taint-CVE-2020-13143-2.c
       1  /* See notes in this header.  */
       2  #include "taint-CVE-2020-13143.h"
       3  
       4  // TODO: remove need for this option
       5  /* { dg-additional-options "-fanalyzer-checker=taint" } */
       6  
       7  struct configfs_attribute {
          	/* Cut-down attribute descriptor; only the 'store' callback is kept.
          	   The tainted_args attribute on the function-pointer field tells the
          	   analyzer to treat any function used as an initializer for this
          	   field as being called with attacker-controlled arguments.  The
          	   expected message on the field is event (1) of the diagnostic.  */
       8  	/* [...snip...] */
       9  	ssize_t (*store)(struct config_item *, const char *, size_t) /* { dg-message "\\(1\\) field 'store' of 'struct configfs_attribute' is marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */
      10  		__attribute__((tainted_args)); /* (this is added).  */
      11  };
      12  
      13  /* Highly simplified version.  */
      14  
      15  static ssize_t gadget_dev_desc_UDC_store(struct config_item *item,
      16  		const char *page, size_t len)
      17  {
          	/* Store callback under test.  It is wired into a 'store' field that
          	   carries __attribute__((tainted_args)), so the taint checker treats
          	   its arguments as attacker-controlled.  Returns -ENOMEM if the copy
          	   of 'page' cannot be allocated, 0 otherwise.  The missing bounds
          	   check below is deliberate: this file exists to verify that the
          	   analyzer reports it, and must not be read as a pattern to copy.  */
      18  	/* TODO: ought to have state_change_event talking about where the tainted value comes from.  */
      19  
      20  	char *name;
      21  	/* [...snip...] */
      22  
      23  	name = kstrdup(page, GFP_KERNEL);
      24  	if (!name)
      25  		return -ENOMEM;
          	/* 'len' comes from the caller and is never compared against the
          	   length of the kstrdup() copy, so name[len - 1] can fall outside
          	   the allocation; 'len' is a size_t, so 'len - 1' also wraps when
          	   len is 0.  Both the read in the condition and the write in its
          	   body are expected to be flagged.  A hardened handler would reject
          	   the input before indexing when len is 0 or larger than the length
          	   of the copied string (NOTE(review): presumably what the fix for
          	   the CVE named in the file name does; confirm against the notes in
          	   the included header).  */
      26  	if (name[len - 1] == '\n') /* { dg-warning "use of attacker-controlled value 'len \[^\n\r\]+' as offset without upper-bounds checking" } */
      27  		name[len - 1] = '\0';  /* { dg-warning "use of attacker-controlled value 'len \[^\n\r\]+' as offset without upper-bounds checking" } */
      28  	/* [...snip...] */
      29  	return 0;
      30  }
      31  
      32  CONFIGFS_ATTR(gadget_dev_desc_, UDC); /* { dg-message "\\(2\\) function 'gadget_dev_desc_UDC_store' used as initializer for field 'store' marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */
          /* CONFIGFS_ATTR is not defined in this file (presumably it comes from
             the included header).  Per the expected message above, its expansion
             uses gadget_dev_desc_UDC_store as the initializer for a 'store'
             field; that is event (2) of the diagnostic and the point at which
             the function's arguments become tainted for the analyzer.  */