gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c

   1 /* "The osf_getsysinfo function in arch/alpha/kernel/osf_sys.c in the
   2    Linux kernel before 2.6.39.4 on the Alpha platform does not properly
   3    restrict the data size for GSI_GET_HWRPB operations, which allows
   4    local users to obtain sensitive information from kernel memory via
   5    a crafted call."
   6
   7    Fixed in 3d0475119d8722798db5e88f26493f6547a4bb5b on linux-2.6.39.y
   8    in linux-stable.  */
   9
  10 // TODO: remove need for this option:
  11 /* { dg-additional-options "-fanalyzer-checker=taint" } */
  12
  13 #include "analyzer-decls.h"
  14 #include "test-uaccess.h"
  15
  16 /* Adapted from include/linux/linkage.h.  */
  17
  18 #define asmlinkage
  19
  20 /* Adapted from include/linux/syscalls.h.  */
  21
  22 #define __SC_DECL1(t1, a1)      t1 a1
  23 #define __SC_DECL2(t2, a2, ...) t2 a2, __SC_DECL1(__VA_ARGS__)
  24 #define __SC_DECL3(t3, a3, ...) t3 a3, __SC_DECL2(__VA_ARGS__)
  25 #define __SC_DECL4(t4, a4, ...) t4 a4, __SC_DECL3(__VA_ARGS__)
  26 #define __SC_DECL5(t5, a5, ...) t5 a5, __SC_DECL4(__VA_ARGS__)
  27 #define __SC_DECL6(t6, a6, ...) t6 a6, __SC_DECL5(__VA_ARGS__)
  28
  29 #define SYSCALL_DEFINEx(x, sname, ...)                          \
  30         __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
  31
  32 #define SYSCALL_DEFINE(name) asmlinkage long sys_##name
  33 #define __SYSCALL_DEFINEx(x, name, ...)                                 \
  34         asmlinkage __attribute__((tainted_args)) \
  35         long sys##name(__SC_DECL##x(__VA_ARGS__))
  36
  37 #define SYSCALL_DEFINE5(name, ...) SYSCALL_DEFINEx(5, _##name, __VA_ARGS__)
  38
  39 /* Adapted from arch/alpha/include/asm/hwrpb.h.  */
  40
  41 struct hwrpb_struct {
  42         unsigned long phys_addr;        /* check: physical address of the hwrpb */
  43         unsigned long id;               /* check: "HWRPB\0\0\0" */
  44         unsigned long revision;
  45         unsigned long size;             /* size of hwrpb */
  46         /* [...snip...] */
  47 };
  48
  49 extern struct hwrpb_struct *hwrpb;
  50
  51 /* Adapted from arch/alpha/kernel/osf_sys.c.  */
  52
  53 SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
  54                 unsigned long, nbytes, int __user *, start, void __user *, arg)
  55 {
  56         /* [...snip...] */
  57
  58         __analyzer_dump_state ("taint", nbytes);  /* { dg-warning "tainted" } */
  59
  60         /* TODO: should have an event explaining why "nbytes" is treated as
  61            attacker-controlled.  */
  62
  63         /* case GSI_GET_HWRPB: */
  64                 if (nbytes < sizeof(*hwrpb))
  65                         return -1;
  66
  67                 __analyzer_dump_state ("taint", nbytes);  /* { dg-warning "has_lb" } */
  68
  69                 if (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-warning "use of attacker-controlled value 'nbytes' as size without upper-bounds checking" } */
  70                         return -2;
  71
  72                 return 1;
  73
  74         /* [...snip...] */
  75 }
  76
  77 /* With the fix for the sense of the size comparison.  */
  78
  79 SYSCALL_DEFINE5(osf_getsysinfo_fixed, unsigned long, op, void __user *, buffer,
  80                 unsigned long, nbytes, int __user *, start, void __user *, arg)
  81 {
  82         /* [...snip...] */
  83
  84         /* case GSI_GET_HWRPB: */
  85                 if (nbytes > sizeof(*hwrpb))
  86                         return -1;
  87                 if (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-bogus "attacker-controlled" } */
  88                         return -2;
  89
  90                 return 1;
  91
  92         /* [...snip...] */
  93 }