From patchwork Thu Jul 21 01:41:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Li, Pan2 via Gcc-patches" X-Patchwork-Id: 88 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:e252:0:0:0:0:0 with SMTP id bl18csp1224810wrb; Wed, 20 Jul 2022 18:45:18 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vGR148Wg8VrlM1uc+RY3IvOxHYdhffyjpy4wFYO2529FPgO3UewxqFE8t90ohDeAAxR0tE X-Received: by 2002:a17:907:2c68:b0:72b:3a2c:e5b5 with SMTP id ib8-20020a1709072c6800b0072b3a2ce5b5mr37888124ejc.619.1658367918724; Wed, 20 Jul 2022 18:45:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658367918; cv=none; d=google.com; s=arc-20160816; b=DyKKE5oMYkOqUtVYHk3+DzZ683y+PyVKrpX7BF4Gq7ekSr5miNeWi2MLxWWqG36G9N Facl0J93MBKam9AZlSABFKFfBmNV+WiSfuHfb2Ce/mj/Q1G3dk6eb82zOq8jysnFvg75 kXfXsN1we/8vpxTvWWzJyJJKEwnTSxbINgg8EJyxQvniKXpKwu249XqQsjQcP3NIbR7Q ooiAvNnQZ9H+kQAUdmglVU0YmZKfAtwBoFtt7ny2ovO56dPVPRkvtSD4lHH8zGa8m63v w8Ol436VulUXIf4LLww330+c8fBquo1gYIsBY3Oj9/G0kq+J2rmEYYFDOsTYyQ3UOXKa pfUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:reply-to:from:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence :content-transfer-encoding:mime-version:message-id:date:subject:to :dmarc-filter:delivered-to:dkim-signature:dkim-filter; bh=aEeDER1MgWKPrEJ59+UeCIVhkWrtGi6H8+cTXGDhIWs=; b=GpszqfxjWQbVfiaE74qoIilMJ9u8XGgxPmizq5S/GcshnAZ553+7TyMVjTVprIIkWG mcst0exNuDqzSjgV2J9WydMU3Lv0sexRTzBcRbtmnSQwQCWGQGZjgb4uwhGjKmIu2anX Il4xxhrT9TZYyqfuQDbNrbdeoTNmThJ8gDtRAg4OoIhNrGcoqllj9z2ieZzQvOtFR8zV v9q2PrJAtbjF+PQDFmpMrqQVml2ZJO0ZsWrYsNdzydmd8VdqtX5etYF0F5I1QqEI2cbR ynkgE0E7EM28WjI9ZZhgEgxChhoRRtSjxlFSkkV7Od4PVCtIYxj3WioJ0EV0zChOG1xQ wqUg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gcc.gnu.org header.s=default header.b=t49o4No6; spf=pass (google.com: domain of gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org designates 8.43.85.97 as permitted sender) smtp.mailfrom="gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gnu.org Received: from sourceware.org (server2.sourceware.org. [8.43.85.97]) by mx.google.com with ESMTPS id i8-20020a0564020f0800b0043b9432b3a8si681428eda.141.2022.07.20.18.45.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Jul 2022 18:45:18 -0700 (PDT) Received-SPF: pass (google.com: domain of gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org designates 8.43.85.97 as permitted sender) client-ip=8.43.85.97; Authentication-Results: mx.google.com; dkim=pass header.i=@gcc.gnu.org header.s=default header.b=t49o4No6; spf=pass (google.com: domain of gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org designates 8.43.85.97 as permitted sender) smtp.mailfrom="gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gnu.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 98A78383543F for ; Thu, 21 Jul 2022 01:43:22 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 98A78383543F DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1658367802; bh=aEeDER1MgWKPrEJ59+UeCIVhkWrtGi6H8+cTXGDhIWs=; h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=t49o4No6JIhnkw1W0sr0RBG1uP92Rpe8097tFvRv6auY6Zig3UfAd3nbhP0CXnmu1 ZZNn9Xz0nwHSHis+0ydGAZaZM+dlyrgyn9yanE9UdkIzAogl0nSErvikbH/ww4yUTv rQa4bgUHgK1JxUnwXYcgy78Hl928EBK6jpCURcL4= X-Original-To: gcc-patches@gcc.gnu.org Delivered-To: gcc-patches@gcc.gnu.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 8B5B6383B7B5 for ; Thu, 21 Jul 2022 01:41:55 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 8B5B6383B7B5 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-482-ekMhv7x7OEehZ0p9wNEakA-1; Wed, 20 Jul 2022 21:41:47 -0400 X-MC-Unique: ekMhv7x7OEehZ0p9wNEakA-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6363D85A585 for ; Thu, 21 Jul 2022 01:41:47 +0000 (UTC) Received: from t14s.localdomain.com (unknown [10.2.16.236]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3CF1A18ECC; Thu, 21 Jul 2022 01:41:47 +0000 (UTC) To: gcc-patches@gcc.gnu.org Subject: [committed] analyzer: bulletproof taint warnings against NULL m_arg Date: Wed, 20 Jul 2022 21:41:45 -0400 Message-Id: <20220721014145.1506954-1-dmalcolm@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-11.9 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gcc-patches@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: David Malcolm via Gcc-patches From: "Li, Pan2 via Gcc-patches" Reply-To: David Malcolm Errors-To: gcc-patches-bounces+ouuuleilei=gmail.com@gcc.gnu.org Sender: "Gcc-patches" X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1738924798940345188?= X-GMAIL-MSGID: =?utf-8?q?1738924798940345188?= Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu. Pushed to trunk as r13-1774-g742377ed0f0931. gcc/analyzer/ChangeLog: * sm-taint.cc (tainted_array_index::emit): Bulletproof against NULL m_arg. (tainted_array_index::describe_final_event): Likewise. (tainted_size::emit): Likewise. (tainted_size::describe_final_event): Likewise. Signed-off-by: David Malcolm --- gcc/analyzer/sm-taint.cc | 247 ++++++++++++++++++++++++++------------- 1 file changed, 164 insertions(+), 83 deletions(-) diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc index 0486c01aaca..51bfe06835d 100644 --- a/gcc/analyzer/sm-taint.cc +++ b/gcc/analyzer/sm-taint.cc @@ -212,53 +212,96 @@ public: diagnostic_metadata m; /* CWE-129: "Improper Validation of Array Index". */ m.add_cwe (129); - switch (m_has_bounds) - { - default: - gcc_unreachable (); - case BOUNDS_NONE: - return warning_meta (rich_loc, m, get_controlling_option (), - "use of attacker-controlled value %qE" - " in array lookup without bounds checking", - m_arg); - break; - case BOUNDS_UPPER: - return warning_meta (rich_loc, m, get_controlling_option (), - "use of attacker-controlled value %qE" - " in array lookup without checking for negative", - m_arg); - break; - case BOUNDS_LOWER: - return warning_meta (rich_loc, m, get_controlling_option (), - "use of attacker-controlled value %qE" - " in array lookup without upper-bounds checking", - m_arg); - break; - } + if (m_arg) + switch (m_has_bounds) + { + default: + gcc_unreachable (); + case BOUNDS_NONE: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value %qE" + " in array lookup without bounds checking", + m_arg); + break; + case BOUNDS_UPPER: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value %qE" + " in array lookup without checking for negative", + m_arg); + break; + case BOUNDS_LOWER: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value %qE" + " in array lookup without upper-bounds checking", + m_arg); + break; + } + else + switch (m_has_bounds) + { + default: + gcc_unreachable (); + case BOUNDS_NONE: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value" + " in array lookup without bounds checking"); + break; + case BOUNDS_UPPER: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value" + " in array lookup without checking for" + " negative"); + break; + case BOUNDS_LOWER: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value" + " in array lookup without upper-bounds" + " checking"); + break; + } } label_text describe_final_event (const evdesc::final_event &ev) final override { - switch (m_has_bounds) - { - default: - gcc_unreachable (); - case BOUNDS_NONE: - return ev.formatted_print - ("use of attacker-controlled value %qE in array lookup" - " without bounds checking", - m_arg); - case BOUNDS_UPPER: - return ev.formatted_print - ("use of attacker-controlled value %qE" - " in array lookup without checking for negative", - m_arg); - case BOUNDS_LOWER: - return ev.formatted_print - ("use of attacker-controlled value %qE" - " in array lookup without upper-bounds checking", - m_arg); - } + if (m_arg) + switch (m_has_bounds) + { + default: + gcc_unreachable (); + case BOUNDS_NONE: + return ev.formatted_print + ("use of attacker-controlled value %qE in array lookup" + " without bounds checking", + m_arg); + case BOUNDS_UPPER: + return ev.formatted_print + ("use of attacker-controlled value %qE" + " in array lookup without checking for negative", + m_arg); + case BOUNDS_LOWER: + return ev.formatted_print + ("use of attacker-controlled value %qE" + " in array lookup without upper-bounds checking", + m_arg); + } + else + switch (m_has_bounds) + { + default: + gcc_unreachable (); + case BOUNDS_NONE: + return ev.formatted_print + ("use of attacker-controlled value in array lookup" + " without bounds checking"); + case BOUNDS_UPPER: + return ev.formatted_print + ("use of attacker-controlled value" + " in array lookup without checking for negative"); + case BOUNDS_LOWER: + return ev.formatted_print + ("use of attacker-controlled value" + " in array lookup without upper-bounds checking"); + } } }; @@ -394,50 +437,88 @@ public: { diagnostic_metadata m; m.add_cwe (129); - switch (m_has_bounds) - { - default: - gcc_unreachable (); - case BOUNDS_NONE: - return warning_meta (rich_loc, m, get_controlling_option (), - "use of attacker-controlled value %qE as size" - " without bounds checking", - m_arg); - break; - case BOUNDS_UPPER: - return warning_meta (rich_loc, m, get_controlling_option (), - "use of attacker-controlled value %qE as size" - " without lower-bounds checking", - m_arg); - break; - case BOUNDS_LOWER: - return warning_meta (rich_loc, m, get_controlling_option (), - "use of attacker-controlled value %qE as size" - " without upper-bounds checking", - m_arg); - break; - } + if (m_arg) + switch (m_has_bounds) + { + default: + gcc_unreachable (); + case BOUNDS_NONE: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value %qE as size" + " without bounds checking", + m_arg); + break; + case BOUNDS_UPPER: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value %qE as size" + " without lower-bounds checking", + m_arg); + break; + case BOUNDS_LOWER: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value %qE as size" + " without upper-bounds checking", + m_arg); + break; + } + else + switch (m_has_bounds) + { + default: + gcc_unreachable (); + case BOUNDS_NONE: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value as size" + " without bounds checking"); + break; + case BOUNDS_UPPER: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value as size" + " without lower-bounds checking"); + break; + case BOUNDS_LOWER: + return warning_meta (rich_loc, m, get_controlling_option (), + "use of attacker-controlled value as size" + " without upper-bounds checking"); + break; + } } label_text describe_final_event (const evdesc::final_event &ev) final override { - switch (m_has_bounds) - { - default: - gcc_unreachable (); - case BOUNDS_NONE: - return ev.formatted_print ("use of attacker-controlled value %qE" - " as size without bounds checking", - m_arg); - case BOUNDS_UPPER: - return ev.formatted_print ("use of attacker-controlled value %qE" - " as size without lower-bounds checking", - m_arg); - case BOUNDS_LOWER: - return ev.formatted_print ("use of attacker-controlled value %qE" - " as size without upper-bounds checking", - m_arg); - } + if (m_arg) + switch (m_has_bounds) + { + default: + gcc_unreachable (); + case BOUNDS_NONE: + return ev.formatted_print ("use of attacker-controlled value %qE" + " as size without bounds checking", + m_arg); + case BOUNDS_UPPER: + return ev.formatted_print ("use of attacker-controlled value %qE" + " as size without lower-bounds checking", + m_arg); + case BOUNDS_LOWER: + return ev.formatted_print ("use of attacker-controlled value %qE" + " as size without upper-bounds checking", + m_arg); + } + else + switch (m_has_bounds) + { + default: + gcc_unreachable (); + case BOUNDS_NONE: + return ev.formatted_print ("use of attacker-controlled value" + " as size without bounds checking"); + case BOUNDS_UPPER: + return ev.formatted_print ("use of attacker-controlled value" + " as size without lower-bounds checking"); + case BOUNDS_LOWER: + return ev.formatted_print ("use of attacker-controlled value" + " as size without upper-bounds checking"); + } } };