gcc/testsuite/gcc.dg/plugin/infoleak-CVE-2011-1078-2.c - gcc - Git at Google

 /* Simplified versions of infoleak-CVE-2011-1078-1.c.  */

 /* { dg-do compile } */
 /* { dg-options "-fanalyzer" } */
 /* { dg-require-effective-target analyzer } */

 #include <string.h>

 typedef unsigned char __u8;
 typedef unsigned short __u16;

 #include "test-uaccess.h"

 /* Adapted from include/net/bluetooth/sco.h.  */

 struct sco_conninfo {
 	__u16 hci_handle;
 	__u8  dev_class[3]; /* { dg-message "padding after field 'dev_class' is uninitialized \\(1 byte\\)" } */
 };

 /* Adapted from sco_sock_getsockopt_old in net/bluetooth/sco.c.  */

 int test_1 (char __user *optval, const struct sco_conninfo *in)
 {
 	struct sco_conninfo cinfo; /* { dg-message "region created on stack here" "where" } */
 				   /* { dg-message "capacity: 6 bytes" "capacity" { target *-*-* } .-1 } */
 	/* Note: 40 bits of fields, padded to 48.  */

 	cinfo.hci_handle = in->hci_handle;
 	memcpy(cinfo.dev_class, in->dev_class, 3);

 	copy_to_user(optval, &cinfo, sizeof(cinfo)); /* { dg-warning "potential exposure of sensitive information by copying uninitialized data from stack" "warning" } */
 	/* { dg-message "1 byte is uninitialized" "how much note" { target *-*-* } .-1 } */
 }

 int test_2 (char __user *optval, const struct sco_conninfo *in)
 {
 	struct sco_conninfo cinfo;
 	/* Note: 40 bits of fields, padded to 48.  */

 	memset(&cinfo, 0, sizeof(cinfo));
 	cinfo.hci_handle = in->hci_handle;
 	memcpy(cinfo.dev_class, in->dev_class, 3);

 	copy_to_user(optval, &cinfo, sizeof(cinfo)); /* { dg-bogus "" } */
 }
	/* Simplified versions of infoleak-CVE-2011-1078-1.c. */

	/* { dg-do compile } */
	/* { dg-options "-fanalyzer" } */
	/* { dg-require-effective-target analyzer } */

	#include <string.h>

	typedef unsigned char __u8;
	typedef unsigned short __u16;

	#include "test-uaccess.h"

	/* Adapted from include/net/bluetooth/sco.h. */

	struct sco_conninfo {
	__u16 hci_handle;
	__u8 dev_class[3]; /* { dg-message "padding after field 'dev_class' is uninitialized \\(1 byte\\)" } */
	};

	/* Adapted from sco_sock_getsockopt_old in net/bluetooth/sco.c. */

	int test_1 (char __user optval, const struct sco_conninfo in)
	{
	struct sco_conninfo cinfo; /* { dg-message "region created on stack here" "where" } */
	/* { dg-message "capacity: 6 bytes" "capacity" { target --* } .-1 } */
	/* Note: 40 bits of fields, padded to 48. */

	cinfo.hci_handle = in->hci_handle;
	memcpy(cinfo.dev_class, in->dev_class, 3);

	copy_to_user(optval, &cinfo, sizeof(cinfo)); /* { dg-warning "potential exposure of sensitive information by copying uninitialized data from stack" "warning" } */
	/* { dg-message "1 byte is uninitialized" "how much note" { target --* } .-1 } */
	}

	int test_2 (char __user optval, const struct sco_conninfo in)
	{
	struct sco_conninfo cinfo;
	/* Note: 40 bits of fields, padded to 48. */

	memset(&cinfo, 0, sizeof(cinfo));
	cinfo.hci_handle = in->hci_handle;
	memcpy(cinfo.dev_class, in->dev_class, 3);

	copy_to_user(optval, &cinfo, sizeof(cinfo)); /* { dg-bogus "" } */
	}