| /* See notes in this header. */ |
| #include "taint-CVE-2020-13143.h" |
| |
| // TODO: remove need for this option |
| /* { dg-additional-options "-fanalyzer-checker=taint" } */ |
| |
| struct configfs_attribute { |
| /* [...snip...] */ |
| ssize_t (*store)(struct config_item *, const char *, size_t) /* { dg-message "\\(1\\) field 'store' of 'struct configfs_attribute' is marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */ |
| __attribute__((tainted_args)); /* (this is added). */ |
| }; |
| static inline struct gadget_info *to_gadget_info(struct config_item *item) |
| { |
| return container_of(to_config_group(item), struct gadget_info, group); |
| } |
| |
| static ssize_t gadget_dev_desc_UDC_store(struct config_item *item, |
| const char *page, size_t len) |
| { |
| struct gadget_info *gi = to_gadget_info(item); |
| char *name; |
| int ret; |
| |
| #if 0 |
| /* FIXME: this is the fix. */ |
| if (strlen(page) < len) |
| return -EOVERFLOW; |
| #endif |
| |
| name = kstrdup(page, GFP_KERNEL); |
| if (!name) |
| return -ENOMEM; |
| if (name[len - 1] == '\n') /* { dg-warning "use of attacker-controlled value 'len \[^\n\r\]+' as offset without upper-bounds checking" } */ |
| name[len - 1] = '\0'; /* { dg-warning "use of attacker-controlled value 'len \[^\n\r\]+' as offset without upper-bounds checking" } */ |
| /* [...snip...] */ \ |
| } |
| |
| CONFIGFS_ATTR(gadget_dev_desc_, UDC); /* { dg-message "\\(2\\) function 'gadget_dev_desc_UDC_store' used as initializer for field 'store' marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */ |
