https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974
            Bug ID: 112974
           Summary: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 106358
  Target Milestone: ---

drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c: In function ‘isst_if_get_tpmi_instance_count’:
drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c:1118:47: warning: use of attacker-controlled value as offset without upper-bounds checking [CWE-823] [-Wanalyzer-tainted-offset]
 1118 |         tpmi_inst.count = isst_common.sst_inst[tpmi_inst.socket_id]->number_of_power_domains;
      |                           ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
  ‘isst_if_get_tpmi_instance_count’: events 1-5
    |
    | 1112 |         if (copy_from_user(&tpmi_inst, argp, sizeof(tpmi_inst)))
    |      |            ^
    |      |            |
    |      |            (1) following ‘false’ branch (when ‘n == 0’)...
    |......
    | 1115 |         if (tpmi_inst.socket_id >= topology_max_packages())
    |      |         ~~ ~
    |      |         |  |
    |      |         |  (3) following ‘false’ branch...
    |      |         (2) ...to here
    |......
    | 1118 |         tpmi_inst.count = isst_common.sst_inst[tpmi_inst.socket_id]->number_of_power_domains;
    |      |         ~~~~~~~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |                                     |
    |      |         (4) ...to here                        (5) use of attacker-controlled value as offset without upper-bounds checking
    |

Value is sanitized at (3); am about to attach a reduced reproducer.

Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer
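
The check-then-index shape that events (1) to (5) trace, as an added userspace model. It is not the kernel source and not the reduced reproducer mentioned in the report. The struct layouts, field types, error codes, table contents and the helper names copy_in, max_packages and get_instance_count are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins: field types and layout are assumptions. */
struct tpmi_inst_count { unsigned char socket_id; unsigned char count; };
struct sst_inst { int number_of_power_domains; };

#define MAX_PACKAGES 2 /* constructed value */
static struct sst_inst pkg0 = { 3 }, pkg1 = { 5 }; /* constructed data */
static struct sst_inst *sst_inst_tbl[MAX_PACKAGES] = { &pkg0, &pkg1 };

/* Models topology_max_packages(): the bound compared against at event (3). */
static unsigned int max_packages(void) { return MAX_PACKAGES; }

/* Models copy_from_user(): returns the number of bytes NOT copied,
 * so 0 means success. Everything it writes to dst is untrusted. */
static unsigned long copy_in(void *dst, const void *src, size_t n)
{
    if (!src)
        return n;
    memcpy(dst, src, n);
    return 0;
}

/* Returns the power-domain count, or a negative errno (assumed codes). */
int get_instance_count(const void *argp)
{
    struct tpmi_inst_count req;

    if (copy_in(&req, argp, sizeof(req)))   /* event (1): req is tainted */
        return -EFAULT;

    /* Events (2)-(3): socket_id is unsigned in this model, so a single
     * upper-bound comparison confines it to [0, max_packages()). A signed
     * index would also need a lower-bound check. */
    if (req.socket_id >= max_packages())
        return -EINVAL;

    /* Events (4)-(5): the index is only used after the check above. */
    req.count = (unsigned char)
        sst_inst_tbl[req.socket_id]->number_of_power_domains;
    return req.count;
}
```
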