gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c

   1 /* "The osf_getsysinfo function in arch/alpha/kernel/osf_sys.c in the
   2    Linux kernel before 2.6.39.4 on the Alpha platform does not properly
   3    restrict the data size for GSI_GET_HWRPB operations, which allows
   4    local users to obtain sensitive information from kernel memory via
   5    a crafted call."
   6
   7    Fixed in 3d0475119d8722798db5e88f26493f6547a4bb5b on linux-2.6.39.y
   8    in linux-stable.  */
   9
  10 #include "analyzer-decls.h"
  11 #include "test-uaccess.h"
  12
  13 /* Adapted from include/linux/linkage.h.  */
  14
  15 #define asmlinkage
  16
  17 /* Adapted from include/linux/syscalls.h.  */
  18
  19 #define __SC_DECL1(t1, a1)      t1 a1
  20 #define __SC_DECL2(t2, a2, ...) t2 a2, __SC_DECL1(__VA_ARGS__)
  21 #define __SC_DECL3(t3, a3, ...) t3 a3, __SC_DECL2(__VA_ARGS__)
  22 #define __SC_DECL4(t4, a4, ...) t4 a4, __SC_DECL3(__VA_ARGS__)
  23 #define __SC_DECL5(t5, a5, ...) t5 a5, __SC_DECL4(__VA_ARGS__)
  24 #define __SC_DECL6(t6, a6, ...) t6 a6, __SC_DECL5(__VA_ARGS__)
  25
  26 #define SYSCALL_DEFINEx(x, sname, ...)                          \
  27         __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
  28
  29 #define SYSCALL_DEFINE(name) asmlinkage long sys_##name
  30 #define __SYSCALL_DEFINEx(x, name, ...)                                 \
  31         asmlinkage __attribute__((tainted_args)) \
  32         long sys##name(__SC_DECL##x(__VA_ARGS__))
  33
  34 #define SYSCALL_DEFINE5(name, ...) SYSCALL_DEFINEx(5, _##name, __VA_ARGS__)
  35
  36 /* Adapted from arch/alpha/include/asm/hwrpb.h.  */
  37
  38 struct hwrpb_struct {
  39         unsigned long phys_addr;        /* check: physical address of the hwrpb */
  40         unsigned long id;               /* check: "HWRPB\0\0\0" */
  41         unsigned long revision;
  42         unsigned long size;             /* size of hwrpb */
  43         /* [...snip...] */
  44 };
  45
  46 extern struct hwrpb_struct *hwrpb;
  47
  48 /* Adapted from arch/alpha/kernel/osf_sys.c.  */
  49
  50 SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
  51                 unsigned long, nbytes, int __user *, start, void __user *, arg)
  52 {
  53         /* [...snip...] */
  54
  55         __analyzer_dump_state ("taint", nbytes);  /* { dg-warning "tainted" } */
  56
  57         /* TODO: should have an event explaining why "nbytes" is treated as
  58            attacker-controlled.  */
  59
  60         /* case GSI_GET_HWRPB: */
  61                 if (nbytes < sizeof(*hwrpb))
  62                         return -1;
  63
  64                 __analyzer_dump_state ("taint", nbytes);  /* { dg-warning "has_lb" } */
  65
  66                 if (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-warning "use of attacker-controlled value 'nbytes' as size without upper-bounds checking" } */
  67                         return -2;
  68
  69                 return 1;
  70
  71         /* [...snip...] */
  72 }
  73
  74 /* With the fix for the sense of the size comparison.  */
  75
  76 SYSCALL_DEFINE5(osf_getsysinfo_fixed, unsigned long, op, void __user *, buffer,
  77                 unsigned long, nbytes, int __user *, start, void __user *, arg)
  78 {
  79         /* [...snip...] */
  80
  81         /* case GSI_GET_HWRPB: */
  82                 if (nbytes > sizeof(*hwrpb))
  83                         return -1;
  84                 if (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-bogus "attacker-controlled" } */
  85                         return -2;
  86
  87                 return 1;
  88
  89         /* [...snip...] */
  90 }