analyzer kernel plugin: implement __check_object_size [PR112927]
PR analyzer/112927 reports a false positive from -Wanalyzer-tainted-size
seen on the Linux kernel's drivers/char/ipmi/ipmi_devintf.c with the
analyzer kernel plugin.
The issue is that in:

  (A):
    if (msg->data_len > 272) {
      return -90;
    }

  (B):
    n = msg->data_len;
    __check_object_size(to, n);
    n = copy_from_user(to, from, n);
the analyzer is treating __check_object_size as having arbitrary side
effects and, in particular, as possibly modifying msg->data_len. Hence the
sanitization that occurs at (A) above is treated as being for a
different value than the size obtained at (B), and hence the bogus warning
at the call to copy_from_user.
Fixed by extending the analyzer kernel plugin to "teach" it that
__check_object_size has no side effects.
gcc/testsuite/ChangeLog:
PR analyzer/112927
* gcc.dg/plugin/analyzer_kernel_plugin.c
(class known_function___check_object_size): New.
(kernel_analyzer_init_cb): Register it.
* gcc.dg/plugin/plugin.exp: Add taint-pr112927.c.
* gcc.dg/plugin/taint-pr112927.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
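As an added example (not the kernel's code and not the patch's own test), a userspace stand-in for the ipmi_devintf.c pattern quoted in the commit message, with constructed stubs for __check_object_size and copy_from_user, showing that the bound check at (A) is what limits the size that reaches copy_from_user at (B); the macro names, the struct and the driver function are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#define IPMI_MAX_MSG_LENGTH 272   /* the bound used at (A); macro name assumed */
#define EMSGSIZE_VAL 90           /* the 90 behind "return -90" at (A); constructed */

struct user_msg {
    size_t data_len;              /* user-controlled, i.e. tainted, size */
    const unsigned char *data;
};

/* Stub for the kernel's __check_object_size(): it only inspects its arguments
   and writes to nothing, which is the property the plugin now models
   (constructed stand-in, not the kernel's implementation). */
static void __check_object_size(const void *ptr, size_t n) { (void)ptr; (void)n; }

/* Stub for copy_from_user(): returns the number of bytes not copied. */
static size_t copy_from_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* The (A)/(B) pattern: 0 on success, -EMSGSIZE_VAL when the user-supplied
   length exceeds the destination buffer. */
int handle_msg(const struct user_msg *msg, unsigned char to[IPMI_MAX_MSG_LENGTH])
{
    size_t n;
    /* (A): sanitize the tainted size before any use. */
    if (msg->data_len > IPMI_MAX_MSG_LENGTH)
        return -EMSGSIZE_VAL;
    /* (B): the same sanitized value reaches the copy, because
       __check_object_size() cannot have changed msg->data_len. */
    n = msg->data_len;
    __check_object_size(to, n);
    if (copy_from_user(to, msg->data, n))
        return -1;
    return 0;
}

/* Constructed driver: builds a message of the given length and returns
   handle_msg()'s result, or -3 if the copied bytes do not match the source. */
int run_with_len(size_t len)
{
    unsigned char src[512], dst[IPMI_MAX_MSG_LENGTH];
    struct user_msg msg = { len, src };
    if (len > sizeof src) return -2;
    for (size_t i = 0; i < len; i++) src[i] = (unsigned char)i;
    int rc = handle_msg(&msg, dst);
    if (rc == 0 && memcmp(src, dst, len) != 0) return -3;
    return rc;
}
```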
Files changed:
- gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c: 18 additions, 0 deletions
- gcc/testsuite/gcc.dg/plugin/plugin.exp: 2 additions, 1 deletion
- gcc/testsuite/gcc.dg/plugin/taint-pr112927.c: 49 additions, 0 deletions