From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 2209) id 76D723858C2A; Tue, 12 Dec 2023 02:32:04 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 76D723858C2A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1702348324; bh=E513cWFdZT5bTpnpUTKJvPvTDa5qfh05Yu6qm/oSm0I=; h=From:To:Subject:Date:From; b=NJNwTtbxrDw5fcDtx5SL0JvKIcfTVRKgw9I1RhEHA05ygHnfQRf5Dpi1oYNWujsj0 wDq/Tjd8jUwvocBZlUKZhETDUMVsJbNu6YsejTnjMrvAIwpKwzBHua8nHdDSyXrpjy 4OFKlAlprq/Q6u72FbHT6q/2/wVwITYrrOlcdIuM=
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"
From: David Malcolm
To: gcc-cvs@gcc.gnu.org
Subject: [gcc r14-6444] analyzer: add more test coverage for tainted modulus
X-Act-Checkin: gcc
X-Git-Author: David Malcolm
X-Git-Refname: refs/heads/master
X-Git-Oldrev: 3e93a3f09dc9af7155cc4760bc65d5be4571addf
X-Git-Newrev: 2900a77fe4e7d2211a785d427794544fe3d01960
Message-Id: <20231212023204.76D723858C2A@sourceware.org>
Date: Tue, 12 Dec 2023 02:32:04 +0000 (GMT)
List-Id:

https://gcc.gnu.org/g:2900a77fe4e7d2211a785d427794544fe3d01960

commit r14-6444-g2900a77fe4e7d2211a785d427794544fe3d01960
Author: David Malcolm
Date:   Mon Dec 11 21:29:39 2023 -0500

    analyzer: add more test coverage for tainted modulus

    Add more test coverage for r14-6349-g0bef72539e585d.

    gcc/testsuite/ChangeLog:
    	* gcc.dg/plugin/plugin.exp: Add taint-modulus.c to analyzer_kernel_plugin.c tests.
    	* gcc.dg/plugin/taint-modulus.c: New test.

    Signed-off-by: David Malcolm

Diff:
---
 gcc/testsuite/gcc.dg/plugin/plugin.exp | 1 +
 gcc/testsuite/gcc.dg/plugin/taint-modulus.c | 75 +++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)

diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp
index d6cccb269df..eebf96116ef 100644
--- a/gcc/testsuite/gcc.dg/plugin/plugin.exp
+++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp
@@ -165,6 +165,7 @@ set plugin_test_list [list \
     taint-CVE-2011-0521-5-fixed.c \
     taint-CVE-2011-0521-6.c \
     taint-antipatterns-1.c \
+    taint-modulus.c \
     taint-pr112850.c \
     taint-pr112850-precise.c \
     taint-pr112850-too-complex.c \
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-modulus.c b/gcc/testsuite/gcc.dg/plugin/taint-modulus.c
new file mode 100644
index 00000000000..81d968864e6
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/plugin/taint-modulus.c
@@ -0,0 +1,75 @@
+/* { dg-do compile } */
+/* { dg-options "-fanalyzer" } */
+/* { dg-require-effective-target analyzer } */
+
+/* Reduced from a -Wanalyzer-tainted-array-index false +ve
+   seen in the Linux kernel's sound/drivers/opl3/opl3_synth.c. */
+
+extern unsigned long
+copy_from_user(void* to, const void* from, unsigned long n);
+
+struct sbi_patch
+{
+  unsigned char prog;
+  unsigned char bank;
+};
+struct fm_patch
+{
+  unsigned char prog;
+  unsigned char bank;
+  struct fm_patch* next;
+};
+struct snd_opl3
+{
+  struct fm_patch* patch_table[32];
+};
+int
+snd_opl3_load_patch(struct snd_opl3* opl3,
+                    int prog,
+                    int bank);
+struct fm_patch*
+snd_opl3_find_patch(struct snd_opl3* opl3,
+                    int prog,
+                    int bank,
+                    int create_patch);
+long
+snd_opl3_write(struct snd_opl3* opl3,
+               const char* buf,
+               long count)
+{
+  long result = 0;
+  int err = 0;
+  struct sbi_patch inst;
+  while (count >= sizeof(inst)) {
+    if (copy_from_user(&inst, buf, sizeof(inst)))
+      return -14;
+    err = snd_opl3_load_patch(opl3, inst.prog, inst.bank);
+    if (err < 0)
+      break;
+    result += sizeof(inst);
+    count -= sizeof(inst);
+  }
+  return result > 0 ? result : err;
+}
+int
+snd_opl3_load_patch(struct snd_opl3* opl3,
+                    int prog,
+                    int bank)
+{
+  struct fm_patch* patch;
+  patch = snd_opl3_find_patch(opl3, prog, bank, 1);
+  if (!patch)
+    return -12;
+  return 0;
+}
+struct fm_patch*
+snd_opl3_find_patch(struct snd_opl3* opl3, int prog, int bank, int create_patch)
+{
+  unsigned int key = (prog + bank) % 32;
+  struct fm_patch* patch;
+  for (patch = opl3->patch_table[key]; patch; patch = patch->next) { /* { dg-bogus "use of attacker-controlled value in array lookup" } */
+    if (patch->prog == prog && patch->bank == bank)
+      return patch;
+  }
+  return ((void*)0);
+}
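Review bot: The dg-bogus on the `for` line in `snd_opl3_find_patch` asserts the analyzer stays silent because `(prog + bank) % 32` bounds `key`, but that bound only holds here because both operands were widened from `unsigned char`; with genuinely signed `int` operands a negative tainted sum makes `%` negative, and the conversion to `unsigned int key` turns that into an index far past `patch_table[32]`. If r14-6349 treats `x % N` as a sanitizer regardless of signedness, this test cannot distinguish the sound case from a false negative on the unsound one. A companion case that indexes with a tainted signed `int` read straight from user memory and expects a dg-warning would pin down the intended behaviour; I cannot tell from this hunk which rule the analyzer actually applies, so the expected directive may need adjusting once run. Separately, `snd_opl3_write` never advances `buf` between iterations, which is presumably a reduction artifact the test does not depend on, but a one-line comment saying so would stop a later reader from "fixing" it.
```c
/* … unchanged: dg directives, declarations and the three reduced kernel functions … */

/* Companion case: a tainted *signed* value is not bounded to [0, 32) by
   `% 32`; a negative remainder converted to unsigned indexes outside
   patch_table, so the analyzer is expected to keep warning here.  */
struct fm_patch*
find_patch_signed_key(struct snd_opl3* opl3, const int* ubuf)
{
  int raw;
  if (copy_from_user(&raw, ubuf, sizeof(raw)))
    return ((void*)0);
  unsigned int key = raw % 32;
  return opl3->patch_table[key]; /* { dg-warning "use of attacker-controlled value in array lookup" } */
}
```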