https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112927
--- Comment #1 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by David Malcolm <dmalc...@gcc.gnu.org>:

https://gcc.gnu.org/g:b6e537571c21d8f0bc276d7afa156d6d4a54a1c9

commit r14-8390-gb6e537571c21d8f0bc276d7afa156d6d4a54a1c9
Author: David Malcolm <dmalc...@redhat.com>
Date:   Wed Jan 24 10:11:09 2024 -0500

    analyzer kernel plugin: implement __check_object_size [PR112927]

    PR analyzer/112927 reports a false positive from -Wanalyzer-tainted-size
    seen on the Linux kernel's drivers/char/ipmi/ipmi_devintf.c with the
    analyzer kernel plugin.

    The issue is that in:

    (A):
      if (msg->data_len > 272) {
        return -90;
      }

    (B):
      n = msg->data_len;
      __check_object_size(to, n);
      n = copy_from_user(to, from, n);

    the analyzer is treating __check_object_size as having arbitrary side
    effects, and, in particular, could modify msg->data_len. Hence the
    sanitization that occurs at (A) above is treated as being for a
    different value than the size obtained at (B), hence the bogus warning
    at the call to copy_from_user.

    Fixed by extending the analyzer kernel plugin to "teach" it that
    __check_object_size has no side effects.

    gcc/testsuite/ChangeLog:
            PR analyzer/112927
            * gcc.dg/plugin/analyzer_kernel_plugin.c
            (class known_function___check_object_size): New.
            (kernel_analyzer_init_cb): Register it.
            * gcc.dg/plugin/plugin.exp: Add taint-pr112927.c.
            * gcc.dg/plugin/taint-pr112927.c: New test.

    Signed-off-by: David Malcolm <dmalc...@redhat.com>
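The following is an added, user-space model of the check-then-copy pattern the commit message describes; it is not code from the GCC commit, the analyzer plugin, or the kernel. Everything prefixed "mock_" or "demo_" is an assumption for illustration: a copy_from_user stand-in that refuses to overrun its destination, and an optional "opaque" hook that runs between the size check and the copy. The real __check_object_size does not modify its arguments (that is exactly what the fix teaches the analyzer); the hostile hook here is hypothetical, and only shows why an analyzer that assumes arbitrary side effects must treat the re-read of msg->data_len at (B) as unsanitized. The second handler shows the code-side alternative: snapshot the length once, so the check and the copy provably refer to the same value whatever happens in between.

```c
/* Added example: model of the (A)/(B) pattern from PR analyzer/112927.
 * All mock_/demo_ names and the struct layout are assumptions, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MOCK_MAX_MSG_LENGTH 272      /* the bound used at (A) in the report */
#define MOCK_EFAULT   14
#define MOCK_EMSGSIZE 90             /* the -90 returned at (A) in the report */

struct mock_msg {
    unsigned int data_len;           /* attacker-influenced ("tainted") size */
    unsigned char *data;             /* "user" source pointer in this model */
};

/* Models a call the analyzer cannot see into. When non-NULL it runs between
 * the size check and the copy, so it is free to change data_len. */
typedef void (*mock_hook_fn)(struct mock_msg *msg);

/* Kernel-style copy_from_user: 0 on success, number of bytes NOT copied on
 * failure. Here "failure" is a request that would overrun the destination. */
static unsigned long mock_copy_from_user(void *to, size_t to_cap,
                                         const void *from, unsigned long n)
{
    if (n > to_cap)
        return n - to_cap;           /* refuse to overrun the destination */
    memcpy(to, from, n);
    return 0;
}

/* Variant 1: the kernel pattern. The check at (A) is on the field, the size
 * used at (B) is re-read from the field after an opaque call. Correct if the
 * call has no side effects, but an analyzer that does not know that must
 * assume data_len may have changed and flag the copy as tainted-size. */
static int handle_msg_reread(struct mock_msg *msg, mock_hook_fn opaque,
                             unsigned char *to, size_t to_cap)
{
    unsigned long n;
    if (msg->data_len > MOCK_MAX_MSG_LENGTH)
        return -MOCK_EMSGSIZE;       /* (A): sanitizing check on the field */
    if (opaque)
        opaque(msg);                 /* stands in for __check_object_size */
    n = msg->data_len;               /* (B): value re-read from the field */
    if (mock_copy_from_user(to, to_cap, msg->data, n))
        return -MOCK_EFAULT;
    return (int)n;
}

/* Variant 2: snapshot the length once. Check and copy both use the local,
 * so no side effect between them can desynchronize the two. */
static int handle_msg_snapshot(struct mock_msg *msg, mock_hook_fn opaque,
                               unsigned char *to, size_t to_cap)
{
    unsigned long n = msg->data_len; /* single read of the tainted field */
    if (n > MOCK_MAX_MSG_LENGTH)
        return -MOCK_EMSGSIZE;
    if (opaque)
        opaque(msg);                 /* may change msg->data_len; n is unaffected */
    if (mock_copy_from_user(to, to_cap, msg->data, n))
        return -MOCK_EFAULT;
    return (int)n;
}

/* Constructed hostile hook: grows the length after it has been checked. */
static void mock_grow_len(struct mock_msg *msg) { msg->data_len = 4096; }

/* Runs one handler on a constructed message; returns the handler's result. */
static int demo_run(unsigned int initial_len, mock_hook_fn hook, int use_snapshot)
{
    static unsigned char user_buf[4096];         /* constructed "user" source */
    unsigned char kbuf[MOCK_MAX_MSG_LENGTH];     /* destination sized to the bound */
    struct mock_msg msg = { .data_len = initial_len, .data = user_buf };
    return use_snapshot ? handle_msg_snapshot(&msg, hook, kbuf, sizeof kbuf)
                        : handle_msg_reread(&msg, hook, kbuf, sizeof kbuf);
}

int main(void)
{
    printf("reread,   no hook        : %d\n", demo_run(100, NULL, 0));
    printf("reread,   oversized input: %d\n", demo_run(300, NULL, 0));
    printf("reread,   hostile hook   : %d\n", demo_run(100, mock_grow_len, 0));
    printf("snapshot, hostile hook   : %d\n", demo_run(100, mock_grow_len, 1));
    return 0;
}
```

With no hook both handlers behave identically, which is the kernel's real situation once the plugin knows __check_object_size is side-effect free. Only with the hypothetical mutating hook does the re-read variant reach the copy with an unchecked size (caught here by the mock's capacity check, returning -MOCK_EFAULT), while the snapshot variant still copies the 100 bytes it checked. When a length must be read from memory another party can write to, the snapshot form is the one to prefer regardless of what the analyzer knows.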