From: David Malcolm <dmalcolm@redhat.com>
Date: Fri, 8 Dec 2023 20:59:48 +0000 (-0500)
Subject: analyzer: avoid taint for (TAINTED % NON_TAINTED)
X-Git-Tag: basepoints/gcc-15~3790
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bef72539e585d13941987369cf34726a7ac5b2e;p=thirdparty%2Fgcc.git

analyzer: avoid taint for (TAINTED % NON_TAINTED)

gcc/analyzer/ChangeLog:
	* sm-taint.cc (taint_state_machine::alt_get_inherited_state): Fix
	handling of TRUNC_MOD_EXPR.

gcc/testsuite/ChangeLog:
	* c-c++-common/analyzer/taint-modulus-1.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---

diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc
index 6b5d51c62af9..597e8e55609a 100644
--- a/gcc/analyzer/sm-taint.cc
+++ b/gcc/analyzer/sm-taint.cc
@@ -891,7 +891,6 @@ taint_state_machine::alt_get_inherited_state (const sm_state_map &map,
 	  case MULT_EXPR:
 	  case POINTER_PLUS_EXPR:
 	  case TRUNC_DIV_EXPR:
-	  case TRUNC_MOD_EXPR:
 	    {
 	      state_t arg0_state = map.get_state (arg0, ext_state);
 	      state_t arg1_state = map.get_state (arg1, ext_state);
@@ -899,6 +898,14 @@ taint_state_machine::alt_get_inherited_state (const sm_state_map &map,
 	    }
 	    break;
 
+	  case TRUNC_MOD_EXPR:
+	    {
+	      /* The left-hand side of X % Y can be sanitized by
+		 the operation.  */
+	      return map.get_state (arg1, ext_state);
+	    }
+	    break;
+
 	  case BIT_AND_EXPR:
 	  case RSHIFT_EXPR:
 	    return NULL;
diff --git a/gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c b/gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c
new file mode 100644
index 000000000000..ed286fa341cd
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/analyzer/taint-modulus-1.c
@@ -0,0 +1,8 @@
+#define SIZE 16
+char buf[SIZE];
+
+__attribute__ ((tainted_args))
+char test_sanitized_by_modulus (int val)
+{
+  return buf[val % SIZE]; /* { dg-bogus "use of attacker-controlled value" } */
+}