* [pushed] analyzer: add more test coverage for tainted modulus
@ 2023-12-12 2:32 David Malcolm
0 siblings, 0 replies; only message in thread
From: David Malcolm @ 2023-12-12 2:32 UTC (permalink / raw)
To: gcc-patches; +Cc: David Malcolm
Add more test coverage for r14-6349-g0bef72539e585d.
Pushed to trunk as r14-6444-g2900a77fe4e7d2.
gcc/testsuite/ChangeLog:
* gcc.dg/plugin/plugin.exp: Add taint-modulus.c to
analyzer_kernel_plugin.c tests.
* gcc.dg/plugin/taint-modulus.c: New test.
---
gcc/testsuite/gcc.dg/plugin/plugin.exp | 1 +
gcc/testsuite/gcc.dg/plugin/taint-modulus.c | 75 +++++++++++++++++++++
2 files changed, 76 insertions(+)
create mode 100644 gcc/testsuite/gcc.dg/plugin/taint-modulus.c
diff --git a/gcc/testsuite/gcc.dg/plugin/plugin.exp b/gcc/testsuite/gcc.dg/plugin/plugin.exp
index d6cccb269df..eebf96116ef 100644
--- a/gcc/testsuite/gcc.dg/plugin/plugin.exp
+++ b/gcc/testsuite/gcc.dg/plugin/plugin.exp
@@ -165,6 +165,7 @@ set plugin_test_list [list \
taint-CVE-2011-0521-5-fixed.c \
taint-CVE-2011-0521-6.c \
taint-antipatterns-1.c \
+ taint-modulus.c \
taint-pr112850.c \
taint-pr112850-precise.c \
taint-pr112850-too-complex.c \
diff --git a/gcc/testsuite/gcc.dg/plugin/taint-modulus.c b/gcc/testsuite/gcc.dg/plugin/taint-modulus.c
new file mode 100644
index 00000000000..81d968864e6
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/plugin/taint-modulus.c
@@ -0,0 +1,75 @@
+/* { dg-do compile } */
+/* { dg-options "-fanalyzer" } */
+/* { dg-require-effective-target analyzer } */
+
+/* Reduced from a -Wanalyzer-tainted-array-index false +ve
+ seen in the Linux kernel's sound/drivers/opl3/opl3_synth.c. */
+
+extern unsigned long
+copy_from_user(void* to, const void* from, unsigned long n);
+
+struct sbi_patch
+{
+ unsigned char prog;
+ unsigned char bank;
+};
+struct fm_patch
+{
+ unsigned char prog;
+ unsigned char bank;
+ struct fm_patch* next;
+};
+struct snd_opl3
+{
+ struct fm_patch* patch_table[32];
+};
+int
+snd_opl3_load_patch(struct snd_opl3* opl3,
+ int prog,
+ int bank);
+struct fm_patch*
+snd_opl3_find_patch(struct snd_opl3* opl3,
+ int prog,
+ int bank,
+ int create_patch);
+long
+snd_opl3_write(struct snd_opl3* opl3,
+ const char* buf,
+ long count)
+{
+ long result = 0;
+ int err = 0;
+ struct sbi_patch inst;
+ while (count >= sizeof(inst)) {
+ if (copy_from_user(&inst, buf, sizeof(inst)))
+ return -14;
+ err = snd_opl3_load_patch(opl3, inst.prog, inst.bank);
+ if (err < 0)
+ break;
+ result += sizeof(inst);
+ count -= sizeof(inst);
+ }
+ return result > 0 ? result : err;
+}
+int
+snd_opl3_load_patch(struct snd_opl3* opl3,
+ int prog,
+ int bank)
+{
+ struct fm_patch* patch;
+ patch = snd_opl3_find_patch(opl3, prog, bank, 1);
+ if (!patch)
+ return -12;
+ return 0;
+}
+struct fm_patch*
+snd_opl3_find_patch(struct snd_opl3* opl3, int prog, int bank, int create_patch)
+{
+ unsigned int key = (prog + bank) % 32;
+ struct fm_patch* patch;
+ for (patch = opl3->patch_table[key]; patch; patch = patch->next) { /* { dg-bogus "use of attacker-controlled value in array lookup" } */
+ if (patch->prog == prog && patch->bank == bank)
+ return patch;
+ }
+ return ((void*)0);
+}
--
2.26.3
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-12-12 2:33 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-12 2:32 [pushed] analyzer: add more test coverage for tainted modulus David Malcolm
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).