author | David Malcolm <dmalcolm@redhat.com> | 2019-12-13 19:36:11 -0500 |
---|---|---|
committer | David Malcolm <dmalcolm@redhat.com> | 2020-01-14 18:38:23 -0500 |
commit | 14f9d7b9a708ebca57257059bda40986bb1e82a7 (patch) | |
tree | 4589d5e9c89465d4328e8f44dfd9ced286de7547 /gcc/analyzer/sm-file.cc | |
parent | 000c7a93bdf4040d7d0672fbb9b064eae3d78f5d (diff) | |
analyzer: fix dedupe issue seen with CVE-2005-1689
Whilst analyzing the reproducer for detecting CVE-2005-1689
(krb5-1.4.1's src/lib/krb5/krb/recvauth.c), the analyzer reported
11 double-free diagnostics on lines of the form:
krb5_xfree(inbuf.data);
with no deduplication occurring.
The root cause is that the diagnostics each have a COMPONENT_REF for
the inbuf.data, but they are different trees, and the de-duplication
logic was using pointer equality.
This patch replaces the pointer equality tests with calls to a new
pending_diagnostic::same_tree_p, implemented using simple_cst_equal.
With this patch, de-duplication occurs, and only 3 diagnostics are
reported. The 11 diagnostics are partitioned into 3 dedupe keys,
2 with 2 duplicates and 1 with 7 duplicates.
gcc/analyzer/ChangeLog:
* diagnostic-manager.cc (saved_diagnostic::operator==): Move here
from header. Replace pointer equality test on m_var with call to
pending_diagnostic::same_tree_p.
* diagnostic-manager.h (saved_diagnostic::operator==): Move to
diagnostic-manager.cc.
* pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
* pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
* sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
equality on m_arg with call to pending_diagnostic::same_tree_p.
* sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
(possible_null_arg::subclass_equal_p): Likewise.
(null_arg::subclass_equal_p): Likewise.
(free_of_non_heap::subclass_equal_p): Likewise.
* sm-pattern-test.cc (pattern_match::operator==): Likewise.
* sm-sensitive.cc (exposure_through_output_file::operator==):
Likewise.
* sm-taint.cc (tainted_array_index::operator==): Likewise.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/CVE-2005-1689-dedupe-issue.c: New test.
Diffstat (limited to 'gcc/analyzer/sm-file.cc')
-rw-r--r-- | gcc/analyzer/sm-file.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/gcc/analyzer/sm-file.cc b/gcc/analyzer/sm-file.cc index ba18bf7..375f522 100644 --- a/gcc/analyzer/sm-file.cc +++ b/gcc/analyzer/sm-file.cc @@ -96,7 +96,7 @@ public: bool subclass_equal_p (const pending_diagnostic &base_other) const OVERRIDE { - return m_arg == ((const file_diagnostic &)base_other).m_arg; + return same_tree_p (m_arg, ((const file_diagnostic &)base_other).m_arg); } label_text describe_state_change (const evdesc::state_change &change) |
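Review bot: The C-style cast `(const file_diagnostic &)base_other` kept on the `+` line is unchecked, and `subclass_equal_p` is only meaningful when both diagnostics have the same dynamic type; consider `static_cast<const file_diagnostic &> (base_other)` together with a comment on the method stating that the caller has already compared the diagnostic kinds, so a reader of this line does not have to find the call site to trust the cast. The replacement of `==` on `m_arg` with `same_tree_p` is otherwise the right fix for the distinct-but-equal COMPONENT_REF trees described in the commit message, and the new `CVE-2005-1689-dedupe-issue.c` test listed there covers the behaviour.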