analyzer: avoid taint for (TAINTED % NON_TAINTED)
authorDavid Malcolm <dmalcolm@redhat.com>
Fri, 8 Dec 2023 20:59:48 +0000 (15:59 -0500)
committerDavid Malcolm <dmalcolm@redhat.com>
Fri, 8 Dec 2023 20:59:48 +0000 (15:59 -0500)
gcc/analyzer/ChangeLog:
* sm-taint.cc (taint_state_machine::alt_get_inherited_state): Fix
handling of TRUNC_MOD_EXPR.

gcc/testsuite/ChangeLog:
* c-c++-common/analyzer/taint-modulus-1.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
gcc/analyzer/sm-taint.cc
gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c [new file with mode: 0644]

index 6b5d51c62af92f5d97f8a034e29ee12701847e0e..597e8e55609abddbf22492cb8ea50de20f86b9fc 100644 (file)
@@ -891,7 +891,6 @@ taint_state_machine::alt_get_inherited_state (const sm_state_map &map,
          case MULT_EXPR:
          case POINTER_PLUS_EXPR:
          case TRUNC_DIV_EXPR:
-         case TRUNC_MOD_EXPR:
            {
              state_t arg0_state = map.get_state (arg0, ext_state);
              state_t arg1_state = map.get_state (arg1, ext_state);
@@ -899,6 +898,14 @@ taint_state_machine::alt_get_inherited_state (const sm_state_map &map,
            }
            break;
 
+         case TRUNC_MOD_EXPR:
+           {
+             /* The left-hand side of X % Y can be sanitized by
+                the operation.  */
+             return map.get_state (arg1, ext_state);
+           }
+           break;
+
          case BIT_AND_EXPR:
          case RSHIFT_EXPR:
            return NULL;
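Review bot: The new `TRUNC_MOD_EXPR` case treats the left operand of `X % Y` as fully sanitized, but C's truncating remainder keeps the sign of `X`, so for signed operands the result lies in `(-|Y|, |Y|)` and a negative attacker-controlled `X` still yields a negative result. Returning only `map.get_state (arg1, ext_state)` therefore drops taint from a value whose lower bound is still attacker-controlled; the accompanying test in taint-modulus-1.c takes `int val`, so `buf[val % SIZE]` can index before `buf` without a warning. Consider limiting the shortcut to an unsigned (or known non-negative) left operand, or, if the state machine can represent "upper bound checked, lower bound not", returning that for a tainted signed `arg0`. At minimum the comment should state the limit, e.g. `/* X % Y bounds the magnitude of X; for signed X the result can still be negative.  */`. The `break;` after the braced `return` is unreachable, and the function body starts and ends outside this hunk.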
diff --git a/gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c b/gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c
new file mode 100644 (file)
index 0000000..ed286fa
--- /dev/null
@@ -0,0 +1,8 @@
+#define SIZE 16
+char buf[SIZE];
+
+__attribute__ ((tainted_args))
+char test_sanitized_by_modulus (int val)
+{
+  return buf[val % SIZE]; /* { dg-bogus "use of attacker-controlled value" } */
+}
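Review bot: The only case covered is a tainted left operand with a constant divisor, so nothing here exercises the other half of the change, where the result takes the state of the right operand. A companion function with the attacker-controlled value on the right, e.g. `return buf[idx % val];`, carrying a `dg-warning "use of attacker-controlled value"` directive would pin that a tainted divisor is still expected to be reported. Declaring the parameter as `unsigned val` in `test_sanitized_by_modulus` would also restrict the `dg-bogus` case to an index that is actually within `buf`.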