path: root/gcc/testsuite/gcc.dg/plugin/infoleak-CVE-2011-1078-2.c
/* Simplified versions of infoleak-CVE-2011-1078-1.c.  */

/* { dg-do compile } */
/* { dg-options "-fanalyzer" } */
/* { dg-require-effective-target analyzer } */

#include <string.h>

/* Local definitions of the fixed-width type names used by
   struct sco_conninfo below.  */
typedef unsigned char __u8;
typedef unsigned short __u16;

#include "test-uaccess.h"

/* Adapted from include/net/bluetooth/sco.h.  */

/* Connection-info record that test_1 and test_2 copy out to user space.
   The members carry 40 bits of data, while the directives in test_1
   expect the object to have a capacity of 6 bytes: the dg-message on
   dev_class expects the analyzer to point at the 1 byte of padding that
   follows that field.  DejaGnu matches that directive against its own
   source line, so it has to stay on the dev_class line.  */
struct sco_conninfo {
	__u16 hci_handle;
	__u8  dev_class[3]; /* { dg-message "padding after field 'dev_class' is uninitialized \\(1 byte\\)" } */
};

/* Adapted from sco_sock_getsockopt_old in net/bluetooth/sco.c.  */

/* Expected-warning case.  Only the named members of cinfo are written
   (hci_handle by assignment, dev_class by a 3-byte memcpy), so the
   padding byte after dev_class is never initialized.  copy_to_user()
   is then asked to copy sizeof(cinfo) bytes, padding included, which is
   what the analyzer is expected to report as an exposure of
   uninitialized stack data.

   The dg- directives are tied to source lines: each one applies to the
   line it sits on, and the ".-1" forms apply to the line directly above
   them.  Do not insert anything between the cinfo declaration and the
   "capacity" directive, or between the copy_to_user() call and the
   "how much note" directive.  */
int test_1 (char __user *optval, const struct sco_conninfo *in)
{
	struct sco_conninfo cinfo; /* { dg-message "region created on stack here" "where" } */
				   /* { dg-message "capacity: 6 bytes" "capacity" { target *-*-* } .-1 } */
	/* Note: 40 bits of fields, padded to 48.  */

	/* Member-wise writes: these cover the 5 data bytes only.  */
	cinfo.hci_handle = in->hci_handle;
	memcpy(cinfo.dev_class, in->dev_class, 3);

	copy_to_user(optval, &cinfo, sizeof(cinfo)); /* { dg-warning "potential exposure of sensitive information by copying uninitialized data from stack" "warning" } */
	/* { dg-message "1 byte is uninitialized" "how much note" { target *-*-* } .-1 } */
}

/* No-warning case.  Same member writes and same copy_to_user() call as
   test_1, but the whole object is zeroed with memset() first.  The
   memset covers all sizeof(cinfo) bytes, so the padding byte after
   dev_class has a defined value before anything is copied out.  Writing
   the members afterwards does not undo that for the purposes of this
   test: the dg-bogus directive, whose empty pattern matches any text,
   requires that no diagnostic is issued on the copy_to_user() line.

   Practitioner note: clearing the full object with memset() before
   filling it in is the pattern to use for structures copied to a less
   privileged reader; writing each member individually leaves padding
   untouched, as test_1 shows.  */
int test_2 (char __user *optval, const struct sco_conninfo *in)
{
	struct sco_conninfo cinfo;
	/* Note: 40 bits of fields, padded to 48.  */

	/* Zero every byte of the object, padding included, before use.  */
	memset(&cinfo, 0, sizeof(cinfo));
	cinfo.hci_handle = in->hci_handle;
	memcpy(cinfo.dev_class, in->dev_class, 3);

	copy_to_user(optval, &cinfo, sizeof(cinfo)); /* { dg-bogus "" } */
}