https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112792
Bug ID: 112792 Summary: -Wanalyzer-out-of-bounds seen on Linux kernel with certain unions Product: gcc Version: unknown Status: UNCONFIRMED Severity: normal Priority: P3 Component: analyzer Assignee: dmalcolm at gcc dot gnu.org Reporter: dmalcolm at gcc dot gnu.org Blocks: 106358 Target Milestone: --- VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV typedef unsigned int u32; union msix_perm { struct { u32 rsvd2 : 8; u32 pasid : 20; }; u32 bits; } __attribute__((__packed__)); union msix_perm mperm; void idxd_device_set_perm_entry(u32 pasid) { mperm.pasid = pasid; } ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ False positive with -fanalyzer: t.c: In function ‘idxd_device_set_perm_entry’: t.c:14:15: warning: buffer overflow [CWE-787] [-Wanalyzer-out-of-bounds] 14 | mperm.pasid = pasid; | ~~~~~~~~~~~~^~~~~~~ event 1 | | 11 | union msix_perm mperm; | | ^~~~~ | | | | | (1) capacity: 4 bytes | +--> ‘idxd_device_set_perm_entry’: event 2 | | 14 | mperm.pasid = pasid; | | ~~~~~~~~~~~~^~~~~~~ | | | | | (2) out-of-bounds write at byte 4 but ‘mperm’ ends at byte 4 | t.c:14:15: note: write of 1 byte to beyond the end of ‘mperm’ ┌─────────────────────────────────────────┐ │ write from ‘pasid’ (type: ‘u32’) │ └─────────────────────────────────────────┘ │ │ v ┌──────────────────────────────────────────────────────────────────────┐ │ ‘mperm’ (type: ‘union msix_perm’) │ └──────────────────────────────────────────────────────────────────────┘ ├──────────────────────────────────┬───────────────────────────────────┤ │ ╭────────┴────────╮ │capacity: 4 bytes│ ╰─────────────────╯ Affects trunk: https://godbolt.org/z/oWoY7j6eY Affects 13.2: https://godbolt.org/z/vzdEbq6E1 (reduced from drivers/dma/idxd/device.c) Referenced Bugs: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358 [Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer