https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112975
Bug ID: 112975
Summary: -Wanalyzer-tainted-allocation-size false positive seen in Linux kernel's drivers/xen/privcmd.c
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Blocks: 106358
Target Milestone: ---

In file included from drivers/xen/privcmd.c:15:
In function ‘kcalloc’,
    inlined from ‘privcmd_ioctl_dm_op’ at drivers/xen/privcmd.c:640:10:
./include/linux/slab.h:645:16: warning: use of attacker-controlled value as allocation size without upper-bounds checking [CWE-789] [-Wanalyzer-tainted-allocation-size]
  645 |         return kmalloc_array(n, size, flags | __GFP_ZERO);
      |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘privcmd_ioctl’: events 1-4
    |
    |drivers/xen/privcmd.c:834:13:
    |  834 | static long privcmd_ioctl(struct file *file,
    |      |             ^~~~~~~~~~~~~
    |      |             |
    |      |             (1) entry to ‘privcmd_ioctl’
    |......
    |  840 |         switch (cmd) {
    |      |         ~~~~~~
    |      |         |
    |      |         (2) following ‘case 1069061:’ branch...
    |......
    |  857 |         case IOCTL_PRIVCMD_DM_OP:
    |      |         ~~~~
    |      |         |
    |      |         (3) ...to here
    |  858 |                 ret = privcmd_ioctl_dm_op(file, udata);
    |      |                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                       |
    |      |                       (4) calling ‘privcmd_ioctl_dm_op’ from ‘privcmd_ioctl’
    |
    +--> ‘privcmd_ioctl_dm_op’: events 5-12
           |
           |  615 | static long privcmd_ioctl_dm_op(struct file *file, void __user *udata)
           |      |             ^~~~~~~~~~~~~~~~~~~
           |      |             |
           |      |             (5) entry to ‘privcmd_ioctl_dm_op’
           |......
           |  627 |         if (copy_from_user(&kdata, udata, sizeof(kdata)))
           |      |            ~
           |      |            |
           |      |            (6) following ‘false’ branch (when ‘n == 0’)...
           |......
           |  631 |         if (data->domid != DOMID_INVALID && data->domid != kdata.dom)
           |      |         ~~
           |      |         |
           |      |         (7) ...to here
           |......
           |  634 |         if (kdata.num == 0)
           |      |            ~
           |      |            |
           |      |            (8) following ‘false’ branch...
           |......
           |  637 |         if (kdata.num > privcmd_dm_op_max_num)
           |      |         ~~ ~
           |      |         |  |
           |      |         |  (10) following ‘false’ branch...
           |      |         (9) ...to here
           |......
           |  640 |         kbufs = kcalloc(kdata.num, sizeof(*kbufs), GFP_KERNEL);
           |      |         ~~~~~   ~
           |      |         |       |
           |      |         |       (12) inlined call to ‘kcalloc’ from ‘privcmd_ioctl_dm_op’
           |      |         (11) ...to here
           |
           +--> ‘kcalloc’: event 13
                  |
                  |./include/linux/slab.h:645:16:
                  |  645 |         return kmalloc_array(n, size, flags | __GFP_ZERO);
                  |      |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |                |
                  |      |                (13) use of attacker-controlled value as allocation size without upper-bounds checking
                  |

...when the value is checked at (10).

Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer
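The following is an added example, not code from the bug report or from the Linux kernel. It is a user-space C model of the validation that precedes the kcalloc() call in privcmd_ioctl_dm_op(), with the upper-bound check from event (10) in the trace, placed beside the unbounded variant that -Wanalyzer-tainted-allocation-size is meant to catch (CWE-789). It does not attempt to reproduce the analyzer's false positive; it only shows the two shapes the warning is supposed to distinguish. The struct layouts, the helper model_copy_from_user(), the limit of 16, the errno values chosen for the rejection paths and the sample inputs are all this example's own assumptions.

```c
/* Added example (not from the bug report or the kernel): user-space model of
 * the checks before kcalloc() in privcmd_ioctl_dm_op(), beside the unbounded
 * variant that -Wanalyzer-tainted-allocation-size targets.
 * ASSUMPTIONS: the struct layouts, model_copy_from_user(), the return codes
 * on the rejection paths and the constructed inputs are this example's own. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the kernel's privcmd_dm_op / privcmd_dm_op_buf
 * (assumption: user pointers are carried as plain 64-bit integers). */
struct privcmd_dm_op {
    uint16_t dom;
    uint16_t num;      /* attacker-controlled element count */
    uint64_t ubufs;    /* user pointer to the buffer descriptors */
};

struct privcmd_dm_op_buf {
    uint64_t uptr;
    size_t size;
};

/* Stand-in for copy_from_user(): the "user" buffer is a constructed
 * in-process buffer of 'avail' bytes. Returns 0 on success, otherwise the
 * number of bytes not copied, mirroring the kernel helper's contract. */
static unsigned long model_copy_from_user(void *to, const void *from,
                                          size_t n, size_t avail)
{
    if (from == NULL || n > avail)
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Bounded path, following the trace's events (6), (8), (10) and (11): a
 * failed copy, a zero count and a count above max_num never reach the
 * allocation. Returns the element count allocated (0 for num == 0, with no
 * allocation) or a negative errno. */
static long dm_op_alloc_bufs(const void *udata, size_t ulen, unsigned int max_num,
                             struct privcmd_dm_op_buf **out)
{
    struct privcmd_dm_op kdata;

    *out = NULL;
    if (model_copy_from_user(&kdata, udata, sizeof(kdata), ulen))
        return -EFAULT;
    if (kdata.num == 0)
        return 0;
    if (kdata.num > max_num)          /* the upper bound checked at event (10) */
        return -E2BIG;

    *out = calloc(kdata.num, sizeof(**out));   /* kcalloc() in the kernel */
    if (*out == NULL)
        return -ENOMEM;
    return kdata.num;
}

/* Unbounded variant: the attacker-controlled count flows straight into the
 * allocation size. This is the CWE-789 shape the warning is for; here the
 * damage is limited only by the 16-bit type of num. */
static long dm_op_alloc_bufs_unchecked(const void *udata, size_t ulen,
                                       struct privcmd_dm_op_buf **out)
{
    struct privcmd_dm_op kdata;

    *out = NULL;
    if (model_copy_from_user(&kdata, udata, sizeof(kdata), ulen))
        return -EFAULT;
    if (kdata.num == 0)
        return 0;

    *out = calloc(kdata.num, sizeof(**out));   /* no upper bound on num */
    if (*out == NULL)
        return -ENOMEM;
    return kdata.num;
}

int main(void)
{
    /* Constructed "user" inputs: a sane request and a maximal count. */
    struct privcmd_dm_op ok  = { .dom = 7, .num = 3,     .ubufs = 0 };
    struct privcmd_dm_op big = { .dom = 7, .num = 65535, .ubufs = 0 };
    struct privcmd_dm_op_buf *bufs;
    long r;

    r = dm_op_alloc_bufs(&ok, sizeof(ok), 16, &bufs);
    printf("bounded,   num=3:     %ld elements\n", r);
    free(bufs);
    r = dm_op_alloc_bufs(&big, sizeof(big), 16, &bufs);
    printf("bounded,   num=65535: %ld (-E2BIG is %d)\n", r, -E2BIG);
    r = dm_op_alloc_bufs_unchecked(&big, sizeof(big), &bufs);
    printf("unbounded, num=65535: %ld elements allocated\n", r);
    free(bufs);
    return 0;
}
```

Build and run with `cc -std=c11 -Wall example.c && ./a.out`. The bounded function is the pattern the kernel code follows: the count is rejected before the multiplication inside the allocator is ever reached, which is why a warning on that path is a false positive; the unchecked function is what the diagnostic text describes.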