authorDavid Malcolm <dmalcolm@redhat.com>2024-01-24 10:11:09 -0500
committerDavid Malcolm <dmalcolm@redhat.com>2024-01-24 10:11:09 -0500
commitb6e537571c21d8f0bc276d7afa156d6d4a54a1c9 (patch)
tree6b964668e866cb5a3fede0176b03a1a7e150a6bd
parent3de031c96f28f19a68ea2080260d8fd2c78828ee (diff)
analyzer kernel plugin: implement __check_object_size [PR112927]
PR analyzer/112927 reports a false positive from -Wanalyzer-tainted-size seen on the Linux kernel's drivers/char/ipmi/ipmi_devintf.c with the analyzer kernel plugin. The issue is that in: (A): if (msg->data_len > 272) { return -90; } (B): n = msg->data_len; __check_object_size(to, n); n = copy_from_user(to, from, n); the analyzer is treating __check_object_size as having arbitrary side effects, and, in particular could modify msg->data_len. Hence the sanitization that occurs at (A) above is treated as being for a different value than the size obtained at (B), hence the bogus warning at the call to copy_from_user. Fixed by extending the analyzer kernel plugin to "teach" it that __check_object_size has no side effects. gcc/testsuite/ChangeLog: PR analyzer/112927 * gcc.dg/plugin/analyzer_kernel_plugin.c (class known_function___check_object_size): New. (kernel_analyzer_init_cb): Register it. * gcc.dg/plugin/plugin.exp: Add taint-pr112927.c. * gcc.dg/plugin/taint-pr112927.c: New test. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
-rw-r--r--gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c18
-rw-r--r--gcc/testsuite/gcc.dg/plugin/plugin.exp3
-rw-r--r--gcc/testsuite/gcc.dg/plugin/taint-pr112927.c49
3 files changed, 69 insertions, 1 deletions
diff --git a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
index 02dba7a..5a32f8c 100644
--- a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
+++ b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
@@ -209,6 +209,22 @@ public:
}
};
+/* Implementation of "__check_object_size". */
+
+class known_function___check_object_size : public known_function
+{
+ public:
+ bool matches_call_types_p (const call_details &cd) const final override
+ {
+ return cd.num_args () == 2;
+ }
+
+ void impl_call_pre (const call_details &) const final override
+ {
+ /* No-op. */
+ }
+};
+
/* Callback handler for the PLUGIN_ANALYZER_INIT event. */
static void
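Review bot: `matches_call_types_p` in the new `known_function___check_object_size` accepts any two-argument call by count alone, so a same-named function with unrelated parameter types would also be modelled as side-effect free. Tightening it to `return cd.num_args () == 2 && cd.arg_is_pointer_p (0);` keeps the model tied to the pointer-plus-size shape the test declares. It is also worth confirming against the kernel headers that the real declaration has exactly two parameters; if it carries an extra argument, this matcher would only fire on the reduced test and the false positive would remain on real kernel code. The `/* No-op. */` comment could say why the body is empty, e.g. `/* No side effects to model; deliberately does not sanitize the size argument. */`, so it is not later mistaken for an omission.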
@@ -224,6 +240,8 @@ kernel_analyzer_init_cb (void *gcc_data, void */*user_data*/)
make_unique<known_function_copy_from_user> ());
iface->register_known_function ("copy_to_user",
make_unique<known_function_copy_to_user> ());
+ iface->register_known_function ("__check_object_size",
+ make_unique<known_function___check_object_size> ());
}
} // namespace ana
diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp
index b3782f9..a5a72da 100644
--- a/gcc/testsuite/gcc.dg/plugin/plugin.exp
+++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp
@@ -169,7 +169,8 @@ set plugin_test_list [list \
taint-pr112850.c \
taint-pr112850-precise.c \
taint-pr112850-too-complex.c \
- taint-pr112850-unsanitized.c } \
+ taint-pr112850-unsanitized.c \
+ taint-pr112927.c } \
{ analyzer_cpython_plugin.c \
cpython-plugin-test-no-Python-h.c \
cpython-plugin-test-PyList_Append.c \
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
new file mode 100644
index 0000000..9c3f7ab
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
@@ -0,0 +1,49 @@
+/* Reduced from false positive in Linux kernel
+ in drivers/char/ipmi/ipmi_devintf.c. */
+
+/* { dg-do compile } */
+/* { dg-options "-fanalyzer -O2 -Wno-attributes" } */
+/* { dg-require-effective-target analyzer } */
+
+typedef __SIZE_TYPE__ size_t;
+extern void
+__check_object_size(const void* ptr, unsigned long n);
+
+extern unsigned long
+copy_from_user(void*, const void*, unsigned long);
+
+__attribute__((__always_inline__)) unsigned long
+call_copy_from_user(void* to, const void* from, unsigned long n)
+{
+ __check_object_size(to, n);
+ n = copy_from_user(to, from, n); /* { dg-bogus "use of attacker-controlled value as size without upper-bounds checking" } */
+ return n;
+}
+struct ipmi_msg
+{
+ unsigned short data_len;
+ unsigned char* data;
+};
+
+static int
+handle_send_req(struct ipmi_msg* msg)
+{
+ char buf[273];
+ if (msg->data_len > 272) {
+ return -90;
+ }
+ if (call_copy_from_user(buf, msg->data, msg->data_len)) {
+ return -14;
+ }
+ return 0;
+}
+long
+ipmi_ioctl(void* arg)
+{
+ struct ipmi_msg msg;
+ if (call_copy_from_user(&msg, arg, sizeof(msg))) {
+ return -14;
+ }
+
+ return handle_send_req(&msg);
+}
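Review bot: The new test only asserts the absence of the warning (`dg-bogus` in `call_copy_from_user`), so it cannot tell "the bound at `msg->data_len > 272` is now recognised" apart from "any call to `__check_object_size` suppresses the taint warning". A companion case without the `if (msg->data_len > 272)` check in `handle_send_req`, expecting `dg-warning "use of attacker-controlled value as size without upper-bounds checking"` on the `copy_from_user` line, would pin that the known function does not launder tainted sizes. The neighbouring `taint-pr112850-unsanitized.c` entry in plugin.exp suggests this pattern is already used for the earlier PR.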