gcc/testsuite/gcc.dg/plugin/taint-pr112977.c

   1 /* Reduced from false positive in Linux kernel in
   2    drivers/scsi/aacraid/aachba.c.  */
   3
   4 /* { dg-do compile } */
   5 /* { dg-options "-fanalyzer" } */
   6 /* { dg-require-effective-target analyzer } */
   7
   8 typedef unsigned char u8;
   9 typedef unsigned int u32;
  10
  11 extern unsigned long
  12 copy_from_user(void* to, const void* from, unsigned long n);
  13
  14 struct fsa_dev_info
  15 {
  16   u8 valid;
  17   u8 deleted;
  18 };
  19 struct aac_dev
  20 {
  21   int maximum_num_containers;
  22   struct fsa_dev_info* fsa_dev;
  23 };
  24 struct aac_delete_disk
  25 {
  26   u32 disknum;
  27   u32 cnum;
  28 };
  29 int
  30 force_delete_disk(struct aac_dev* dev, void* arg)
  31 {
  32   struct aac_delete_disk dd;
  33   struct fsa_dev_info* fsa_dev_ptr;
  34   fsa_dev_ptr = dev->fsa_dev;
  35   if (!fsa_dev_ptr)
  36     return -16;
  37   if (copy_from_user(&dd, arg, sizeof(struct aac_delete_disk)))
  38     return -14;
  39   if (dd.cnum >= dev->maximum_num_containers)
  40     return -22;
  41   fsa_dev_ptr[dd.cnum].deleted = 1;
  42   fsa_dev_ptr[dd.cnum].valid = 0; /* { dg-bogus "use of attacker-controlled value as offset without upper-bounds checking" } */
  43   return 0;
  44 }