gcc/testsuite/gcc.dg/plugin/taint-pr112975.c

   1 /* Reduced from false positive in Linux kernel in
   2    drivers/xen/privcmd.c.  */
   3
   4 /* { dg-do compile } */
   5 /* { dg-options "-fanalyzer" } */
   6 /* { dg-require-effective-target analyzer } */
   7
   8 typedef __SIZE_TYPE__ size_t;
   9 typedef unsigned short __u16;
  10 typedef unsigned int gfp_t;
  11 void
  12 kfree(const void* objp);
  13
  14 extern void *
  15 __attribute__((__alloc_size__(1, 2)))
  16 __attribute__((__malloc__))
  17 kcalloc(size_t n, size_t size, gfp_t flags);
  18
  19 extern unsigned long
  20 copy_from_user(void*, const void*, unsigned long);
  21
  22 typedef __u16 domid_t;
  23 struct privcmd_dm_op_buf
  24 {
  25   void* uptr;
  26   size_t size;
  27 };
  28 struct privcmd_dm_op
  29 {
  30   domid_t dom;
  31   __u16 num;
  32 };
  33 static unsigned int privcmd_dm_op_max_num = 16;
  34 long
  35 privcmd_ioctl_dm_op(void* udata)
  36 {
  37   struct privcmd_dm_op kdata;
  38   struct privcmd_dm_op_buf* kbufs;
  39   if (copy_from_user(&kdata, udata, sizeof(kdata)))
  40     return -14;
  41   if (kdata.num == 0)
  42     return 0;
  43   if (kdata.num > privcmd_dm_op_max_num)
  44     return -7;
  45   kbufs =
  46     kcalloc(kdata.num,  /* { dg-bogus "attacker-controlled value" }  */
  47             sizeof(*kbufs),
  48             (((gfp_t)(0x400u | 0x800u)) | ((gfp_t)0x40u) | ((gfp_t)0x80u)));
  49   if (!kbufs)
  50     return -12;
  51   kfree(kbufs);
  52   return 0;
  53 }