taint-CVE-2020-13143-1.c
       1  /* See notes in this header.  */
       2  #include "taint-CVE-2020-13143.h"
       3  
       4  // TODO: remove need for this option
       5  /* { dg-additional-options "-fanalyzer-checker=taint" } */
       6  
/* Trimmed copy of the configfs attribute descriptor, cut down to the one
   callback this testcase exercises.

   The 'store' function pointer carries __attribute__((tainted_args)); the
   "(this is added)" note marks that annotation as an addition made for the
   test.  With it, the taint checker treats the arguments of any function
   installed in this field as attacker-controlled.  The dg-message directive
   on the field expects event (1) of the diagnostic path to point here.  */
struct configfs_attribute {
	/* [...snip...] */
	ssize_t (*store)(struct config_item *, const char *, size_t) /* { dg-message "\\(1\\) field 'store' of 'struct configfs_attribute' is marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */
		__attribute__((tainted_args)); /* (this is added).  */
};
/* Map a configfs item to the gadget_info that embeds its config group:
   resolve the item's group first, then step back to the containing
   structure through the 'group' member.  */
static inline struct gadget_info *to_gadget_info(struct config_item *item)
{
	struct config_group *grp = to_config_group(item);

	return container_of(grp, struct gadget_info, group);
}
      16  
/* Reduced 'store' handler for the UDC attribute, kept in its unfixed form
   (the check under "#if 0" is the fix) so that the taint checker has
   something to report; the file name ties it to CVE-2020-13143.

   'page' and 'len' arrive through the tainted_args 'store' callback, so
   the analyzer treats them as attacker-controlled.  kstrdup() sizes its
   copy from the NUL-terminated contents of 'page', not from 'len', so
   nothing visible here guarantees that len - 1 is an index inside 'name'.

   Returns -ENOMEM if the copy cannot be allocated; the rest of the body,
   including its other return paths, is snipped from this reduced case.  */
static ssize_t gadget_dev_desc_UDC_store(struct config_item *item,
		const char *page, size_t len)
{
	/* 'gi' and 'ret' are not used in the lines that survive the snip.  */
	struct gadget_info *gi = to_gadget_info(item);
	char *name;
	int ret;

#if 0
	/* FIXME: this is the fix.  */
	/* Left disabled on purpose: this is the check that ties 'len' to the
	   real length of 'page' before 'len' is used as an index.
	   NOTE(review): enabling it would presumably silence the two warnings
	   expected below.  It does not reject len == 0, where len - 1 wraps
	   around; whether a caller can pass 0 is not visible here -- confirm.  */
	if (strlen(page) < len)
		return -EOVERFLOW;
#endif

	/* The copy is as long as the string in 'page', independent of 'len'.  */
	name = kstrdup(page, GFP_KERNEL);
	if (!name)
		return -ENOMEM;
	/* Newline stripping: both the read and the write below index 'name'
	   with len - 1 and no upper bound on 'len', and each line is expected
	   to draw its own taint warning.  */
	if (name[len - 1] == '\n') /* { dg-warning "use of attacker-controlled value 'len \[^\n\r\]+' as offset without upper-bounds checking" } */
		name[len - 1] = '\0'; /* { dg-warning "use of attacker-controlled value 'len \[^\n\r\]+' as offset without upper-bounds checking" } */
	/* [...snip...] */				\
}
      37  
/* CONFIGFS_ATTR is not defined in this file (presumably it comes from
   taint-CVE-2020-13143.h).  Per the expected event (2), its expansion uses
   gadget_dev_desc_UDC_store as the initializer of a 'store' field, which is
   the step that makes the analyzer treat that function's arguments as
   tainted.  */
CONFIGFS_ATTR(gadget_dev_desc_, UDC); /* { dg-message "\\(2\\) function 'gadget_dev_desc_UDC_store' used as initializer for field 'store' marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */