]>
git.ipfire.org Git - thirdparty/gcc.git/blob - gcc/testsuite/gcc.dg/analyzer/memset-CVE-2017-18549-1.c
1 /* This is a very simplified version of CVE-2017-18549,
2 a use of uninitialized padding values affecting the Linux kernel
5 It was fixed by e.g. 342ffc26693b528648bdc9377e51e4f2450b4860 on linux-4.13.y
8 #include "analyzer-decls.h"
11 typedef unsigned int __u32
;
12 typedef unsigned int u32
;
13 typedef unsigned char u8
;
15 /* Adapted from include/uapi/linux/types.h */
18 typedef __u32 __bitwise __le32
;
20 /* Adapted from drivers/scsi/aacraid/aacraid.h */
22 #define AAC_SENSE_BUFFERSIZE 30
29 __le32 data_xfer_length
;
30 __le32 sense_data_size
;
31 u8 sense_data
[AAC_SENSE_BUFFERSIZE
];
33 /* Manually added to help verify the fix. */
38 #define SRB_STATUS_SUCCESS 0x01
40 /* Adapted from drivers/scsi/aacraid/commctrl.c */
42 static int aac_send_raw_srb(/* [...snip...] */)
48 struct aac_srb_reply reply
;
54 reply
.srb_status
= SRB_STATUS_SUCCESS
;
55 reply
.scsi_status
= 0;
56 reply
.data_xfer_length
= byte_count
;
57 reply
.sense_data_size
= 0;
58 memset(reply
.sense_data
, 0, AAC_SENSE_BUFFERSIZE
);
62 __analyzer_eval (reply
.status
== ST_OK
); /* { dg-warning "TRUE" } */
63 __analyzer_eval (reply
.srb_status
== SRB_STATUS_SUCCESS
); /* { dg-warning "TRUE" } */
64 __analyzer_eval (reply
.scsi_status
== 0); /* { dg-warning "TRUE" } */
65 __analyzer_eval (reply
.data_xfer_length
== byte_count
); /* { dg-warning "TRUE" } */
66 __analyzer_eval (reply
.sense_data_size
== 0); /* { dg-warning "TRUE" } */
67 __analyzer_eval (reply
.sense_data
[0] == 0); /* { dg-warning "TRUE" } */
68 __analyzer_eval (reply
.sense_data
[AAC_SENSE_BUFFERSIZE
- 1] == 0); /* { dg-warning "TRUE" } */
69 /* TODO: the following should be detected as uninitialized, when
70 that diagnostic is reimplemented. */
71 __analyzer_eval (reply
.padding
[0] == 0); /* { dg-warning "UNKNOWN" } */
72 __analyzer_eval (reply
.padding
[1] == 0); /* { dg-warning "UNKNOWN" } */
75 static int aac_send_raw_srb_fixed(/* [...snip...] */)
81 struct aac_srb_reply reply
;
83 /* This is the fix. */
84 memset(&reply
, 0, sizeof(reply
));
90 reply
.srb_status
= SRB_STATUS_SUCCESS
;
91 reply
.scsi_status
= 0;
92 reply
.data_xfer_length
= byte_count
;
93 reply
.sense_data_size
= 0;
94 memset(reply
.sense_data
, 0, AAC_SENSE_BUFFERSIZE
);
98 __analyzer_eval (reply
.status
== ST_OK
); /* { dg-warning "TRUE" } */
99 __analyzer_eval (reply
.srb_status
== SRB_STATUS_SUCCESS
); /* { dg-warning "TRUE" } */
100 __analyzer_eval (reply
.scsi_status
== 0); /* { dg-warning "TRUE" } */
101 __analyzer_eval (reply
.data_xfer_length
== byte_count
); /* { dg-warning "TRUE" } */
102 __analyzer_eval (reply
.sense_data_size
== 0); /* { dg-warning "TRUE" } */
103 __analyzer_eval (reply
.sense_data
[0] == 0); /* { dg-warning "TRUE" } */
104 __analyzer_eval (reply
.sense_data
[AAC_SENSE_BUFFERSIZE
- 1] == 0); /* { dg-warning "TRUE" } */
105 __analyzer_eval (reply
.padding
[0] == 0); /* { dg-warning "TRUE" } */
106 __analyzer_eval (reply
.padding
[1] == 0); /* { dg-warning "TRUE" } */