Compiling mbedtls with latest GCC (master/HEAD) shows alarming out of bound warnings #4130
Comments
TLS only uses SHA-384, which has 48 bytes of output, but SHA-384 is provided by the SHA-512 module, and SHA-512 produces 64 bytes of output. This sometimes leads static analysis to believe that a 64-byte buffer is required, because it doesn't know that the calling code only wants a SHA-384 and so 48 bytes are enough. There's already a workaround to avoid warnings with released versions of gcc (or clang?) in Please note that we're unlikely to start testing with unreleased compilers, or to spend energy on warnings from unreleased compilers. But if you have a patch that silences this particular build of GCC and seems ok from a readability perspective, please submit it.
Thanks for the prompt answer.
While the question still stands (why not merged into 2.17, 2.18), even on branch 2.16 (where the mentioned PR is merged into), I'm still getting part of the above issues:
which can obviously be silenced by:
though I believe that's not the way to go here, as from your comment 48 bytes really should be enough in this context(?)
Mbed TLS 2.17 and 2.18 are old releases. We only maintain the long-time support releases: 2.7 (until next month), 2.16, and the development branch. #3848 took care of one case. I guess newer builds of gcc find more occurrences of the same root cause. Allocating an extra 16 bytes would silence gcc, but these bytes aren't used, so we'd rather avoid this solution.
GCC 11 has been released and still emits the false positives. Ideas to fix this without changing the prototype of |
A previous fix in d596ca8 worked with beta versions of GCC 11, but not with the final 11.1 release. This time, just disable the warning locally. Fix Mbed-TLS#4130 Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
How about https://github.com/gilles-peskine-arm/mbedtls/tree/ssl-sha384-stringop-overflow-warning? Which could get in through #4493.
Building with the latest gcc (11.1) leads to this error: Mbed-TLS/mbedtls#4130

    /home/neonew/.conan/data/mbedtls/2.23.0/_/_/build/f34868f16603ab1572661da51e4f3294771a98bf/source_subfolder/library/ssl_tls.c: In Funktion »ssl_calc_verify_tls_sha384«:
    /home/neonew/.conan/data/mbedtls/2.23.0/_/_/build/f34868f16603ab1572661da51e4f3294771a98bf/source_subfolder/library/ssl_tls.c:1845:5: Fehler: »mbedtls_sha512_finish_ret« greift auf 64 Byte in einer Region der Größe 48 zu [-Werror=stringop-overflow=]
     1845 |     mbedtls_sha512_finish_ret( &sha512, hash );
          |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    /home/neonew/.conan/data/mbedtls/2.23.0/_/_/build/f34868f16603ab1572661da51e4f3294771a98bf/source_subfolder/library/ssl_tls.c:1845:5: Anmerkung: das verweisende Argument 2 vom Typ »unsigned char *«
    In Datei, eingebunden von /home/neonew/.conan/data/mbedtls/2.23.0/_/_/build/f34868f16603ab1572661da51e4f3294771a98bf/source_subfolder/include/mbedtls/ssl_internal.h:53,
                     von /home/neonew/.conan/data/mbedtls/2.23.0/_/_/build/f34868f16603ab1572661da51e4f3294771a98bf/source_subfolder/library/ssl_tls.c:47:
    /home/neonew/.conan/data/mbedtls/2.23.0/_/_/build/f34868f16603ab1572661da51e4f3294771a98bf/source_subfolder/include/mbedtls/sha512.h:147:5: Anmerkung: in einem Aufruf der Funktion »mbedtls_sha512_finish_ret«
      147 | int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
          |     ^~~~~~~~~~~~~~~~~~~~~~~~~
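The root cause described in the first comment and the local suppression named in the commit message, as an added example (not Mbed TLS code and not written by anyone in this thread). `toy_ctx`, `toy_finish` and `narrow_caller_ok` are hypothetical stand-ins, and the digest bytes are constructed rather than computed by a real hash.

```c
#include <string.h>

#define WIDE_LEN   64  /* digest size of the shared module (SHA-512) */
#define NARROW_LEN 48  /* truncated variant the caller wants (SHA-384) */

/* Hypothetical stand-in for the hash context; state holds a constructed digest. */
typedef struct {
    unsigned char state[WIDE_LEN];
    int is384;
} toy_ctx;

/* GCC 11+ reads the [64] bound as "this call accesses 64 bytes",
 * even though only 48 are written when is384 is set. */
int toy_finish(const toy_ctx *ctx, unsigned char output[WIDE_LEN])
{
    size_t n = ctx->is384 ? NARROW_LEN : WIDE_LEN;
    memcpy(output, ctx->state, n);
    return (int) n;
}

/* Returns 1 if the 48-byte caller got exactly 48 digest bytes. */
int narrow_caller_ok(void)
{
    unsigned char hash[NARROW_LEN];
    toy_ctx ctx = { .is384 = 1 };
    size_t i;
    int written;

    memset(ctx.state, 0xAB, sizeof(ctx.state));  /* constructed digest */
    memset(hash, 0, sizeof(hash));

    /* Silence the false positive for this one call only; the warning
     * stays active for the rest of the translation unit. */
#if defined(__GNUC__) && __GNUC__ >= 11
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wstringop-overflow"
#endif
    written = toy_finish(&ctx, hash);
#if defined(__GNUC__) && __GNUC__ >= 11
#pragma GCC diagnostic pop
#endif

    for (i = 0; i < sizeof(hash); i++)
        if (hash[i] != 0xAB)
            return 0;
    return written == NARROW_LEN;
}

int main(void) { return narrow_caller_ok() ? 0 : 1; }
```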
Description
Bug
OS
linux
mbed TLS build:
Version: tag: mbedtls-2.18.1,
OS version: Debian Linux (buster)
Configuration: please attach config.h file where possible
Compiler: gcc (57d705da)
Compiler configure options: ./configure --build=x86_64-linux-gnu --enable-languages=c,c++ --enable-multiarch
Environment: mbedtls in above version (vanilla) as part of the micropython project (UNIX port)
Compiling with above mentioned GCC version, I'm getting alarming warnings about out of bound accesses:
I know those checks/warnings can be false positives and I've seen that with OpenSSL quite a few times. For mbedtls this is new to me, though. I wasn't able to properly verify this being an actual bug or a false alarm.