1  /* { dg-do compile } */
       2  // TODO: remove need for -fanalyzer-checker=taint here:
       3  // TODO: remove need for --param=analyzer-max-svalue-depth=25 here:
       4  /* { dg-options "-fanalyzer -fanalyzer-checker=taint --param=analyzer-max-svalue-depth=25" } */
       5  /* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */
       6  /* { dg-require-effective-target analyzer } */
       7  
       8  /* See notes in this header.  */
       9  #include "taint-CVE-2011-0521.h"
      10  
      11  /* Adapted from dvb_ca_ioctl in drivers/media/dvb/ttpci/av7110_ca.c and
      12     dvb_usercopy in drivers/media/dvb/dvb-core/dvbdev.c
      13  
      14     Further simplified from -3; merge into a single function; drop the mutex,
      15     remove control flow.  */
      16  
      17  int test_1(struct file *file, unsigned int cmd, unsigned long arg)
      18  {
      19  	char    sbuf[128];
      20  	void    *parg = sbuf;
      21  
      22  	if (copy_from_user(parg, (void __user *)arg, sizeof(sbuf)))
      23  	  return -1;
      24  
      25  	{
      26  		struct dvb_device *dvbdev = file->private_data;
      27  		struct av7110 *av7110 = dvbdev->priv;
      28  		unsigned long arg = (unsigned long) parg;
      29  
      30  		/* case CA_GET_SLOT_INFO:  */
      31  		ca_slot_info_t *info=(ca_slot_info_t *)parg;
      32  
      33  		if (info->num > 1)
      34  			return -EINVAL;
      35  		av7110->ci_slot[info->num].num = info->num; /* { dg-warning "attacker-controlled value" "" { xfail *-*-* } } */
      36  		// TODO(xfail)
      37  		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
      38  							CA_CI_LINK : CA_CI;
      39  		memcpy(info, &av7110->ci_slot[info->num], sizeof(ca_slot_info_t));
      40  	}
      41  
      42  	copy_to_user((void __user *)arg, parg, sizeof(sbuf));
      43  
      44  	return 0;
      45  }