1  /* Simplified versions of infoleak-CVE-2011-1078-1.c.  */
       2  
       3  /* { dg-do compile } */
       4  /* { dg-options "-fanalyzer" } */
       5  /* { dg-require-effective-target analyzer } */
       6  /* { dg-skip-if "structure layout assumption not met" { default_packed } } */
       7  
       8  #include <string.h>
       9  
      10  typedef unsigned char __u8;
      11  typedef unsigned short __u16;
      12  
      13  #include "test-uaccess.h"
      14  
      15  /* Adapted from include/net/bluetooth/sco.h.  */
      16  
/* 5 bytes of fields (2 + 3), so the compiler pads the struct to 6 bytes
   on targets with 2-byte alignment for __u16.  That trailing padding byte
   is never written by member assignments and is what leaks to userspace
   in test_1 below when the whole struct is copied with sizeof.  */
struct sco_conninfo {
	__u16 hci_handle;
	__u8  dev_class[3]; /* { dg-message "padding after field 'dev_class' is uninitialized \\(1 byte\\)" } */
};
      21  
      22  /* Adapted from sco_sock_getsockopt_old in net/bluetooth/sco.c.  */
      23  
/* The vulnerable pattern (CVE-2011-1078): each named field of a stack
   struct is populated, but the padding byte between the end of dev_class
   and sizeof(cinfo) is left with whatever was previously on the stack, and
   the entire object is then copied to userspace.  The analyzer is expected
   to report the 1-byte infoleak on the copy_to_user call.

   optval: userspace destination buffer (copy_to_user stub from
           test-uaccess.h; its return value is deliberately not checked
           here, unlike the real kernel code).
   in:     source of the field values.  */
int test_1 (char __user *optval, const struct sco_conninfo *in)
{
	struct sco_conninfo cinfo; /* { dg-message "region created on stack here" "where" } */
				   /* { dg-message "capacity: 6 bytes" "capacity" { target *-*-* } .-1 } */
	/* Note: 40 bits of fields, padded to 48.  No memset here, so the
	   remaining 8 bits (the padding byte) stay uninitialized.  */

	/* Only the named members are written; padding is untouched.  */
	cinfo.hci_handle = in->hci_handle;
	memcpy(cinfo.dev_class, in->dev_class, 3);

	/* sizeof(cinfo) is 6, so the uninitialized padding byte is exposed.  */
	copy_to_user(optval, &cinfo, sizeof(cinfo)); /* { dg-warning "potential exposure of sensitive information by copying uninitialized data from stack" "warning" } */
	/* { dg-message "1 byte is uninitialized" "how much note" { target *-*-* } .-1 } */
}
      36  
/* The fixed pattern: the whole stack object, including padding, is zeroed
   with memset before any member is written, so copying sizeof(cinfo) bytes
   to userspace discloses nothing.  The analyzer must NOT warn here
   (dg-bogus).

   NOTE(review): memset over the full object is the dependable way to clear
   padding; a `= {0}` initializer does not reliably guarantee padding stays
   zero once members are stored afterwards (C11 6.2.6.1p6), which is why
   kernel code uses memset for structs copied to userspace.

   optval: userspace destination buffer (copy_to_user stub from
           test-uaccess.h; return value not checked in this testcase).
   in:     source of the field values.  */
int test_2 (char __user *optval, const struct sco_conninfo *in)
{
	struct sco_conninfo cinfo;
	/* Note: 40 bits of fields, padded to 48.  */

	/* Clears all 6 bytes, including the padding byte after dev_class.  */
	memset(&cinfo, 0, sizeof(cinfo));
	cinfo.hci_handle = in->hci_handle;
	memcpy(cinfo.dev_class, in->dev_class, 3);

	/* Every byte of cinfo is now initialized, so no infoleak.  */
	copy_to_user(optval, &cinfo, sizeof(cinfo)); /* { dg-bogus "" } */
}