[Bug analyzer/106373] New: False positives from -Wanalyzer-tainted-array-index with casts
dmalcolm at gcc dot gnu.org
gcc-bugzilla@gcc.gnu.org
Wed Jul 20 18:09:20 GMT 2022
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106373
Bug ID: 106373
Summary: False positives from -Wanalyzer-tainted-array-index
with casts
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Blocks: 106358
Target Milestone: ---
See: https://godbolt.org/z/P5nGMohxd
Am seeing false positive with -O1 -fanalyzer -fanalyzer-checker=taint on this
code:
struct raw_ep {
/* ...snip... */
int state;
/* ...snip... */
};
struct raw_dev {
/* ...snip... */
struct raw_ep eps[30];
int eps_num;
/* ...snip... */
};
int __attribute__((tainted_args))
simplified_raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long value)
{
int ret = 0, i = value;
if (i < 0 || i >= dev->eps_num) {
ret = -16;
goto out_unlock;
}
if (dev->eps[i].state == 0) {
ret = -22;
goto out_unlock;
}
out_unlock:
return ret;
}
../../src/raw_gadget.c: In function ‘simplified_raw_ioctl_ep_disable’:
../../src/raw_gadget.c:23:18: warning: use of attacker-controlled value ‘value’
in array lookup without upper-bounds checking [CWE-129]
[-Wanalyzer-tainted-array-index]
23 | if (dev->eps[i].state == 0) {
| ~~~~~~~~~~~^~~~~~
‘simplified_raw_ioctl_ep_disable’: event 1
|
| 15 | simplified_raw_ioctl_ep_disable(struct raw_dev *dev, unsigned long
value)
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) function ‘simplified_raw_ioctl_ep_disable’ marked with
‘__attribute__((tainted_args))’
|
+--> ‘simplified_raw_ioctl_ep_disable’: events 2-5
|
| 15 | simplified_raw_ioctl_ep_disable(struct raw_dev *dev,
unsigned long value)
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (2) entry to ‘simplified_raw_ioctl_ep_disable’
|......
| 19 | if (i < 0 || i >= dev->eps_num) {
| | ~
| | |
| | (3) following ‘false’ branch...
|......
| 23 | if (dev->eps[i].state == 0) {
| | ~~~~~~~~~~~~~~~~~
| | |
| | (4) ...to here
| | (5) use of attacker-controlled value
‘value’ in array lookup without upper-bounds checking
|
Seems to need at least -O1.
Reduced from false positives seen in various ioctl handlers in Linux kernel in
drivers/usb/gadget/legacy/raw_gadget.c (with "allyesconfig").
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with
-fanalyzer
More information about the Gcc-bugs
mailing list