gcc/testsuite/gcc.dg/plugin/taint-pr112850.c

   1 /* Reduced from false positive in Linux kernel in sound/core/rawmidi.c.  */
   2
   3 /* { dg-do compile } */
   4 /* { dg-options "-fanalyzer -O2 -Wanalyzer-symbol-too-complex" } */
   5 /* { dg-require-effective-target analyzer } */
   6
   7 typedef unsigned long __kernel_ulong_t;
   8 typedef __kernel_ulong_t __kernel_size_t;
   9 typedef __kernel_size_t size_t;
  10 typedef unsigned int gfp_t;
  11
  12 extern unsigned long copy_from_user(void* to, const void* from, unsigned long n);
  13
  14 extern
  15 __attribute__((__alloc_size__(1)))
  16 __attribute__((__malloc__)) void*
  17 kvzalloc(size_t size, gfp_t flags);
  18
  19 struct snd_rawmidi_params
  20 {
  21   int stream;
  22   size_t buffer_size;
  23 };
  24
  25 char *newbuf;
  26
  27 static int
  28 resize_runtime_buffer(struct snd_rawmidi_params* params)
  29 {
  30   if (params->buffer_size < 32 || params->buffer_size > 1024L * 1024L) /* { dg-bogus "symbol too complicated" } */
  31     return -22;
  32   newbuf = kvzalloc(params->buffer_size, /* { dg-bogus "use of attacker-controlled value '\\*params.buffer_size' as allocation size without upper-bounds checking" "PR analyzer/112850" } */
  33                     (((gfp_t)(0x400u | 0x800u)) | ((gfp_t)0x40u) | ((gfp_t)0x80u)));
  34   if (!newbuf)
  35     return -12;
  36   return 0;
  37 }
  38
  39 long
  40 snd_rawmidi_ioctl(unsigned long arg)
  41 {
  42   void* argp = (void*)arg;
  43   struct snd_rawmidi_params params;
  44   if (copy_from_user(&params, argp, sizeof(struct snd_rawmidi_params)))
  45     return -14;
  46   return resize_runtime_buffer(&params);
  47 }