[pushed] analyzer kernel plugin: implement __check_object_size [PR112927]
Checks
Commit Message
PR analyzer/112927 reports a false positive from -Wanalyzer-tainted-size
seen on the Linux kernel's drivers/char/ipmi/ipmi_devintf.c with the
analyzer kernel plugin.
The issue is that in:
(A):
if (msg->data_len > 272) {
return -90;
}
(B):
n = msg->data_len;
__check_object_size(to, n);
n = copy_from_user(to, from, n);
the analyzer is treating __check_object_size as having arbitrary side
effects, and, in particular could modify msg->data_len. Hence the
sanitization that occurs at (A) above is treated as being for a
different value than the size obtained at (B), hence the bogus warning
at the call to copy_from_user.
Fixed by extending the analyzer kernel plugin to "teach" it that
__check_object_size has no side effects.
Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Successful run of analyzer integration tests on x86_64-pc-linux-gnu.
Pushed to trunk as r14-8390-gb6e537571c21d8.
gcc/testsuite/ChangeLog:
PR analyzer/112927
* gcc.dg/plugin/analyzer_kernel_plugin.c
(class known_function___check_object_size): New.
(kernel_analyzer_init_cb): Register it.
* gcc.dg/plugin/plugin.exp: Add taint-pr112927.c.
* gcc.dg/plugin/taint-pr112927.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---
.../gcc.dg/plugin/analyzer_kernel_plugin.c | 18 +++++++
gcc/testsuite/gcc.dg/plugin/plugin.exp | 3 +-
gcc/testsuite/gcc.dg/plugin/taint-pr112927.c | 49 +++++++++++++++++++
3 files changed, 69 insertions(+), 1 deletion(-)
create mode 100644 gcc/testsuite/gcc.dg/plugin/taint-pr112927.c
@@ -209,6 +209,22 @@ public:
}
};
+/* Implementation of "__check_object_size". */
+
+class known_function___check_object_size : public known_function
+{
+ public:
+ bool matches_call_types_p (const call_details &cd) const final override
+ {
+ return cd.num_args () == 2;
+ }
+
+ void impl_call_pre (const call_details &) const final override
+ {
+ /* No-op. */
+ }
+};
+
/* Callback handler for the PLUGIN_ANALYZER_INIT event. */
static void
@@ -224,6 +240,8 @@ kernel_analyzer_init_cb (void *gcc_data, void */*user_data*/)
make_unique<known_function_copy_from_user> ());
iface->register_known_function ("copy_to_user",
make_unique<known_function_copy_to_user> ());
+ iface->register_known_function ("__check_object_size",
+ make_unique<known_function___check_object_size> ());
}
} // namespace ana
@@ -169,7 +169,8 @@ set plugin_test_list [list \
taint-pr112850.c \
taint-pr112850-precise.c \
taint-pr112850-too-complex.c \
- taint-pr112850-unsanitized.c } \
+ taint-pr112850-unsanitized.c \
+ taint-pr112927.c } \
{ analyzer_cpython_plugin.c \
cpython-plugin-test-no-Python-h.c \
cpython-plugin-test-PyList_Append.c \
new file mode 100644
@@ -0,0 +1,49 @@
+/* Reduced from false positive in Linux kernel
+ in drivers/char/ipmi/ipmi_devintf.c. */
+
+/* { dg-do compile } */
+/* { dg-options "-fanalyzer -O2 -Wno-attributes" } */
+/* { dg-require-effective-target analyzer } */
+
+typedef __SIZE_TYPE__ size_t;
+extern void
+__check_object_size(const void* ptr, unsigned long n);
+
+extern unsigned long
+copy_from_user(void*, const void*, unsigned long);
+
+__attribute__((__always_inline__)) unsigned long
+call_copy_from_user(void* to, const void* from, unsigned long n)
+{
+ __check_object_size(to, n);
+ n = copy_from_user(to, from, n); /* { dg-bogus "use of attacker-controlled value as size without upper-bounds checking" } */
+ return n;
+}
+struct ipmi_msg
+{
+ unsigned short data_len;
+ unsigned char* data;
+};
+
+static int
+handle_send_req(struct ipmi_msg* msg)
+{
+ char buf[273];
+ if (msg->data_len > 272) {
+ return -90;
+ }
+ if (call_copy_from_user(buf, msg->data, msg->data_len)) {
+ return -14;
+ }
+ return 0;
+}
+long
+ipmi_ioctl(void* arg)
+{
+ struct ipmi_msg msg;
+ if (call_copy_from_user(&msg, arg, sizeof(msg))) {
+ return -14;
+ }
+
+ return handle_send_req(&msg);
+}