https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112927

            Bug ID: 112927
           Summary: -Wanalyzer-tainted-size false positive seen in Linux
                    kernel's drivers/char/ipmi/ipmi_devintf.c
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 106358
  Target Milestone: ---

Created attachment 56837
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56837&action=edit
Reduced reproducer

With the kernel plugin, this test erroneously reports:

In function 'call_copy_from_user',
    inlined from 'handle_send_req' at
gcc.dg/plugin/taint-drivers-char-ipmi-ipmi_devintf.c:35:7:
gcc.dg/plugin/taint-drivers-char-ipmi-ipmi_devintf.c:19:7: warning: use of
attacker-controlled value as size without upper-bounds checking [CWE-129]
[-Wanalyzer-tainted-size]
   19 |   n = copy_from_user(to, from, n); /* { dg-bogus "use of
attacker-controlled value as size without upper-bounds checking" } */
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~
  'ipmi_ioctl': events 1-4
    |
    |   41 | ipmi_ioctl(void* arg)
    |      | ^~~~~~~~~~
    |      | |
    |      | (1) entry to 'ipmi_ioctl'
    |......
    |   44 |   if (call_copy_from_user(&msg, arg, sizeof(msg))) {
    |      |      ~
    |      |      |
    |      |      (2) following 'false' branch (when 'n == 0')...
    |......
    |   48 |   return handle_send_req(&msg);
    |      |          ~~~~~~~~~~~~~~~~~~~~~
    |      |          |
    |      |          (3) ...to here
    |      |          (4) calling 'handle_send_req' from 'ipmi_ioctl'
    |
    +--> 'handle_send_req': events 5-8
           |
           |   29 | handle_send_req(struct ipmi_msg* msg)
           |      | ^~~~~~~~~~~~~~~
           |      | |
           |      | (5) entry to 'handle_send_req'
           |......
           |   32 |   if (msg->data_len > 272) {
           |      |      ~
           |      |      |
           |      |      (6) following 'false' branch...
           |......
           |   35 |   if (call_copy_from_user(buf, msg->data, msg->data_len)) {
           |      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |       |
           |      |       (7) ...to here
           |      |       (8) inlined call to 'call_copy_from_user' from
'handle_send_req'
           |
           +--> 'call_copy_from_user': event 9
                  |
                  |   19 |   n = copy_from_user(to, from, n); /* { dg-bogus
"use of attacker-controlled value as size without upper-bounds checking" } */
                  |      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |       |
                  |      |       (9) use of attacker-controlled value as size
without upper-bounds checking
                  |


despite the value being sanitized at event (6).
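
The pattern the trace describes, reconstructed below as an added stand-alone C example (this is not the attached reduced reproducer and not kernel code): the attacker-controlled `data_len` is bounded by the `> 272` check at event (6) before it reaches `copy_from_user`, so the size is sanitized and the copy cannot overrun `buf`. `copy_from_user` here is a host-side stand-in that mimics the kernel convention of returning the number of uncopied bytes; the macro name `IPMI_MAX_MSG_LENGTH` and the `send_len` test driver are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Upper bound from event (6) in the trace; the macro name is assumed. */
#define IPMI_MAX_MSG_LENGTH 272

struct ipmi_msg {
    size_t data_len;             /* attacker-controlled: copied in from the ioctl arg */
    const unsigned char *data;   /* user pointer to the message payload */
};

/* Host-side stand-in for the kernel's copy_from_user: copies n bytes and returns
 * the number of bytes NOT copied (0 on success); a NULL "user" pointer fails. */
static unsigned long copy_from_user(void *to, const void *from, unsigned long n)
{
    if (from == NULL)
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Mirrors the inlined helper from the trace, whose copy_from_user() call is the
 * one the analyzer flags even though n has already been bounded by the caller. */
static int call_copy_from_user(void *to, const void *from, unsigned long n)
{
    n = copy_from_user(to, from, n);
    return n ? -EFAULT : 0;
}

/* The '> IPMI_MAX_MSG_LENGTH' check is the sanitizer: after it, msg->data_len is
 * at most the size of buf, so using it as the copy size is within bounds. */
int handle_send_req(const struct ipmi_msg *msg)
{
    unsigned char buf[IPMI_MAX_MSG_LENGTH];
    if (msg->data_len > IPMI_MAX_MSG_LENGTH)
        return -EMSGSIZE;                 /* event (6): oversized length rejected */
    if (call_copy_from_user(buf, msg->data, msg->data_len))
        return -EFAULT;
    return (int)msg->data_len;            /* bytes accepted; a driver would now use buf */
}

/* Test driver (assumed): submit a request of 'len' bytes, optionally with a NULL
 * user pointer, and return handle_send_req's result. */
int send_len(size_t len, int null_user_ptr)
{
    static unsigned char payload[IPMI_MAX_MSG_LENGTH];
    struct ipmi_msg msg = { len, null_user_ptr ? NULL : payload };
    return handle_send_req(&msg);
}
```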


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with
-fanalyzer