path: root/gcc/analyzer/sm-pattern-test.cc
author: David Malcolm <dmalcolm@redhat.com> 2019-12-13 19:36:11 -0500
committer: David Malcolm <dmalcolm@redhat.com> 2020-01-14 18:38:23 -0500
commit: 14f9d7b9a708ebca57257059bda40986bb1e82a7
tree: 4589d5e9c89465d4328e8f44dfd9ced286de7547 /gcc/analyzer/sm-pattern-test.cc
parent: 000c7a93bdf4040d7d0672fbb9b064eae3d78f5d
analyzer: fix dedupe issue seen with CVE-2005-1689
Whilst analyzing the reproducer for detecting CVE-2005-1689 (krb5-1.4.1's
src/lib/krb5/krb/recvauth.c), the analyzer reported 11 double-free
diagnostics on lines of the form:

  krb5_xfree(inbuf.data);

with no deduplication occurring.

The root cause is that the diagnostics each have a COMPONENT_REF for the
inbuf.data, but they are different trees, and the de-duplication logic was
using pointer equality.

This patch replaces the pointer equality tests with calls to a new
pending_diagnostic::same_tree_p, implemented using simple_cst_equal.

With this patch, de-duplication occurs, and only 3 diagnostics are
reported. The 11 diagnostics are partitioned into 3 dedupe keys, 2 with 2
duplicates and 1 with 7 duplicates.

gcc/analyzer/ChangeLog:
	* diagnostic-manager.cc (saved_diagnostic::operator==): Move here
	from header. Replace pointer equality test on m_var with call to
	pending_diagnostic::same_tree_p.
	* diagnostic-manager.h (saved_diagnostic::operator==): Move to
	diagnostic-manager.cc.
	* pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
	* pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
	* sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
	equality on m_arg with call to pending_diagnostic::same_tree_p.
	* sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
	(possible_null_arg::subclass_equal_p): Likewise.
	(null_arg::subclass_equal_p): Likewise.
	(free_of_non_heap::subclass_equal_p): Likewise.
	* sm-pattern-test.cc (pattern_match::operator==): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::operator==): Likewise.
	* sm-taint.cc (tainted_array_index::operator==): Likewise.

gcc/testsuite/ChangeLog:
	* gcc.dg/analyzer/CVE-2005-1689-dedupe-issue.c: New test.
Diffstat (limited to 'gcc/analyzer/sm-pattern-test.cc')
-rw-r--r-- gcc/analyzer/sm-pattern-test.cc | 4
1 files changed, 2 insertions, 2 deletions
diff --git a/gcc/analyzer/sm-pattern-test.cc b/gcc/analyzer/sm-pattern-test.cc
index 8c70858e938..571e13eb47c 100644
--- a/gcc/analyzer/sm-pattern-test.cc
+++ b/gcc/analyzer/sm-pattern-test.cc
@@ -78,9 +78,9 @@ public:
bool operator== (const pattern_match &other) const
{
- return (m_lhs == other.m_lhs
+ return (same_tree_p (m_lhs, other.m_lhs)
&& m_op == other.m_op
- && m_rhs == other.m_rhs);
+ && same_tree_p (m_rhs, other.m_rhs));
}
bool emit (rich_location *rich_loc) FINAL OVERRIDE
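Review bot: the two `same_tree_p` calls in this hunk replace pointer equality on `m_lhs` and `m_rhs`, but the wrapper itself is not in this diff, and the commit message says it is built on `simple_cst_equal`, which returns 1 for equal, 0 for different and -1 when it cannot decide; `operator==` here only does the right thing if `same_tree_p` treats exactly the 1 result as true, so worth confirming in pending-diagnostic.cc that it compares `== 1` rather than testing for non-zero. Leaving `m_op == other.m_op` as a plain comparison is fine, since it is a tree code rather than a tree node.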