Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / 332065d57e734b65f56474d136d22d767e36cbcd / . / tests / clang_fortify_tests.cpp
blob: 0d17284fb17e67254607e09e5d2b63d9fb76b4cc [file] [log] [blame]
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]1/*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef __clang__
18#error "Non-clang isn't supported"
19#endif
20
Elliott Hughescfd8f582020-07-23 13:40:39 -0700[diff] [blame]21//
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]22// Clang compile-time and run-time tests for Bionic's FORTIFY.
23//
Elliott Hughescfd8f582020-07-23 13:40:39 -0700[diff] [blame]24
25// This file is compiled in two configurations to give us reasonable coverage of clang's
26// FORTIFY implementation:
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]27//
Elliott Hughescfd8f582020-07-23 13:40:39 -0700[diff] [blame]28// 1. For compile-time checks, we use clang's diagnostic consumer
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]29// (https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html#details)
30// to check diagnostics (e.g. the expected-* comments everywhere).
31//
Elliott Hughescfd8f582020-07-23 13:40:39 -0700[diff] [blame]32// 2. For run-time checks, we build and run as regular gtests.
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]33
Elliott Hughescfd8f582020-07-23 13:40:39 -0700[diff] [blame]34// Note that these tests do things like leaking memory. That's WAI.
35
36//
37// Configuration for the compile-time checks. (These comments have side effects!)
38//
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]39// Silence all "from 'diagnose_if'" `note`s from anywhere, including headers; they're uninteresting
40// for this test case, and their line numbers may change over time.
41// expected-note@* 0+{{from 'diagnose_if'}}
42//
43// Similarly, there are a few overload tricks we have to emit errors. Ignore any notes from those.
44// expected-note@* 0+{{candidate function}}
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]45//
46// And finally, all explicitly-unavailable-here complaints from headers are
47// uninteresting
Yi Kongbf67ea52019-08-03 18:26:05 -0700[diff] [blame]48// expected-note@* 0+{{has been explicitly marked unavailable here}}
Elliott Hughescfd8f582020-07-23 13:40:39 -0700[diff] [blame]49//
50// Note that some of these diagnostics come from clang itself, while others come from
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]51// `diagnose_if`s sprinkled throughout Bionic.
52
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]53#ifndef _FORTIFY_SOURCE
54#error "_FORTIFY_SOURCE must be defined"
55#endif
56
57#include <sys/cdefs.h>
58
59// This is a test specifically of bionic's FORTIFY machinery. Other stdlibs need not apply.
60#ifndef __BIONIC__
61// expected-no-diagnostics
62#else
63
64// As alluded to above, we're going to be doing some obviously very broken things in this file.
65// FORTIFY helpfully flags a lot of it at compile-time, but we want it to *actually* crash, too. So
66// let's wipe out any build-time errors.
67#ifndef COMPILATION_TESTS
68#undef __clang_error_if
69#define __clang_error_if(...)
70#undef __clang_warning_if
71#define __clang_warning_if(...)
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]72#pragma clang diagnostic ignored "-Wfortify-source"
George Burgess IV26d25a22019-06-06 17:45:05 -0700[diff] [blame]73
74// SOMETIMES_CONST allows clang to emit eager diagnostics when we're doing compilation tests, but
75// blocks them otherwise. This is needed for diagnostics emitted with __enable_if.
76#define SOMETIMES_CONST volatile
77#else
78#define SOMETIMES_CONST const
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]79#endif
80
81#include <err.h>
82#include <fcntl.h>
83#include <limits.h>
84#include <poll.h>
85#include <signal.h>
86#include <stdio.h>
87#include <stdlib.h>
88#include <string.h>
89#include <sys/socket.h>
90#include <sys/stat.h>
91#include <sys/wait.h>
92#include <syslog.h>
93#include <unistd.h>
94#include <wchar.h>
95
96#ifndef COMPILATION_TESTS
97#include <gtest/gtest.h>
98#include "BionicDeathTest.h"
99
100#define CONCAT2(x, y) x##y
101#define CONCAT(x, y) CONCAT2(x, y)
102#define FORTIFY_TEST_NAME CONCAT(clang_fortify_test_, _FORTIFY_SOURCE)
103
104namespace {
105struct FORTIFY_TEST_NAME : BionicDeathTest {
106 protected:
107 void SetUp() override {
108 stdin_saved = dup(STDIN_FILENO);
109 if (stdin_saved < 0) err(1, "failed to dup stdin");
110
111 int devnull = open("/dev/null", O_RDONLY);
112 if (devnull < 0) err(1, "failed to open /dev/null");
113
114 if (!dup2(devnull, STDIN_FILENO)) err(1, "failed to overwrite stdin");
115 static_cast<void>(close(devnull));
116
117 BionicDeathTest::SetUp();
118 }
119
120 void TearDown() override {
121 if (stdin_saved == -1) return;
122 if (!dup2(stdin_saved, STDIN_FILENO)) warn("failed to restore stdin");
123
124 static_cast<void>(close(stdin_saved));
125
126 BionicDeathTest::TearDown();
127 }
128
129 private:
130 int stdin_saved = -1;
131};
132} // namespace
133
134template <typename Fn>
135__attribute__((noreturn)) static void ExitAfter(Fn&& f) {
136 f();
137 // No need to tear things down; our parent process should handle that.
138 _exit(0);
139}
140
141// In any case (including failing tests), we always want to die after this.
142#define DIE_WITH(expr, cond, regex) EXPECT_EXIT(ExitAfter([&] { (expr); }), cond, regex)
143
144// EXPECT_NO_DEATH forks so that the test remains alive on a bug, and so that the environment
145// doesn't get modified on no bug. (Environment modification is especially tricky to deal with given
146// the *_STRUCT variants below.)
147#define EXPECT_NO_DEATH(expr) DIE_WITH(expr, testing::ExitedWithCode(0), "")
148#define EXPECT_FORTIFY_DEATH(expr) DIE_WITH(expr, testing::KilledBySignal(SIGABRT), "FORTIFY")
149// Expecting death, but only if we're doing a "strict" struct-checking mode.
150#if _FORTIFY_SOURCE > 1
151#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
152#else
153#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_NO_DEATH
154#endif
155
156#define FORTIFY_TEST(test_name) TEST(FORTIFY_TEST_NAME, test_name)
157
158#else // defined(COMPILATION_TESTS)
159
160#define EXPECT_NO_DEATH(expr) expr
161#define EXPECT_FORTIFY_DEATH(expr) expr
162#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
163#define FORTIFY_TEST(test_name) void test_name()
164#endif
165
166const static int kBogusFD = -1;
167
168FORTIFY_TEST(string) {
169 char small_buffer[8] = {};
170
171 {
172 char large_buffer[sizeof(small_buffer) + 1] = {};
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]173 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]174 EXPECT_FORTIFY_DEATH(memcpy(small_buffer, large_buffer, sizeof(large_buffer)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]175 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]176 EXPECT_FORTIFY_DEATH(memmove(small_buffer, large_buffer, sizeof(large_buffer)));
Yabin Cuiae1745d2020-04-16 15:07:28 -0700[diff] [blame]177 // FIXME(gbiv): look into removing mempcpy's diagnose_if bits once the b/149839606 roll sticks.
178 // expected-error@+2{{will always overflow}}
George Burgess IV849c0b92019-06-10 16:22:09 -0700[diff] [blame]179 // expected-error@+1{{size bigger than buffer}}
180 EXPECT_FORTIFY_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]181 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]182 EXPECT_FORTIFY_DEATH(memset(small_buffer, 0, sizeof(large_buffer)));
183 // expected-warning@+1{{arguments got flipped?}}
184 EXPECT_NO_DEATH(memset(small_buffer, sizeof(small_buffer), 0));
George Burgess IV261b7f42019-06-10 16:32:07 -0700[diff] [blame]185 // expected-error@+1{{size bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]186 EXPECT_FORTIFY_DEATH(bcopy(large_buffer, small_buffer, sizeof(large_buffer)));
George Burgess IV261b7f42019-06-10 16:32:07 -0700[diff] [blame]187 // expected-error@+1{{size bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]188 EXPECT_FORTIFY_DEATH(bzero(small_buffer, sizeof(large_buffer)));
189 }
190
191 {
192 const char large_string[] = "Hello!!!";
193 static_assert(sizeof(large_string) > sizeof(small_buffer), "");
194
195 // expected-error@+1{{string bigger than buffer}}
196 EXPECT_FORTIFY_DEATH(strcpy(small_buffer, large_string));
197 // expected-error@+1{{string bigger than buffer}}
198 EXPECT_FORTIFY_DEATH(stpcpy(small_buffer, large_string));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]199 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]200 EXPECT_FORTIFY_DEATH(strncpy(small_buffer, large_string, sizeof(large_string)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]201 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]202 EXPECT_FORTIFY_DEATH(stpncpy(small_buffer, large_string, sizeof(large_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]203 // expected-error@+1{{string bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]204 EXPECT_FORTIFY_DEATH(strcat(small_buffer, large_string));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]205 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]206 EXPECT_FORTIFY_DEATH(strncat(small_buffer, large_string, sizeof(large_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]207 // expected-error@+1{{size bigger than buffer}}
208 EXPECT_FORTIFY_DEATH(strlcpy(small_buffer, large_string, sizeof(large_string)));
209 // expected-error@+1{{size bigger than buffer}}
210 EXPECT_FORTIFY_DEATH(strlcat(small_buffer, large_string, sizeof(large_string)));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]211 }
212
213 {
214 struct {
215 char tiny_buffer[4];
216 char tiny_buffer2[4];
217 } split = {};
218
219 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
220 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
221 EXPECT_NO_DEATH(memmove(split.tiny_buffer, &split, sizeof(split)));
222 EXPECT_NO_DEATH(mempcpy(split.tiny_buffer, &split, sizeof(split)));
223 EXPECT_NO_DEATH(memset(split.tiny_buffer, 0, sizeof(split)));
224
225 EXPECT_NO_DEATH(bcopy(&split, split.tiny_buffer, sizeof(split)));
226 EXPECT_NO_DEATH(bzero(split.tiny_buffer, sizeof(split)));
227
228 const char small_string[] = "Hi!!";
229 static_assert(sizeof(small_string) > sizeof(split.tiny_buffer), "");
230
231#if _FORTIFY_SOURCE > 1
232 // expected-error@+2{{string bigger than buffer}}
233#endif
234 EXPECT_FORTIFY_DEATH_STRUCT(strcpy(split.tiny_buffer, small_string));
235
236#if _FORTIFY_SOURCE > 1
237 // expected-error@+2{{string bigger than buffer}}
238#endif
239 EXPECT_FORTIFY_DEATH_STRUCT(stpcpy(split.tiny_buffer, small_string));
240
241#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]242 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]243#endif
244 EXPECT_FORTIFY_DEATH_STRUCT(strncpy(split.tiny_buffer, small_string, sizeof(small_string)));
245
246#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]247 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]248#endif
249 EXPECT_FORTIFY_DEATH_STRUCT(stpncpy(split.tiny_buffer, small_string, sizeof(small_string)));
250
251#if _FORTIFY_SOURCE > 1
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]252 // expected-error@+2{{string bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]253#endif
254 EXPECT_FORTIFY_DEATH_STRUCT(strcat(split.tiny_buffer, small_string));
255
256#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]257 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]258#endif
259 EXPECT_FORTIFY_DEATH_STRUCT(strncat(split.tiny_buffer, small_string, sizeof(small_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]260
261#if _FORTIFY_SOURCE > 1
262 // expected-error@+2{{size bigger than buffer}}
263#endif
264 EXPECT_FORTIFY_DEATH_STRUCT(strlcat(split.tiny_buffer, small_string, sizeof(small_string)));
265
266#if _FORTIFY_SOURCE > 1
267 // expected-error@+2{{size bigger than buffer}}
268#endif
269 EXPECT_FORTIFY_DEATH_STRUCT(strlcpy(split.tiny_buffer, small_string, sizeof(small_string)));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]270 }
271}
272
George Burgess IV2356c932019-06-06 17:18:13 -0700[diff] [blame]273FORTIFY_TEST(fcntl) {
274 const char target[] = "/dev/null";
275 int dirfd = 0;
276
277 // These all emit hard errors without diagnose_if, so running them is a bit
278 // more involved.
279#ifdef COMPILATION_TESTS
280 // expected-error@+1{{too many arguments}}
281 open("/", 0, 0, 0);
282 // expected-error@+1{{too many arguments}}
283 open64("/", 0, 0, 0);
284 // expected-error@+1{{too many arguments}}
285 openat(0, "/", 0, 0, 0);
286 // expected-error@+1{{too many arguments}}
287 openat64(0, "/", 0, 0, 0);
288#endif
289
290 // expected-error@+1{{missing mode}}
291 EXPECT_FORTIFY_DEATH(open(target, O_CREAT));
292 // expected-error@+1{{missing mode}}
293 EXPECT_FORTIFY_DEATH(open(target, O_TMPFILE));
294 // expected-error@+1{{missing mode}}
295 EXPECT_FORTIFY_DEATH(open64(target, O_CREAT));
296 // expected-error@+1{{missing mode}}
297 EXPECT_FORTIFY_DEATH(open64(target, O_TMPFILE));
298 // expected-error@+1{{missing mode}}
299 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_CREAT));
300 // expected-error@+1{{missing mode}}
301 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_TMPFILE));
302 // expected-error@+1{{missing mode}}
303 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_CREAT));
304 // expected-error@+1{{missing mode}}
305 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_TMPFILE));
306
307 // expected-warning@+1{{superfluous mode bits}}
308 EXPECT_NO_DEATH(open(target, O_RDONLY, 0777));
309 // expected-warning@+1{{superfluous mode bits}}
310 EXPECT_NO_DEATH(open64(target, O_RDONLY, 0777));
311 // expected-warning@+1{{superfluous mode bits}}
312 EXPECT_NO_DEATH(openat(dirfd, target, O_RDONLY, 0777));
313 // expected-warning@+1{{superfluous mode bits}}
314 EXPECT_NO_DEATH(openat64(dirfd, target, O_RDONLY, 0777));
315}
316
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]317// Since these emit hard errors, it's sort of hard to run them...
318#ifdef COMPILATION_TESTS
319namespace compilation_tests {
320template <typename T>
321static T declval() {
322 __builtin_unreachable();
323}
324
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]325static void testFormatStrings() {
326 const auto unsigned_value = declval<unsigned long long>();
327 const auto* unknown_string = declval<const char*>();
George Burgess IV06bb4ce2019-06-13 15:13:02 -0700[diff] [blame]328 const auto va = *declval<va_list*>();
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]329
330 {
331 auto some_fd = declval<int>();
332 // expected-warning@+1{{format specifies type 'int'}}
333 dprintf(some_fd, "%d", unsigned_value);
334 // expected-warning@+1{{format string is not a string literal}}
335 dprintf(some_fd, unknown_string, unsigned_value);
336 // expected-warning@+1{{format string is not a string literal}}
337 vdprintf(1, unknown_string, va);
338 }
339
340 {
341 auto* retval = declval<char*>();
342#if 0
343 // expected-error@+2{{ignoring return value}}
344#endif
345 // expected-warning@+1{{format specifies type 'int'}}
346 asprintf(&retval, "%d", unsigned_value);
347#if 0
348 // expected-error@+2{{ignoring return value}}
349#endif
350 // expected-warning@+1{{format string is not a string literal}}
351 asprintf(&retval, unknown_string, unsigned_value);
352#if 0
353 // expected-error@+2{{ignoring return value}}
354#endif
355 // expected-warning@+1{{format string is not a string literal}}
356 vasprintf(&retval, unknown_string, va);
357 }
358
359 // expected-warning@+1{{format specifies type 'int'}}
360 syslog(0, "%d", unsigned_value);
361 // expected-warning@+1{{format string is not a string literal}}
362 syslog(0, unknown_string, unsigned_value);
363 // expected-warning@+1{{format string is not a string literal}}
364 vsyslog(0, unknown_string, va);
365
366 {
367 auto* file = declval<FILE*>();
368 // expected-warning@+1{{format specifies type 'int'}}
369 fprintf(file, "%d", unsigned_value);
370 // expected-warning@+1{{format string is not a string literal}}
371 fprintf(file, unknown_string, unsigned_value);
372 // expected-warning@+1{{format string is not a string literal}}
373 vfprintf(file, unknown_string, va);
374 }
375
376 // expected-warning@+1{{format specifies type 'int'}}
377 printf("%d", unsigned_value);
378 // expected-warning@+1{{format string is not a string literal}}
379 printf(unknown_string, unsigned_value);
380 // expected-warning@+1{{format string is not a string literal}}
381 vprintf(unknown_string, va);
382
383 {
384 char buf[128];
385 // expected-warning@+1{{format specifies type 'int'}}
386 sprintf(buf, "%d", unsigned_value);
387 // expected-warning@+1{{format string is not a string literal}}
388 sprintf(buf, unknown_string, unsigned_value);
389 // expected-warning@+1{{format string is not a string literal}}
390 sprintf(buf, unknown_string, va);
391
392 // expected-warning@+1{{format specifies type 'int'}}
393 snprintf(buf, sizeof(buf), "%d", unsigned_value);
394 // expected-warning@+1{{format string is not a string literal}}
395 snprintf(buf, sizeof(buf), unknown_string, unsigned_value);
396 // expected-warning@+1{{format string is not a string literal}}
397 vsnprintf(buf, sizeof(buf), unknown_string, va);
398 }
399
400 // FIXME: below are general format string cases where clang should probably try to warn.
401 {
402 char buf[4];
403 sprintf(buf, "%s", "1234");
404 sprintf(buf, "1%s4", "23");
405 sprintf(buf, "%d", 1234);
406
407 // Similar thoughts for strncpy, etc.
408 }
409}
410
411static void testStdlib() {
412 char path_buffer[PATH_MAX - 1];
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]413 // expected-warning@+2{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]414 // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}}
415 realpath("/", path_buffer);
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]416 // expected-warning@+1{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]417 realpath("/", nullptr);
418
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]419 // expected-warning@+2{{ignoring return value of function}}
420 // expected-error@+1{{flipped arguments?}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]421 realpath(nullptr, path_buffer);
422
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]423 // expected-warning@+2{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]424 // expected-error@+1{{flipped arguments?}}
425 realpath(nullptr, nullptr);
426}
427} // namespace compilation_tests
428#endif
429
430FORTIFY_TEST(poll) {
431 int pipe_fds[2];
432 if (pipe(pipe_fds)) err(1, "pipe failed");
433
434 // after this, pipe_fds[0] should always report RDHUP
435 if (close(pipe_fds[1])) err(1, "close failed");
436
437 struct pollfd poll_fd = { pipe_fds[0], POLLRDHUP, 0 };
438 {
439 struct pollfd few_fds[] = { poll_fd, poll_fd };
440 // expected-error@+1{{fd_count is larger than the given buffer}}
441 EXPECT_FORTIFY_DEATH(poll(few_fds, 3, 0));
442 // expected-error@+1{{fd_count is larger than the given buffer}}
443 EXPECT_FORTIFY_DEATH(ppoll(few_fds, 3, 0, 0));
444 // expected-error@+1{{fd_count is larger than the given buffer}}
445 EXPECT_FORTIFY_DEATH(ppoll64(few_fds, 3, 0, nullptr));
446 }
447
448 {
449 struct {
450 struct pollfd few[2];
451 struct pollfd extra[1];
452 } fds = { { poll_fd, poll_fd }, { poll_fd } };
453 static_assert(sizeof(fds) >= sizeof(struct pollfd) * 3, "");
454
455#if _FORTIFY_SOURCE > 1
456 // expected-error@+2{{fd_count is larger than the given buffer}}
457#endif
458 EXPECT_FORTIFY_DEATH_STRUCT(poll(fds.few, 3, 0));
459
460 struct timespec timeout = {};
461#if _FORTIFY_SOURCE > 1
462 // expected-error@+2{{fd_count is larger than the given buffer}}
463#endif
464 EXPECT_FORTIFY_DEATH_STRUCT(ppoll(fds.few, 3, &timeout, 0));
465
466#if _FORTIFY_SOURCE > 1
467 // expected-error@+2{{fd_count is larger than the given buffer}}
468#endif
469 EXPECT_FORTIFY_DEATH_STRUCT(ppoll64(fds.few, 3, 0, nullptr));
470 }
471}
472
473FORTIFY_TEST(socket) {
474 {
475 char small_buffer[8];
476 // expected-error@+1{{size bigger than buffer}}
477 EXPECT_FORTIFY_DEATH(recv(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
478 // expected-error@+1{{size bigger than buffer}}
479 EXPECT_FORTIFY_DEATH(recvfrom(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
480
481 // expected-error@+1{{size bigger than buffer}}
482 EXPECT_FORTIFY_DEATH(send(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
483 // expected-error@+1{{size bigger than buffer}}
484 EXPECT_FORTIFY_DEATH(sendto(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
485 }
486
487 {
488 struct {
489 char tiny_buffer[4];
490 char tiny_buffer2;
491 } split = {};
492
493 EXPECT_NO_DEATH(recv(kBogusFD, split.tiny_buffer, sizeof(split), 0));
494 EXPECT_NO_DEATH(recvfrom(kBogusFD, split.tiny_buffer, sizeof(split), 0, 0, 0));
495 }
496}
497
498FORTIFY_TEST(sys_stat) {
499 // expected-error@+1{{'umask' called with invalid mode}}
500 EXPECT_FORTIFY_DEATH(umask(01777));
501}
502
503FORTIFY_TEST(stdio) {
504 char small_buffer[8] = {};
505 {
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]506 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]507 EXPECT_FORTIFY_DEATH(snprintf(small_buffer, sizeof(small_buffer) + 1, ""));
508
509 va_list va;
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]510 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]511 // expected-warning@+1{{format string is empty}}
512 EXPECT_FORTIFY_DEATH(vsnprintf(small_buffer, sizeof(small_buffer) + 1, "", va));
George Burgess IV26d25a22019-06-06 17:45:05 -0700[diff] [blame]513
514 const char *SOMETIMES_CONST format_string = "aaaaaaaaa";
515
516 // expected-error@+1{{format string will always overflow}}
517 EXPECT_FORTIFY_DEATH(sprintf(small_buffer, format_string));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]518 }
519
520 // expected-error@+1{{size should not be negative}}
521 EXPECT_FORTIFY_DEATH(fgets(small_buffer, -1, stdin));
522 // expected-error@+1{{size is larger than the destination buffer}}
523 EXPECT_FORTIFY_DEATH(fgets(small_buffer, sizeof(small_buffer) + 1, stdin));
524
525 // expected-error@+1{{size * count overflows}}
526 EXPECT_NO_DEATH(fread(small_buffer, 2, (size_t)-1, stdin));
527 // expected-error@+1{{size * count is too large for the given buffer}}
528 EXPECT_FORTIFY_DEATH(fread(small_buffer, 1, sizeof(small_buffer) + 1, stdin));
529
530 // expected-error@+1{{size * count overflows}}
531 EXPECT_NO_DEATH(fwrite(small_buffer, 2, (size_t)-1, stdout));
532 // expected-error@+1{{size * count is too large for the given buffer}}
533 EXPECT_FORTIFY_DEATH(fwrite(small_buffer, 1, sizeof(small_buffer) + 1, stdout));
534}
535
536FORTIFY_TEST(unistd) {
537 char small_buffer[8];
538
539 // Return value warnings are (sort of) a part of FORTIFY, so we don't ignore them.
540#if 0
541 // expected-error@+2{{ignoring return value of function}}
542#endif
543 // expected-error@+1{{bytes overflows the given object}}
544 EXPECT_FORTIFY_DEATH(read(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
545#if 0
546 // expected-error@+2{{ignoring return value of function}}
547#endif
548 // expected-error@+1{{bytes overflows the given object}}
549 EXPECT_FORTIFY_DEATH(pread(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
550#if 0
551 // expected-error@+2{{ignoring return value of function}}
552#endif
553 // expected-error@+1{{bytes overflows the given object}}
554 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
555#if 0
556 // expected-error@+2{{ignoring return value of function}}
557#endif
558 // expected-error@+1{{bytes overflows the given object}}
559 EXPECT_FORTIFY_DEATH(write(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
560#if 0
561 // expected-error@+2{{ignoring return value of function}}
562#endif
563 // expected-error@+1{{bytes overflows the given object}}
564 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
565#if 0
566 // expected-error@+2{{ignoring return value of function}}
567#endif
568 // expected-error@+1{{bytes overflows the given object}}
569 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
570#if 0
571 // expected-error@+2{{ignoring return value of function}}
572#endif
573 // expected-error@+1{{bytes overflows the given object}}
574 EXPECT_FORTIFY_DEATH(readlink("/", small_buffer, sizeof(small_buffer) + 1));
575#if 0
576 // expected-error@+2{{ignoring return value of function}}
577#endif
578 // expected-error@+1{{bytes overflows the given object}}
579 EXPECT_FORTIFY_DEATH(getcwd(small_buffer, sizeof(small_buffer) + 1));
580
581 // getcwd allocates and returns a buffer if you pass null to getcwd
582 EXPECT_NO_DEATH(getcwd(nullptr, 0));
583 EXPECT_NO_DEATH(getcwd(nullptr, 4096));
584
585 struct {
586 char tiny_buffer[4];
587 char tiny_buffer2[4];
588 } split;
589
590 EXPECT_NO_DEATH(read(kBogusFD, split.tiny_buffer, sizeof(split)));
591 EXPECT_NO_DEATH(pread(kBogusFD, split.tiny_buffer, sizeof(split), 0));
592 EXPECT_NO_DEATH(pread64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
593 EXPECT_NO_DEATH(write(kBogusFD, split.tiny_buffer, sizeof(split)));
594 EXPECT_NO_DEATH(pwrite(kBogusFD, split.tiny_buffer, sizeof(split), 0));
595 EXPECT_NO_DEATH(pwrite64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
596
597#if _FORTIFY_SOURCE > 1
598 // expected-error@+2{{bytes overflows the given object}}
599#endif
600 EXPECT_FORTIFY_DEATH_STRUCT(readlink("/", split.tiny_buffer, sizeof(split)));
601#if _FORTIFY_SOURCE > 1
602 // expected-error@+2{{bytes overflows the given object}}
603#endif
604 EXPECT_FORTIFY_DEATH_STRUCT(getcwd(split.tiny_buffer, sizeof(split)));
605
606 {
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]607 char* volatile unknown = small_buffer;
608 const size_t count = static_cast<size_t>(SSIZE_MAX) + 1;
609 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
610 EXPECT_FORTIFY_DEATH(read(kBogusFD, unknown, count));
611 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
612 EXPECT_FORTIFY_DEATH(pread(kBogusFD, unknown, count, 0));
613 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
614 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, unknown, count, 0));
615 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
616 EXPECT_FORTIFY_DEATH(write(kBogusFD, unknown, count));
617 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
618 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, unknown, count, 0));
619 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
620 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, unknown, count, 0));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]621 }
622}
623
624#endif // defined(__BIONIC__)