diff options
| author | David Malcolm <dmalcolm@redhat.com> | 2024-01-24 10:11:09 -0500 |
|---|---|---|
| committer | David Malcolm <dmalcolm@redhat.com> | 2024-01-24 10:11:09 -0500 |
| commit | b6e537571c21d8f0bc276d7afa156d6d4a54a1c9 (patch) | |
| tree | 6b964668e866cb5a3fede0176b03a1a7e150a6bd /gcc/cgraph.cc | |
| parent | 3de031c96f28f19a68ea2080260d8fd2c78828ee (diff) | |
| download | gcc-b6e537571c21d8f0bc276d7afa156d6d4a54a1c9.zip gcc-b6e537571c21d8f0bc276d7afa156d6d4a54a1c9.tar.gz gcc-b6e537571c21d8f0bc276d7afa156d6d4a54a1c9.tar.bz2 | |
analyzer kernel plugin: implement __check_object_size [PR112927]
PR analyzer/112927 reports a false positive from -Wanalyzer-tainted-size
seen on the Linux kernel's drivers/char/ipmi/ipmi_devintf.c with the
analyzer kernel plugin.
The issue is that in:
(A):
if (msg->data_len > 272) {
return -90;
}
(B):
n = msg->data_len;
__check_object_size(to, n);
n = copy_from_user(to, from, n);
the analyzer is treating __check_object_size as having arbitrary side
effects, and, in particular could modify msg->data_len. Hence the
sanitization that occurs at (A) above is treated as being for a
different value than the size obtained at (B), hence the bogus warning
at the call to copy_from_user.
Fixed by extending the analyzer kernel plugin to "teach" it that
__check_object_size has no side effects.
gcc/testsuite/ChangeLog:
PR analyzer/112927
* gcc.dg/plugin/analyzer_kernel_plugin.c
(class known_function___check_object_size): New.
(kernel_analyzer_init_cb): Register it.
* gcc.dg/plugin/plugin.exp: Add taint-pr112927.c.
* gcc.dg/plugin/taint-pr112927.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
Diffstat (limited to 'gcc/cgraph.cc')
0 files changed, 0 insertions, 0 deletions