1 /* { dg-do compile } */
2 // TODO: remove need for --param=analyzer-max-svalue-depth=25 here:
3 /* { dg-options "-fanalyzer --param=analyzer-max-svalue-depth=25" } */
4 /* { dg-additional-options "-Wno-pedantic" } */
5 /* { dg-require-effective-target analyzer } */
7 /* On darwin, system headers are fortified, which defeats the analysis. Turn it off. */
8 /* { dg-additional-options "-D_FORTIFY_SOURCE=0" { target *-*-darwin* } } */
10 /* See notes in this header. */
11 #include "taint-CVE-2011-0521.h"
13 /* Adapted from dvb_ca_ioctl in drivers/media/dvb/ttpci/av7110_ca.c and
14 dvb_usercopy in drivers/media/dvb/dvb-core/dvbdev.c.
16 Further simplified from the -4 variant of this test: avoids parg and the cast to char[128]. */
/* Reduced reproducer for the CVE-2011-0521 pattern, used to check the
   analyzer's taint tracking.  A slot-info struct (sbuf) is filled from a
   user-space pointer with copy_from_user(), and its `num` field is then
   used as an index into av7110->ci_slot[].  Each array lookup below
   carries the diagnostic the analyzer is expected to emit.

   NOTE(review): this listing omits some source lines (the gutter numbers
   skip), including the declaration of sbuf, the function's braces, the
   early returns and the second half of the conditional expression on
   line 40.  Read the comments below with that in mind.  */
18 int test_1(struct file
*file
, unsigned int cmd
, unsigned long arg
)
/* Taint source: sbuf is populated from the caller-supplied address `arg`.
   A non-zero result is treated as failure; the statement that handles it
   is not shown in this listing.  */
22 if (copy_from_user(&sbuf
, (void __user
*)arg
, sizeof(sbuf
)) != 0)
26 struct dvb_device
*dvbdev
= file
->private_data
;
27 struct av7110
*av7110
= dvbdev
->priv
;
29 /* case CA_GET_SLOT_INFO: */
/* info aliases sbuf, so every info->field read below is a read of data
   that came from copy_from_user().  */
30 ca_slot_info_t
*info
= &sbuf
;
/* First state probe: info->num is expected to be in the "tainted" state
   at this point.  */
32 __analyzer_dump_state ("taint", info
->num
); /* { dg-warning "tainted" } */
/* Second state probe: the expected state is now "has_ub", i.e. tainted
   with only an upper bound established.
   NOTE(review): the check that produces this transition is on lines not
   shown here (gutter jumps 32 -> 37); presumably an upper-bound-only
   comparison on info->num -- confirm against the full file.  */
37 __analyzer_dump_state ("taint", info
->num
); /* { dg-warning "has_ub" } */
/* Sinks: info->num indexes ci_slot[] in both assignments.  The expected
   diagnostic is the "without checking for negative" form, i.e. the index
   still lacks a lower bound.  Code that takes an index from user space
   needs both bounds validated (or an unsigned comparison) before the
   lookup.  */
39 av7110
->ci_slot
[info
->num
].num
= info
->num
; /* { dg-warning "use of attacker-controlled value '\\*info\\.num' in array lookup without checking for negative" } */
40 av7110
->ci_slot
[info
->num
].type
= FW_CI_LL_SUPPORT(av7110
->arm_app
) ? /* { dg-warning "use of attacker-controlled value '\\*info\\.num' in array lookup without checking for negative" } */
/* Third sink: the same index selects the slot copied back into *info.
   Here the expected message is the "without bounds checking" form.  */
42 memcpy(info
, &av7110
->ci_slot
[info
->num
], sizeof(ca_slot_info_t
)); /* { dg-warning "use of attacker-controlled value in array lookup without bounds checking" } */
/* sbuf is written back to the user-space address.  No diagnostic is
   expected on this line, and the result of copy_to_user() is not
   checked.  */
45 copy_to_user((void __user
*)arg
, &sbuf
, sizeof(sbuf
));