blob: a9beb00b88dc135d953f22d2c2c115416dd6811a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
/* Reduced from false positive in Linux kernel in
drivers/scsi/aacraid/aachba.c. */
/* { dg-do compile } */
/* { dg-options "-fanalyzer" } */
/* { dg-require-effective-target analyzer } */
typedef unsigned char u8;
typedef unsigned int u32;
extern unsigned long
copy_from_user(void* to, const void* from, unsigned long n);
struct fsa_dev_info
{
u8 valid;
u8 deleted;
};
struct aac_dev
{
int maximum_num_containers;
struct fsa_dev_info* fsa_dev;
};
struct aac_delete_disk
{
u32 disknum;
u32 cnum;
};
int
force_delete_disk(struct aac_dev* dev, void* arg)
{
struct aac_delete_disk dd;
struct fsa_dev_info* fsa_dev_ptr;
fsa_dev_ptr = dev->fsa_dev;
if (!fsa_dev_ptr)
return -16;
if (copy_from_user(&dd, arg, sizeof(struct aac_delete_disk)))
return -14;
if (dd.cnum >= dev->maximum_num_containers)
return -22;
fsa_dev_ptr[dd.cnum].deleted = 1;
fsa_dev_ptr[dd.cnum].valid = 0; /* { dg-bogus "use of attacker-controlled value as offset without upper-bounds checking" } */
return 0;
}
|
