https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112977
Bug ID: 112977
Summary: -Wanalyzer-tainted-offset false positive seen on Linux kernel's drivers/scsi/aacraid/aachba.c
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Blocks: 106358
Target Milestone: ---

drivers/scsi/aacraid/aachba.c: In function ‘force_delete_disk’:
drivers/scsi/aacraid/aachba.c:3307:36: warning: use of attacker-controlled value as offset without upper-bounds checking [CWE-823] [-Wanalyzer-tainted-offset]
 3307 |         fsa_dev_ptr[dd.cnum].valid = 0;
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
  ‘force_delete_disk’: events 1-7
    |
    | 3292 |         if (!fsa_dev_ptr)
    |      |            ^
    |      |            |
    |      |            (1) following ‘false’ branch (when ‘fsa_dev_ptr’ is non-NULL)...
    |......
    | 3295 |         if (copy_from_user(&dd, arg, sizeof (struct aac_delete_disk)))
    |      |            ~~ ~
    |      |            |  |
    |      |            |  (3) following ‘false’ branch (when ‘n == 0’)...
    |      |            (2) ...to here
    |......
    | 3298 |         if (dd.cnum >= dev->maximum_num_containers)
    |      |            ~~ ~
    |      |            |  |
    |      |            |  (5) following ‘false’ branch...
    |      |            (4) ...to here
    |......
    | 3303 |         fsa_dev_ptr[dd.cnum].deleted = 1;
    |      |         ~~~~~~~~~~~
    |      |         |
    |      |         (6) ...to here
    |......
    | 3307 |         fsa_dev_ptr[dd.cnum].valid = 0;
    |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (7) use of attacker-controlled value as offset without upper-bounds checking
    |
drivers/scsi/aacraid/aachba.c: In function ‘delete_disk’:
drivers/scsi/aacraid/aachba.c:3335:49: warning: use of attacker-controlled value as offset without upper-bounds checking [CWE-823] [-Wanalyzer-tainted-offset]
 3335 |                 fsa_dev_ptr[dd.cnum].devname[0] = '\0';
      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
  ‘delete_disk’: events 1-9
    |
    | 3317 |         if (!fsa_dev_ptr)
    |      |            ^
    |      |            |
    |      |            (1) following ‘false’ branch (when ‘fsa_dev_ptr’ is non-NULL)...
    |......
    | 3320 |         if (copy_from_user(&dd, arg, sizeof (struct aac_delete_disk)))
    |      |            ~~ ~
    |      |            |  |
    |      |            |  (3) following ‘false’ branch (when ‘n == 0’)...
    |      |            (2) ...to here
    |......
    | 3323 |         if (dd.cnum >= dev->maximum_num_containers)
    |      |            ~~ ~
    |      |            |  |
    |      |            |  (5) following ‘false’ branch...
    |      |            (4) ...to here
    |......
    | 3328 |         if (fsa_dev_ptr[dd.cnum].locked)
    |      |            ~~ ~
    |      |            |  |
    |      |            |  (7) following ‘false’ branch...
    |      |            (6) ...to here
    |......
    | 3334 |                 fsa_dev_ptr[dd.cnum].valid = 0;
    |      |                 ~~~~~~~~~~~
    |      |                 |
    |      |                 (8) ...to here
    | 3335 |                 fsa_dev_ptr[dd.cnum].devname[0] = '\0';
    |      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                 |
    |      |                 (9) use of attacker-controlled value as offset without upper-bounds checking
    |

In both of these, dd.cnum is clearly checked, both at event (5)

Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358 [Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer
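A reduced, stand-alone version of the pattern both warnings flag, added here as an example (constructed; it is not the kernel's aachba.c nor anything from the report): an index copied in from untrusted input, rejected when it is `>= maximum_num_containers`, and only then used to subscript the container array. The struct layouts, the `copy_from_untrusted` stand-in for `copy_from_user`, and the `try_delete` harness are assumptions; the point is that the `>=` comparison at the equivalent of event (5) is the upper-bounds check.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the kernel types used in the report. */
struct aac_delete_disk { unsigned int cnum; };
struct fsa_dev_info { unsigned char valid, deleted, locked; char devname[16]; };
struct aac_dev { unsigned int maximum_num_containers; struct fsa_dev_info *fsa_dev; };

/* Stand-in for copy_from_user(): whatever lands in *dst is attacker-controlled
 * from here on. Returns the number of bytes NOT copied (0 on success). */
static unsigned long copy_from_untrusted(void *dst, const void *src, size_t n)
{
    if (!src)
        return n;
    memcpy(dst, src, n);
    return 0;
}

/* Same shape as delete_disk() in the report: the ">=" test against
 * dev->maximum_num_containers bounds every later use of dd.cnum. */
int delete_disk_checked(struct aac_dev *dev, const void *arg)
{
    struct fsa_dev_info *fsa_dev_ptr = dev->fsa_dev;
    struct aac_delete_disk dd;

    if (!fsa_dev_ptr)
        return -1;
    if (copy_from_untrusted(&dd, arg, sizeof(dd)))
        return -2;
    if (dd.cnum >= dev->maximum_num_containers)
        return -3;                  /* upper bound: any cnum >= max is rejected here */
    if (fsa_dev_ptr[dd.cnum].locked)
        return -4;
    fsa_dev_ptr[dd.cnum].valid = 0; /* cnum already proven < maximum_num_containers */
    fsa_dev_ptr[dd.cnum].devname[0] = '\0';
    return 0;
}

/* Harness: a device with `max` (<= 8) containers, slot 2 locked, one request
 * carrying `cnum`; returns the handler's result, or -99 if a successful call
 * failed to invalidate the slot. */
int try_delete(unsigned int max, unsigned int cnum)
{
    struct fsa_dev_info containers[8] = {{0}};
    struct aac_dev dev = { max, containers };
    struct aac_delete_disk dd = { cnum };
    for (unsigned int i = 0; i < 8; i++) containers[i].valid = 1;
    containers[2].locked = 1;
    int rc = delete_disk_checked(&dev, &dd);
    if (rc == 0 && containers[cnum].valid != 0) return -99;
    return rc;
}
```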