https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108719
Bug ID: 108719
Summary: RFE: allow specifying argument indexes for __attribute__((tainted_args))
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: clopez at suse dot de
Target Milestone: ---

Consider allowing developers to specify which function arguments are tainted, very much like the nonnull attribute, e.g.:

    __attribute__((tainted_args (2, 3)))

When no indexes are specified, all arguments should be considered tainted - this is the behavior currently implemented.

Specifically, there is a common pattern for callbacks where the first argument corresponds to untainted data (often either a structure provided by caller of the callback or some opaque pointer requested by the callee).

A prime example of this is Linux device drivers, where the first parameter is a kernel-provided structure:

    struct file_operations {
        ...
        ssize_t (*read) (struct file *, char *, size_t, loff_t *);
        ssize_t (*write) (struct file *, const char *, size_t, loff_t *);
        ...
    }

Another example would be qemu MMIO callbacks:

    struct MemoryRegionOps {
        uint64_t (*read)(void *opaque, hwaddr addr, unsigned size);
        void (*write)(void *opaque, hwaddr addr, uint64_t data, unsigned size);
        ...
    }
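
Added example (not part of the original report, and not GCC or qemu code): an MMIO-style read callback using the existing index-less attribute, where opaque is treated as tainted along with addr and size, shown unchecked and with the bounds checks the taint checker looks for. The names demo_dev, demo_read_unchecked and demo_read_checked are hypothetical, and uint64_t stands in for qemu's hwaddr; on GCC 13 the taint checker is enabled with -fanalyzer -fanalyzer-checker=taint.

```c
#include <stddef.h>
#include <stdint.h>

/* Apply the attribute only where the compiler knows it (GCC 12 and later). */
#if defined(__has_attribute)
# if __has_attribute(tainted_args)
#  define TAINTED_ARGS __attribute__((tainted_args))
# endif
#endif
#ifndef TAINTED_ARGS
# define TAINTED_ARGS
#endif

#define NUM_REGS 16

/* Hypothetical device state reached through the opaque pointer. */
struct demo_dev {
    uint64_t regs[NUM_REGS];
};

/* Unchecked: the guest-supplied addr is used directly as an array index.
 * This is the kind of use -Wanalyzer-tainted-array-index is meant to flag. */
TAINTED_ARGS
uint64_t demo_read_unchecked(void *opaque, uint64_t addr, unsigned size)
{
    struct demo_dev *dev = opaque;
    (void)size;
    return dev->regs[addr / 8];
}

/* Checked: addr and size are validated before they reach the array. */
TAINTED_ARGS
uint64_t demo_read_checked(void *opaque, uint64_t addr, unsigned size)
{
    struct demo_dev *dev = opaque;
    if (size == 0 || size > 8 || addr % 8 != 0)
        return 0;                       /* reject malformed accesses */
    if (addr / 8 >= NUM_REGS)
        return 0;                       /* reject out-of-range registers */
    uint64_t mask = size == 8 ? UINT64_MAX
                              : (((uint64_t)1 << (size * 8)) - 1);
    return dev->regs[addr / 8] & mask;
}
```

Because the attribute has no index list today, both callbacks mark opaque as attacker-controlled even though the caller provides it, which is the situation the request describes.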