Created
July 11, 2022 22:29
Reformatted output of gcc -fanalyzer -S ../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c -fanalyzer-checker=taint -fdiagnostics-format=sarif-stderr
{ | |
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", | |
"runs": [ | |
{ | |
"results": [ | |
{ | |
"level": "warning", | |
"ruleId": "warning", | |
"locations": [ | |
{ | |
"logicalLocations": [ | |
{ | |
"decoratedName": "sys_osf_getsysinfo", | |
"kind": "function", | |
"name": "sys_osf_getsysinfo", | |
"fullyQualifiedName": "sys_osf_getsysinfo" | |
} | |
], | |
"physicalLocation": { | |
"contextRegion": { | |
"startLine": 58, | |
"snippet": { | |
"text": "\t__analyzer_dump_state (\"taint\", nbytes); /* { dg-warning \"tainted\" } */\n" | |
} | |
}, | |
"artifactLocation": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c", | |
"uriBaseId": "PWD" | |
}, | |
"region": { | |
"startLine": 58, | |
"endColumn": 48, | |
"startColumn": 9 | |
} | |
} | |
} | |
], | |
"message": { | |
"text": "state: ‘tainted’" | |
} | |
}, | |
{ | |
"level": "warning", | |
"ruleId": "warning", | |
"locations": [ | |
{ | |
"logicalLocations": [ | |
{ | |
"decoratedName": "sys_osf_getsysinfo", | |
"kind": "function", | |
"name": "sys_osf_getsysinfo", | |
"fullyQualifiedName": "sys_osf_getsysinfo" | |
} | |
], | |
"physicalLocation": { | |
"contextRegion": { | |
"startLine": 67, | |
"snippet": { | |
"text": "\t\t__analyzer_dump_state (\"taint\", nbytes); /* { dg-warning \"has_lb\" } */\n" | |
} | |
}, | |
"artifactLocation": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c", | |
"uriBaseId": "PWD" | |
}, | |
"region": { | |
"startLine": 67, | |
"endColumn": 56, | |
"startColumn": 17 | |
} | |
} | |
} | |
], | |
"message": { | |
"text": "state: ‘has_lb’" | |
} | |
}, | |
{ | |
"level": "warning", | |
"ruleId": "-Wanalyzer-tainted-size", | |
"locations": [ | |
{ | |
"logicalLocations": [ | |
{ | |
"decoratedName": "sys_osf_getsysinfo", | |
"kind": "function", | |
"name": "sys_osf_getsysinfo", | |
"fullyQualifiedName": "sys_osf_getsysinfo" | |
} | |
], | |
"physicalLocation": { | |
"contextRegion": { | |
"startLine": 69, | |
"snippet": { | |
"text": "\t\tif (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-warning \"use of attacker-controlled value 'nbytes' as size without upper-bounds checking\" } */\n" | |
} | |
}, | |
"artifactLocation": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c", | |
"uriBaseId": "PWD" | |
}, | |
"region": { | |
"startLine": 69, | |
"endColumn": 56, | |
"startColumn": 21 | |
} | |
} | |
} | |
], | |
"message": { | |
"text": "use of attacker-controlled value ‘nbytes’ as size without upper-bounds checking" | |
}, | |
"taxa": [ | |
{ | |
"id": "129", | |
"toolComponent": { | |
"name": "cwe" | |
} | |
} | |
], | |
"relatedLocations": [ | |
{ | |
"message": { | |
"text": "parameter 3 of ‘copy_to_user’ marked as a size via attribute ‘access (write_only, 1, 3)’" | |
}, | |
"physicalLocation": { | |
"contextRegion": { | |
"startLine": 13, | |
"snippet": { | |
"text": "extern long copy_to_user(void __user *to, const void *from, unsigned long n)\n" | |
} | |
}, | |
"artifactLocation": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/test-uaccess.h", | |
"uriBaseId": "PWD" | |
}, | |
"region": { | |
"startLine": 13, | |
"endColumn": 25, | |
"startColumn": 13 | |
} | |
} | |
} | |
], | |
"codeFlows": [ | |
{ | |
"threadFlows": [ | |
{ | |
"locations": [ | |
{ | |
"nestingLevel": 0, | |
"location": { | |
"logicalLocations": [ | |
{ | |
"decoratedName": "sys_osf_getsysinfo", | |
"kind": "function", | |
"name": "sys_osf_getsysinfo", | |
"fullyQualifiedName": "sys_osf_getsysinfo" | |
} | |
], | |
"message": { | |
"text": "function ‘sys_osf_getsysinfo’ marked with ‘__attribute__((tainted_args))’" | |
}, | |
"physicalLocation": { | |
"contextRegion": { | |
"startLine": 53, | |
"snippet": { | |
"text": "SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,\n" | |
} | |
}, | |
"artifactLocation": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c", | |
"uriBaseId": "PWD" | |
}, | |
"region": { | |
"startLine": 53, | |
"endColumn": 2, | |
"startColumn": 1 | |
} | |
} | |
} | |
}, | |
{ | |
"nestingLevel": 1, | |
"location": { | |
"logicalLocations": [ | |
{ | |
"decoratedName": "sys_osf_getsysinfo", | |
"kind": "function", | |
"name": "sys_osf_getsysinfo", | |
"fullyQualifiedName": "sys_osf_getsysinfo" | |
} | |
], | |
"message": { | |
"text": "entry to ‘sys_osf_getsysinfo’" | |
}, | |
"physicalLocation": { | |
"contextRegion": { | |
"startLine": 53, | |
"snippet": { | |
"text": "SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,\n" | |
} | |
}, | |
"artifactLocation": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c", | |
"uriBaseId": "PWD" | |
}, | |
"region": { | |
"startLine": 53, | |
"endColumn": 2, | |
"startColumn": 1 | |
} | |
} | |
}, | |
"kinds": [ | |
"enter", | |
"function" | |
] | |
}, | |
{ | |
"nestingLevel": 1, | |
"location": { | |
"logicalLocations": [ | |
{ | |
"decoratedName": "sys_osf_getsysinfo", | |
"kind": "function", | |
"name": "sys_osf_getsysinfo", | |
"fullyQualifiedName": "sys_osf_getsysinfo" | |
} | |
], | |
"message": { | |
"text": "‘nbytes’ has its lower bound checked here" | |
}, | |
"physicalLocation": { | |
"contextRegion": { | |
"startLine": 64, | |
"snippet": { | |
"text": "\t\tif (nbytes < sizeof(*hwrpb))\n" | |
} | |
}, | |
"artifactLocation": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c", | |
"uriBaseId": "PWD" | |
}, | |
"region": { | |
"startLine": 64, | |
"endColumn": 21, | |
"startColumn": 20 | |
} | |
} | |
} | |
}, | |
{ | |
"nestingLevel": 1, | |
"location": { | |
"logicalLocations": [ | |
{ | |
"decoratedName": "sys_osf_getsysinfo", | |
"kind": "function", | |
"name": "sys_osf_getsysinfo", | |
"fullyQualifiedName": "sys_osf_getsysinfo" | |
} | |
], | |
"message": { | |
"text": "following ‘false’ branch (when ‘nbytes > 31’)..." | |
}, | |
"physicalLocation": { | |
"contextRegion": { | |
"startLine": 64, | |
"snippet": { | |
"text": "\t\tif (nbytes < sizeof(*hwrpb))\n" | |
} | |
}, | |
"artifactLocation": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c", | |
"uriBaseId": "PWD" | |
}, | |
"region": { | |
"startLine": 64, | |
"endColumn": 21, | |
"startColumn": 20 | |
} | |
} | |
}, | |
"kinds": [ | |
"branch", | |
"false" | |
] | |
}, | |
{ | |
"nestingLevel": 1, | |
"location": { | |
"logicalLocations": [ | |
{ | |
"decoratedName": "sys_osf_getsysinfo", | |
"kind": "function", | |
"name": "sys_osf_getsysinfo", | |
"fullyQualifiedName": "sys_osf_getsysinfo" | |
} | |
], | |
"message": { | |
"text": "...to here" | |
}, | |
"physicalLocation": { | |
"contextRegion": { | |
"startLine": 67, | |
"snippet": { | |
"text": "\t\t__analyzer_dump_state (\"taint\", nbytes); /* { dg-warning \"has_lb\" } */\n" | |
} | |
}, | |
"artifactLocation": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c", | |
"uriBaseId": "PWD" | |
}, | |
"region": { | |
"startLine": 67, | |
"endColumn": 56, | |
"startColumn": 17 | |
} | |
} | |
}, | |
"kinds": [ | |
"branch", | |
"false" | |
] | |
}, | |
{ | |
"nestingLevel": 1, | |
"location": { | |
"logicalLocations": [ | |
{ | |
"decoratedName": "sys_osf_getsysinfo", | |
"kind": "function", | |
"name": "sys_osf_getsysinfo", | |
"fullyQualifiedName": "sys_osf_getsysinfo" | |
} | |
], | |
"message": { | |
"text": "use of attacker-controlled value ‘nbytes’ as size without upper-bounds checking" | |
}, | |
"physicalLocation": { | |
"contextRegion": { | |
"startLine": 69, | |
"snippet": { | |
"text": "\t\tif (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-warning \"use of attacker-controlled value 'nbytes' as size without upper-bounds checking\" } */\n" | |
} | |
}, | |
"artifactLocation": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c", | |
"uriBaseId": "PWD" | |
}, | |
"region": { | |
"startLine": 69, | |
"endColumn": 56, | |
"startColumn": 21 | |
} | |
} | |
}, | |
"kinds": [ | |
"danger" | |
] | |
} | |
] | |
} | |
] | |
} | |
] | |
} | |
], | |
"artifacts": [ | |
{ | |
"location": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/test-uaccess.h", | |
"uriBaseId": "PWD" | |
}, | |
"sourceLanguage": "c", | |
"contents": { | |
"text": "/* Shared header for testcases for copy_from_user/copy_to_user. */\n\n/* Adapted from include/linux/compiler.h */\n\n#define __user\n\n/* Adapted from include/asm-generic/uaccess.h */\n\nextern int copy_from_user(void *to, const void __user *from, long n)\n __attribute__((access (write_only, 1, 3),\n\t\t access (read_only, 2, 3)));\n\nextern long copy_to_user(void __user *to, const void *from, unsigned long n)\n __attribute__((access (write_only, 1, 3),\n\t\t access (read_only, 2, 3)));\n" | |
} | |
}, | |
{ | |
"location": { | |
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c", | |
"uriBaseId": "PWD" | |
}, | |
"sourceLanguage": "c", | |
"contents": { | |
"text": "/* \"The osf_getsysinfo function in arch/alpha/kernel/osf_sys.c in the\n Linux kernel before 2.6.39.4 on the Alpha platform does not properly\n restrict the data size for GSI_GET_HWRPB operations, which allows\n local users to obtain sensitive information from kernel memory via\n a crafted call.\"\n\n Fixed in 3d0475119d8722798db5e88f26493f6547a4bb5b on linux-2.6.39.y\n in linux-stable. */\n\n// TODO: remove need for this option:\n/* { dg-additional-options \"-fanalyzer-checker=taint\" } */\n\n#include \"analyzer-decls.h\"\n#include \"test-uaccess.h\"\n\n/* Adapted from include/linux/linkage.h. */\n\n#define asmlinkage\n\n/* Adapted from include/linux/syscalls.h. */\n\n#define __SC_DECL1(t1, a1)\tt1 a1\n#define __SC_DECL2(t2, a2, ...) t2 a2, __SC_DECL1(__VA_ARGS__)\n#define __SC_DECL3(t3, a3, ...) t3 a3, __SC_DECL2(__VA_ARGS__)\n#define __SC_DECL4(t4, a4, ...) t4 a4, __SC_DECL3(__VA_ARGS__)\n#define __SC_DECL5(t5, a5, ...) t5 a5, __SC_DECL4(__VA_ARGS__)\n#define __SC_DECL6(t6, a6, ...) t6 a6, __SC_DECL5(__VA_ARGS__)\n\n#define SYSCALL_DEFINEx(x, sname, ...)\t\t\t\t\\\n\t__SYSCALL_DEFINEx(x, sname, __VA_ARGS__)\n\n#define SYSCALL_DEFINE(name) asmlinkage long sys_##name\n#define __SYSCALL_DEFINEx(x, name, ...)\t\t\t\t\t\\\n\tasmlinkage __attribute__((tainted_args)) \\\n\tlong sys##name(__SC_DECL##x(__VA_ARGS__))\n\n#define SYSCALL_DEFINE5(name, ...) SYSCALL_DEFINEx(5, _##name, __VA_ARGS__)\n\n/* Adapted from arch/alpha/include/asm/hwrpb.h. */\n\nstruct hwrpb_struct {\n\tunsigned long phys_addr;\t/* check: physical address of the hwrpb */\n\tunsigned long id;\t\t/* check: \"HWRPB\\0\\0\\0\" */\n\tunsigned long revision;\n\tunsigned long size;\t\t/* size of hwrpb */\n\t/* [...snip...] */\n};\n\nextern struct hwrpb_struct *hwrpb;\n\n/* Adapted from arch/alpha/kernel/osf_sys.c. */\n\nSYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,\n\t\tunsigned long, nbytes, int __user *, start, void __user *, arg)\n{\n\t/* [...snip...] 
*/\n\n\t__analyzer_dump_state (\"taint\", nbytes); /* { dg-warning \"tainted\" } */\n\n\t/* TODO: should have an event explaining why \"nbytes\" is treated as\n\t attacker-controlled. */\n\n\t/* case GSI_GET_HWRPB: */\n\t\tif (nbytes < sizeof(*hwrpb))\n\t\t\treturn -1;\n\n\t\t__analyzer_dump_state (\"taint\", nbytes); /* { dg-warning \"has_lb\" } */\n\n\t\tif (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-warning \"use of attacker-controlled value 'nbytes' as size without upper-bounds checking\" } */\n\t\t\treturn -2;\n\n\t\treturn 1;\n\n\t/* [...snip...] */\n}\n\n/* With the fix for the sense of the size comparison. */\n\nSYSCALL_DEFINE5(osf_getsysinfo_fixed, unsigned long, op, void __user *, buffer,\n\t\tunsigned long, nbytes, int __user *, start, void __user *, arg)\n{\n\t/* [...snip...] */\n\n\t/* case GSI_GET_HWRPB: */\n\t\tif (nbytes > sizeof(*hwrpb))\n\t\t\treturn -1;\n\t\tif (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-bogus \"attacker-controlled\" } */\n\t\t\treturn -2;\n\n\t\treturn 1;\n\n\t/* [...snip...] */\n}\n" | |
} | |
} | |
], | |
"tool": { | |
"driver": { | |
"fullName": "GNU C17 (GCC) version 13.0.0 20220707 (experimental) (x86_64-pc-linux-gnu)", | |
"name": "GNU C17", | |
"rules": [ | |
{ | |
"id": "-Wanalyzer-tainted-size", | |
"helpUri": "https://gcc.gnu.org/onlinedocs/gcc/Static-Analyzer-Options.html#index-Wanalyzer-tainted-size" | |
} | |
], | |
"informationUri": "https://gcc.gnu.org/gcc-13/", | |
"version": "13.0.0 20220707 (experimental)" | |
} | |
}, | |
"originalUriBaseIds": { | |
"PWD": { | |
"uri": "file:///home/david/coding/gcc-newgit-clean/build/gcc/" | |
} | |
}, | |
"taxonomies": [ | |
{ | |
"organization": "MITRE", | |
"name": "CWE", | |
"version": "4.7", | |
"shortDescription": { | |
"text": "The MITRE Common Weakness Enumeration" | |
}, | |
"taxa": [ | |
{ | |
"id": "129", | |
"helpUri": "https://cwe.mitre.org/data/definitions/129.html" | |
} | |
] | |
} | |
] | |
} | |
], | |
"version": "2.1.0" | |
} |