[pushed] analyzer: avoid taint for (TAINTED % NON_TAINTED)
Checks
Commit Message
Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk as r14-6349-g0bef72539e585d.
gcc/analyzer/ChangeLog:
* sm-taint.cc (taint_state_machine::alt_get_inherited_state): Fix
handling of TRUNC_MOD_EXPR.
gcc/testsuite/ChangeLog:
* c-c++-common/analyzer/taint-modulus-1.c: New test.
---
gcc/analyzer/sm-taint.cc | 9 ++++++++-
gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c | 8 ++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
create mode 100644 gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c
@@ -891,7 +891,6 @@ taint_state_machine::alt_get_inherited_state (const sm_state_map &map,
case MULT_EXPR:
case POINTER_PLUS_EXPR:
case TRUNC_DIV_EXPR:
- case TRUNC_MOD_EXPR:
{
state_t arg0_state = map.get_state (arg0, ext_state);
state_t arg1_state = map.get_state (arg1, ext_state);
@@ -899,6 +898,14 @@ taint_state_machine::alt_get_inherited_state (const sm_state_map &map,
}
break;
+ case TRUNC_MOD_EXPR:
+ {
+ /* The left-hand side of X % Y can be sanitized by
+ the operation. */
+ return map.get_state (arg1, ext_state);
+ }
+ break;
+
case BIT_AND_EXPR:
case RSHIFT_EXPR:
return NULL;
new file mode 100644
@@ -0,0 +1,8 @@
+#define SIZE 16
+char buf[SIZE];
+
+__attribute__ ((tainted_args))
+char test_sanitized_by_modulus (int val)
+{
+ return buf[val % SIZE]; /* { dg-bogus "use of attacker-controlled value" } */
+}