https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106235
Bug ID: 106235
Summary: RFE: -fanalyzer could complain about tainted data triggering assertion failure
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Target Milestone: ---
CWE-617: Reachable Assertion:
https://cwe.mitre.org/data/definitions/617.html
"The product contains an assert() or similar statement that can be triggered by
an attacker, which leads to an application exit or other behavior that is more
severe than necessary."
(e.g. remote triggering of denial-of-service)
Perhaps -fanalyzer could identify assertion failure routines, and see if
tainted data is used in an assertion. Presumably we'd want to see if a
conditional guarding an assertion handler involves tainted data.
Not sure if this is fully implementable; e.g. what to do about non-trivial
conditionals? (and how much can we reconstruct about "is this an assertion" vs
"is this a regular conditional" given how late we run)
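As an added illustration of the pattern this RFE describes (example code, not part of the bug report and not GCC's own code): a record parser takes a length byte straight from an untrusted message and checks it with assert(), so a remote peer decides whether the process aborts (CWE-617), and with NDEBUG the check disappears entirely. Beside it is the hardened form, which validates the same tainted value with ordinary control flow and returns an error. The wire format (one length byte, then payload) is a constructed assumption; the `tainted_args` function attribute is the real GCC 12 attribute that tells the existing taint checker the arguments are attacker-controlled.

```c
/* Added example, not from the bug report: tainted input reaching assert()
   (the CWE-617 case the RFE asks -fanalyzer to flag) beside a hardened form. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Real GCC 12 attribute marking arguments as attacker-controlled for -fanalyzer. */
#ifdef __has_attribute
#  if __has_attribute(tainted_args)
#    define TAINTED_ARGS __attribute__((tainted_args))
#  endif
#endif
#ifndef TAINTED_ARGS
#  define TAINTED_ARGS
#endif

#define MAX_PAYLOAD 64

/* Constructed wire format (assumption): one length byte followed by payload. */
struct record {
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Reachable assertion: msg[0] is tainted, so the peer controls whether assert()
   fires. Built with -DNDEBUG the checks vanish and memcpy overflows instead. */
TAINTED_ARGS
int parse_record_unsafe(const uint8_t *msg, size_t msg_len, struct record *out)
{
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];
    assert(len <= MAX_PAYLOAD);   /* tainted data guarding an assertion handler */
    assert(msg_len - 1 >= len);
    out->len = (uint8_t)len;
    memcpy(out->payload, msg + 1, len);
    return 0;
}

/* Hardened form: untrusted values are rejected with a recoverable error code;
   assert() is kept for invariants the code itself establishes, never for input. */
TAINTED_ARGS
int parse_record_safe(const uint8_t *msg, size_t msg_len, struct record *out)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;
    size_t len = msg[0];
    if (len > MAX_PAYLOAD || len > msg_len - 1)
        return -1;                /* reject the message, do not abort the process */
    out->len = (uint8_t)len;
    memcpy(out->payload, msg + 1, len);
    return 0;
}
```

The unsafe variant is what the RFE wants diagnosed: the conditional that decides whether the assertion handler runs depends on a tainted value. On glibc, assert() expands to a call to `__assert_fail`, which is declared noreturn; recognising such noreturn failure routines is one way an analyzer pass could tell "this is an assertion" from "this is a regular conditional", which is exactly the open question the report raises.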