[Bug analyzer/106373] New: False positives from -Wanalyzer-tainted-array-index with casts

dmalcolm at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Wed Jul 20 18:09:20 GMT 2022


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106373

            Bug ID: 106373
           Summary: False positives from -Wanalyzer-tainted-array-index
                    with casts
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 106358
  Target Milestone: ---

See: https://godbolt.org/z/P5nGMohxd

Am seeing false positive with -O1 -fanalyzer -fanalyzer-checker=taint on this
code:

struct raw_ep {
  /* ...snip... */
  int state;
  /* ...snip... */
};

struct raw_dev {
  /* ...snip... */
  struct raw_ep eps[30];
  int eps_num;
  /* ...snip... */
};

int   __attribute__((tainted_args))
simplified_raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long value)
{
  int ret = 0, i = value;

  if (i < 0 || i >= dev->eps_num) {
    ret = -16;
    goto out_unlock;
  }
  if (dev->eps[i].state == 0) {
    ret = -22;
    goto out_unlock;
  }

out_unlock:
  return ret;
}


../../src/raw_gadget.c: In function ‘simplified_raw_ioctl_ep_disable’:
../../src/raw_gadget.c:23:18: warning: use of attacker-controlled value ‘value’
in array lookup without upper-bounds checking [CWE-129]
[-Wanalyzer-tainted-array-index]
   23 |   if (dev->eps[i].state == 0) {
      |       ~~~~~~~~~~~^~~~~~
  ‘simplified_raw_ioctl_ep_disable’: event 1
    |
    |   15 | simplified_raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long
value)
    |      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      | |
    |      | (1) function ‘simplified_raw_ioctl_ep_disable’ marked with
‘__attribute__((tainted_args))’
    |
    +--> ‘simplified_raw_ioctl_ep_disable’: events 2-5
           |
           |   15 | simplified_raw_ioctl_ep_disable(struct raw_dev *dev,
unsigned long value)
           |      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      | |
           |      | (2) entry to ‘simplified_raw_ioctl_ep_disable’
           |......
           |   19 |   if (i < 0 || i >= dev->eps_num) {
           |      |      ~
           |      |      |
           |      |      (3) following ‘false’ branch...
           |......
           |   23 |   if (dev->eps[i].state == 0) {
           |      |       ~~~~~~~~~~~~~~~~~
           |      |                  |
           |      |                  (4) ...to here
           |      |                  (5) use of attacker-controlled value
‘value’ in array lookup without upper-bounds checking
           |

Seems to need at least -O1.

Reduced from false positives seen in various ioctl handlers in Linux kernel in
drivers/usb/gadget/legacy/raw_gadget.c (with "allyesconfig").


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with
-fanalyzer


More information about the Gcc-bugs mailing list