checkedc / checkedc-llvm-project

This repo contains a version of clang that is modified to support Checked C. Checked C is an extension to C that lets programmers write C code with bounds checking and improved type-safety.

Checked-pointer local variable can be initialized with itself (unsound) #1190

Open secure-sw-dev-bot opened 2 years ago

secure-sw-dev-bot commented 2 years ago

This issue was copied from https://github.com/microsoft/checkedc-clang/issues/1194
While testing another issue, I made a typo and initialized a checked-pointer local variable with itself and was surprised to find that that compiles without error. An example:

#pragma CHECKED_SCOPE on

int main(void) {
  {
    // Put an invalid pointer in the memory that will be reused by `p`.
    long x = 1;
  }
  {
    _Ptr<char> p = p;
    (*p)++;  // SIGSEGV
  }
  return 0;
}

With -Wall, I get a compiler warning:

self_init.c:9:20: warning: variable 'p' is uninitialized when used within its own initialization [-Wuninitialized]
    _Ptr<char> p = p;
               ~   ^

Maybe this warning just needs to be made into an error when it occurs in the initializer of a checked-pointer variable?

secure-sw-dev-bot commented 2 years ago

Comment from @mattmccutchen-cci:

> Maybe this warning just needs to be made into an error when it occurs in the initializer of a checked-pointer variable?

Apparently that isn't good enough. The following produces no warning with -Wall:

#pragma CHECKED_SCOPE on

_Ptr<char> foo(_Ptr<_Ptr<char>> pp) {
  return *pp;
}

int main(void) {
  {
    // Put an invalid pointer in the memory that will be reused by `p`.
    long x = 1;
  }
  {
    _Ptr<char> p = foo(&p);
    (*p)++;  // SIGSEGV
  }
  return 0;
}

I guess we should disallow any use of p in its own initializer.