1 /* { dg-do compile } */
2 /* { dg-additional-options "-Wno-pedantic" } */
3 /* { dg-require-effective-target analyzer } */
5 /* See notes in this header. */
6 #include "taint-CVE-2011-0521.h"
8 /* Adapted from drivers/media/dvb/ttpci/av7110_ca.c */
/* Handler body for the CA_GET_SLOT_INFO case, called with a caller-supplied
 * buffer.
 *
 * parg is reinterpreted as a ca_slot_info_t.  On the path visible in this
 * file, dvb_usercopy fills parg with copy_from_user before calling this
 * function, so info->num is a value chosen by user space.  It is used below
 * as an index into av7110->ci_slot.
 *
 * The range test on info->num appears before every use of it as an index.
 * The dg-bogus directive on the first indexed store says the analyzer is
 * expected NOT to report "attacker-controlled value" on that line.
 *
 * NOTE(review): this listing appears to have lost lines: no braces, no
 * statement under the range test, no arms for the conditional expression
 * and no return are visible.  Presumably the range test guards an early
 * error return -- confirm against the original test file before relying
 * on the control flow shown here.
 */
10 int dvb_ca_ioctl(struct file
*file
, unsigned int cmd
, void *parg
)
12 struct dvb_device
*dvbdev
= file
->private_data
;
13 struct av7110
*av7110
= dvbdev
->priv
;
/* arg is not referenced in the lines visible here. */
14 unsigned long arg
= (unsigned long) parg
;
16 /* case CA_GET_SLOT_INFO: */
18 ca_slot_info_t
*info
=(ca_slot_info_t
*)parg
;
/* Both bounds are tested.  The "< 0" comparison suggests num is signed
   (presumably an int; verify in the header), in which case a test of the
   upper bound alone would let a negative index through. */
20 if (info
->num
< 0 || info
->num
> 1)
/* First use of the user-chosen index; only values 0 and 1 pass the test
   above. */
22 av7110
->ci_slot
[info
->num
].num
= info
->num
; /* { dg-bogus "attacker-controlled value" } */
23 av7110
->ci_slot
[info
->num
].type
= FW_CI_LL_SUPPORT(av7110
->arm_app
) ?
/* Copies the selected slot entry back into the caller's buffer, using the
   same info->num index that was range-tested above. */
25 memcpy(info
, &av7110
->ci_slot
[info
->num
], sizeof(ca_slot_info_t
));
/* Adapted from drivers/media/dvb/dvb-core/dvbdev.c
   Somewhat simplified: rather than pass in a callback that can
   be dvb_ca_ioctl, call dvb_ca_ioctl directly. */
/* File-local mutex; dvb_usercopy locks it before calling dvb_ca_ioctl and
   unlocks it right after the call returns. */
static DEFINE_MUTEX(dvbdev_mutex);
36 int dvb_usercopy(struct file
*file
,
37 unsigned int cmd
, unsigned long arg
)
44 /* Copy arguments into temp kernel buffer */
45 switch (_IOC_DIR(cmd
)) {
48 * For this command, the pointer is actually an integer
53 case _IOC_READ
: /* some v4l ioctls are marked wrong ... */
55 case (_IOC_WRITE
| _IOC_READ
):
56 if (_IOC_SIZE(cmd
) <= sizeof(sbuf
)) {
59 /* too big to allocate from stack */
60 mbuf
= kmalloc(_IOC_SIZE(cmd
),GFP_KERNEL
);
67 if (copy_from_user(parg
, (void __user
*)arg
, _IOC_SIZE(cmd
)))
73 mutex_lock(&dvbdev_mutex
);
74 if ((err
= dvb_ca_ioctl(file
, cmd
, parg
)) == -ENOIOCTLCMD
)
76 mutex_unlock(&dvbdev_mutex
);
81 /* Copy results into user buffer */
82 switch (_IOC_DIR(cmd
))
85 case (_IOC_WRITE
| _IOC_READ
):
86 if (copy_to_user((void __user
*)arg
, parg
, _IOC_SIZE(cmd
)))