https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106229
Bug ID: 106229
Summary: False positives from -Wanalyzer-tainted-array-index
with unsigned char index
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
Consider:
struct s_12
{
unsigned char idx;
char buf[256];
};
char __attribute__((tainted_args))
test_12(struct s_12 s)
{
return s.buf[s.idx];
}
Currently with trunk and gcc 12 this gives:
<source>: In function 'test_12':
<source>:10:15: warning: use of attacker-controlled value 's.idx' in array
lookup without bounds checking [CWE-129] [-Wanalyzer-tainted-array-index]
10 | return s.buf[s.idx];
| ~~~~~^~~~~~~
'test_12': event 1
|
| 8 | test_12(struct s_12 s)
| | ^~~~~~~
| | |
| | (1) function 'test_12' marked with '__attribute__((tainted_args))'
|
+--> 'test_12': events 2-3
|
| 8 | test_12(struct s_12 s)
| | ^~~~~~~
| | |
| | (2) entry to 'test_12'
| 9 | {
| 10 | return s.buf[s.idx];
| | ~~~~~~~~~~~~
| | |
| | (3) use of attacker-controlled value 's.idx'
in array lookup without bounds checking
https://godbolt.org/z/ozhWdb78G
However, given that s.idx is unsigned char, it must be within the valid range,
and so the warning is unhelpful.
See on Linux kernel in drivers/tty/vt/keyboard.c where ioctls use a
user-supplied index to access the key_maps array:
include/linux/keyboard.h:extern unsigned short *key_maps[MAX_NR_KEYMAPS];
include/uapi/linux/keyboard.h:#define MAX_NR_KEYMAPS 256
but the index is unsigned char, so must be within range.
