gcc/testsuite/gcc.dg/plugin/taint-pr112850-precise.c

   1 /* Reduced from false positive in Linux kernel in sound/core/rawmidi.c.
   2
   3    Use a value of --param=analyzer-max-svalue-depth= high enough to avoid
   4    UNKNOWN svalues; make sure we don't get false positives with this case.  */
   5
   6 /* { dg-do compile } */
   7 /* { dg-options "-fanalyzer -O2 -Wanalyzer-symbol-too-complex --param=analyzer-max-svalue-depth=13" } */
   8 /* { dg-require-effective-target analyzer } */
   9
  10 typedef unsigned long __kernel_ulong_t;
  11 typedef __kernel_ulong_t __kernel_size_t;
  12 typedef __kernel_size_t size_t;
  13 typedef unsigned int gfp_t;
  14
  15 extern unsigned long copy_from_user(void* to, const void* from, unsigned long n);
  16
  17 extern
  18 __attribute__((__alloc_size__(1)))
  19 __attribute__((__malloc__)) void*
  20 kvzalloc(size_t size, gfp_t flags);
  21
  22 struct snd_rawmidi_params
  23 {
  24   int stream;
  25   size_t buffer_size;
  26 };
  27
  28 char *newbuf;
  29
  30 static int
  31 resize_runtime_buffer(struct snd_rawmidi_params* params)
  32 {
  33   if (params->buffer_size < 32 || params->buffer_size > 1024L * 1024L) /* { dg-bogus "symbol too complicated" } */
  34     return -22;
  35   newbuf = kvzalloc(params->buffer_size, /* { dg-bogus "use of attacker-controlled value '\\*params.buffer_size' as allocation size without upper-bounds checking" "PR analyzer/112850" } */
  36                     (((gfp_t)(0x400u | 0x800u)) | ((gfp_t)0x40u) | ((gfp_t)0x80u)));
  37   if (!newbuf)
  38     return -12;
  39   return 0;
  40 }
  41
  42 long
  43 snd_rawmidi_ioctl(unsigned long arg)
  44 {
  45   void* argp = (void*)arg;
  46   struct snd_rawmidi_params params;
  47   if (copy_from_user(&params, argp, sizeof(struct snd_rawmidi_params)))
  48     return -14;
  49   return resize_runtime_buffer(&params);
  50 }