[Bug analyzer/106284] New: False positives from -Wanalyzer-tainted-array-index with optimized conditionals
dmalcolm at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Wed Jul 13 20:08:10 GMT 2022
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106284
Bug ID: 106284
Summary: False positives from -Wanalyzer-tainted-array-index
with optimized conditionals
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
Consider:
#define LOWER_LIMIT 5
#define UPPER_LIMIT 10
static int arr[UPPER_LIMIT];
static int
called_by_test_1 (int iarg)
{
return arr[iarg]; /* { dg-warning "without bounds checking" } */
}
int __attribute__((tainted_args))
test_1 (unsigned long ularg)
{
return called_by_test_1 (ularg);
}
static int
called_by_test_2 (int iarg)
{
if (iarg < LOWER_LIMIT || iarg > UPPER_LIMIT)
return 0;
return arr[iarg]; /* { dg-bogus "bounds checking" "" { xfail *-*-* } } */
}
int __attribute__((tainted_args))
test_2 (unsigned long ularg)
{
return called_by_test_2 (ularg);
}
int __attribute__((tainted_args))
test_3 (int iarg)
{
if (iarg < LOWER_LIMIT || iarg > UPPER_LIMIT)
return 0;
return arr[iarg]; /* { dg-bogus "bounds checking" "" { xfail *-*-* } } */
}
int __attribute__((tainted_args))
test_4 (unsigned int uiarg)
{
if (uiarg > UPPER_LIMIT)
return 0;
return arr[uiarg]; /* { dg-bogus "bounds checking" } */
}
This gives false positives from -Wanalyzer-tainted-array-index at -O1 and above
at the xfails.
See: https://godbolt.org/z/ahq7G6b4n
Affects trunk and gcc 12.1; would possibly also affect 11 (but that reproducer
uses __attribute__((tainted_args)) which gcc 12 added).
Seen via false positive on Linux kernel in drivers/usb/class/usblp.c in
function ‘usblp_set_protocol’ handling usblp_ioctl on IOCNR_SET_PROTOCOL, which
has:
| 1337 | if (protocol < USBLP_FIRST_PROTOCOL || protocol >
USBLP_LAST_PROTOCOL)
| | ~
| | |
| | (15) following ‘false’ branch...
|......
| 1341 | if (usblp->intf->num_altsetting > 1) {
| | ~~~~~~~~~~~~
| | | |
| | | (16) ...to here
| | (17) following ‘true’ branch...
| 1342 | alts = usblp->protocol[protocol].alt_setting;
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (18) ...to here
| | (19) use of attacker-controlled value ‘arg’ in
array lookup without bounds checking
where "arg" is "protocol" (but from the caller frame), and is checked at (15).
More information about the Gcc-bugs
mailing list