, 24 Aug 2023 10:38:54 -0400
Message-Id: <20230824143903.3161185-1-dmalcolm@redhat.com>

This patch kit makes improvements to the analyzer's new strlen
implementation, and wires it up to strcpy and strcat.

For example, given:

#include <string.h>

void test (void)
{
  char buf[10];
  strcpy (buf, "hello world!");
}

we now emit:

demo.c: In function ‘test’:
demo.c:6:3: warning: stack-based buffer overflow [CWE-121] [-Wanalyzer-out-of-bounds]
    6 |   strcpy (buf, "hello world!");
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘test’: events 1-2
    |
    |    5 |   char buf[10];
    |      |        ^~~
    |      |        |
    |      |        (1) capacity: 10 bytes
    |    6 |   strcpy (buf, "hello world!");
    |      |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (2) out-of-bounds write from byte 10 till byte 12 but ‘buf’ ends at byte 10
    |
demo.c:6:3: note: write of 3 bytes to beyond the end of ‘buf’
    6 |   strcpy (buf, "hello world!");
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
demo.c:6:3: note: valid subscripts for ‘buf’ are ‘[0]’ to ‘[9]’

  ┌─────┬─────┬────┬────┬────┬────┬────┬────┬────┬────┐┌─────┬─────┬─────┐
  │ [0] │ [1] │[2] │[3] │[4] │[5] │[6] │[7] │[8] │[9] ││[10] │[11] │[12] │
  ├─────┼─────┼────┼────┼────┼────┼────┼────┼────┼────┤├─────┼─────┼─────┤
  │ ‘h’ │ ‘e’ │‘l’ │‘l’ │‘o’ │‘ ’ │‘w’ │‘o’ │‘r’ │‘l’ ││ ‘d’ │ ‘!’ │ NUL │
  ├─────┴─────┴────┴────┴────┴────┴────┴────┴────┴────┴┴─────┴─────┴─────┤
  │                  string literal (type: ‘char[13]’)                   │
  └──────────────────────────────────────────────────────────────────────┘
     │     │    │    │    │    │    │    │    │    │      │     │     │
     │     │    │    │    │    │    │    │    │    │      │     │     │
     v     v    v    v    v    v    v    v    v    v      v     v     v
  ┌─────┬────────────────────────────────────────┬────┐┌─────────────────┐
  │ [0] │                  ...                   │[9] ││                 │
  ├─────┴────────────────────────────────────────┴────┤│after valid range│
  │             ‘buf’ (type: ‘char[10]’)              ││                 │
  └───────────────────────────────────────────────────┘└─────────────────┘
  ├─────────────────────────┬─────────────────────────┤├────────┬────────┤
                            │                                   │
                  ╭─────────┴────────╮              ╭───────────┴──────────╮
                  │capacity: 10 bytes│              │⚠️ overflow of 3 bytes│
                  ╰──────────────────╯              ╰──────────────────────╯

in addition to the pre-existing:

demo.c:6:3: warning: ‘__builtin_memcpy’ writing 13 bytes into a region of size 10 overflows the destination [-Wstringop-overflow=]
demo.c:5:8: note: destination object ‘buf’ of size 10
    5 |   char buf[10];
      |        ^~~

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk as r14-3461-g9aaec66917c96a through to r14-3469-gbbdc0e0d0042ae.

David Malcolm (9):
  analyzer: add logging to impl_path_context
  analyzer: handle symbolic bindings in scan_for_null_terminator [PR105899]
  analyzer: reimplement kf_strcpy [PR105899]
  analyzer: eliminate region_model::get_string_size [PR105899]
  analyzer: reimplement kf_memcpy_memmove
  analyzer: handle strlen(INIT_VAL(STRING_REG)) [PR105899]
  analyzer: handle INIT_VAL(ELEMENT_REG(STRING_REG), CONSTANT_SVAL) [PR105899]
  analyzer: handle strlen(BITS_WITHIN) [PR105899]
  analyzer: implement kf_strcat [PR105899]

 gcc/analyzer/call-details.cc                  |  12 +-
 gcc/analyzer/call-details.h                   |   5 +-
 gcc/analyzer/engine.cc                        |  13 +-
 gcc/analyzer/kf.cc                            | 116 +++++--
 gcc/analyzer/region-model-manager.cc          |  19 ++
 gcc/analyzer/region-model.cc                  | 261 +++++++++++++-----
 gcc/analyzer/region-model.h                   |  22 +-
 gcc/doc/invoke.texi                           |   1 +
 .../analyzer/out-of-bounds-diagram-16.c       |  31 +++
 gcc/testsuite/gcc.dg/analyzer/sprintf-1.c     |  11 +
 gcc/testsuite/gcc.dg/analyzer/strcat-1.c      | 136 +++++++++
 gcc/testsuite/gcc.dg/analyzer/strcpy-1.c      |  22 ++
 gcc/testsuite/gcc.dg/analyzer/strcpy-3.c      |   8 +
 gcc/testsuite/gcc.dg/analyzer/strcpy-4.c      |  51 ++++
 14 files changed, 601 insertions(+), 107 deletions(-)
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/out-of-bounds-diagram-16.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/strcat-1.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/strcpy-4.c

-- 
2.26.3
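The overflow in the cover letter's demo is the bug class the new strcpy/strcat handling reports; the following added example (not part of the patch kit or GCC) shows the shape of the fix the diagnostic points at: bounded replacements for strcpy and strcat that truncate and NUL-terminate instead of writing past the end, and that return the length the full result would have needed so the caller can detect truncation. `bounded_strcpy` and `bounded_strcat` are hypothetical strlcpy-style helpers; the inputs reuse the demo's "hello world!" into a 10-byte buffer.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical bounded replacement for strcpy (not part of GCC or the
   patch kit).  Writes at most dstsize-1 chars plus a NUL and returns
   strlen (src), so a return value >= dstsize means truncation.  */
size_t bounded_strcpy (char *dst, size_t dstsize, const char *src)
{
  size_t srclen = strlen (src);
  if (dstsize == 0)
    return srclen;
  size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
  memcpy (dst, src, n);
  dst[n] = '\0';
  return srclen;
}

/* Bounded replacement for strcat with the same convention: returns the
   length the concatenation would need if dst were large enough.  */
size_t bounded_strcat (char *dst, size_t dstsize, const char *src)
{
  size_t dstlen = 0;
  while (dstlen < dstsize && dst[dstlen] != '\0')
    dstlen++;
  if (dstlen == dstsize)  /* dst is not NUL-terminated within dstsize */
    return dstsize + strlen (src);
  return dstlen + bounded_strcpy (dst + dstlen, dstsize - dstlen, src);
}

/* The cover letter's demo, bounded: "hello world!" needs 13 bytes
   (12 chars + NUL) but buf holds 10, so the copy is truncated to
   "hello wor" instead of writing 3 bytes past the end.  Returns 1
   when the helper behaves that way and reports the truncation.  */
int check_copy (void)
{
  char buf[10];
  size_t needed = bounded_strcpy (buf, sizeof buf, "hello world!");
  return needed == 12 && needed >= sizeof buf
         && strcmp (buf, "hello wor") == 0;
}

/* Same scenario via strcat: "hello" + " world!" also needs 13 bytes.  */
int check_cat (void)
{
  char buf[10] = "hello";
  size_t needed = bounded_strcat (buf, sizeof buf, " world!");
  return needed == 12 && strcmp (buf, "hello wor") == 0;
}
```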