[cfe-dev] Static check on memcpy()

Chris Hamilton via cfe-dev cfe-dev at lists.llvm.org
Thu Dec 3 14:34:46 PST 2020


Hi folks,

It’s easy to see how memcpy (and other mem* functions) can cause out-of-bounds reads/writes, such as in this simplified reproducer for a real case we’ve seen:

#include <string.h>

struct S {
  int x;
  int xx;
  int y[];
};

char dst[100];

int main(void) {
  struct S src = {0};
  src.x = 9999;
  src.xx = 8888;
  memcpy(dst, &src, sizeof(struct S) + 1);
}

Here, the size argument to memcpy is clearly just wrong. But consider that when FAMs are in play (as is hinted at here), designers can get confused and use the wrong size value – probably there are plenty of other circumstances where such coding errors are easy to make, and not easy to spot during review. At present, CFE can’t catch this during compilation (unless I’ve missed something). It can be caught by the static analysis check “alpha.unix.cstring.OutOfBounds” – but that’s rather late, rather costly, and rather noisy (which I’m sure is why it’s an alpha check and not a core check). This seems like something that could be caught and flagged by either a diagnostic or a tidy-check. Is that reasonable? If not, why not?

Regards,

Chris Hamilton

Compiler Developer
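
Added example, not part of the original message and not Clang code: a run-time guard for the copy in the reproducer, for code bases where no compile-time check is available. The helper names s_bytes and s_copy_bytes are hypothetical, and the caller is assumed to track the number of trailing elements itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same layout as the struct in the post: two ints plus a flexible array member. */
struct S { int x; int xx; int y[]; };

/* Bytes occupied by a struct S carrying n trailing elements.
 * Returns 0 if the computation would overflow size_t. */
size_t s_bytes(size_t n) {
  if (n > (SIZE_MAX - sizeof(struct S)) / sizeof(int))
    return 0;
  return sizeof(struct S) + n * sizeof(int);
}

/* Hypothetical helper: copy len bytes of *src (which carries n_elems trailing
 * elements) into out, which has out_cap bytes of room.
 * Returns 0 on success, -1 if the copy would read past src or write past out. */
int s_copy_bytes(void *out, size_t out_cap,
                 const struct S *src, size_t n_elems, size_t len) {
  size_t src_bytes = s_bytes(n_elems);
  if (src_bytes == 0 || len > src_bytes || len > out_cap)
    return -1;
  memcpy(out, src, len);
  return 0;
}

static char dst[100];

/* The call from the post: src has no trailing elements, so it is exactly
 * sizeof(struct S) bytes long and sizeof(struct S) + 1 reads past it. */
int reproducer_size_rejected(void) {
  struct S src = {0};
  src.x = 9999;
  src.xx = 8888;
  return s_copy_bytes(dst, sizeof dst, &src, 0, sizeof(struct S) + 1) == -1;
}

/* The same copy with the size derived from the element count is accepted. */
int correct_size_accepted(void) {
  struct S src = {0};
  src.x = 9999;
  if (s_copy_bytes(dst, sizeof dst, &src, 0, s_bytes(0)) != 0) return 0;
  int x;
  memcpy(&x, dst, sizeof x);
  return x == 9999;
}

int main(void) { return !(reproducer_size_rejected() && correct_size_accepted()); }
```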
