Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / 23ec1421b539128ec9941deadfc4b30babf6e1b6 / . / tests / clang_fortify_tests.cpp
blob: 018880fd388e90d00fb2282a24bd6006190a04b9 [file] [log] [blame]
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]1/*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef __clang__
18#error "Non-clang isn't supported"
19#endif
20
21// Clang compile-time and run-time tests for Bionic's FORTIFY.
22//
23// This file is compiled in two configurations ways to give us a sane set of tests for clang's
24// FORTIFY implementation.
25//
26// One configuration uses clang's diagnostic consumer
27// (https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html#details)
28// to check diagnostics (e.g. the expected-* comments everywhere).
29//
30// Please note that this test does things like leaking memory. That's WAI.
31
32// Silence all "from 'diagnose_if'" `note`s from anywhere, including headers; they're uninteresting
33// for this test case, and their line numbers may change over time.
34// expected-note@* 0+{{from 'diagnose_if'}}
35//
36// Similarly, there are a few overload tricks we have to emit errors. Ignore any notes from those.
37// expected-note@* 0+{{candidate function}}
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]38//
39// And finally, all explicitly-unavailable-here complaints from headers are
40// uninteresting
Yi Kongbf67ea52019-08-03 18:26:05 -0700[diff] [blame]41// expected-note@* 0+{{has been explicitly marked unavailable here}}
42
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]43// Note that some of these diags come from clang itself, while others come from
44// `diagnose_if`s sprinkled throughout Bionic.
45
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]46#ifndef _FORTIFY_SOURCE
47#error "_FORTIFY_SOURCE must be defined"
48#endif
49
50#include <sys/cdefs.h>
51
52// This is a test specifically of bionic's FORTIFY machinery. Other stdlibs need not apply.
53#ifndef __BIONIC__
54// expected-no-diagnostics
55#else
56
57// As alluded to above, we're going to be doing some obviously very broken things in this file.
58// FORTIFY helpfully flags a lot of it at compile-time, but we want it to *actually* crash, too. So
59// let's wipe out any build-time errors.
60#ifndef COMPILATION_TESTS
61#undef __clang_error_if
62#define __clang_error_if(...)
63#undef __clang_warning_if
64#define __clang_warning_if(...)
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]65#pragma clang diagnostic ignored "-Wfortify-source"
George Burgess IV26d25a22019-06-06 17:45:05 -0700[diff] [blame]66
67// SOMETIMES_CONST allows clang to emit eager diagnostics when we're doing compilation tests, but
68// blocks them otherwise. This is needed for diagnostics emitted with __enable_if.
69#define SOMETIMES_CONST volatile
70#else
71#define SOMETIMES_CONST const
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]72#endif
73
74#include <err.h>
75#include <fcntl.h>
76#include <limits.h>
77#include <poll.h>
78#include <signal.h>
79#include <stdio.h>
80#include <stdlib.h>
81#include <string.h>
82#include <sys/socket.h>
83#include <sys/stat.h>
84#include <sys/wait.h>
85#include <syslog.h>
86#include <unistd.h>
87#include <wchar.h>
88
89#ifndef COMPILATION_TESTS
90#include <gtest/gtest.h>
91#include "BionicDeathTest.h"
92
93#define CONCAT2(x, y) x##y
94#define CONCAT(x, y) CONCAT2(x, y)
95#define FORTIFY_TEST_NAME CONCAT(clang_fortify_test_, _FORTIFY_SOURCE)
96
97namespace {
98struct FORTIFY_TEST_NAME : BionicDeathTest {
99 protected:
100 void SetUp() override {
101 stdin_saved = dup(STDIN_FILENO);
102 if (stdin_saved < 0) err(1, "failed to dup stdin");
103
104 int devnull = open("/dev/null", O_RDONLY);
105 if (devnull < 0) err(1, "failed to open /dev/null");
106
107 if (!dup2(devnull, STDIN_FILENO)) err(1, "failed to overwrite stdin");
108 static_cast<void>(close(devnull));
109
110 BionicDeathTest::SetUp();
111 }
112
113 void TearDown() override {
114 if (stdin_saved == -1) return;
115 if (!dup2(stdin_saved, STDIN_FILENO)) warn("failed to restore stdin");
116
117 static_cast<void>(close(stdin_saved));
118
119 BionicDeathTest::TearDown();
120 }
121
122 private:
123 int stdin_saved = -1;
124};
125} // namespace
126
127template <typename Fn>
128__attribute__((noreturn)) static void ExitAfter(Fn&& f) {
129 f();
130 // No need to tear things down; our parent process should handle that.
131 _exit(0);
132}
133
134// In any case (including failing tests), we always want to die after this.
135#define DIE_WITH(expr, cond, regex) EXPECT_EXIT(ExitAfter([&] { (expr); }), cond, regex)
136
137// EXPECT_NO_DEATH forks so that the test remains alive on a bug, and so that the environment
138// doesn't get modified on no bug. (Environment modification is especially tricky to deal with given
139// the *_STRUCT variants below.)
140#define EXPECT_NO_DEATH(expr) DIE_WITH(expr, testing::ExitedWithCode(0), "")
141#define EXPECT_FORTIFY_DEATH(expr) DIE_WITH(expr, testing::KilledBySignal(SIGABRT), "FORTIFY")
142// Expecting death, but only if we're doing a "strict" struct-checking mode.
143#if _FORTIFY_SOURCE > 1
144#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
145#else
146#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_NO_DEATH
147#endif
148
149#define FORTIFY_TEST(test_name) TEST(FORTIFY_TEST_NAME, test_name)
150
151#else // defined(COMPILATION_TESTS)
152
153#define EXPECT_NO_DEATH(expr) expr
154#define EXPECT_FORTIFY_DEATH(expr) expr
155#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
156#define FORTIFY_TEST(test_name) void test_name()
157#endif
158
159const static int kBogusFD = -1;
160
161FORTIFY_TEST(string) {
162 char small_buffer[8] = {};
163
164 {
165 char large_buffer[sizeof(small_buffer) + 1] = {};
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]166 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]167 EXPECT_FORTIFY_DEATH(memcpy(small_buffer, large_buffer, sizeof(large_buffer)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]168 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]169 EXPECT_FORTIFY_DEATH(memmove(small_buffer, large_buffer, sizeof(large_buffer)));
George Burgess IV849c0b92019-06-10 16:22:09 -0700[diff] [blame]170 // expected-error@+1{{size bigger than buffer}}
171 EXPECT_FORTIFY_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]172 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]173 EXPECT_FORTIFY_DEATH(memset(small_buffer, 0, sizeof(large_buffer)));
174 // expected-warning@+1{{arguments got flipped?}}
175 EXPECT_NO_DEATH(memset(small_buffer, sizeof(small_buffer), 0));
George Burgess IV261b7f42019-06-10 16:32:07 -0700[diff] [blame]176 // expected-error@+1{{size bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]177 EXPECT_FORTIFY_DEATH(bcopy(large_buffer, small_buffer, sizeof(large_buffer)));
George Burgess IV261b7f42019-06-10 16:32:07 -0700[diff] [blame]178 // expected-error@+1{{size bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]179 EXPECT_FORTIFY_DEATH(bzero(small_buffer, sizeof(large_buffer)));
180 }
181
182 {
183 const char large_string[] = "Hello!!!";
184 static_assert(sizeof(large_string) > sizeof(small_buffer), "");
185
186 // expected-error@+1{{string bigger than buffer}}
187 EXPECT_FORTIFY_DEATH(strcpy(small_buffer, large_string));
188 // expected-error@+1{{string bigger than buffer}}
189 EXPECT_FORTIFY_DEATH(stpcpy(small_buffer, large_string));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]190 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]191 EXPECT_FORTIFY_DEATH(strncpy(small_buffer, large_string, sizeof(large_string)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]192 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]193 EXPECT_FORTIFY_DEATH(stpncpy(small_buffer, large_string, sizeof(large_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]194 // expected-error@+1{{string bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]195 EXPECT_FORTIFY_DEATH(strcat(small_buffer, large_string));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]196 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]197 EXPECT_FORTIFY_DEATH(strncat(small_buffer, large_string, sizeof(large_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]198 // expected-error@+1{{size bigger than buffer}}
199 EXPECT_FORTIFY_DEATH(strlcpy(small_buffer, large_string, sizeof(large_string)));
200 // expected-error@+1{{size bigger than buffer}}
201 EXPECT_FORTIFY_DEATH(strlcat(small_buffer, large_string, sizeof(large_string)));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]202 }
203
204 {
205 struct {
206 char tiny_buffer[4];
207 char tiny_buffer2[4];
208 } split = {};
209
210 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
211 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
212 EXPECT_NO_DEATH(memmove(split.tiny_buffer, &split, sizeof(split)));
213 EXPECT_NO_DEATH(mempcpy(split.tiny_buffer, &split, sizeof(split)));
214 EXPECT_NO_DEATH(memset(split.tiny_buffer, 0, sizeof(split)));
215
216 EXPECT_NO_DEATH(bcopy(&split, split.tiny_buffer, sizeof(split)));
217 EXPECT_NO_DEATH(bzero(split.tiny_buffer, sizeof(split)));
218
219 const char small_string[] = "Hi!!";
220 static_assert(sizeof(small_string) > sizeof(split.tiny_buffer), "");
221
222#if _FORTIFY_SOURCE > 1
223 // expected-error@+2{{string bigger than buffer}}
224#endif
225 EXPECT_FORTIFY_DEATH_STRUCT(strcpy(split.tiny_buffer, small_string));
226
227#if _FORTIFY_SOURCE > 1
228 // expected-error@+2{{string bigger than buffer}}
229#endif
230 EXPECT_FORTIFY_DEATH_STRUCT(stpcpy(split.tiny_buffer, small_string));
231
232#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]233 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]234#endif
235 EXPECT_FORTIFY_DEATH_STRUCT(strncpy(split.tiny_buffer, small_string, sizeof(small_string)));
236
237#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]238 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]239#endif
240 EXPECT_FORTIFY_DEATH_STRUCT(stpncpy(split.tiny_buffer, small_string, sizeof(small_string)));
241
242#if _FORTIFY_SOURCE > 1
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]243 // expected-error@+2{{string bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]244#endif
245 EXPECT_FORTIFY_DEATH_STRUCT(strcat(split.tiny_buffer, small_string));
246
247#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]248 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]249#endif
250 EXPECT_FORTIFY_DEATH_STRUCT(strncat(split.tiny_buffer, small_string, sizeof(small_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]251
252#if _FORTIFY_SOURCE > 1
253 // expected-error@+2{{size bigger than buffer}}
254#endif
255 EXPECT_FORTIFY_DEATH_STRUCT(strlcat(split.tiny_buffer, small_string, sizeof(small_string)));
256
257#if _FORTIFY_SOURCE > 1
258 // expected-error@+2{{size bigger than buffer}}
259#endif
260 EXPECT_FORTIFY_DEATH_STRUCT(strlcpy(split.tiny_buffer, small_string, sizeof(small_string)));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]261 }
262}
263
George Burgess IV2356c932019-06-06 17:18:13 -0700[diff] [blame]264FORTIFY_TEST(fcntl) {
265 const char target[] = "/dev/null";
266 int dirfd = 0;
267
268 // These all emit hard errors without diagnose_if, so running them is a bit
269 // more involved.
270#ifdef COMPILATION_TESTS
271 // expected-error@+1{{too many arguments}}
272 open("/", 0, 0, 0);
273 // expected-error@+1{{too many arguments}}
274 open64("/", 0, 0, 0);
275 // expected-error@+1{{too many arguments}}
276 openat(0, "/", 0, 0, 0);
277 // expected-error@+1{{too many arguments}}
278 openat64(0, "/", 0, 0, 0);
279#endif
280
281 // expected-error@+1{{missing mode}}
282 EXPECT_FORTIFY_DEATH(open(target, O_CREAT));
283 // expected-error@+1{{missing mode}}
284 EXPECT_FORTIFY_DEATH(open(target, O_TMPFILE));
285 // expected-error@+1{{missing mode}}
286 EXPECT_FORTIFY_DEATH(open64(target, O_CREAT));
287 // expected-error@+1{{missing mode}}
288 EXPECT_FORTIFY_DEATH(open64(target, O_TMPFILE));
289 // expected-error@+1{{missing mode}}
290 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_CREAT));
291 // expected-error@+1{{missing mode}}
292 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_TMPFILE));
293 // expected-error@+1{{missing mode}}
294 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_CREAT));
295 // expected-error@+1{{missing mode}}
296 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_TMPFILE));
297
298 // expected-warning@+1{{superfluous mode bits}}
299 EXPECT_NO_DEATH(open(target, O_RDONLY, 0777));
300 // expected-warning@+1{{superfluous mode bits}}
301 EXPECT_NO_DEATH(open64(target, O_RDONLY, 0777));
302 // expected-warning@+1{{superfluous mode bits}}
303 EXPECT_NO_DEATH(openat(dirfd, target, O_RDONLY, 0777));
304 // expected-warning@+1{{superfluous mode bits}}
305 EXPECT_NO_DEATH(openat64(dirfd, target, O_RDONLY, 0777));
306}
307
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]308// Since these emit hard errors, it's sort of hard to run them...
309#ifdef COMPILATION_TESTS
310namespace compilation_tests {
311template <typename T>
312static T declval() {
313 __builtin_unreachable();
314}
315
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]316static void testFormatStrings() {
317 const auto unsigned_value = declval<unsigned long long>();
318 const auto* unknown_string = declval<const char*>();
George Burgess IV06bb4ce2019-06-13 15:13:02 -0700[diff] [blame]319 const auto va = *declval<va_list*>();
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]320
321 {
322 auto some_fd = declval<int>();
323 // expected-warning@+1{{format specifies type 'int'}}
324 dprintf(some_fd, "%d", unsigned_value);
325 // expected-warning@+1{{format string is not a string literal}}
326 dprintf(some_fd, unknown_string, unsigned_value);
327 // expected-warning@+1{{format string is not a string literal}}
328 vdprintf(1, unknown_string, va);
329 }
330
331 {
332 auto* retval = declval<char*>();
333#if 0
334 // expected-error@+2{{ignoring return value}}
335#endif
336 // expected-warning@+1{{format specifies type 'int'}}
337 asprintf(&retval, "%d", unsigned_value);
338#if 0
339 // expected-error@+2{{ignoring return value}}
340#endif
341 // expected-warning@+1{{format string is not a string literal}}
342 asprintf(&retval, unknown_string, unsigned_value);
343#if 0
344 // expected-error@+2{{ignoring return value}}
345#endif
346 // expected-warning@+1{{format string is not a string literal}}
347 vasprintf(&retval, unknown_string, va);
348 }
349
350 // expected-warning@+1{{format specifies type 'int'}}
351 syslog(0, "%d", unsigned_value);
352 // expected-warning@+1{{format string is not a string literal}}
353 syslog(0, unknown_string, unsigned_value);
354 // expected-warning@+1{{format string is not a string literal}}
355 vsyslog(0, unknown_string, va);
356
357 {
358 auto* file = declval<FILE*>();
359 // expected-warning@+1{{format specifies type 'int'}}
360 fprintf(file, "%d", unsigned_value);
361 // expected-warning@+1{{format string is not a string literal}}
362 fprintf(file, unknown_string, unsigned_value);
363 // expected-warning@+1{{format string is not a string literal}}
364 vfprintf(file, unknown_string, va);
365 }
366
367 // expected-warning@+1{{format specifies type 'int'}}
368 printf("%d", unsigned_value);
369 // expected-warning@+1{{format string is not a string literal}}
370 printf(unknown_string, unsigned_value);
371 // expected-warning@+1{{format string is not a string literal}}
372 vprintf(unknown_string, va);
373
374 {
375 char buf[128];
376 // expected-warning@+1{{format specifies type 'int'}}
377 sprintf(buf, "%d", unsigned_value);
378 // expected-warning@+1{{format string is not a string literal}}
379 sprintf(buf, unknown_string, unsigned_value);
380 // expected-warning@+1{{format string is not a string literal}}
381 sprintf(buf, unknown_string, va);
382
383 // expected-warning@+1{{format specifies type 'int'}}
384 snprintf(buf, sizeof(buf), "%d", unsigned_value);
385 // expected-warning@+1{{format string is not a string literal}}
386 snprintf(buf, sizeof(buf), unknown_string, unsigned_value);
387 // expected-warning@+1{{format string is not a string literal}}
388 vsnprintf(buf, sizeof(buf), unknown_string, va);
389 }
390
391 // FIXME: below are general format string cases where clang should probably try to warn.
392 {
393 char buf[4];
394 sprintf(buf, "%s", "1234");
395 sprintf(buf, "1%s4", "23");
396 sprintf(buf, "%d", 1234);
397
398 // Similar thoughts for strncpy, etc.
399 }
400}
401
402static void testStdlib() {
403 char path_buffer[PATH_MAX - 1];
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]404 // expected-warning@+2{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]405 // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}}
406 realpath("/", path_buffer);
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]407 // expected-warning@+1{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]408 realpath("/", nullptr);
409
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]410 // expected-warning@+2{{ignoring return value of function}}
411 // expected-error@+1{{flipped arguments?}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]412 realpath(nullptr, path_buffer);
413
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]414 // expected-warning@+2{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]415 // expected-error@+1{{flipped arguments?}}
416 realpath(nullptr, nullptr);
417}
418} // namespace compilation_tests
419#endif
420
421FORTIFY_TEST(poll) {
422 int pipe_fds[2];
423 if (pipe(pipe_fds)) err(1, "pipe failed");
424
425 // after this, pipe_fds[0] should always report RDHUP
426 if (close(pipe_fds[1])) err(1, "close failed");
427
428 struct pollfd poll_fd = { pipe_fds[0], POLLRDHUP, 0 };
429 {
430 struct pollfd few_fds[] = { poll_fd, poll_fd };
431 // expected-error@+1{{fd_count is larger than the given buffer}}
432 EXPECT_FORTIFY_DEATH(poll(few_fds, 3, 0));
433 // expected-error@+1{{fd_count is larger than the given buffer}}
434 EXPECT_FORTIFY_DEATH(ppoll(few_fds, 3, 0, 0));
435 // expected-error@+1{{fd_count is larger than the given buffer}}
436 EXPECT_FORTIFY_DEATH(ppoll64(few_fds, 3, 0, nullptr));
437 }
438
439 {
440 struct {
441 struct pollfd few[2];
442 struct pollfd extra[1];
443 } fds = { { poll_fd, poll_fd }, { poll_fd } };
444 static_assert(sizeof(fds) >= sizeof(struct pollfd) * 3, "");
445
446#if _FORTIFY_SOURCE > 1
447 // expected-error@+2{{fd_count is larger than the given buffer}}
448#endif
449 EXPECT_FORTIFY_DEATH_STRUCT(poll(fds.few, 3, 0));
450
451 struct timespec timeout = {};
452#if _FORTIFY_SOURCE > 1
453 // expected-error@+2{{fd_count is larger than the given buffer}}
454#endif
455 EXPECT_FORTIFY_DEATH_STRUCT(ppoll(fds.few, 3, &timeout, 0));
456
457#if _FORTIFY_SOURCE > 1
458 // expected-error@+2{{fd_count is larger than the given buffer}}
459#endif
460 EXPECT_FORTIFY_DEATH_STRUCT(ppoll64(fds.few, 3, 0, nullptr));
461 }
462}
463
464FORTIFY_TEST(socket) {
465 {
466 char small_buffer[8];
467 // expected-error@+1{{size bigger than buffer}}
468 EXPECT_FORTIFY_DEATH(recv(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
469 // expected-error@+1{{size bigger than buffer}}
470 EXPECT_FORTIFY_DEATH(recvfrom(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
471
472 // expected-error@+1{{size bigger than buffer}}
473 EXPECT_FORTIFY_DEATH(send(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
474 // expected-error@+1{{size bigger than buffer}}
475 EXPECT_FORTIFY_DEATH(sendto(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
476 }
477
478 {
479 struct {
480 char tiny_buffer[4];
481 char tiny_buffer2;
482 } split = {};
483
484 EXPECT_NO_DEATH(recv(kBogusFD, split.tiny_buffer, sizeof(split), 0));
485 EXPECT_NO_DEATH(recvfrom(kBogusFD, split.tiny_buffer, sizeof(split), 0, 0, 0));
486 }
487}
488
489FORTIFY_TEST(sys_stat) {
490 // expected-error@+1{{'umask' called with invalid mode}}
491 EXPECT_FORTIFY_DEATH(umask(01777));
492}
493
494FORTIFY_TEST(stdio) {
495 char small_buffer[8] = {};
496 {
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]497 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]498 EXPECT_FORTIFY_DEATH(snprintf(small_buffer, sizeof(small_buffer) + 1, ""));
499
500 va_list va;
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]501 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]502 // expected-warning@+1{{format string is empty}}
503 EXPECT_FORTIFY_DEATH(vsnprintf(small_buffer, sizeof(small_buffer) + 1, "", va));
George Burgess IV26d25a22019-06-06 17:45:05 -0700[diff] [blame]504
505 const char *SOMETIMES_CONST format_string = "aaaaaaaaa";
506
507 // expected-error@+1{{format string will always overflow}}
508 EXPECT_FORTIFY_DEATH(sprintf(small_buffer, format_string));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]509 }
510
511 // expected-error@+1{{size should not be negative}}
512 EXPECT_FORTIFY_DEATH(fgets(small_buffer, -1, stdin));
513 // expected-error@+1{{size is larger than the destination buffer}}
514 EXPECT_FORTIFY_DEATH(fgets(small_buffer, sizeof(small_buffer) + 1, stdin));
515
516 // expected-error@+1{{size * count overflows}}
517 EXPECT_NO_DEATH(fread(small_buffer, 2, (size_t)-1, stdin));
518 // expected-error@+1{{size * count is too large for the given buffer}}
519 EXPECT_FORTIFY_DEATH(fread(small_buffer, 1, sizeof(small_buffer) + 1, stdin));
520
521 // expected-error@+1{{size * count overflows}}
522 EXPECT_NO_DEATH(fwrite(small_buffer, 2, (size_t)-1, stdout));
523 // expected-error@+1{{size * count is too large for the given buffer}}
524 EXPECT_FORTIFY_DEATH(fwrite(small_buffer, 1, sizeof(small_buffer) + 1, stdout));
525}
526
527FORTIFY_TEST(unistd) {
528 char small_buffer[8];
529
530 // Return value warnings are (sort of) a part of FORTIFY, so we don't ignore them.
531#if 0
532 // expected-error@+2{{ignoring return value of function}}
533#endif
534 // expected-error@+1{{bytes overflows the given object}}
535 EXPECT_FORTIFY_DEATH(read(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
536#if 0
537 // expected-error@+2{{ignoring return value of function}}
538#endif
539 // expected-error@+1{{bytes overflows the given object}}
540 EXPECT_FORTIFY_DEATH(pread(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
541#if 0
542 // expected-error@+2{{ignoring return value of function}}
543#endif
544 // expected-error@+1{{bytes overflows the given object}}
545 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
546#if 0
547 // expected-error@+2{{ignoring return value of function}}
548#endif
549 // expected-error@+1{{bytes overflows the given object}}
550 EXPECT_FORTIFY_DEATH(write(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
551#if 0
552 // expected-error@+2{{ignoring return value of function}}
553#endif
554 // expected-error@+1{{bytes overflows the given object}}
555 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
556#if 0
557 // expected-error@+2{{ignoring return value of function}}
558#endif
559 // expected-error@+1{{bytes overflows the given object}}
560 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
561#if 0
562 // expected-error@+2{{ignoring return value of function}}
563#endif
564 // expected-error@+1{{bytes overflows the given object}}
565 EXPECT_FORTIFY_DEATH(readlink("/", small_buffer, sizeof(small_buffer) + 1));
566#if 0
567 // expected-error@+2{{ignoring return value of function}}
568#endif
569 // expected-error@+1{{bytes overflows the given object}}
570 EXPECT_FORTIFY_DEATH(getcwd(small_buffer, sizeof(small_buffer) + 1));
571
572 // getcwd allocates and returns a buffer if you pass null to getcwd
573 EXPECT_NO_DEATH(getcwd(nullptr, 0));
574 EXPECT_NO_DEATH(getcwd(nullptr, 4096));
575
576 struct {
577 char tiny_buffer[4];
578 char tiny_buffer2[4];
579 } split;
580
581 EXPECT_NO_DEATH(read(kBogusFD, split.tiny_buffer, sizeof(split)));
582 EXPECT_NO_DEATH(pread(kBogusFD, split.tiny_buffer, sizeof(split), 0));
583 EXPECT_NO_DEATH(pread64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
584 EXPECT_NO_DEATH(write(kBogusFD, split.tiny_buffer, sizeof(split)));
585 EXPECT_NO_DEATH(pwrite(kBogusFD, split.tiny_buffer, sizeof(split), 0));
586 EXPECT_NO_DEATH(pwrite64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
587
588#if _FORTIFY_SOURCE > 1
589 // expected-error@+2{{bytes overflows the given object}}
590#endif
591 EXPECT_FORTIFY_DEATH_STRUCT(readlink("/", split.tiny_buffer, sizeof(split)));
592#if _FORTIFY_SOURCE > 1
593 // expected-error@+2{{bytes overflows the given object}}
594#endif
595 EXPECT_FORTIFY_DEATH_STRUCT(getcwd(split.tiny_buffer, sizeof(split)));
596
597 {
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]598 char* volatile unknown = small_buffer;
599 const size_t count = static_cast<size_t>(SSIZE_MAX) + 1;
600 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
601 EXPECT_FORTIFY_DEATH(read(kBogusFD, unknown, count));
602 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
603 EXPECT_FORTIFY_DEATH(pread(kBogusFD, unknown, count, 0));
604 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
605 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, unknown, count, 0));
606 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
607 EXPECT_FORTIFY_DEATH(write(kBogusFD, unknown, count));
608 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
609 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, unknown, count, 0));
610 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
611 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, unknown, count, 0));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]612 }
613}
614
615#endif // defined(__BIONIC__)