1 /* Shared header for the various taint-CVE-2011-0521-*.c tests.
2 These are a series of successively simpler reductions of the reproducer.
3 Ideally the analyzer would detect the issue in all of the testcases,
4 but currently requires some simplification of the code to do so.
5
6 "The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the
7 Linux kernel before 2.6.38-rc2 does not check the sign of a certain integer
8 field, which allows local users to cause a denial of service (memory
9 corruption) or possibly have unspecified other impact via a negative value."
10
11 Adapted from Linux 2.6.38, which is under the GPLv2.
12
13 Fixed in e.g. cb26a24ee9706473f31d34cc259f4dcf45cd0644 on linux-2.6.38.y */
14
15 #include <string.h>
16 #include "test-uaccess.h"
17 #include "../analyzer/analyzer-decls.h"
18
19 typedef unsigned int u32;
20
21 /* Adapted from include/linux/compiler.h */
22
23 #define __force
24
25 /* Adapted from include/asm-generic/errno-base.h */
26
27 #define ENOMEM 12 /* Out of memory */
28 #define EFAULT 14 /* Bad address */
29 #define ENODEV 19 /* No such device */
30 #define EINVAL 22 /* Invalid argument */
31
32 /* Adapted from include/linux/errno.h */
33
34 #define ENOIOCTLCMD 515 /* No ioctl command */
35
36 /* Adapted from include/linux/fs.h */
37
38 struct file {
39 /* [...snip...] */
40 void *private_data;
41 /* [...snip...] */
42 };
43
44 /* Adapted from drivers/media/dvb/dvb-core/dvbdev.h */
45
46 struct dvb_device {
47 /* [...snip...] */
48 int (*kernel_ioctl)(struct file *file, unsigned int cmd, void *arg);
49
50 void *priv;
51 };
52
53
54 /* Adapted from include/linux/dvb/ca.h */
55
56 typedef struct ca_slot_info {
57 int num; /* slot number */
58
59 int type; /* CA interface this slot supports */
60 #define CA_CI 1 /* CI high level interface */
61 #define CA_CI_LINK 2 /* CI link layer level interface */
62 /* [...snip...] */
63 } ca_slot_info_t;
64
65
66 /* Adapted from drivers/media/dvb/ttpci/av7110.h */
67
68 struct av7110 {
69 /* [...snip...] */
70 ca_slot_info_t ci_slot[2];
71 /* [...snip...] */
72 u32 arm_app;
73 /* [...snip...] */
74 };
75
76 /* Adapted from drivers/media/dvb/ttpci/av7110_hw.h */
77
78 #define FW_CI_LL_SUPPORT(arm_app) ((arm_app) & 0x80000000)
79
80 /* Adapted from include/asm-generic/ioctl.h */
81
82 #define _IOC_NRBITS 8
83 #define _IOC_TYPEBITS 8
84
85 #define _IOC_SIZEBITS 14
86 #define _IOC_DIRBITS 2
87
88 #define _IOC_SIZEMASK ((1 << _IOC_SIZEBITS)-1)
89 #define _IOC_DIRMASK ((1 << _IOC_DIRBITS)-1)
90 #define _IOC_NRSHIFT 0
91 #define _IOC_TYPESHIFT (_IOC_NRSHIFT+_IOC_NRBITS)
92 #define _IOC_SIZESHIFT (_IOC_TYPESHIFT+_IOC_TYPEBITS)
93 #define _IOC_DIRSHIFT (_IOC_SIZESHIFT+_IOC_SIZEBITS)
94
95 #define _IOC_NONE 0U
96 #define _IOC_WRITE 1U
97 #define _IOC_READ 2U
98
99 #define _IOC_DIR(nr) (((nr) >> _IOC_DIRSHIFT) & _IOC_DIRMASK)
100 #define _IOC_SIZE(nr) (((nr) >> _IOC_SIZESHIFT) & _IOC_SIZEMASK)
101
102 /* Adapted from include/linux/mutex.h */
103
104 struct mutex {
105 /* [...snip...] */
106 };
107
108 #define __MUTEX_INITIALIZER(lockname) \
109 { /* [...snip...] */ }
110
111 #define DEFINE_MUTEX(mutexname) \
112 struct mutex mutexname = __MUTEX_INITIALIZER(mutexname)
113
114 extern void mutex_lock(struct mutex *lock);
115 extern void mutex_unlock(struct mutex *lock);
116
117 /* Adapted from include/linux/types.h */
118
119 #define __bitwise__
120 typedef unsigned __bitwise__ gfp_t;
121
122 /* Adapted from include/linux/gfp.h */
123
124 #define ___GFP_WAIT 0x10u
125 #define ___GFP_IO 0x40u
126 #define ___GFP_FS 0x80u
127 #define __GFP_WAIT ((__force gfp_t)___GFP_WAIT)
128 #define __GFP_IO ((__force gfp_t)___GFP_IO)
129 #define __GFP_FS ((__force gfp_t)___GFP_FS)
130 #define GFP_KERNEL (__GFP_WAIT | __GFP_IO | __GFP_FS)
131
132 /* Adapted from include/linux/slab.h */
133
134 void kfree(const void *);
135 void *kmalloc(size_t size, gfp_t flags)
136 __attribute__((malloc (kfree)));