diff options
author | David Malcolm <dmalcolm@redhat.com> | 2022-03-10 09:02:18 -0500 |
---|---|---|
committer | David Malcolm <dmalcolm@redhat.com> | 2022-03-10 09:02:18 -0500 |
commit | 708646de75cba2e3855bde09d21816ca66239a67 (patch) | |
tree | 521137d1abc7f4e40e522293583e5e1fc8109077 | |
parent | e671e48e352ee278d816d4633146208807a0e403 (diff) | |
download | gcc-708646de75cba2e3855bde09d21816ca66239a67.zip gcc-708646de75cba2e3855bde09d21816ca66239a67.tar.gz gcc-708646de75cba2e3855bde09d21816ca66239a67.tar.bz2 |
analyzer: fix duplicates in check_for_tainted_size_arg
gcc/analyzer/ChangeLog:
* sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
Avoid generating duplicate saved_diagnostics by only handling the
rdwr_map entry for the ptrarg, not the duplicate entry for the
sizarg.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/taint-size-access-attr-1.c: Add
-fanalyzer-show-duplicate-count to options; verify that a
duplicate was not created for the tainted size.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
-rw-r--r-- | gcc/analyzer/sm-taint.cc | 4 | ||||
-rw-r--r-- | gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c | 7 |
2 files changed, 8 insertions, 3 deletions
diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc index c7b2832..a13c2fe 100644 --- a/gcc/analyzer/sm-taint.cc +++ b/gcc/analyzer/sm-taint.cc @@ -904,6 +904,10 @@ taint_state_machine::check_for_tainted_size_arg (sm_context *sm_ctxt, if (!access) continue; + /* Ignore any duplicate entry in the map for the size argument. */ + if (access->ptrarg != argno) + continue; + if (access->sizarg == UINT_MAX) continue; diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c index 724679a..7d243a9 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c @@ -1,8 +1,8 @@ /* Passing tainted sizes to external functions with attribute ((access)) with a size-index. */ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ +// TODO: remove need for the explicit taint option: +/* { dg-additional-options "-fanalyzer-checker=taint -fanalyzer-show-duplicate-count" } */ #include "analyzer-decls.h" #include <stdio.h> @@ -27,7 +27,8 @@ void test_fn_read_only (FILE *f, void *p) __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */ /* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { target *-*-* } .-1 } */ - extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp.sz' as size without upper-bounds checking" } */ + extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp.sz' as size without upper-bounds checking" "warning" } */ + /* { dg-bogus "duplicate" "duplicate" { target *-*-* } .-1 } */ } } |