From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id CCEAB3858C66 for ; Wed, 24 Jan 2024 15:15:10 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org CCEAB3858C66 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org CCEAB3858C66 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1706109312; cv=none; b=HCdUhrYVaWQynk54RHCmOMHZgWGnGpVmPGpMR8Z6bBnVH0wgmLPRhdx/S9Aqvf/A5myYpTgDNRUh+uyc3W5OfCMLHIMsGPV1MiIipHAmciOi1TrGIXVUQhksbJIorvuYcuZRCyYVjL84wBoUTzu1mbfVU1CBY6gO5JL30tKCsgE= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1706109312; c=relaxed/simple; bh=yAUw1fiwBEpLJv0UCQqr/qypo9mm4jm/1McevUrJCDo=; h=DKIM-Signature:From:To:Subject:Date:Message-Id:MIME-Version; b=T+LY0WtIoLL5FTxjnGG3y2R2rIvg0d6OtvuMERg+jfkQ2+OW203EcLJaRozoxjl/3TgUES/ZieCUef/IMrVAzAAcHDeUY/ac+9vEUdPuP1Y2KDQHleExYHRSRsdrzYol+ab/jz2NV9dOp3xu+WJ/CQAn2AdMyMLAH9AVVYigEZw= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1706109310; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aTL0ub/9BUBG19t19dFVwIqTcgXJoZCYaud3GQnmC18=; b=ShchWlA6cgvuRF49wcTvx2wlfO7kNaDT4X0SoDHGzKmueqFfXg4yZ3cLYhtPtSk50I3/3U wvCbP5rOZFVsb6tl7jDXMXm42lIiCX6x5VrVJXfco91v2DXhzDOtYqANSdIrOyINI18H6L ghA3UsjjO5iVuUdK5edAjC4pw9TPpsA= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-536-rUu_C-aKMH2Vgg8d2TlNDQ-1; Wed, 24 Jan 2024 10:15:08 -0500 X-MC-Unique: rUu_C-aKMH2Vgg8d2TlNDQ-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 94DA0185A785 for ; Wed, 24 Jan 2024 15:15:08 +0000 (UTC) Received: from t14s.localdomain.com (unknown [10.22.32.139]) by smtp.corp.redhat.com (Postfix) with ESMTP id 694C41C060AF; Wed, 24 Jan 2024 15:15:08 +0000 (UTC) From: David Malcolm To: gcc-patches@gcc.gnu.org Cc: David Malcolm Subject: [pushed] analyzer kernel plugin: implement __check_object_size [PR112927] Date: Wed, 24 Jan 2024 10:15:06 -0500 Message-Id: <20240124151506.1538189-1-dmalcolm@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.7 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true X-Spam-Status: No, score=-12.2 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GIT_PATCH_0,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: PR analyzer/112927 reports a false positive from -Wanalyzer-tainted-size seen on the Linux kernel's drivers/char/ipmi/ipmi_devintf.c with the analyzer kernel plugin. The issue is that in: (A): if (msg->data_len > 272) { return -90; } (B): n = msg->data_len; __check_object_size(to, n); n = copy_from_user(to, from, n); the analyzer is treating __check_object_size as having arbitrary side effects, and, in particular could modify msg->data_len. Hence the sanitization that occurs at (A) above is treated as being for a different value than the size obtained at (B), hence the bogus warning at the call to copy_from_user. Fixed by extending the analyzer kernel plugin to "teach" it that __check_object_size has no side effects. Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu. Successful run of analyzer integration tests on x86_64-pc-linux-gnu. Pushed to trunk as r14-8390-gb6e537571c21d8. gcc/testsuite/ChangeLog: PR analyzer/112927 * gcc.dg/plugin/analyzer_kernel_plugin.c (class known_function___check_object_size): New. (kernel_analyzer_init_cb): Register it. * gcc.dg/plugin/plugin.exp: Add taint-pr112927.c. * gcc.dg/plugin/taint-pr112927.c: New test. Signed-off-by: David Malcolm --- .../gcc.dg/plugin/analyzer_kernel_plugin.c | 18 +++++++ gcc/testsuite/gcc.dg/plugin/plugin.exp | 3 +- gcc/testsuite/gcc.dg/plugin/taint-pr112927.c | 49 +++++++++++++++++++ 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 gcc/testsuite/gcc.dg/plugin/taint-pr112927.c diff --git a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c index 02dba7a3234..5a32f8cc620 100644 --- a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c +++ b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c @@ -209,6 +209,22 @@ public: } }; +/* Implementation of "__check_object_size". */ + +class known_function___check_object_size : public known_function +{ + public: + bool matches_call_types_p (const call_details &cd) const final override + { + return cd.num_args () == 2; + } + + void impl_call_pre (const call_details &) const final override + { + /* No-op. */ + } +}; + /* Callback handler for the PLUGIN_ANALYZER_INIT event. */ static void @@ -224,6 +240,8 @@ kernel_analyzer_init_cb (void *gcc_data, void */*user_data*/) make_unique ()); iface->register_known_function ("copy_to_user", make_unique ()); + iface->register_known_function ("__check_object_size", + make_unique ()); } } // namespace ana diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp index b3782f9c575..a5a72daac1a 100644 --- a/gcc/testsuite/gcc.dg/plugin/plugin.exp +++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp @@ -169,7 +169,8 @@ set plugin_test_list [list \ taint-pr112850.c \ taint-pr112850-precise.c \ taint-pr112850-too-complex.c \ - taint-pr112850-unsanitized.c } \ + taint-pr112850-unsanitized.c \ + taint-pr112927.c } \ { analyzer_cpython_plugin.c \ cpython-plugin-test-no-Python-h.c \ cpython-plugin-test-PyList_Append.c \ diff --git a/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c new file mode 100644 index 00000000000..9c3f7ab6708 --- /dev/null +++ b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c @@ -0,0 +1,49 @@ +/* Reduced from false positive in Linux kernel + in drivers/char/ipmi/ipmi_devintf.c. */ + +/* { dg-do compile } */ +/* { dg-options "-fanalyzer -O2 -Wno-attributes" } */ +/* { dg-require-effective-target analyzer } */ + +typedef __SIZE_TYPE__ size_t; +extern void +__check_object_size(const void* ptr, unsigned long n); + +extern unsigned long +copy_from_user(void*, const void*, unsigned long); + +__attribute__((__always_inline__)) unsigned long +call_copy_from_user(void* to, const void* from, unsigned long n) +{ + __check_object_size(to, n); + n = copy_from_user(to, from, n); /* { dg-bogus "use of attacker-controlled value as size without upper-bounds checking" } */ + return n; +} +struct ipmi_msg +{ + unsigned short data_len; + unsigned char* data; +}; + +static int +handle_send_req(struct ipmi_msg* msg) +{ + char buf[273]; + if (msg->data_len > 272) { + return -90; + } + if (call_copy_from_user(buf, msg->data, msg->data_len)) { + return -14; + } + return 0; +} +long +ipmi_ioctl(void* arg) +{ + struct ipmi_msg msg; + if (call_copy_from_user(&msg, arg, sizeof(msg))) { + return -14; + } + + return handle_send_req(&msg); +} -- 2.26.3