gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-2-fixed.c

   1 /* { dg-do compile } */
   2 /* { dg-additional-options "-Wno-pedantic" } */
   3 /* { dg-require-effective-target analyzer } */
   4
   5 /* See notes in this header.  */
   6 #include "taint-CVE-2011-0521.h"
   7
   8 /* Adapted from drivers/media/dvb/ttpci/av7110_ca.c  */
   9
  10 int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
  11 {
  12         struct dvb_device *dvbdev = file->private_data;
  13         struct av7110 *av7110 = dvbdev->priv;
  14         unsigned long arg = (unsigned long) parg;
  15
  16         /* case CA_GET_SLOT_INFO:  */
  17         {
  18                 ca_slot_info_t *info=(ca_slot_info_t *)parg;
  19
  20                 if (info->num < 0 || info->num > 1)
  21                         return -EINVAL;
  22                 av7110->ci_slot[info->num].num = info->num; /* { dg-bogus "attacker-controlled value" } */
  23                 av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
  24                                                         CA_CI_LINK : CA_CI;
  25                 memcpy(info, &av7110->ci_slot[info->num], sizeof(ca_slot_info_t));
  26         }
  27         return 0;
  28 }
  29
  30 /* Adapted from drivers/media/dvb/dvb-core/dvbdev.c
  31    Somewhat simplified: rather than pass in a callback that can
  32    be dvb_ca_ioctl, call dvb_ca_ioctl directly.  */
  33
  34 static DEFINE_MUTEX(dvbdev_mutex);
  35
  36 int dvb_usercopy(struct file *file,
  37                  unsigned int cmd, unsigned long arg)
  38 {
  39         char    sbuf[128];
  40         void    *mbuf = NULL;
  41         void    *parg = NULL;
  42         int     err  = -1;
  43
  44         /*  Copy arguments into temp kernel buffer  */
  45         switch (_IOC_DIR(cmd)) {
  46         case _IOC_NONE:
  47                 /*
  48                  * For this command, the pointer is actually an integer
  49                  * argument.
  50                  */
  51                 parg = (void *) arg;
  52                 break;
  53         case _IOC_READ: /* some v4l ioctls are marked wrong ... */
  54         case _IOC_WRITE:
  55         case (_IOC_WRITE | _IOC_READ):
  56                 if (_IOC_SIZE(cmd) <= sizeof(sbuf)) {
  57                         parg = sbuf;
  58                 } else {
  59                         /* too big to allocate from stack */
  60                         mbuf = kmalloc(_IOC_SIZE(cmd),GFP_KERNEL);
  61                         if (NULL == mbuf)
  62                                 return -ENOMEM;
  63                         parg = mbuf;
  64                 }
  65
  66                 err = -EFAULT;
  67                 if (copy_from_user(parg, (void __user *)arg, _IOC_SIZE(cmd)))
  68                         goto out;
  69                 break;
  70         }
  71
  72         /* call driver */
  73         mutex_lock(&dvbdev_mutex);
  74         if ((err = dvb_ca_ioctl(file, cmd, parg)) == -ENOIOCTLCMD)
  75                 err = -EINVAL;
  76         mutex_unlock(&dvbdev_mutex);
  77
  78         if (err < 0)
  79                 goto out;
  80
  81         /*  Copy results into user buffer  */
  82         switch (_IOC_DIR(cmd))
  83         {
  84         case _IOC_READ:
  85         case (_IOC_WRITE | _IOC_READ):
  86                 if (copy_to_user((void __user *)arg, parg, _IOC_SIZE(cmd)))
  87                         err = -EFAULT;
  88                 break;
  89         }
  90
  91 out:
  92         kfree(mbuf);
  93         return err;
  94 }