Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / 36926f4ca8183375e96c81db879a6f185ef92dff / . / tests / clang_fortify_tests.cpp
blob: 2838ab249aa9f22f0386adfbf9c724dab1e319ea [file] [log] [blame]
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]1/*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef __clang__
18#error "Non-clang isn't supported"
19#endif
20
21// Clang compile-time and run-time tests for Bionic's FORTIFY.
22//
23// This file is compiled in two configurations ways to give us a sane set of tests for clang's
24// FORTIFY implementation.
25//
26// One configuration uses clang's diagnostic consumer
27// (https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html#details)
28// to check diagnostics (e.g. the expected-* comments everywhere).
29//
30// Please note that this test does things like leaking memory. That's WAI.
31
32// Silence all "from 'diagnose_if'" `note`s from anywhere, including headers; they're uninteresting
33// for this test case, and their line numbers may change over time.
34// expected-note@* 0+{{from 'diagnose_if'}}
35//
36// Similarly, there are a few overload tricks we have to emit errors. Ignore any notes from those.
37// expected-note@* 0+{{candidate function}}
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]38//
39// And finally, all explicitly-unavailable-here complaints from headers are
40// uninteresting
Yi Kongbf67ea52019-08-03 18:26:05 -0700[diff] [blame]41// expected-note@* 0+{{has been explicitly marked unavailable here}}
42
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]43// Note that some of these diags come from clang itself, while others come from
44// `diagnose_if`s sprinkled throughout Bionic.
45
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]46#ifndef _FORTIFY_SOURCE
47#error "_FORTIFY_SOURCE must be defined"
48#endif
49
50#include <sys/cdefs.h>
51
52// This is a test specifically of bionic's FORTIFY machinery. Other stdlibs need not apply.
53#ifndef __BIONIC__
54// expected-no-diagnostics
55#else
56
57// As alluded to above, we're going to be doing some obviously very broken things in this file.
58// FORTIFY helpfully flags a lot of it at compile-time, but we want it to *actually* crash, too. So
59// let's wipe out any build-time errors.
60#ifndef COMPILATION_TESTS
61#undef __clang_error_if
62#define __clang_error_if(...)
63#undef __clang_warning_if
64#define __clang_warning_if(...)
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]65#pragma clang diagnostic ignored "-Wfortify-source"
George Burgess IV26d25a22019-06-06 17:45:05 -0700[diff] [blame]66
67// SOMETIMES_CONST allows clang to emit eager diagnostics when we're doing compilation tests, but
68// blocks them otherwise. This is needed for diagnostics emitted with __enable_if.
69#define SOMETIMES_CONST volatile
70#else
71#define SOMETIMES_CONST const
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]72#pragma clang diagnostic error "-Wfortify-source"
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]73#endif
74
75#include <err.h>
76#include <fcntl.h>
77#include <limits.h>
78#include <poll.h>
79#include <signal.h>
80#include <stdio.h>
81#include <stdlib.h>
82#include <string.h>
83#include <sys/socket.h>
84#include <sys/stat.h>
85#include <sys/wait.h>
86#include <syslog.h>
87#include <unistd.h>
88#include <wchar.h>
89
90#ifndef COMPILATION_TESTS
91#include <gtest/gtest.h>
92#include "BionicDeathTest.h"
93
94#define CONCAT2(x, y) x##y
95#define CONCAT(x, y) CONCAT2(x, y)
96#define FORTIFY_TEST_NAME CONCAT(clang_fortify_test_, _FORTIFY_SOURCE)
97
98namespace {
99struct FORTIFY_TEST_NAME : BionicDeathTest {
100 protected:
101 void SetUp() override {
102 stdin_saved = dup(STDIN_FILENO);
103 if (stdin_saved < 0) err(1, "failed to dup stdin");
104
105 int devnull = open("/dev/null", O_RDONLY);
106 if (devnull < 0) err(1, "failed to open /dev/null");
107
108 if (!dup2(devnull, STDIN_FILENO)) err(1, "failed to overwrite stdin");
109 static_cast<void>(close(devnull));
110
111 BionicDeathTest::SetUp();
112 }
113
114 void TearDown() override {
115 if (stdin_saved == -1) return;
116 if (!dup2(stdin_saved, STDIN_FILENO)) warn("failed to restore stdin");
117
118 static_cast<void>(close(stdin_saved));
119
120 BionicDeathTest::TearDown();
121 }
122
123 private:
124 int stdin_saved = -1;
125};
126} // namespace
127
128template <typename Fn>
129__attribute__((noreturn)) static void ExitAfter(Fn&& f) {
130 f();
131 // No need to tear things down; our parent process should handle that.
132 _exit(0);
133}
134
135// In any case (including failing tests), we always want to die after this.
136#define DIE_WITH(expr, cond, regex) EXPECT_EXIT(ExitAfter([&] { (expr); }), cond, regex)
137
138// EXPECT_NO_DEATH forks so that the test remains alive on a bug, and so that the environment
139// doesn't get modified on no bug. (Environment modification is especially tricky to deal with given
140// the *_STRUCT variants below.)
141#define EXPECT_NO_DEATH(expr) DIE_WITH(expr, testing::ExitedWithCode(0), "")
142#define EXPECT_FORTIFY_DEATH(expr) DIE_WITH(expr, testing::KilledBySignal(SIGABRT), "FORTIFY")
143// Expecting death, but only if we're doing a "strict" struct-checking mode.
144#if _FORTIFY_SOURCE > 1
145#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
146#else
147#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_NO_DEATH
148#endif
149
150#define FORTIFY_TEST(test_name) TEST(FORTIFY_TEST_NAME, test_name)
151
152#else // defined(COMPILATION_TESTS)
153
154#define EXPECT_NO_DEATH(expr) expr
155#define EXPECT_FORTIFY_DEATH(expr) expr
156#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
157#define FORTIFY_TEST(test_name) void test_name()
158#endif
159
160const static int kBogusFD = -1;
161
162FORTIFY_TEST(string) {
163 char small_buffer[8] = {};
164
165 {
166 char large_buffer[sizeof(small_buffer) + 1] = {};
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]167 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]168 EXPECT_FORTIFY_DEATH(memcpy(small_buffer, large_buffer, sizeof(large_buffer)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]169 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]170 EXPECT_FORTIFY_DEATH(memmove(small_buffer, large_buffer, sizeof(large_buffer)));
George Burgess IV849c0b92019-06-10 16:22:09 -0700[diff] [blame]171 // expected-error@+1{{size bigger than buffer}}
172 EXPECT_FORTIFY_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]173 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]174 EXPECT_FORTIFY_DEATH(memset(small_buffer, 0, sizeof(large_buffer)));
175 // expected-warning@+1{{arguments got flipped?}}
176 EXPECT_NO_DEATH(memset(small_buffer, sizeof(small_buffer), 0));
George Burgess IV261b7f42019-06-10 16:32:07 -0700[diff] [blame]177 // expected-error@+1{{size bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]178 EXPECT_FORTIFY_DEATH(bcopy(large_buffer, small_buffer, sizeof(large_buffer)));
George Burgess IV261b7f42019-06-10 16:32:07 -0700[diff] [blame]179 // expected-error@+1{{size bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]180 EXPECT_FORTIFY_DEATH(bzero(small_buffer, sizeof(large_buffer)));
181 }
182
183 {
184 const char large_string[] = "Hello!!!";
185 static_assert(sizeof(large_string) > sizeof(small_buffer), "");
186
187 // expected-error@+1{{string bigger than buffer}}
188 EXPECT_FORTIFY_DEATH(strcpy(small_buffer, large_string));
189 // expected-error@+1{{string bigger than buffer}}
190 EXPECT_FORTIFY_DEATH(stpcpy(small_buffer, large_string));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]191 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]192 EXPECT_FORTIFY_DEATH(strncpy(small_buffer, large_string, sizeof(large_string)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]193 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]194 EXPECT_FORTIFY_DEATH(stpncpy(small_buffer, large_string, sizeof(large_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]195 // expected-error@+1{{string bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]196 EXPECT_FORTIFY_DEATH(strcat(small_buffer, large_string));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]197 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]198 EXPECT_FORTIFY_DEATH(strncat(small_buffer, large_string, sizeof(large_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]199 // expected-error@+1{{size bigger than buffer}}
200 EXPECT_FORTIFY_DEATH(strlcpy(small_buffer, large_string, sizeof(large_string)));
201 // expected-error@+1{{size bigger than buffer}}
202 EXPECT_FORTIFY_DEATH(strlcat(small_buffer, large_string, sizeof(large_string)));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]203 }
204
205 {
206 struct {
207 char tiny_buffer[4];
208 char tiny_buffer2[4];
209 } split = {};
210
211 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
212 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
213 EXPECT_NO_DEATH(memmove(split.tiny_buffer, &split, sizeof(split)));
214 EXPECT_NO_DEATH(mempcpy(split.tiny_buffer, &split, sizeof(split)));
215 EXPECT_NO_DEATH(memset(split.tiny_buffer, 0, sizeof(split)));
216
217 EXPECT_NO_DEATH(bcopy(&split, split.tiny_buffer, sizeof(split)));
218 EXPECT_NO_DEATH(bzero(split.tiny_buffer, sizeof(split)));
219
220 const char small_string[] = "Hi!!";
221 static_assert(sizeof(small_string) > sizeof(split.tiny_buffer), "");
222
223#if _FORTIFY_SOURCE > 1
224 // expected-error@+2{{string bigger than buffer}}
225#endif
226 EXPECT_FORTIFY_DEATH_STRUCT(strcpy(split.tiny_buffer, small_string));
227
228#if _FORTIFY_SOURCE > 1
229 // expected-error@+2{{string bigger than buffer}}
230#endif
231 EXPECT_FORTIFY_DEATH_STRUCT(stpcpy(split.tiny_buffer, small_string));
232
233#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]234 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]235#endif
236 EXPECT_FORTIFY_DEATH_STRUCT(strncpy(split.tiny_buffer, small_string, sizeof(small_string)));
237
238#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]239 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]240#endif
241 EXPECT_FORTIFY_DEATH_STRUCT(stpncpy(split.tiny_buffer, small_string, sizeof(small_string)));
242
243#if _FORTIFY_SOURCE > 1
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]244 // expected-error@+2{{string bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]245#endif
246 EXPECT_FORTIFY_DEATH_STRUCT(strcat(split.tiny_buffer, small_string));
247
248#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]249 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]250#endif
251 EXPECT_FORTIFY_DEATH_STRUCT(strncat(split.tiny_buffer, small_string, sizeof(small_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]252
253#if _FORTIFY_SOURCE > 1
254 // expected-error@+2{{size bigger than buffer}}
255#endif
256 EXPECT_FORTIFY_DEATH_STRUCT(strlcat(split.tiny_buffer, small_string, sizeof(small_string)));
257
258#if _FORTIFY_SOURCE > 1
259 // expected-error@+2{{size bigger than buffer}}
260#endif
261 EXPECT_FORTIFY_DEATH_STRUCT(strlcpy(split.tiny_buffer, small_string, sizeof(small_string)));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]262 }
263}
264
George Burgess IV2356c932019-06-06 17:18:13 -0700[diff] [blame]265FORTIFY_TEST(fcntl) {
266 const char target[] = "/dev/null";
267 int dirfd = 0;
268
269 // These all emit hard errors without diagnose_if, so running them is a bit
270 // more involved.
271#ifdef COMPILATION_TESTS
272 // expected-error@+1{{too many arguments}}
273 open("/", 0, 0, 0);
274 // expected-error@+1{{too many arguments}}
275 open64("/", 0, 0, 0);
276 // expected-error@+1{{too many arguments}}
277 openat(0, "/", 0, 0, 0);
278 // expected-error@+1{{too many arguments}}
279 openat64(0, "/", 0, 0, 0);
280#endif
281
282 // expected-error@+1{{missing mode}}
283 EXPECT_FORTIFY_DEATH(open(target, O_CREAT));
284 // expected-error@+1{{missing mode}}
285 EXPECT_FORTIFY_DEATH(open(target, O_TMPFILE));
286 // expected-error@+1{{missing mode}}
287 EXPECT_FORTIFY_DEATH(open64(target, O_CREAT));
288 // expected-error@+1{{missing mode}}
289 EXPECT_FORTIFY_DEATH(open64(target, O_TMPFILE));
290 // expected-error@+1{{missing mode}}
291 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_CREAT));
292 // expected-error@+1{{missing mode}}
293 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_TMPFILE));
294 // expected-error@+1{{missing mode}}
295 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_CREAT));
296 // expected-error@+1{{missing mode}}
297 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_TMPFILE));
298
299 // expected-warning@+1{{superfluous mode bits}}
300 EXPECT_NO_DEATH(open(target, O_RDONLY, 0777));
301 // expected-warning@+1{{superfluous mode bits}}
302 EXPECT_NO_DEATH(open64(target, O_RDONLY, 0777));
303 // expected-warning@+1{{superfluous mode bits}}
304 EXPECT_NO_DEATH(openat(dirfd, target, O_RDONLY, 0777));
305 // expected-warning@+1{{superfluous mode bits}}
306 EXPECT_NO_DEATH(openat64(dirfd, target, O_RDONLY, 0777));
307}
308
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]309// Since these emit hard errors, it's sort of hard to run them...
310#ifdef COMPILATION_TESTS
311namespace compilation_tests {
312template <typename T>
313static T declval() {
314 __builtin_unreachable();
315}
316
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]317static void testFormatStrings() {
318 const auto unsigned_value = declval<unsigned long long>();
319 const auto* unknown_string = declval<const char*>();
George Burgess IV06bb4ce2019-06-13 15:13:02 -0700[diff] [blame]320 const auto va = *declval<va_list*>();
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]321
322 {
323 auto some_fd = declval<int>();
324 // expected-warning@+1{{format specifies type 'int'}}
325 dprintf(some_fd, "%d", unsigned_value);
326 // expected-warning@+1{{format string is not a string literal}}
327 dprintf(some_fd, unknown_string, unsigned_value);
328 // expected-warning@+1{{format string is not a string literal}}
329 vdprintf(1, unknown_string, va);
330 }
331
332 {
333 auto* retval = declval<char*>();
334#if 0
335 // expected-error@+2{{ignoring return value}}
336#endif
337 // expected-warning@+1{{format specifies type 'int'}}
338 asprintf(&retval, "%d", unsigned_value);
339#if 0
340 // expected-error@+2{{ignoring return value}}
341#endif
342 // expected-warning@+1{{format string is not a string literal}}
343 asprintf(&retval, unknown_string, unsigned_value);
344#if 0
345 // expected-error@+2{{ignoring return value}}
346#endif
347 // expected-warning@+1{{format string is not a string literal}}
348 vasprintf(&retval, unknown_string, va);
349 }
350
351 // expected-warning@+1{{format specifies type 'int'}}
352 syslog(0, "%d", unsigned_value);
353 // expected-warning@+1{{format string is not a string literal}}
354 syslog(0, unknown_string, unsigned_value);
355 // expected-warning@+1{{format string is not a string literal}}
356 vsyslog(0, unknown_string, va);
357
358 {
359 auto* file = declval<FILE*>();
360 // expected-warning@+1{{format specifies type 'int'}}
361 fprintf(file, "%d", unsigned_value);
362 // expected-warning@+1{{format string is not a string literal}}
363 fprintf(file, unknown_string, unsigned_value);
364 // expected-warning@+1{{format string is not a string literal}}
365 vfprintf(file, unknown_string, va);
366 }
367
368 // expected-warning@+1{{format specifies type 'int'}}
369 printf("%d", unsigned_value);
370 // expected-warning@+1{{format string is not a string literal}}
371 printf(unknown_string, unsigned_value);
372 // expected-warning@+1{{format string is not a string literal}}
373 vprintf(unknown_string, va);
374
375 {
376 char buf[128];
377 // expected-warning@+1{{format specifies type 'int'}}
378 sprintf(buf, "%d", unsigned_value);
379 // expected-warning@+1{{format string is not a string literal}}
380 sprintf(buf, unknown_string, unsigned_value);
381 // expected-warning@+1{{format string is not a string literal}}
382 sprintf(buf, unknown_string, va);
383
384 // expected-warning@+1{{format specifies type 'int'}}
385 snprintf(buf, sizeof(buf), "%d", unsigned_value);
386 // expected-warning@+1{{format string is not a string literal}}
387 snprintf(buf, sizeof(buf), unknown_string, unsigned_value);
388 // expected-warning@+1{{format string is not a string literal}}
389 vsnprintf(buf, sizeof(buf), unknown_string, va);
390 }
391
392 // FIXME: below are general format string cases where clang should probably try to warn.
393 {
394 char buf[4];
395 sprintf(buf, "%s", "1234");
396 sprintf(buf, "1%s4", "23");
397 sprintf(buf, "%d", 1234);
398
399 // Similar thoughts for strncpy, etc.
400 }
401}
402
403static void testStdlib() {
404 char path_buffer[PATH_MAX - 1];
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]405 // expected-warning@+2{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]406 // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}}
407 realpath("/", path_buffer);
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]408 // expected-warning@+1{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]409 realpath("/", nullptr);
410
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]411 // expected-warning@+2{{ignoring return value of function}}
412 // expected-error@+1{{flipped arguments?}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]413 realpath(nullptr, path_buffer);
414
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]415 // expected-warning@+2{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]416 // expected-error@+1{{flipped arguments?}}
417 realpath(nullptr, nullptr);
418}
419} // namespace compilation_tests
420#endif
421
422FORTIFY_TEST(poll) {
423 int pipe_fds[2];
424 if (pipe(pipe_fds)) err(1, "pipe failed");
425
426 // after this, pipe_fds[0] should always report RDHUP
427 if (close(pipe_fds[1])) err(1, "close failed");
428
429 struct pollfd poll_fd = { pipe_fds[0], POLLRDHUP, 0 };
430 {
431 struct pollfd few_fds[] = { poll_fd, poll_fd };
432 // expected-error@+1{{fd_count is larger than the given buffer}}
433 EXPECT_FORTIFY_DEATH(poll(few_fds, 3, 0));
434 // expected-error@+1{{fd_count is larger than the given buffer}}
435 EXPECT_FORTIFY_DEATH(ppoll(few_fds, 3, 0, 0));
436 // expected-error@+1{{fd_count is larger than the given buffer}}
437 EXPECT_FORTIFY_DEATH(ppoll64(few_fds, 3, 0, nullptr));
438 }
439
440 {
441 struct {
442 struct pollfd few[2];
443 struct pollfd extra[1];
444 } fds = { { poll_fd, poll_fd }, { poll_fd } };
445 static_assert(sizeof(fds) >= sizeof(struct pollfd) * 3, "");
446
447#if _FORTIFY_SOURCE > 1
448 // expected-error@+2{{fd_count is larger than the given buffer}}
449#endif
450 EXPECT_FORTIFY_DEATH_STRUCT(poll(fds.few, 3, 0));
451
452 struct timespec timeout = {};
453#if _FORTIFY_SOURCE > 1
454 // expected-error@+2{{fd_count is larger than the given buffer}}
455#endif
456 EXPECT_FORTIFY_DEATH_STRUCT(ppoll(fds.few, 3, &timeout, 0));
457
458#if _FORTIFY_SOURCE > 1
459 // expected-error@+2{{fd_count is larger than the given buffer}}
460#endif
461 EXPECT_FORTIFY_DEATH_STRUCT(ppoll64(fds.few, 3, 0, nullptr));
462 }
463}
464
465FORTIFY_TEST(socket) {
466 {
467 char small_buffer[8];
468 // expected-error@+1{{size bigger than buffer}}
469 EXPECT_FORTIFY_DEATH(recv(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
470 // expected-error@+1{{size bigger than buffer}}
471 EXPECT_FORTIFY_DEATH(recvfrom(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
472
473 // expected-error@+1{{size bigger than buffer}}
474 EXPECT_FORTIFY_DEATH(send(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
475 // expected-error@+1{{size bigger than buffer}}
476 EXPECT_FORTIFY_DEATH(sendto(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
477 }
478
479 {
480 struct {
481 char tiny_buffer[4];
482 char tiny_buffer2;
483 } split = {};
484
485 EXPECT_NO_DEATH(recv(kBogusFD, split.tiny_buffer, sizeof(split), 0));
486 EXPECT_NO_DEATH(recvfrom(kBogusFD, split.tiny_buffer, sizeof(split), 0, 0, 0));
487 }
488}
489
490FORTIFY_TEST(sys_stat) {
491 // expected-error@+1{{'umask' called with invalid mode}}
492 EXPECT_FORTIFY_DEATH(umask(01777));
493}
494
495FORTIFY_TEST(stdio) {
496 char small_buffer[8] = {};
497 {
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]498 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]499 EXPECT_FORTIFY_DEATH(snprintf(small_buffer, sizeof(small_buffer) + 1, ""));
500
501 va_list va;
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame^]502 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]503 // expected-warning@+1{{format string is empty}}
504 EXPECT_FORTIFY_DEATH(vsnprintf(small_buffer, sizeof(small_buffer) + 1, "", va));
George Burgess IV26d25a22019-06-06 17:45:05 -0700[diff] [blame]505
506 const char *SOMETIMES_CONST format_string = "aaaaaaaaa";
507
508 // expected-error@+1{{format string will always overflow}}
509 EXPECT_FORTIFY_DEATH(sprintf(small_buffer, format_string));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]510 }
511
512 // expected-error@+1{{size should not be negative}}
513 EXPECT_FORTIFY_DEATH(fgets(small_buffer, -1, stdin));
514 // expected-error@+1{{size is larger than the destination buffer}}
515 EXPECT_FORTIFY_DEATH(fgets(small_buffer, sizeof(small_buffer) + 1, stdin));
516
517 // expected-error@+1{{size * count overflows}}
518 EXPECT_NO_DEATH(fread(small_buffer, 2, (size_t)-1, stdin));
519 // expected-error@+1{{size * count is too large for the given buffer}}
520 EXPECT_FORTIFY_DEATH(fread(small_buffer, 1, sizeof(small_buffer) + 1, stdin));
521
522 // expected-error@+1{{size * count overflows}}
523 EXPECT_NO_DEATH(fwrite(small_buffer, 2, (size_t)-1, stdout));
524 // expected-error@+1{{size * count is too large for the given buffer}}
525 EXPECT_FORTIFY_DEATH(fwrite(small_buffer, 1, sizeof(small_buffer) + 1, stdout));
526}
527
528FORTIFY_TEST(unistd) {
529 char small_buffer[8];
530
531 // Return value warnings are (sort of) a part of FORTIFY, so we don't ignore them.
532#if 0
533 // expected-error@+2{{ignoring return value of function}}
534#endif
535 // expected-error@+1{{bytes overflows the given object}}
536 EXPECT_FORTIFY_DEATH(read(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
537#if 0
538 // expected-error@+2{{ignoring return value of function}}
539#endif
540 // expected-error@+1{{bytes overflows the given object}}
541 EXPECT_FORTIFY_DEATH(pread(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
542#if 0
543 // expected-error@+2{{ignoring return value of function}}
544#endif
545 // expected-error@+1{{bytes overflows the given object}}
546 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
547#if 0
548 // expected-error@+2{{ignoring return value of function}}
549#endif
550 // expected-error@+1{{bytes overflows the given object}}
551 EXPECT_FORTIFY_DEATH(write(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
552#if 0
553 // expected-error@+2{{ignoring return value of function}}
554#endif
555 // expected-error@+1{{bytes overflows the given object}}
556 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
557#if 0
558 // expected-error@+2{{ignoring return value of function}}
559#endif
560 // expected-error@+1{{bytes overflows the given object}}
561 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
562#if 0
563 // expected-error@+2{{ignoring return value of function}}
564#endif
565 // expected-error@+1{{bytes overflows the given object}}
566 EXPECT_FORTIFY_DEATH(readlink("/", small_buffer, sizeof(small_buffer) + 1));
567#if 0
568 // expected-error@+2{{ignoring return value of function}}
569#endif
570 // expected-error@+1{{bytes overflows the given object}}
571 EXPECT_FORTIFY_DEATH(getcwd(small_buffer, sizeof(small_buffer) + 1));
572
573 // getcwd allocates and returns a buffer if you pass null to getcwd
574 EXPECT_NO_DEATH(getcwd(nullptr, 0));
575 EXPECT_NO_DEATH(getcwd(nullptr, 4096));
576
577 struct {
578 char tiny_buffer[4];
579 char tiny_buffer2[4];
580 } split;
581
582 EXPECT_NO_DEATH(read(kBogusFD, split.tiny_buffer, sizeof(split)));
583 EXPECT_NO_DEATH(pread(kBogusFD, split.tiny_buffer, sizeof(split), 0));
584 EXPECT_NO_DEATH(pread64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
585 EXPECT_NO_DEATH(write(kBogusFD, split.tiny_buffer, sizeof(split)));
586 EXPECT_NO_DEATH(pwrite(kBogusFD, split.tiny_buffer, sizeof(split), 0));
587 EXPECT_NO_DEATH(pwrite64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
588
589#if _FORTIFY_SOURCE > 1
590 // expected-error@+2{{bytes overflows the given object}}
591#endif
592 EXPECT_FORTIFY_DEATH_STRUCT(readlink("/", split.tiny_buffer, sizeof(split)));
593#if _FORTIFY_SOURCE > 1
594 // expected-error@+2{{bytes overflows the given object}}
595#endif
596 EXPECT_FORTIFY_DEATH_STRUCT(getcwd(split.tiny_buffer, sizeof(split)));
597
598 {
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]599 char* volatile unknown = small_buffer;
600 const size_t count = static_cast<size_t>(SSIZE_MAX) + 1;
601 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
602 EXPECT_FORTIFY_DEATH(read(kBogusFD, unknown, count));
603 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
604 EXPECT_FORTIFY_DEATH(pread(kBogusFD, unknown, count, 0));
605 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
606 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, unknown, count, 0));
607 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
608 EXPECT_FORTIFY_DEATH(write(kBogusFD, unknown, count));
609 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
610 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, unknown, count, 0));
611 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
612 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, unknown, count, 0));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]613 }
614}
615
616#endif // defined(__BIONIC__)