From b6e537571c21d8f0bc276d7afa156d6d4a54a1c9 Mon Sep 17 00:00:00 2001
From: David Malcolm <dmalcolm@redhat.com>
Date: Wed, 24 Jan 2024 10:11:09 -0500
Subject: [PATCH] analyzer kernel plugin: implement __check_object_size
 [PR112927]

PR analyzer/112927 reports a false positive from -Wanalyzer-tainted-size
seen on the Linux kernel's drivers/char/ipmi/ipmi_devintf.c with the
analyzer kernel plugin.

The issue is that in:

(A):
  if (msg->data_len > 272) {
    return -90;
  }

(B):
  n = msg->data_len;
  __check_object_size(to, n);
  n = copy_from_user(to, from, n);

the analyzer is treating __check_object_size as having arbitrary side
effects, and, in particular could modify msg->data_len.  Hence the
sanitization that occurs at (A) above is treated as being for a
different value than the size obtained at (B), hence the bogus warning
at the call to copy_from_user.

Fixed by extending the analyzer kernel plugin to "teach" it that
__check_object_size has no side effects.

gcc/testsuite/ChangeLog:
	PR analyzer/112927
	* gcc.dg/plugin/analyzer_kernel_plugin.c
	(class known_function___check_object_size): New.
	(kernel_analyzer_init_cb): Register it.
	* gcc.dg/plugin/plugin.exp: Add taint-pr112927.c.
	* gcc.dg/plugin/taint-pr112927.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---
 .../gcc.dg/plugin/analyzer_kernel_plugin.c    | 18 +++++++
 gcc/testsuite/gcc.dg/plugin/plugin.exp        |  3 +-
 gcc/testsuite/gcc.dg/plugin/taint-pr112927.c  | 49 +++++++++++++++++++
 3 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/gcc.dg/plugin/taint-pr112927.c

diff --git a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
index 02dba7a3234d..5a32f8cc620a 100644
--- a/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
+++ b/gcc/testsuite/gcc.dg/plugin/analyzer_kernel_plugin.c
@@ -209,6 +209,22 @@ public:
   }
 };
 
+/* Implementation of "__check_object_size".  */
+  
+class known_function___check_object_size : public known_function
+{
+ public:
+  bool matches_call_types_p (const call_details &cd) const final override
+  {
+    return cd.num_args () == 2;
+  }
+
+  void impl_call_pre (const call_details &) const final override
+  {
+    /* No-op.  */
+  }
+};
+
 /* Callback handler for the PLUGIN_ANALYZER_INIT event.  */
 
 static void
@@ -224,6 +240,8 @@ kernel_analyzer_init_cb (void *gcc_data, void */*user_data*/)
      make_unique<known_function_copy_from_user> ());
   iface->register_known_function ("copy_to_user",
 				  make_unique<known_function_copy_to_user> ());
+  iface->register_known_function ("__check_object_size",
+				  make_unique<known_function___check_object_size> ());
 }
 
 } // namespace ana
diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp
index b3782f9c5754..a5a72daac1a5 100644
--- a/gcc/testsuite/gcc.dg/plugin/plugin.exp
+++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp
@@ -169,7 +169,8 @@ set plugin_test_list [list \
 	  taint-pr112850.c \
 	  taint-pr112850-precise.c \
 	  taint-pr112850-too-complex.c \
-	  taint-pr112850-unsanitized.c } \
+	  taint-pr112850-unsanitized.c \
+	  taint-pr112927.c } \
     { analyzer_cpython_plugin.c \
 	  cpython-plugin-test-no-Python-h.c \
 	  cpython-plugin-test-PyList_Append.c \
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
new file mode 100644
index 000000000000..9c3f7ab67086
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
@@ -0,0 +1,49 @@
+/* Reduced from false positive in Linux kernel
+   in drivers/char/ipmi/ipmi_devintf.c.  */
+
+/* { dg-do compile } */
+/* { dg-options "-fanalyzer -O2 -Wno-attributes" } */
+/* { dg-require-effective-target analyzer } */
+
+typedef __SIZE_TYPE__ size_t;
+extern void
+__check_object_size(const void* ptr, unsigned long n);
+
+extern unsigned long
+copy_from_user(void*, const void*, unsigned long);
+
+__attribute__((__always_inline__)) unsigned long
+call_copy_from_user(void* to, const void* from, unsigned long n)
+{
+  __check_object_size(to, n);
+  n = copy_from_user(to, from, n); /* { dg-bogus "use of attacker-controlled value as size without upper-bounds checking" } */
+  return n;
+}
+struct ipmi_msg
+{
+  unsigned short data_len;
+  unsigned char* data;
+};
+
+static int
+handle_send_req(struct ipmi_msg* msg)
+{
+  char buf[273];
+  if (msg->data_len > 272) {
+    return -90;
+  }
+  if (call_copy_from_user(buf, msg->data, msg->data_len)) {
+    return -14;
+  }
+  return 0;
+}
+long
+ipmi_ioctl(void* arg)
+{
+  struct ipmi_msg msg;
+  if (call_copy_from_user(&msg, arg, sizeof(msg))) {
+    return -14;
+  }
+
+  return handle_send_req(&msg);
+}
-- 
GitLab