Re: [PATCH] libsepol/cil: silence GCC 12 array-bounds false positive

James Carter <jwcart2@xxxxxxxxx> · Fri, 1 Apr 2022 12:53:09 -0400



On Thu, Mar 31, 2022 at 11:34 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> GCC 12 produces an array-bounds warning:
>
>     In file included from ../include/sepol/policydb/context.h:23,
>                      from ../include/sepol/policydb/policydb.h:62,
>                      from ../cil/src/cil_binary.c:41:
>     In function ‘mls_level_init’,
>         inlined from ‘mls_level_destroy’ at ../include/sepol/policydb/mls_types.h:99:2,
>         inlined from ‘mls_level_destroy’ at ../include/sepol/policydb/mls_types.h:92:20,
>         inlined from ‘mls_range_destroy’ at ../include/sepol/policydb/mls_types.h:149:2,
>         inlined from ‘cil_rangetransition_to_policydb’ at ../cil/src/cil_binary.c:3231:6:
>     ../include/sepol/policydb/mls_types.h:89:9: error: ‘memset’ offset [0, 23] is out of the bounds [0, 0] [-Werror=array-bounds]
>        89 |         memset(level, 0, sizeof(mls_level_t));
>           |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     ../include/sepol/policydb/mls_types.h:89:9: error: ‘memset’ offset [0, 23] is out of the bounds [0, 0] [-Werror=array-bounds]
>     cc1: all warnings being treated as errors
>
> This is a false positive, by inspecting the code and compiling with -O3
> and -flto.
>
> Closes: https://github.com/SELinuxProject/selinux/issues/339
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
>  libsepol/cil/src/cil_binary.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index 53017e2d..d5211f69 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -3222,7 +3222,16 @@ int cil_rangetransition_to_policydb(policydb_t *pdb, const struct cil_db *db, st
>                                         } else {
>                                                 cil_log(CIL_ERR, "Out of memory\n");
>                                         }
> +// TODO: add upper version bound once fixed in upstream GCC
> +#if defined(__GNUC__) && (__GNUC__ >= 12)
> +# pragma GCC diagnostic push
> +# pragma GCC diagnostic ignored "-Warray-bounds"
> +# pragma GCC diagnostic ignored "-Wstringop-overflow"
> +#endif
>                                         mls_range_destroy(newdatum);
> +#if defined(__GNUC__) && (__GNUC__ >= 12)
> +# pragma GCC diagnostic pop
> +#endif
>                                         free(newdatum);
>                                         free(newkey);
>                                         if (rc != SEPOL_OK) {
> --
> 2.35.1
>