Testsuite: fix analyzer tests on Darwin

[official-gcc.git] / gcc / testsuite / gcc.dg / analyzer / memset-CVE-2017-18549-1.c

/* This is a very simplified version of CVE-2017-18549,
   a use of uninitialized padding values affecting the Linux kernel
   (and thus GPLv2).

   It was fixed by e.g. 342ffc26693b528648bdc9377e51e4f2450b4860 on linux-4.13.y
   in linux-stable.  */

/* { dg-additional-options "-fno-analyzer-suppress-followups" } */

#include "analyzer-decls.h"
#include <string.h>

typedef unsigned int __u32;
typedef unsigned int u32;
typedef unsigned char u8;

/* Adapted from include/uapi/linux/types.h  */

#define __bitwise
typedef __u32 __bitwise __le32;

/* Adapted from drivers/scsi/aacraid/aacraid.h  */

#define         AAC_SENSE_BUFFERSIZE     30

struct aac_srb_reply
{
        __le32          status;
        __le32          srb_status;
        __le32          scsi_status;
        __le32          data_xfer_length;
        __le32          sense_data_size;
        u8              sense_data[AAC_SENSE_BUFFERSIZE];

        /* Manually added to help verify the fix.  */
        u8 padding[2];
};

#define         ST_OK           0
#define SRB_STATUS_SUCCESS                  0x01

extern void check_uninit (u8 v);

/* Adapted from drivers/scsi/aacraid/commctrl.c  */

static int aac_send_raw_srb(/* [...snip...] */)
{
        u32 byte_count = 0;

        /* [...snip...] */

        struct aac_srb_reply reply; /* { dg-message "region created on stack here" } */

        reply.status = ST_OK;

        /* [...snip...] */

        reply.srb_status = SRB_STATUS_SUCCESS;
        reply.scsi_status = 0;
        reply.data_xfer_length = byte_count;
        reply.sense_data_size = 0;
        memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);

        /* [...snip...] */

        __analyzer_eval (reply.status == ST_OK); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.srb_status == SRB_STATUS_SUCCESS); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.scsi_status == 0); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.data_xfer_length == byte_count); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.sense_data_size == 0); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.sense_data[0] == 0); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.sense_data[AAC_SENSE_BUFFERSIZE - 1] == 0); /* { dg-warning "TRUE" } */
        check_uninit (reply.padding[0]); /* { dg-warning "uninitialized value" } */
        check_uninit (reply.padding[1]); /* { dg-warning "uninitialized value" } */
}

static int aac_send_raw_srb_fixed(/* [...snip...] */)
{
        u32 byte_count = 0;

        /* [...snip...] */

        struct aac_srb_reply reply;

        /* This is the fix.  */
        memset(&reply, 0, sizeof(reply));

        reply.status = ST_OK;

        /* [...snip...] */

        reply.srb_status = SRB_STATUS_SUCCESS;
        reply.scsi_status = 0;
        reply.data_xfer_length = byte_count;
        reply.sense_data_size = 0;
        memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);

        /* [...snip...] */

        __analyzer_eval (reply.status == ST_OK); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.srb_status == SRB_STATUS_SUCCESS); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.scsi_status == 0); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.data_xfer_length == byte_count); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.sense_data_size == 0); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.sense_data[0] == 0); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.sense_data[AAC_SENSE_BUFFERSIZE - 1] == 0); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.padding[0] == 0); /* { dg-warning "TRUE" } */
        __analyzer_eval (reply.padding[1] == 0); /* { dg-warning "TRUE" } */
}