clang-tidy clang-analyzer TaintedAlloc bug

[colin-pm]

I found an issue where TaintedAlloc flags this code

#include <limits.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
  int groups = getgroups(0, NULL);
  if (groups < 0) {
    return -1;
  }
  if (groups > NGROUPS_MAX) {
    return -1;
  }
  malloc(groups * sizeof(gid_t));
  return 0;
}

However, the following code resolves the warning

#include <limits.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
  int groups = getgroups(0, NULL);
  if (groups < 0) {
    return -1;
  }
  if (groups * sizeof(gid_t) > NGROUPS_MAX * sizeof(gid_t)) {
    return -1;
  }
  malloc(groups * sizeof(gid_t));
  return 0;
}

In the second example I essentially have x * c > y * c, which is equivalent to x > y. I'm just implicitly bounds checking groups * sizeof(gid_t) by checking groups, knowing that sizeof(gid_t) is a constant.

[llvmbot]

@llvm/issue-subscribers-clang-tidy

Author: Colin McAllister (colin-pm)

Details

I found an issue where TaintedAlloc flags this code

#include <limits.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
  int groups = getgroups(0, NULL);
  if (groups < 0) {
    return -1;
  }
  if (groups > NGROUPS_MAX) {
    return -1;
  }
  malloc(groups * sizeof(gid_t));
  return 0;
}

However, the following code resolves the warning

#include <limits.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
  int groups = getgroups(0, NULL);
  if (groups < 0) {
    return -1;
  }
  if (groups * sizeof(gid_t) > NGROUPS_MAX * sizeof(gid_t)) {
    return -1;
  }
  malloc(groups * sizeof(gid_t));
  return 0;
}

In the second example I essentially have x * c > y * c, which is equivalent to x > y. I'm just implicitly bounds checking groups * sizeof(gid_t) by checking groups, knowing that sizeof(gid_t) is a constant.

[llvmbot]

@llvm/issue-subscribers-clang-static-analyzer

Author: Colin McAllister (colin-pm)

Details

I found an issue where TaintedAlloc flags this code

#include <limits.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
  int groups = getgroups(0, NULL);
  if (groups < 0) {
    return -1;
  }
  if (groups > NGROUPS_MAX) {
    return -1;
  }
  malloc(groups * sizeof(gid_t));
  return 0;
}

However, the following code resolves the warning

#include <limits.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
  int groups = getgroups(0, NULL);
  if (groups < 0) {
    return -1;
  }
  if (groups * sizeof(gid_t) > NGROUPS_MAX * sizeof(gid_t)) {
    return -1;
  }
  malloc(groups * sizeof(gid_t));
  return 0;
}

In the second example I essentially have x * c > y * c, which is equivalent to x > y. I'm just implicitly bounds checking groups * sizeof(gid_t) by checking groups, knowing that sizeof(gid_t) is a constant.

[flovent]

confirmed: https://godbolt.org/z/odb7r36ad

This checker don't warn when the tainted parameter is less than SIZE_MAX/4.

Seems because analyzer can't get groups * 4 < SIZE_MAX / 4 from 0 <= groups <= NGROUPS_MAX(65536), so it gives a warn in the first function and not in the second function.

sizeof(gid_t) is 4 in my linux environment.