gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521-6.c

   1 /* { dg-do compile } */
   2 // TODO: remove need for --param=analyzer-max-svalue-depth=25 here:
   3 /* { dg-options "-fanalyzer --param=analyzer-max-svalue-depth=25" } */
   4 /* { dg-additional-options "-Wno-pedantic" } */
   5 /* { dg-require-effective-target analyzer } */
   6
   7 /* On darwin, system headers are fortified, which defeats the analysis.  Turn it off.  */
   8 /* { dg-additional-options "-D_FORTIFY_SOURCE=0" { target *-*-darwin* } } */
   9
  10 /* See notes in this header.  */
  11 #include "taint-CVE-2011-0521.h"
  12
  13 /* Adapted from dvb_ca_ioctl in drivers/media/dvb/ttpci/av7110_ca.c and
  14    dvb_usercopy in drivers/media/dvb/dvb-core/dvbdev.c
  15
  16    Further simplified from -5; remove all control flow.  */
  17
  18 int test_1(struct file *file, unsigned int cmd, unsigned long arg)
  19 {
  20         ca_slot_info_t sbuf;
  21
  22         if (copy_from_user(&sbuf, (void __user *)arg, sizeof(sbuf)) != 0)
  23                 return -1;
  24
  25         {
  26                 struct dvb_device *dvbdev = file->private_data;
  27                 struct av7110 *av7110 = dvbdev->priv;
  28
  29                 /* case CA_GET_SLOT_INFO:  */
  30                 ca_slot_info_t *info= &sbuf;
  31
  32                 __analyzer_dump_state ("taint", info->num); /* { dg-warning "tainted" } */
  33
  34                 //__analyzer_break ();
  35
  36                 av7110->ci_slot[info->num].num = info->num; /* { dg-warning "use of attacker-controlled value '\\*info\\.num' in array lookup without bounds checking" } */
  37                 av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?  /* { dg-warning "use of attacker-controlled value '\\*info\\.num' in array lookup without bounds checking" } */
  38                                                         CA_CI_LINK : CA_CI;
  39                 memcpy(info, &av7110->ci_slot[info->num], sizeof(ca_slot_info_t));  /* { dg-warning "use of attacker-controlled value in array lookup without bounds checking" } */
  40         }
  41
  42         copy_to_user((void __user *)arg, &sbuf, sizeof(sbuf));
  43
  44         return 0;
  45 }