]> git.ipfire.org Git - thirdparty/gcc.git/blob - gcc/testsuite/gcc.dg/analyzer/memset-CVE-2017-18549-1.c
projects / thirdparty / gcc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
analyzer: eliminate enum binding_key [PR95006]
[thirdparty/gcc.git] / gcc / testsuite / gcc.dg / analyzer / memset-CVE-2017-18549-1.c
1 /* This is a very simplified version of CVE-2017-18549,
2 a use of uninitialized padding values affecting the Linux kernel
3 (and thus GPLv2).
4
5 It was fixed by e.g. 342ffc26693b528648bdc9377e51e4f2450b4860 on linux-4.13.y
6 in linux-stable. */
7
8 #include "analyzer-decls.h"
9 #include <string.h>
10
11 typedef unsigned int __u32;
12 typedef unsigned int u32;
13 typedef unsigned char u8;
14
15 /* Adapted from include/uapi/linux/types.h */
16
17 #define __bitwise
18 typedef __u32 __bitwise __le32;
19
20 /* Adapted from drivers/scsi/aacraid/aacraid.h */
21
22 #define AAC_SENSE_BUFFERSIZE 30
23
24 struct aac_srb_reply
25 {
26 __le32 status;
27 __le32 srb_status;
28 __le32 scsi_status;
29 __le32 data_xfer_length;
30 __le32 sense_data_size;
31 u8 sense_data[AAC_SENSE_BUFFERSIZE];
32
33 /* Manually added to help verify the fix. */
34 u8 padding[2];
35 };
36
37 #define ST_OK 0
38 #define SRB_STATUS_SUCCESS 0x01
39
40 /* Adapted from drivers/scsi/aacraid/commctrl.c */
41
42 static int aac_send_raw_srb(/* [...snip...] */)
43 {
44 u32 byte_count = 0;
45
46 /* [...snip...] */
47
48 struct aac_srb_reply reply;
49
50 reply.status = ST_OK;
51
52 /* [...snip...] */
53
54 reply.srb_status = SRB_STATUS_SUCCESS;
55 reply.scsi_status = 0;
56 reply.data_xfer_length = byte_count;
57 reply.sense_data_size = 0;
58 memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
59
60 /* [...snip...] */
61
62 __analyzer_eval (reply.status == ST_OK); /* { dg-warning "TRUE" } */
63 __analyzer_eval (reply.srb_status == SRB_STATUS_SUCCESS); /* { dg-warning "TRUE" } */
64 __analyzer_eval (reply.scsi_status == 0); /* { dg-warning "TRUE" } */
65 __analyzer_eval (reply.data_xfer_length == byte_count); /* { dg-warning "TRUE" } */
66 __analyzer_eval (reply.sense_data_size == 0); /* { dg-warning "TRUE" } */
67 __analyzer_eval (reply.sense_data[0] == 0); /* { dg-warning "TRUE" } */
68 __analyzer_eval (reply.sense_data[AAC_SENSE_BUFFERSIZE - 1] == 0); /* { dg-warning "TRUE" } */
69 /* TODO: the following should be detected as uninitialized, when
70 that diagnostic is reimplemented. */
71 __analyzer_eval (reply.padding[0] == 0); /* { dg-warning "UNKNOWN" } */
72 __analyzer_eval (reply.padding[1] == 0); /* { dg-warning "UNKNOWN" } */
73 }
74
75 static int aac_send_raw_srb_fixed(/* [...snip...] */)
76 {
77 u32 byte_count = 0;
78
79 /* [...snip...] */
80
81 struct aac_srb_reply reply;
82
83 /* This is the fix. */
84 memset(&reply, 0, sizeof(reply));
85
86 reply.status = ST_OK;
87
88 /* [...snip...] */
89
90 reply.srb_status = SRB_STATUS_SUCCESS;
91 reply.scsi_status = 0;
92 reply.data_xfer_length = byte_count;
93 reply.sense_data_size = 0;
94 memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
95
96 /* [...snip...] */
97
98 __analyzer_eval (reply.status == ST_OK); /* { dg-warning "TRUE" } */
99 __analyzer_eval (reply.srb_status == SRB_STATUS_SUCCESS); /* { dg-warning "TRUE" } */
100 __analyzer_eval (reply.scsi_status == 0); /* { dg-warning "TRUE" } */
101 __analyzer_eval (reply.data_xfer_length == byte_count); /* { dg-warning "TRUE" } */
102 __analyzer_eval (reply.sense_data_size == 0); /* { dg-warning "TRUE" } */
103 __analyzer_eval (reply.sense_data[0] == 0); /* { dg-warning "TRUE" } */
104 __analyzer_eval (reply.sense_data[AAC_SENSE_BUFFERSIZE - 1] == 0); /* { dg-warning "TRUE" } */
105 __analyzer_eval (reply.padding[0] == 0); /* { dg-warning "TRUE" } */
106 __analyzer_eval (reply.padding[1] == 0); /* { dg-warning "TRUE" } */
107 }
Mirror of https://gcc.gnu.org/git/gcc.git