From 708646de75cba2e3855bde09d21816ca66239a67 Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Thu, 10 Mar 2022 09:02:18 -0500 Subject: [PATCH] analyzer: fix duplicates in check_for_tainted_size_arg gcc/analyzer/ChangeLog: * sm-taint.cc (taint_state_machine::check_for_tainted_size_arg): Avoid generating duplicate saved_diagnostics by only handling the rdwr_map entry for the ptrarg, not the duplicate entry for the sizarg. gcc/testsuite/ChangeLog: * gcc.dg/analyzer/taint-size-access-attr-1.c: Add -fanalyzer-show-duplicate-count to options; verify that a duplicate was not created for the tainted size. Signed-off-by: David Malcolm --- gcc/analyzer/sm-taint.cc | 4 ++++ gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c | 7 ++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc index c7b2832..a13c2fe 100644 --- a/gcc/analyzer/sm-taint.cc +++ b/gcc/analyzer/sm-taint.cc @@ -904,6 +904,10 @@ taint_state_machine::check_for_tainted_size_arg (sm_context *sm_ctxt, if (!access) continue; + /* Ignore any duplicate entry in the map for the size argument. */ + if (access->ptrarg != argno) + continue; + if (access->sizarg == UINT_MAX) continue; diff --git a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c index 724679a..7d243a9 100644 --- a/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c +++ b/gcc/testsuite/gcc.dg/analyzer/taint-size-access-attr-1.c @@ -1,8 +1,8 @@ /* Passing tainted sizes to external functions with attribute ((access)) with a size-index. */ -// TODO: remove need for this option: -/* { dg-additional-options "-fanalyzer-checker=taint" } */ +// TODO: remove need for the explicit taint option: +/* { dg-additional-options "-fanalyzer-checker=taint -fanalyzer-show-duplicate-count" } */ #include "analyzer-decls.h" #include 
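Review bot: The new guard `if (access->ptrarg != argno) continue;` relies on an invariant the added comment does not state: that the rdwr_map holds the same access record under two keys, the pointer-argument index and the size-argument index, so an entry reached through the size index has a ptrarg that differs from the current argno. That is presumably how the map is populated, but a reader of this loop cannot see it, so I would expand the comment to `/* Each access attribute is registered in the map under both its ptrarg and its sizarg; only handle the entry keyed by the ptrarg so the tainted-size diagnostic is emitted once per attribute.  */`. If an entry could ever be keyed only by its size argument, this guard would suppress the diagnostic for it rather than deduplicate it, which is worth confirming against the code that fills the map. check_for_tainted_size_arg begins before and continues past this hunk.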
@@ -27,7 +27,8 @@ void test_fn_read_only (FILE *f, void *p) __analyzer_dump_state ("taint", tmp.sz); /* { dg-warning "state: 'tainted'" } */ /* { dg-message "\\(\[0-9\]+\\) \\.\\.\\.to here" "event: to here" { target *-*-* } .-1 } */ - extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp.sz' as size without upper-bounds checking" } */ + extern_fn_read_only (p, tmp.sz); /* { dg-warning "use of attacker-controlled value 'tmp.sz' as size without upper-bounds checking" "warning" } */ + /* { dg-bogus "duplicate" "duplicate" { target *-*-* } .-1 } */ } } -- 2.7.4
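Review bot: The `dg-bogus "duplicate"` line added under the `extern_fn_read_only` call pins the deduplication only for the read-only variant; the hunk header names `test_fn_read_only`, which suggests sibling functions for the other access kinds exist in this file, and their tainted-size warnings would still accept a duplicate silently. If they do exist, anchoring the same `/* { dg-bogus "duplicate" "duplicate" { target *-*-* } .-1 } */` under each of those dg-warning lines would make the regression test cover every rdwr_map entry shape the fix touches. The enclosing function test_fn_read_only starts before this hunk.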