analyzer: add more test coverage for tainted modulus

Add more test coverage for r14-6349-g0bef72539e585d.

gcc/testsuite/ChangeLog:
	* gcc.dg/plugin/plugin.exp: Add taint-modulus.c to
	analyzer_kernel_plugin.c tests.
	* gcc.dg/plugin/taint-modulus.c: New test.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>

diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp
index d6cccb269df258b7cd0c01139ce6224574b86359..eebf96116ef8957e78d474afc48336ab532da955 100644 (file)
--- a/gcc/testsuite/gcc.dg/plugin/plugin.exp
+++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp
@@ -165,6 +165,7 @@ set plugin_test_list [list \
          taint-CVE-2011-0521-5-fixed.c \
          taint-CVE-2011-0521-6.c \
          taint-antipatterns-1.c \
+         taint-modulus.c \
          taint-pr112850.c \
          taint-pr112850-precise.c \
          taint-pr112850-too-complex.c \

diff --git a/gcc/testsuite/gcc.dg/plugin/taint-modulus.c b/gcc/testsuite/gcc.dg/plugin/taint-modulus.c
new file mode 100644 (file)
index 0000000..81d9688
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/plugin/taint-modulus.c
@@ -0,0 +1,75 @@
+/* { dg-do compile } */
+/* { dg-options "-fanalyzer" } */
+/* { dg-require-effective-target analyzer } */
+
+/* Reduced from a -Wanalyzer-tainted-array-index false +ve
+   seen in the Linux kernel's sound/drivers/opl3/opl3_synth.c.  */
+
+extern unsigned long
+copy_from_user(void* to, const void* from, unsigned long n);
+
+struct sbi_patch
+{
+  unsigned char prog;
+  unsigned char bank;
+};
+struct fm_patch
+{
+  unsigned char prog;
+  unsigned char bank;
+  struct fm_patch* next;
+};
+struct snd_opl3
+{
+  struct fm_patch* patch_table[32];
+};
+int
+snd_opl3_load_patch(struct snd_opl3* opl3,
+                    int prog,
+                    int bank);
+struct fm_patch*
+snd_opl3_find_patch(struct snd_opl3* opl3,
+                    int prog,
+                    int bank,
+                    int create_patch);
+long
+snd_opl3_write(struct snd_opl3* opl3,
+               const char* buf,
+               long count)
+{
+  long result = 0;
+  int err = 0;
+  struct sbi_patch inst;
+  while (count >= sizeof(inst)) {
+    if (copy_from_user(&inst, buf, sizeof(inst)))
+      return -14;
+    err = snd_opl3_load_patch(opl3, inst.prog, inst.bank);
+    if (err < 0)
+      break;
+    result += sizeof(inst);
+    count -= sizeof(inst);
+  }
+  return result > 0 ? result : err;
+}
+int
+snd_opl3_load_patch(struct snd_opl3* opl3,
+                    int prog,
+                    int bank)
+{
+  struct fm_patch* patch;
+  patch = snd_opl3_find_patch(opl3, prog, bank, 1);
+  if (!patch)
+    return -12;
+  return 0;
+}
+struct fm_patch*
+snd_opl3_find_patch(struct snd_opl3* opl3, int prog, int bank, int create_patch)
+{
+  unsigned int key = (prog + bank) % 32;
+  struct fm_patch* patch;
+  for (patch = opl3->patch_table[key]; patch; patch = patch->next) { /* { dg-bogus "use of attacker-controlled value in array lookup" } */
+    if (patch->prog == prog && patch->bank == bank)
+      return patch;
+  }
+  return ((void*)0);
+}