[official-gcc.git] / gcc / testsuite / gcc.dg / plugin / taint-pr112850-too-complex.c
/* Reduced from false positive in Linux kernel in sound/core/rawmidi.c.

   With --param=analyzer-max-svalue-depth=12, the value being compared
   at the sanitization is too complex and becomes UNKNOWN; make sure
   this doesn't lead to a false positive.  */
/* { dg-do compile } */
/* { dg-options "-fanalyzer -O2 -Wanalyzer-symbol-too-complex --param=analyzer-max-svalue-depth=12" } */
/* { dg-require-effective-target analyzer } */
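/* Stand-ins for the kernel typedefs the reduced code uses, so that the
   test needs no kernel headers.  The listing's fused gutter numbers are
   dropped here; the declarations themselves are unchanged.  */
typedef unsigned long __kernel_ulong_t;
typedef __kernel_ulong_t __kernel_size_t;
typedef __kernel_size_t size_t;
typedef unsigned int gfp_t;

/* Declared but never defined in this file: the test is compile-only
   (dg-do compile), so only the prototype is needed.  Copies N bytes
   from FROM to TO; the caller in this file treats a nonzero return as
   failure.  */
extern unsigned long copy_from_user(void* to, const void* from, unsigned long n);

/* Allocator declaration.  alloc_size(1) marks SIZE as the allocation
   size, which makes the first argument the value an allocation-size
   diagnostic would be reported against.  */
extern
__attribute__((__alloc_size__(1)))
__attribute__((__malloc__)) void*
kvzalloc(size_t size, gfp_t flags);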
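/* Parameter block that snd_rawmidi_ioctl fills from caller-supplied
   memory.  The braces lost from the listing are restored; the fields
   are unchanged.  */
struct snd_rawmidi_params
{
  int stream;
  /* Requested size; range-checked in resize_runtime_buffer before it is
     used as an allocation size.  */
  size_t buffer_size;
};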
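/* Receives the result of the kvzalloc call in resize_runtime_buffer.  */
char *newbuf;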
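/* Range-check PARAMS->buffer_size and, if it is acceptable, allocate a
   buffer of that size into the global newbuf.

   Returns -22 when buffer_size is below 32 or above 1024 * 1024, -12
   when kvzalloc returns a null pointer, and 0 otherwise (22 and 12 are
   EINVAL and ENOMEM in Linux errno numbering).

   The range check is the sanitization the file header refers to: its
   upper bound is what makes the size safe to pass to the allocator.
   The test expects the analyzer to give up on the compared value
   (dg-warning) and still not report the allocation (dg-bogus).

   DejaGnu directives apply to the line they sit on, so each one must
   stay on the same line as the code it annotates.  The braces and
   layout lost from the listing are restored; no statement is changed,
   since the test depends on the exact expression shape.  */
static int
resize_runtime_buffer(struct snd_rawmidi_params* params)
{
  /* Lower and upper bound are both checked before the size is used.  */
  if (params->buffer_size < 32 || params->buffer_size > 1024L * 1024L) /* { dg-warning "symbol too complicated" } */
    return -22;
  /* The flag argument is a mask of literal constants, presumably
     preprocessed GFP_* flags from the kernel original.  */
  newbuf = kvzalloc(params->buffer_size, /* { dg-bogus "use of attacker-controlled value '\\*params.buffer_size' as allocation size without upper-bounds checking" "PR analyzer/112850" } */
		    (((gfp_t)(0x400u | 0x800u)) | ((gfp_t)0x40u) | ((gfp_t)0x80u)));
  if (!newbuf)
    return -12;
  return 0;
}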
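/* Entry point of the reduced test: treat ARG as a pointer, copy a
   struct snd_rawmidi_params from it with copy_from_user, and hand the
   copy to resize_runtime_buffer.

   Returns -14 when copy_from_user returns nonzero (14 is EFAULT in
   Linux errno numbering), otherwise the result of
   resize_runtime_buffer.

   Every field of params, including buffer_size, comes from the memory
   ARG points at, so the callee has to validate it before use.
   Presumably this copy is where the analyzer's taint tracking starts;
   the mechanism is not visible in this file.  The braces lost from the
   listing are restored; no statement is changed.  */
long
snd_rawmidi_ioctl(unsigned long arg)
{
  void* argp = (void*)arg;
  struct snd_rawmidi_params params;
  if (copy_from_user(&params, argp, sizeof(struct snd_rawmidi_params)))
    return -14;
  return resize_runtime_buffer(&params);
}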