I attempted to use the analyzer to detect CVE-2005-1689, a double-free in
krb5-1.4.1's src/lib/krb5/krb/recvauth.c

With v1-v4 of the analyzer, it emits 11 double-free warnings:
  https://dmalcolm.fedorapeople.org/gcc/2019-11-13/CVE-2005-1689.html
of which most were either false positives or duplicates.

With this patch kit, the analyzer emits just 2 double-free warnings,
both of which appear to be genuine problems:
  https://dmalcolm.fedorapeople.org/gcc/2019-12-17/CVE-2005-1689.html

(the output is still very verbose, but that can wait for a follow-up)

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.

I've pushed these patches to dmalcolm/analyzer on the GCC git mirror.

David Malcolm (4):
  analyzer: add ChangeLog
  analyzer: better logging for dedupe_winners::add
  analyzer: fix dedupe issue seen with CVE-2005-1689
  analyzer: purge state for unknown function calls

 gcc/analyzer/ChangeLog                        |  10 +
 gcc/analyzer/analyzer.h                       |   2 +
 gcc/analyzer/diagnostic-manager.cc            |  37 ++-
 gcc/analyzer/diagnostic-manager.h             |  13 +-
 gcc/analyzer/engine.cc                        |  28 ++-
 gcc/analyzer/exploded-graph.h                 |   2 +
 gcc/analyzer/pending-diagnostic.cc            |   9 +
 gcc/analyzer/pending-diagnostic.h             |   4 +
 gcc/analyzer/program-state.cc                 |   8 +
 gcc/analyzer/program-state.h                  |   2 +
 gcc/analyzer/region-model.cc                  | 217 +++++++++++++++++-
 gcc/analyzer/region-model.h                   |  16 +-
 gcc/analyzer/sm-file.cc                       |   2 +-
 gcc/analyzer/sm-malloc.cc                     |   8 +-
 gcc/analyzer/sm-pattern-test.cc               |   4 +-
 gcc/analyzer/sm-sensitive.cc                  |   2 +-
 gcc/analyzer/sm-taint.cc                      |   2 +-
 .../analyzer/CVE-2005-1689-dedupe-issue.c     |  26 +++
 gcc/testsuite/gcc.dg/analyzer/data-model-1.c  |   4 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-5b.c |   3 +-
 gcc/testsuite/gcc.dg/analyzer/data-model-5c.c |  10 +-
 gcc/testsuite/gcc.dg/analyzer/setjmp-3.c      |   2 +-
 gcc/testsuite/gcc.dg/analyzer/setjmp-4.c      |   2 +-
 gcc/testsuite/gcc.dg/analyzer/setjmp-6.c      |   2 +-
 gcc/testsuite/gcc.dg/analyzer/setjmp-7.c      |   2 +-
 gcc/testsuite/gcc.dg/analyzer/setjmp-7a.c     |   2 +-
 gcc/testsuite/gcc.dg/analyzer/setjmp-8.c      |   2 +-
 gcc/testsuite/gcc.dg/analyzer/setjmp-9.c      |   2 +-
 gcc/testsuite/gcc.dg/analyzer/unknown-fns.c   | 115 ++++++++++
 29 files changed, 476 insertions(+), 62 deletions(-)
 create mode 100644 gcc/analyzer/ChangeLog
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/CVE-2005-1689-dedupe-issue.c
 create mode 100644 gcc/testsuite/gcc.dg/analyzer/unknown-fns.c

-- 
2.21.0
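The fourth patch in the series, "purge state for unknown function calls", is about a false-positive mode that the analyzer's malloc state machine shares with any per-pointer ownership tracker: once a pointer has been handed to a function the analyzer knows nothing about, the callee may have reassigned or freed it, so carrying the old "freed" or "allocated" state across that call leads to bogus double-free reports. The following is an added example, not code from the patch series or from GCC's sm-malloc.cc: a constructed, deliberately tiny model of such a state machine, with the state names (ST_ALLOCATED, ST_FREED, ST_STOP), the event list and the purge_on_unknown switch all being assumptions of this illustration rather than the analyzer's real data structures.

```c
/* Toy model of a per-pointer malloc/free state machine, constructed for
   illustration only.  It is NOT the GCC analyzer's implementation; the
   state and event names are invented for this example.  */
#include <stdbool.h>
#include <stdio.h>

typedef enum {
    ST_UNTRACKED,  /* nothing known about the pointer's heap state */
    ST_ALLOCATED,  /* returned by malloc and not yet freed */
    ST_FREED,      /* passed to free */
    ST_STOP        /* escaped into an unknown callee: stop tracking it */
} ptr_state;

typedef enum {
    EV_MALLOC,        /* p = malloc (...)        */
    EV_FREE,          /* free (p)                */
    EV_UNKNOWN_CALL   /* unknown_fn (&p), may reassign or free p */
} ptr_event;

/* Apply one event to the pointer's state.  Returns true when a
   double-free diagnostic would be reported for this event.  */
static bool step (ptr_state *st, ptr_event ev, bool purge_on_unknown)
{
  switch (ev)
    {
    case EV_MALLOC:
      *st = ST_ALLOCATED;
      return false;
    case EV_FREE:
      if (*st == ST_FREED)
        return true;                 /* second free of the same pointer */
      if (*st == ST_ALLOCATED || *st == ST_UNTRACKED)
        *st = ST_FREED;
      /* ST_STOP: the pointer escaped, so nothing can be concluded.  */
      return false;
    case EV_UNKNOWN_CALL:
      if (purge_on_unknown)
        *st = ST_STOP;               /* the patch's behaviour: forget what we knew */
      return false;
    }
  return false;
}

/* Replay a sequence of events and count double-free diagnostics.  */
int count_double_free_warnings (const ptr_event *evs, int n, bool purge_on_unknown)
{
  ptr_state st = ST_UNTRACKED;
  int warnings = 0;
  for (int i = 0; i < n; i++)
    if (step (&st, evs[i], purge_on_unknown))
      warnings++;
  return warnings;
}

/* A genuine double-free: malloc, free, free.  Reported either way.  */
int genuine_double_free_warnings (bool purge_on_unknown)
{
  const ptr_event evs[] = { EV_MALLOC, EV_FREE, EV_FREE };
  return count_double_free_warnings (evs, 3, purge_on_unknown);
}

/* A pointer freed, then passed by address to an unknown function that
   may have reseated it, then freed again.  Without purging, the stale
   ST_FREED state produces a false positive; with purging it is silent.  */
int escaped_pointer_warnings (bool purge_on_unknown)
{
  const ptr_event evs[] = { EV_MALLOC, EV_FREE, EV_UNKNOWN_CALL, EV_FREE };
  return count_double_free_warnings (evs, 4, purge_on_unknown);
}

int main (void)
{
  printf ("genuine double-free, no purge: %d warning(s)\n",
          genuine_double_free_warnings (false));
  printf ("genuine double-free, purge:    %d warning(s)\n",
          genuine_double_free_warnings (true));
  printf ("escaped pointer,     no purge: %d warning(s)\n",
          escaped_pointer_warnings (false));
  printf ("escaped pointer,     purge:    %d warning(s)\n",
          escaped_pointer_warnings (true));
  return 0;
}
```

The trade-off the model makes visible is the one the patch accepts: purging on an unknown call removes the false positive for the escaped pointer, but it also means a real double-free that happens after such a call goes unreported, since the analyzer has given up tracking that pointer.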
