authorDavid Malcolm <dmalcolm@redhat.com>2022-03-10 09:02:18 -0500
committerDavid Malcolm <dmalcolm@redhat.com>2022-03-10 09:02:18 -0500
commit708646de75cba2e3855bde09d21816ca66239a67 (patch)
tree521137d1abc7f4e40e522293583e5e1fc8109077
parente671e48e352ee278d816d4633146208807a0e403 (diff)
downloadgcc-708646de75cba2e3855bde09d21816ca66239a67.zip
gcc-708646de75cba2e3855bde09d21816ca66239a67.tar.gz
gcc-708646de75cba2e3855bde09d21816ca66239a67.tar.bz2
analyzer: fix duplicates in check_for_tainted_size_arg
gcc/analyzer/ChangeLog: * sm-taint.cc (taint_state_machine::check_for_tainted_size_arg): Avoid generating duplicate saved_diagnostics by only handling the rdwr_map entry for the ptrarg, not the duplicate entry for the sizarg. gcc/testsuite/ChangeLog: * gcc.dg/analyzer/taint-size-access-attr-1.c: Add -fanalyzer-show-duplicate-count to options; verify that a duplicate was not created for the tainted size. Signed-off-by: David Malcolm <dmalcolm@redhat.com>
-rw-r--r--gcc/analyzer/sm-taint.cc4
-rw-r--r--gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c7
2 files changed, 8 insertions, 3 deletions
diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc
index c7b2832..a13c2fe 100644
--- a/gcc/analyzer/sm-taint.cc
+++ b/gcc/analyzer/sm-taint.cc
@@ -904,6 +904,10 @@ taint_state_machine::check_for_tainted_size_arg (sm_context *sm_ctxt,
if (!access)
continue;
+ /* Ignore any duplicate entry in the map for the size argument. */
+ if (access->ptrarg != argno)
+ continue;
+
if (access->sizarg == UINT_MAX)
continue;
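Review bot: The new guard is right, but the comment above it should say where the duplicate comes from, because `access->ptrarg != argno` reads as an arbitrary filter unless the reader already knows the rdwr_map layout. If I read that map correctly, the same attr_access entry is recorded under both the pointer index and the size index, so without this check the loop visits and reports the one access twice; a comment such as `/* The rdwr_map records each access under both its pointer and its size index; only handle the entry keyed by the pointer argument so each access is diagnosed once. */` would make that explicit. check_for_tainted_size_arg begins before the hunk, so the loop over the map and the meaning of argno are not visible here.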
diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
index 724679a..7d243a9 100644
--- a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
+++ b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c
@@ -1,8 +1,8 @@
/* Passing tainted sizes to external functions with attribute ((access)) with
a size-index. */
-// TODO: remove need for this option:
-/* { dg-additional-options "-fanalyzer-checker=taint" } */
+// TODO: remove need for the explicit taint option:
+/* { dg-additional-options "-fanalyzer-checker=taint -fanalyzer-show-duplicate-count" } */
#include "analyzer-decls.h"
#include <stdio.h>
@@ -27,7 +27,8 @@ void test_fn_read_only (FILE *f, void *p)
__analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */
/* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { target *-*-* } .-1 } */
- extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp.sz' as size without upper-bounds checking" } */
+ extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp.sz' as size without upper-bounds checking" "warning" } */
+ /* { dg-bogus "duplicate" "duplicate" { target *-*-* } .-1 } */
}
}
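Review bot: The `dg-bogus "duplicate"` check is added only after the extern_fn_read_only call, so the test pins the de-duplication for a single access kind. If this file also exercises write_only or read_write variants (the name test_fn_read_only suggests sibling functions, which lie outside the hunk), each of their tainted-size warnings should carry the same `/* { dg-bogus "duplicate" "duplicate" { target *-*-* } .-1 } */` line so a regression in another attribute mode is also caught. test_fn_read_only starts outside the hunk.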