[Bug analyzer/112974] New: -Wanalyzer-tainted-array-index false positive seen on Linux kernel drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c

[dmalcolm at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112974

            Bug ID: 112974
           Summary: -Wanalyzer-tainted-array-index false positive seen on
                    Linux kernel
                    drivers/platform/x86/intel/speed_select_if/isst_tpmi_c
                    ore.c
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dmalcolm at gcc dot gnu.org
            Blocks: 106358
  Target Milestone: ---

drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c: In function
‘isst_if_get_tpmi_instance_count’:
drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c:1118:47: warning:
use of attacker-controlled value as offset without upper-bounds checking
[CWE-823] [-Wanalyzer-tainted-offset]
 1118 |         tpmi_inst.count =
isst_common.sst_inst[tpmi_inst.socket_id]->number_of_power_domains;
      |                           ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
  ‘isst_if_get_tpmi_instance_count’: events 1-5
    |
    | 1112 |         if (copy_from_user(&tpmi_inst, argp, sizeof(tpmi_inst)))
    |      |            ^
    |      |            |
    |      |            (1) following ‘false’ branch (when ‘n == 0’)...
    |......
    | 1115 |         if (tpmi_inst.socket_id >= topology_max_packages())
    |      |         ~~ ~
    |      |         |  |
    |      |         |  (3) following ‘false’ branch...
    |      |         (2) ...to here
    |......
    | 1118 |         tpmi_inst.count =
isst_common.sst_inst[tpmi_inst.socket_id]->number_of_power_domains;
    |      |         ~~~~~~~~~        
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |                                     |
    |      |         (4) ...to here                        (5) use of
attacker-controlled value as offset without upper-bounds checking
    |

Value is sanitized at (3); am about to attach a reduced reproducer.


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with
-fanalyzer