gcc/testsuite/gcc.dg/plugin/taint-pr112927.c

   1 /* Reduced from false positive in Linux kernel
   2    in drivers/char/ipmi/ipmi_devintf.c.  */
   3
   4 /* { dg-do compile } */
   5 /* { dg-options "-fanalyzer -O2 -Wno-attributes" } */
   6 /* { dg-require-effective-target analyzer } */
   7
   8 typedef __SIZE_TYPE__ size_t;
   9 extern void
  10 __check_object_size(const void* ptr, unsigned long n);
  11
  12 extern unsigned long
  13 copy_from_user(void*, const void*, unsigned long);
  14
  15 __attribute__((__always_inline__)) unsigned long
  16 call_copy_from_user(void* to, const void* from, unsigned long n)
  17 {
  18   __check_object_size(to, n);
  19   n = copy_from_user(to, from, n); /* { dg-bogus "use of attacker-controlled value as size without upper-bounds checking" } */
  20   return n;
  21 }
  22 struct ipmi_msg
  23 {
  24   unsigned short data_len;
  25   unsigned char* data;
  26 };
  27
  28 static int
  29 handle_send_req(struct ipmi_msg* msg)
  30 {
  31   char buf[273];
  32   if (msg->data_len > 272) {
  33     return -90;
  34   }
  35   if (call_copy_from_user(buf, msg->data, msg->data_len)) {
  36     return -14;
  37   }
  38   return 0;
  39 }
  40 long
  41 ipmi_ioctl(void* arg)
  42 {
  43   struct ipmi_msg msg;
  44   if (call_copy_from_user(&msg, arg, sizeof(msg))) {
  45     return -14;
  46   }
  47
  48   return handle_send_req(&msg);
  49 }