Reformatted output of gcc -fanalyzer -S ../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c -fanalyzer-checker=taint -fdiagnostics-format=sarif-stderr
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"results": [
{
"level": "warning",
"ruleId": "warning",
"locations": [
{
"logicalLocations": [
{
"decoratedName": "sys_osf_getsysinfo",
"kind": "function",
"name": "sys_osf_getsysinfo",
"fullyQualifiedName": "sys_osf_getsysinfo"
}
],
"physicalLocation": {
"contextRegion": {
"startLine": 58,
"snippet": {
"text": "\t__analyzer_dump_state (\"taint\", nbytes); /* { dg-warning \"tainted\" } */\n"
}
},
"artifactLocation": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c",
"uriBaseId": "PWD"
},
"region": {
"startLine": 58,
"endColumn": 48,
"startColumn": 9
}
}
}
],
"message": {
"text": "state: ‘tainted’"
}
},
{
"level": "warning",
"ruleId": "warning",
"locations": [
{
"logicalLocations": [
{
"decoratedName": "sys_osf_getsysinfo",
"kind": "function",
"name": "sys_osf_getsysinfo",
"fullyQualifiedName": "sys_osf_getsysinfo"
}
],
"physicalLocation": {
"contextRegion": {
"startLine": 67,
"snippet": {
"text": "\t\t__analyzer_dump_state (\"taint\", nbytes); /* { dg-warning \"has_lb\" } */\n"
}
},
"artifactLocation": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c",
"uriBaseId": "PWD"
},
"region": {
"startLine": 67,
"endColumn": 56,
"startColumn": 17
}
}
}
],
"message": {
"text": "state: ‘has_lb’"
}
},
{
"level": "warning",
"ruleId": "-Wanalyzer-tainted-size",
"locations": [
{
"logicalLocations": [
{
"decoratedName": "sys_osf_getsysinfo",
"kind": "function",
"name": "sys_osf_getsysinfo",
"fullyQualifiedName": "sys_osf_getsysinfo"
}
],
"physicalLocation": {
"contextRegion": {
"startLine": 69,
"snippet": {
"text": "\t\tif (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-warning \"use of attacker-controlled value 'nbytes' as size without upper-bounds checking\" } */\n"
}
},
"artifactLocation": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c",
"uriBaseId": "PWD"
},
"region": {
"startLine": 69,
"endColumn": 56,
"startColumn": 21
}
}
}
],
"message": {
"text": "use of attacker-controlled value ‘nbytes’ as size without upper-bounds checking"
},
"taxa": [
{
"id": "129",
"toolComponent": {
"name": "cwe"
}
}
],
"relatedLocations": [
{
"message": {
"text": "parameter 3 of ‘copy_to_user’ marked as a size via attribute ‘access (write_only, 1, 3)’"
},
"physicalLocation": {
"contextRegion": {
"startLine": 13,
"snippet": {
"text": "extern long copy_to_user(void __user *to, const void *from, unsigned long n)\n"
}
},
"artifactLocation": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/test-uaccess.h",
"uriBaseId": "PWD"
},
"region": {
"startLine": 13,
"endColumn": 25,
"startColumn": 13
}
}
}
],
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"nestingLevel": 0,
"location": {
"logicalLocations": [
{
"decoratedName": "sys_osf_getsysinfo",
"kind": "function",
"name": "sys_osf_getsysinfo",
"fullyQualifiedName": "sys_osf_getsysinfo"
}
],
"message": {
"text": "function ‘sys_osf_getsysinfo’ marked with ‘__attribute__((tainted_args))’"
},
"physicalLocation": {
"contextRegion": {
"startLine": 53,
"snippet": {
"text": "SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,\n"
}
},
"artifactLocation": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c",
"uriBaseId": "PWD"
},
"region": {
"startLine": 53,
"endColumn": 2,
"startColumn": 1
}
}
}
},
{
"nestingLevel": 1,
"location": {
"logicalLocations": [
{
"decoratedName": "sys_osf_getsysinfo",
"kind": "function",
"name": "sys_osf_getsysinfo",
"fullyQualifiedName": "sys_osf_getsysinfo"
}
],
"message": {
"text": "entry to ‘sys_osf_getsysinfo’"
},
"physicalLocation": {
"contextRegion": {
"startLine": 53,
"snippet": {
"text": "SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,\n"
}
},
"artifactLocation": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c",
"uriBaseId": "PWD"
},
"region": {
"startLine": 53,
"endColumn": 2,
"startColumn": 1
}
}
},
"kinds": [
"enter",
"function"
]
},
{
"nestingLevel": 1,
"location": {
"logicalLocations": [
{
"decoratedName": "sys_osf_getsysinfo",
"kind": "function",
"name": "sys_osf_getsysinfo",
"fullyQualifiedName": "sys_osf_getsysinfo"
}
],
"message": {
"text": "‘nbytes’ has its lower bound checked here"
},
"physicalLocation": {
"contextRegion": {
"startLine": 64,
"snippet": {
"text": "\t\tif (nbytes < sizeof(*hwrpb))\n"
}
},
"artifactLocation": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c",
"uriBaseId": "PWD"
},
"region": {
"startLine": 64,
"endColumn": 21,
"startColumn": 20
}
}
}
},
{
"nestingLevel": 1,
"location": {
"logicalLocations": [
{
"decoratedName": "sys_osf_getsysinfo",
"kind": "function",
"name": "sys_osf_getsysinfo",
"fullyQualifiedName": "sys_osf_getsysinfo"
}
],
"message": {
"text": "following ‘false’ branch (when ‘nbytes > 31’)..."
},
"physicalLocation": {
"contextRegion": {
"startLine": 64,
"snippet": {
"text": "\t\tif (nbytes < sizeof(*hwrpb))\n"
}
},
"artifactLocation": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c",
"uriBaseId": "PWD"
},
"region": {
"startLine": 64,
"endColumn": 21,
"startColumn": 20
}
}
},
"kinds": [
"branch",
"false"
]
},
{
"nestingLevel": 1,
"location": {
"logicalLocations": [
{
"decoratedName": "sys_osf_getsysinfo",
"kind": "function",
"name": "sys_osf_getsysinfo",
"fullyQualifiedName": "sys_osf_getsysinfo"
}
],
"message": {
"text": "...to here"
},
"physicalLocation": {
"contextRegion": {
"startLine": 67,
"snippet": {
"text": "\t\t__analyzer_dump_state (\"taint\", nbytes); /* { dg-warning \"has_lb\" } */\n"
}
},
"artifactLocation": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c",
"uriBaseId": "PWD"
},
"region": {
"startLine": 67,
"endColumn": 56,
"startColumn": 17
}
}
},
"kinds": [
"branch",
"false"
]
},
{
"nestingLevel": 1,
"location": {
"logicalLocations": [
{
"decoratedName": "sys_osf_getsysinfo",
"kind": "function",
"name": "sys_osf_getsysinfo",
"fullyQualifiedName": "sys_osf_getsysinfo"
}
],
"message": {
"text": "use of attacker-controlled value ‘nbytes’ as size without upper-bounds checking"
},
"physicalLocation": {
"contextRegion": {
"startLine": 69,
"snippet": {
"text": "\t\tif (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-warning \"use of attacker-controlled value 'nbytes' as size without upper-bounds checking\" } */\n"
}
},
"artifactLocation": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c",
"uriBaseId": "PWD"
},
"region": {
"startLine": 69,
"endColumn": 56,
"startColumn": 21
}
}
},
"kinds": [
"danger"
]
}
]
}
]
}
]
}
],
"artifacts": [
{
"location": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/test-uaccess.h",
"uriBaseId": "PWD"
},
"sourceLanguage": "c",
"contents": {
"text": "/* Shared header for testcases for copy_from_user/copy_to_user. */\n\n/* Adapted from include/linux/compiler.h */\n\n#define __user\n\n/* Adapted from include/asm-generic/uaccess.h */\n\nextern int copy_from_user(void *to, const void __user *from, long n)\n __attribute__((access (write_only, 1, 3),\n\t\t access (read_only, 2, 3)));\n\nextern long copy_to_user(void __user *to, const void *from, unsigned long n)\n __attribute__((access (write_only, 1, 3),\n\t\t access (read_only, 2, 3)));\n"
}
},
{
"location": {
"uri": "../../src/gcc/testsuite/gcc.dg/analyzer/taint-CVE-2011-2210-1.c",
"uriBaseId": "PWD"
},
"sourceLanguage": "c",
"contents": {
"text": "/* \"The osf_getsysinfo function in arch/alpha/kernel/osf_sys.c in the\n Linux kernel before 2.6.39.4 on the Alpha platform does not properly\n restrict the data size for GSI_GET_HWRPB operations, which allows\n local users to obtain sensitive information from kernel memory via\n a crafted call.\"\n\n Fixed in 3d0475119d8722798db5e88f26493f6547a4bb5b on linux-2.6.39.y\n in linux-stable. */\n\n// TODO: remove need for this option:\n/* { dg-additional-options \"-fanalyzer-checker=taint\" } */\n\n#include \"analyzer-decls.h\"\n#include \"test-uaccess.h\"\n\n/* Adapted from include/linux/linkage.h. */\n\n#define asmlinkage\n\n/* Adapted from include/linux/syscalls.h. */\n\n#define __SC_DECL1(t1, a1)\tt1 a1\n#define __SC_DECL2(t2, a2, ...) t2 a2, __SC_DECL1(__VA_ARGS__)\n#define __SC_DECL3(t3, a3, ...) t3 a3, __SC_DECL2(__VA_ARGS__)\n#define __SC_DECL4(t4, a4, ...) t4 a4, __SC_DECL3(__VA_ARGS__)\n#define __SC_DECL5(t5, a5, ...) t5 a5, __SC_DECL4(__VA_ARGS__)\n#define __SC_DECL6(t6, a6, ...) t6 a6, __SC_DECL5(__VA_ARGS__)\n\n#define SYSCALL_DEFINEx(x, sname, ...)\t\t\t\t\\\n\t__SYSCALL_DEFINEx(x, sname, __VA_ARGS__)\n\n#define SYSCALL_DEFINE(name) asmlinkage long sys_##name\n#define __SYSCALL_DEFINEx(x, name, ...)\t\t\t\t\t\\\n\tasmlinkage __attribute__((tainted_args)) \\\n\tlong sys##name(__SC_DECL##x(__VA_ARGS__))\n\n#define SYSCALL_DEFINE5(name, ...) SYSCALL_DEFINEx(5, _##name, __VA_ARGS__)\n\n/* Adapted from arch/alpha/include/asm/hwrpb.h. */\n\nstruct hwrpb_struct {\n\tunsigned long phys_addr;\t/* check: physical address of the hwrpb */\n\tunsigned long id;\t\t/* check: \"HWRPB\\0\\0\\0\" */\n\tunsigned long revision;\n\tunsigned long size;\t\t/* size of hwrpb */\n\t/* [...snip...] */\n};\n\nextern struct hwrpb_struct *hwrpb;\n\n/* Adapted from arch/alpha/kernel/osf_sys.c. */\n\nSYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,\n\t\tunsigned long, nbytes, int __user *, start, void __user *, arg)\n{\n\t/* [...snip...] */\n\n\t__analyzer_dump_state (\"taint\", nbytes); /* { dg-warning \"tainted\" } */\n\n\t/* TODO: should have an event explaining why \"nbytes\" is treated as\n\t attacker-controlled. */\n\n\t/* case GSI_GET_HWRPB: */\n\t\tif (nbytes < sizeof(*hwrpb))\n\t\t\treturn -1;\n\n\t\t__analyzer_dump_state (\"taint\", nbytes); /* { dg-warning \"has_lb\" } */\n\n\t\tif (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-warning \"use of attacker-controlled value 'nbytes' as size without upper-bounds checking\" } */\n\t\t\treturn -2;\n\n\t\treturn 1;\n\n\t/* [...snip...] */\n}\n\n/* With the fix for the sense of the size comparison. */\n\nSYSCALL_DEFINE5(osf_getsysinfo_fixed, unsigned long, op, void __user *, buffer,\n\t\tunsigned long, nbytes, int __user *, start, void __user *, arg)\n{\n\t/* [...snip...] */\n\n\t/* case GSI_GET_HWRPB: */\n\t\tif (nbytes > sizeof(*hwrpb))\n\t\t\treturn -1;\n\t\tif (copy_to_user(buffer, hwrpb, nbytes) != 0) /* { dg-bogus \"attacker-controlled\" } */\n\t\t\treturn -2;\n\n\t\treturn 1;\n\n\t/* [...snip...] */\n}\n"
}
}
],
"tool": {
"driver": {
"fullName": "GNU C17 (GCC) version 13.0.0 20220707 (experimental) (x86_64-pc-linux-gnu)",
"name": "GNU C17",
"rules": [
{
"id": "-Wanalyzer-tainted-size",
"helpUri": "https://gcc.gnu.org/onlinedocs/gcc/Static-Analyzer-Options.html#index-Wanalyzer-tainted-size"
}
],
"informationUri": "https://gcc.gnu.org/gcc-13/",
"version": "13.0.0 20220707 (experimental)"
}
},
"originalUriBaseIds": {
"PWD": {
"uri": "file:///home/david/coding/gcc-newgit-clean/build/gcc/"
}
},
"taxonomies": [
{
"organization": "MITRE",
"name": "CWE",
"version": "4.7",
"shortDescription": {
"text": "The MITRE Common Weakness Enumeration"
},
"taxa": [
{
"id": "129",
"helpUri": "https://cwe.mitre.org/data/definitions/129.html"
}
]
}
]
}
],
"version": "2.1.0"
}