https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112969
Bug ID: 112969
Summary: -Wanalyzer-exposure-through-uninit-copy false positive seen on Linux kernel's drivers/net/ethernet/intel/ice/ice_ptp.c
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: dmalcolm at gcc dot gnu.org
Blocks: 106358
Target Milestone: ---

Created attachment 56852
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56852&action=edit
Patch adding reproducer

False positive here:

src/gcc/testsuite/gcc.dg/plugin/infoleak-drivers-net-ethernet-intel-ice-ice_ptp.c:46:7: warning: potential exposure of sensitive information by copying uninitialized data from stack across trust boundary [CWE-200] [-Wanalyzer-exposure-through-uninit-copy]
   46 |   if (copy_to_user(ifr->ifr_ifru.ifru_data, &config, sizeof(config)))
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ‘ice_ptp_set_ts_config’: events 1-5
    |
    |   39 |   struct hwtstamp_config config;
    |      |                          ^~~~~~
    |      |                          |
    |      |                          (1) region created on stack here
    |      |                          (2) capacity: 12 bytes
    |   40 |   int err;
    |   41 |   if (copy_from_user(&config, ifr->ifr_ifru.ifru_data, sizeof(config)))
    |      |      ~
    |      |      |
    |      |      (3) following ‘false’ branch...
    |   42 |     return -14;
    |   43 |   pf->ptp.tstamp_config.tx_type = 0;
    |      |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |   |
    |      |   (4) ...to here
    |......
    |   46 |   if (copy_to_user(ifr->ifr_ifru.ifru_data, &config, sizeof(config)))
    |      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |       |
    |      |       (5) uninitialized data copied from stack here
    |
src/gcc/testsuite/gcc.dg/plugin/infoleak-drivers-net-ethernet-intel-ice-ice_ptp.c:46:7: note: 4 bytes are uninitialized
   46 |   if (copy_to_user(ifr->ifr_ifru.ifru_data, &config, sizeof(config)))
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/gcc/testsuite/gcc.dg/plugin/infoleak-drivers-net-ethernet-intel-ice-ice_ptp.c:21:7: note: field ‘flags’ is uninitialized (4 bytes)
   21 |   int flags;
      |       ^~~~~
src/gcc/testsuite/gcc.dg/plugin/infoleak-drivers-net-ethernet-intel-ice-ice_ptp.c:39:26: note: suggest forcing zero-initialization by providing a ‘{0}’ initializer
   39 |   struct hwtstamp_config config;
      |                          ^~~~~~
      |                                 = {0}

Looks like it doesn't notice that the copy here:

  config = pf->ptp.tstamp_config;

initializes config.flags.

Also, config was fully initialized at the copy_from_user.

Reduced from examples seen on drivers/net/ethernet/intel/ice/ice_ptp.c

Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106358
[Bug 106358] [meta-bug] tracker bug for building the Linux kernel with -fanalyzer
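The following is an added, user-space model of the data flow described in the report; it is not the attached reproducer and not kernel code. It places the reported path (copy_from_user fills every byte of config, the driver updates its stored config, the whole-struct assignment overwrites every field again, then copy_to_user) beside the genuine bug class the warning exists to catch (a struct only partially written before copy_to_user) and beside the `= {0}` fix the diagnostic suggests. The field names and 12-byte layout of struct hwtstamp_config follow <linux/net_tstamp.h>; the ice_pf/ice_ptp shapes, the copy_*_user stand-ins, and all sample values are constructed for the demonstration.

```c
/* Added example (not the bug report's reproducer and not kernel code): a
 * user-space model of the data flow the analyzer is asked to reason about in
 * ice_ptp_set_ts_config. struct hwtstamp_config's field names and 12-byte
 * layout follow <linux/net_tstamp.h>; the pf/ptp shapes, the copy_*_user
 * stand-ins and every value below are constructed for the demonstration. */
#include <stddef.h>
#include <string.h>

struct hwtstamp_config { int flags; int tx_type; int rx_filter; }; /* 12 bytes */

/* Stand-ins for the kernel's copy_from_user/copy_to_user: 0 on success, the
 * number of bytes not copied on failure. A NULL "user" pointer is the only
 * failure modelled. */
static unsigned long copy_from_user(void *to, const void *from, size_t n)
{
    if (!from) return n;
    memcpy(to, from, n);
    return 0;
}
static unsigned long copy_to_user(void *to, const void *from, size_t n)
{
    if (!to) return n;
    memcpy(to, from, n);
    return 0;
}

struct ice_ptp { struct hwtstamp_config tstamp_config; }; /* constructed stand-in */
struct ice_pf  { struct ice_ptp ptp; };                   /* constructed stand-in */

/* The path from the report: copy_from_user writes all 12 bytes of 'config'
 * (event 3's false branch), the driver updates its stored config, and the
 * whole-struct assignment then overwrites every field of 'config' again
 * before copy_to_user. No byte of 'config' is uninitialized at event 5,
 * which is why the report calls the warning a false positive. */
int ice_ptp_set_ts_config_model(struct ice_pf *pf, void *ifru_data)
{
    struct hwtstamp_config config;
    if (copy_from_user(&config, ifru_data, sizeof(config)))
        return -14;                         /* -EFAULT, as in the listing */
    pf->ptp.tstamp_config.tx_type = 0;
    config = pf->ptp.tstamp_config;         /* the copy the analyzer does not credit */
    if (copy_to_user(ifru_data, &config, sizeof(config)))
        return -14;
    return 0;
}

/* The bug class the warning exists for: only two of the three fields are
 * written before copy_to_user. Stale stack contents are simulated with a 0xAA
 * fill so the program stays well-defined C; in a real kernel, whatever the
 * previous stack user left at 'flags' would reach user space. */
int leaky_get_ts_config_model(void *ifru_data)
{
    struct hwtstamp_config config;
    memset(&config, 0xAA, sizeof(config));  /* simulated leftover stack bytes */
    config.tx_type = 0;
    config.rx_filter = 1;                   /* 'flags' is never assigned */
    return copy_to_user(ifru_data, &config, sizeof(config)) ? -14 : 0;
}

/* The fix the diagnostic suggests ('= {0}'): every byte is defined before the
 * partial update, so the copy can only expose values the driver chose. */
int zeroed_get_ts_config_model(void *ifru_data)
{
    struct hwtstamp_config config = {0};
    config.tx_type = 0;
    config.rx_filter = 1;
    return copy_to_user(ifru_data, &config, sizeof(config)) ? -14 : 0;
}
```

Because the test in the report lives under gcc.dg/plugin, the warning is produced with the analyzer's kernel test plugin, which is what teaches -fanalyzer that copy_from_user and copy_to_user cross the trust boundary; compiling this model with plain `gcc -fanalyzer` is not expected to reproduce the diagnostic. The model's value is in making the two facts the report relies on concrete: after a successful copy_from_user of sizeof(config) bytes there is nothing left uninitialized, and a whole-struct assignment writes flags along with every other field.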