blob: 239c7d1df5d3b09230ca469cafed5bc4673183cc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
/* "An issue was discovered in drivers/scsi/aacraid/commctrl.c in the
Linux kernel before 4.13. There is potential exposure of kernel stack
memory because aac_send_raw_srb does not initialize the reply structure."
Fixed e.g. by 342ffc26693b528648bdc9377e51e4f2450b4860 on linux-4.13.y
in linux-stable.
This is a very simplified version of that code (before and after the fix). */
/* { dg-do compile } */
/* { dg-options "-fanalyzer" } */
/* { dg-require-effective-target analyzer } */
/* { dg-skip-if "structure layout assumption not met" { default_packed } } */
#include <string.h>
typedef unsigned int __u32;
typedef unsigned int u32;
typedef unsigned char u8;
#include "test-uaccess.h"
/* Adapted from include/uapi/linux/types.h */
#define __bitwise
typedef __u32 __bitwise __le32;
/* Adapted from drivers/scsi/aacraid/aacraid.h */
#define AAC_SENSE_BUFFERSIZE 30
struct aac_srb_reply
{
__le32 status;
__le32 srb_status;
__le32 scsi_status;
__le32 data_xfer_length;
__le32 sense_data_size;
u8 sense_data[AAC_SENSE_BUFFERSIZE]; /* { dg-message "padding after field 'sense_data' is uninitialized \\(2 bytes\\)" } */
};
#define ST_OK 0
#define SRB_STATUS_SUCCESS 0x01
/* Adapted from drivers/scsi/aacraid/commctrl.c */
static int aac_send_raw_srb(/* [...snip...] */
void __user *user_reply)
{
u32 byte_count = 0;
/* [...snip...] */
struct aac_srb_reply reply; /* { dg-message "region created on stack here" "memspace message" } */
/* { dg-message "capacity: 52 bytes" "capacity message" { target *-*-* } .-1 } */
reply.status = ST_OK;
/* [...snip...] */
reply.srb_status = SRB_STATUS_SUCCESS;
reply.scsi_status = 0;
reply.data_xfer_length = byte_count;
reply.sense_data_size = 0;
memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
/* [...snip...] */
if (copy_to_user(user_reply, &reply, /* { dg-warning "potential exposure of sensitive information by copying uninitialized data from stack" } */
/* { dg-message "2 bytes are uninitialized" "note how much" { target *-*-* } .-1 } */
sizeof(struct aac_srb_reply))) {
/* [...snip...] */
}
/* [...snip...] */
}
static int aac_send_raw_srb_fixed(/* [...snip...] */
void __user *user_reply)
{
u32 byte_count = 0;
/* [...snip...] */
struct aac_srb_reply reply;
/* This is the fix. */
memset(&reply, 0, sizeof(reply));
reply.status = ST_OK;
/* [...snip...] */
reply.srb_status = SRB_STATUS_SUCCESS;
reply.scsi_status = 0;
reply.data_xfer_length = byte_count;
reply.sense_data_size = 0;
memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
/* [...snip...] */
if (copy_to_user(user_reply, &reply, /* { dg-bogus "" } */
sizeof(struct aac_srb_reply))) {
/* [...snip...] */
}
/* [...snip...] */
}
|
