https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103940
Bug ID: 103940
Summary: RFE: check -Wanalyzer-tainted-size on external fns with attribute ((access)) with a size-index
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
CC: msebor at gcc dot gnu.org
Target Milestone: ---

GCC 10 gained the "access" function and type attribute, which optionally can take a size-index param:
https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html

-fanalyzer in trunk (for GCC 12) has gained a -Wanalyzer-tainted-size to complain about attacker-controlled size values, but it's currently only used deep inside the region-model code when handling the hardcoded known behavior of certain functions (memset, IIRC).

Filing this as a reminder that we could probably also issue -Wanalyzer-tainted-size if an attacker-controlled value is passed without sanitization as a size to an access-annotated external function.

Martin: does this sound like a good idea?
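The call shape this request is about, as an added C example that is not part of the original report or of GCC's own code: a size taken from untrusted input reaches the size-index argument of an access-annotated function, shown beside the bounds-checked form. The names `checksum`, `struct msg`, `handle_unchecked` and `handle_checked` are hypothetical, and the message layout is constructed for illustration.

```c
#include <stddef.h>

#ifndef __has_attribute
#define __has_attribute(x) 0
#endif
#if __has_attribute(access)
/* access(read_only, 1, 2): argument 1 is read, argument 2 is its size (the size-index) */
#define READS_BUF __attribute__((access(read_only, 1, 2)))
#else
#define READS_BUF
#endif

/* Hypothetical library routine. In a real program only this declaration would be
   visible to the caller's translation unit; the body is here so the file links. */
READS_BUF unsigned checksum(const unsigned char *buf, size_t len);

unsigned checksum(const unsigned char *buf, size_t len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    return sum;
}

/* Constructed message format: len is supplied by the peer and is untrusted. */
struct msg { size_t len; unsigned char payload[16]; };

/* Unsanitized: m->len goes straight to the size-index argument. */
int handle_unchecked(const struct msg *m, unsigned *out)
{
    *out = checksum(m->payload, m->len);
    return 0;
}

/* Sanitized: the size is bounded by the real buffer before the call. */
int handle_checked(const struct msg *m, unsigned *out)
{
    if (m->len > sizeof m->payload)
        return -1;
    *out = checksum(m->payload, m->len);
    return 0;
}
```
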