[pushed] analyzer: avoid taint for (TAINTED % NON_TAINTED)

Message ID 20231208210304.2705943-1-dmalcolm@redhat.com
State Committed
Commit 0bef72539e585d13941987369cf34726a7ac5b2e

Checks

Context Check Description
linaro-tcwg-bot/tcwg_gcc_build--master-aarch64 warning Patch is already merged
linaro-tcwg-bot/tcwg_gcc_build--master-arm warning Patch is already merged

Commit Message

David Malcolm Dec. 8, 2023, 9:03 p.m. UTC
  Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Pushed to trunk as r14-6349-g0bef72539e585d.

gcc/analyzer/ChangeLog:
	* sm-taint.cc (taint_state_machine::alt_get_inherited_state): Fix
	handling of TRUNC_MOD_EXPR.

gcc/testsuite/ChangeLog:
	* c-c++-common/analyzer/taint-modulus-1.c: New test.
---
 gcc/analyzer/sm-taint.cc                              | 9 ++++++++-
 gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c | 8 ++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c
  

Patch

diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc
index 6b5d51c62af..597e8e55609 100644
--- a/gcc/analyzer/sm-taint.cc
+++ b/gcc/analyzer/sm-taint.cc
@@ -891,7 +891,6 @@  taint_state_machine::alt_get_inherited_state (const sm_state_map &map,
 	  case MULT_EXPR:
 	  case POINTER_PLUS_EXPR:
 	  case TRUNC_DIV_EXPR:
-	  case TRUNC_MOD_EXPR:
 	    {
 	      state_t arg0_state = map.get_state (arg0, ext_state);
 	      state_t arg1_state = map.get_state (arg1, ext_state);
@@ -899,6 +898,14 @@  taint_state_machine::alt_get_inherited_state (const sm_state_map &map,
 	    }
 	    break;
 
+	  case TRUNC_MOD_EXPR:
+	    {
+	      /* The left-hand side of X % Y can be sanitized by
+		 the operation.  */
+	      return map.get_state (arg1, ext_state);
+	    }
+	    break;
+
 	  case BIT_AND_EXPR:
 	  case RSHIFT_EXPR:
 	    return NULL;
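Review bot: In the new TRUNC_MOD_EXPR case, `return map.get_state (arg1, ext_state);` treats X % Y as sanitized whenever Y is untainted, regardless of the signedness of X. TRUNC_MOD_EXPR truncates toward zero, so for a signed tainted X the result takes the sign of X: the modulus bounds its magnitude, but it can still be negative, and a negative result used as an index is still attacker-controlled. The comment says the left-hand side "can be" sanitized, yet the code applies that unconditionally. Consider restricting this path to an arg0 that is unsigned or otherwise known to be non-negative, or state in the comment why the signed case is accepted. Minor: the `break;` after the `return` is unreachable, and the braces around a single return are not needed.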
diff --git a/gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c b/gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c
new file mode 100644
index 00000000000..ed286fa341c
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c
@@ -0,0 +1,8 @@ 
+#define SIZE 16
+char buf[SIZE];
+
+__attribute__ ((tainted_args))
+char test_sanitized_by_modulus (int val)
+{
+  return buf[val % SIZE]; /* { dg-bogus "use of attacker-controlled value" } */
+}
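Review bot: The test declares `int val`, so in `buf[val % SIZE]` the index can be negative (val == -1 gives -1) and the access then falls before the start of `buf`; the dg-bogus asserts silence on an index that the modulus has not fully bounded. Making the parameter unsigned would exercise the sanitizing case without that ambiguity. The file also covers only a tainted left operand: add a companion function with the tainted value on the right-hand side of `%` that expects the result to stay tainted, so that the new arg1-only path is checked in both directions.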