gcc/testsuite/gcc.dg/plugin/taint-CVE-2011-0521.h

   1 /* Shared header for the various taint-CVE-2011-0521-*.c tests.
   2    These are a series of successively simpler reductions of the reproducer.
   3    Ideally the analyzer would detect the issue in all of the testcases,
   4    but currently requires some simplification of the code to do so.
   5
   6    "The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the
   7    Linux kernel before 2.6.38-rc2 does not check the sign of a certain integer
   8    field, which allows local users to cause a denial of service (memory
   9    corruption) or possibly have unspecified other impact via a negative value."
  10
  11    Adapted from Linux 2.6.38, which is under the GPLv2.
  12
  13    Fixed in e.g. cb26a24ee9706473f31d34cc259f4dcf45cd0644 on linux-2.6.38.y  */
  14
  15 #include <string.h>
  16 #include "test-uaccess.h"
  17 #include "../analyzer/analyzer-decls.h"
  18
  19 typedef unsigned int u32;
  20
  21 /* Adapted from include/linux/compiler.h  */
  22
  23 #define __force
  24
  25 /* Adapted from include/asm-generic/errno-base.h  */
  26
  27 #define ENOMEM          12      /* Out of memory */
  28 #define EFAULT          14      /* Bad address */
  29 #define ENODEV          19      /* No such device */
  30 #define EINVAL          22      /* Invalid argument */
  31
  32 /* Adapted from include/linux/errno.h  */
  33
  34 #define ENOIOCTLCMD     515     /* No ioctl command */
  35
  36 /* Adapted from include/linux/fs.h  */
  37
  38 struct file {
  39         /* [...snip...] */
  40         void                    *private_data;
  41         /* [...snip...] */
  42 };
  43
  44 /* Adapted from drivers/media/dvb/dvb-core/dvbdev.h  */
  45
  46 struct dvb_device {
  47         /* [...snip...] */
  48         int (*kernel_ioctl)(struct file *file, unsigned int cmd, void *arg);
  49
  50         void *priv;
  51 };
  52
  53
  54 /* Adapted from include/linux/dvb/ca.h  */
  55
  56 typedef struct ca_slot_info {
  57         int num;               /* slot number */
  58
  59         int type;              /* CA interface this slot supports */
  60 #define CA_CI            1     /* CI high level interface */
  61 #define CA_CI_LINK       2     /* CI link layer level interface */
  62         /* [...snip...] */
  63 } ca_slot_info_t;
  64
  65
  66 /* Adapted from drivers/media/dvb/ttpci/av7110.h  */
  67
  68 struct av7110 {
  69         /* [...snip...] */
  70         ca_slot_info_t          ci_slot[2];
  71         /* [...snip...] */
  72         u32                 arm_app;
  73         /* [...snip...] */
  74 };
  75
  76 /* Adapted from drivers/media/dvb/ttpci/av7110_hw.h  */
  77
  78 #define FW_CI_LL_SUPPORT(arm_app) ((arm_app) & 0x80000000)
  79
  80 /* Adapted from include/asm-generic/ioctl.h  */
  81
  82 #define _IOC_NRBITS     8
  83 #define _IOC_TYPEBITS   8
  84
  85 #define _IOC_SIZEBITS   14
  86 #define _IOC_DIRBITS    2
  87
  88 #define _IOC_SIZEMASK   ((1 << _IOC_SIZEBITS)-1)
  89 #define _IOC_DIRMASK    ((1 << _IOC_DIRBITS)-1)
  90 #define _IOC_NRSHIFT    0
  91 #define _IOC_TYPESHIFT  (_IOC_NRSHIFT+_IOC_NRBITS)
  92 #define _IOC_SIZESHIFT  (_IOC_TYPESHIFT+_IOC_TYPEBITS)
  93 #define _IOC_DIRSHIFT   (_IOC_SIZESHIFT+_IOC_SIZEBITS)
  94
  95 #define _IOC_NONE       0U
  96 #define _IOC_WRITE      1U
  97 #define _IOC_READ       2U
  98
  99 #define _IOC_DIR(nr)            (((nr) >> _IOC_DIRSHIFT) & _IOC_DIRMASK)
 100 #define _IOC_SIZE(nr)           (((nr) >> _IOC_SIZESHIFT) & _IOC_SIZEMASK)
 101
 102 /* Adapted from include/linux/mutex.h  */
 103
 104 struct mutex {
 105         /* [...snip...] */
 106 };
 107
 108 #define __MUTEX_INITIALIZER(lockname) \
 109                 { /* [...snip...] */ }
 110
 111 #define DEFINE_MUTEX(mutexname) \
 112         struct mutex mutexname = __MUTEX_INITIALIZER(mutexname)
 113
 114 extern void mutex_lock(struct mutex *lock);
 115 extern void mutex_unlock(struct mutex *lock);
 116
 117 /* Adapted from include/linux/types.h  */
 118
 119 #define __bitwise__
 120 typedef unsigned __bitwise__ gfp_t;
 121
 122 /* Adapted from include/linux/gfp.h  */
 123
 124 #define ___GFP_WAIT             0x10u
 125 #define ___GFP_IO               0x40u
 126 #define ___GFP_FS               0x80u
 127 #define __GFP_WAIT      ((__force gfp_t)___GFP_WAIT)
 128 #define __GFP_IO        ((__force gfp_t)___GFP_IO)
 129 #define __GFP_FS        ((__force gfp_t)___GFP_FS)
 130 #define GFP_KERNEL  (__GFP_WAIT | __GFP_IO | __GFP_FS)
 131
 132 /* Adapted from include/linux/slab.h  */
 133
 134 void kfree(const void *);
 135 void *kmalloc(size_t size, gfp_t flags)
 136   __attribute__((malloc (kfree)));