https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112792
Bug ID: 112792
Summary: -Wanalyzer-out-of-bounds seen on Linux kernel with
certain unions
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Blocks: 106358
Target Milestone: ---
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
typedef unsigned int u32;
union msix_perm {
struct {
u32 rsvd2 : 8;
u32 pasid : 20;
};
u32 bits;
} __attribute__((__packed__));
union msix_perm mperm;
void idxd_device_set_perm_entry(u32 pasid) {
mperm.pasid = pasid;
}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
False positive with -fanalyzer:
t.c: In function ‘idxd_device_set_perm_entry’:
t.c:14:15: warning: buffer overflow [CWE-787] [-Wanalyzer-out-of-bounds]
14 | mperm.pasid = pasid;
| ~~~~~~~~~~~~^~~~~~~
event 1
|
| 11 | union msix_perm mperm;
| | ^~~~~
| | |
| | (1) capacity: 4 bytes
|
+--> ‘idxd_device_set_perm_entry’: event 2
|
| 14 | mperm.pasid = pasid;
| | ~~~~~~~~~~~~^~~~~~~
| | |
| | (2) out-of-bounds write at byte 4 but ‘mperm’
ends at byte 4
|
t.c:14:15: note: write of 1 byte to beyond the end of ‘mperm’
┌─────────────────────────────────────────┐
│ write from ‘pasid’ (type: ‘u32’) │
└─────────────────────────────────────────┘
│
│
v
┌──────────────────────────────────────────────────────────────────────┐
│ ‘mperm’ (type: ‘union msix_perm’) │
└──────────────────────────────────────────────────────────────────────┘
├──────────────────────────────────┬───────────────────────────────────┤
│
╭────────┴────────╮
│capacity: 4 bytes│
╰─────────────────╯
Affects trunk: https://godbolt.org/z/oWoY7j6eY
Affects 13.2: https://godbolt.org/z/vzdEbq6E1
(reduced from drivers/dma/idxd/device.c)
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with
-fanalyzer
