Gitiles
Code Review Sign In
gerrit.omnirom.org / android_bionic / ae1745d37550de264b600b08c13242513116b8ac / . / tests / clang_fortify_tests.cpp
blob: 715f9c81c573642deda8ef5468566b818841db98 [file] [log] [blame]
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]1/*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef __clang__
18#error "Non-clang isn't supported"
19#endif
20
21// Clang compile-time and run-time tests for Bionic's FORTIFY.
22//
23// This file is compiled in two configurations ways to give us a sane set of tests for clang's
24// FORTIFY implementation.
25//
26// One configuration uses clang's diagnostic consumer
27// (https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html#details)
28// to check diagnostics (e.g. the expected-* comments everywhere).
29//
30// Please note that this test does things like leaking memory. That's WAI.
31
32// Silence all "from 'diagnose_if'" `note`s from anywhere, including headers; they're uninteresting
33// for this test case, and their line numbers may change over time.
34// expected-note@* 0+{{from 'diagnose_if'}}
35//
36// Similarly, there are a few overload tricks we have to emit errors. Ignore any notes from those.
37// expected-note@* 0+{{candidate function}}
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]38//
39// And finally, all explicitly-unavailable-here complaints from headers are
40// uninteresting
Yi Kongbf67ea52019-08-03 18:26:05 -0700[diff] [blame]41// expected-note@* 0+{{has been explicitly marked unavailable here}}
42
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]43// Note that some of these diags come from clang itself, while others come from
44// `diagnose_if`s sprinkled throughout Bionic.
45
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]46#ifndef _FORTIFY_SOURCE
47#error "_FORTIFY_SOURCE must be defined"
48#endif
49
50#include <sys/cdefs.h>
51
52// This is a test specifically of bionic's FORTIFY machinery. Other stdlibs need not apply.
53#ifndef __BIONIC__
54// expected-no-diagnostics
55#else
56
57// As alluded to above, we're going to be doing some obviously very broken things in this file.
58// FORTIFY helpfully flags a lot of it at compile-time, but we want it to *actually* crash, too. So
59// let's wipe out any build-time errors.
60#ifndef COMPILATION_TESTS
61#undef __clang_error_if
62#define __clang_error_if(...)
63#undef __clang_warning_if
64#define __clang_warning_if(...)
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]65#pragma clang diagnostic ignored "-Wfortify-source"
George Burgess IV26d25a22019-06-06 17:45:05 -0700[diff] [blame]66
67// SOMETIMES_CONST allows clang to emit eager diagnostics when we're doing compilation tests, but
68// blocks them otherwise. This is needed for diagnostics emitted with __enable_if.
69#define SOMETIMES_CONST volatile
70#else
71#define SOMETIMES_CONST const
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]72#endif
73
74#include <err.h>
75#include <fcntl.h>
76#include <limits.h>
77#include <poll.h>
78#include <signal.h>
79#include <stdio.h>
80#include <stdlib.h>
81#include <string.h>
82#include <sys/socket.h>
83#include <sys/stat.h>
84#include <sys/wait.h>
85#include <syslog.h>
86#include <unistd.h>
87#include <wchar.h>
88
89#ifndef COMPILATION_TESTS
90#include <gtest/gtest.h>
91#include "BionicDeathTest.h"
92
93#define CONCAT2(x, y) x##y
94#define CONCAT(x, y) CONCAT2(x, y)
95#define FORTIFY_TEST_NAME CONCAT(clang_fortify_test_, _FORTIFY_SOURCE)
96
97namespace {
98struct FORTIFY_TEST_NAME : BionicDeathTest {
99 protected:
100 void SetUp() override {
101 stdin_saved = dup(STDIN_FILENO);
102 if (stdin_saved < 0) err(1, "failed to dup stdin");
103
104 int devnull = open("/dev/null", O_RDONLY);
105 if (devnull < 0) err(1, "failed to open /dev/null");
106
107 if (!dup2(devnull, STDIN_FILENO)) err(1, "failed to overwrite stdin");
108 static_cast<void>(close(devnull));
109
110 BionicDeathTest::SetUp();
111 }
112
113 void TearDown() override {
114 if (stdin_saved == -1) return;
115 if (!dup2(stdin_saved, STDIN_FILENO)) warn("failed to restore stdin");
116
117 static_cast<void>(close(stdin_saved));
118
119 BionicDeathTest::TearDown();
120 }
121
122 private:
123 int stdin_saved = -1;
124};
125} // namespace
126
127template <typename Fn>
128__attribute__((noreturn)) static void ExitAfter(Fn&& f) {
129 f();
130 // No need to tear things down; our parent process should handle that.
131 _exit(0);
132}
133
134// In any case (including failing tests), we always want to die after this.
135#define DIE_WITH(expr, cond, regex) EXPECT_EXIT(ExitAfter([&] { (expr); }), cond, regex)
136
137// EXPECT_NO_DEATH forks so that the test remains alive on a bug, and so that the environment
138// doesn't get modified on no bug. (Environment modification is especially tricky to deal with given
139// the *_STRUCT variants below.)
140#define EXPECT_NO_DEATH(expr) DIE_WITH(expr, testing::ExitedWithCode(0), "")
141#define EXPECT_FORTIFY_DEATH(expr) DIE_WITH(expr, testing::KilledBySignal(SIGABRT), "FORTIFY")
142// Expecting death, but only if we're doing a "strict" struct-checking mode.
143#if _FORTIFY_SOURCE > 1
144#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
145#else
146#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_NO_DEATH
147#endif
148
149#define FORTIFY_TEST(test_name) TEST(FORTIFY_TEST_NAME, test_name)
150
151#else // defined(COMPILATION_TESTS)
152
153#define EXPECT_NO_DEATH(expr) expr
154#define EXPECT_FORTIFY_DEATH(expr) expr
155#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
156#define FORTIFY_TEST(test_name) void test_name()
157#endif
158
159const static int kBogusFD = -1;
160
161FORTIFY_TEST(string) {
162 char small_buffer[8] = {};
163
164 {
165 char large_buffer[sizeof(small_buffer) + 1] = {};
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]166 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]167 EXPECT_FORTIFY_DEATH(memcpy(small_buffer, large_buffer, sizeof(large_buffer)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]168 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]169 EXPECT_FORTIFY_DEATH(memmove(small_buffer, large_buffer, sizeof(large_buffer)));
Yabin Cuiae1745d2020-04-16 15:07:28 -0700[diff] [blame^]170 // FIXME(gbiv): look into removing mempcpy's diagnose_if bits once the b/149839606 roll sticks.
171 // expected-error@+2{{will always overflow}}
George Burgess IV849c0b92019-06-10 16:22:09 -0700[diff] [blame]172 // expected-error@+1{{size bigger than buffer}}
173 EXPECT_FORTIFY_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]174 // expected-error@+1{{will always overflow}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]175 EXPECT_FORTIFY_DEATH(memset(small_buffer, 0, sizeof(large_buffer)));
176 // expected-warning@+1{{arguments got flipped?}}
177 EXPECT_NO_DEATH(memset(small_buffer, sizeof(small_buffer), 0));
George Burgess IV261b7f42019-06-10 16:32:07 -0700[diff] [blame]178 // expected-error@+1{{size bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]179 EXPECT_FORTIFY_DEATH(bcopy(large_buffer, small_buffer, sizeof(large_buffer)));
George Burgess IV261b7f42019-06-10 16:32:07 -0700[diff] [blame]180 // expected-error@+1{{size bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]181 EXPECT_FORTIFY_DEATH(bzero(small_buffer, sizeof(large_buffer)));
182 }
183
184 {
185 const char large_string[] = "Hello!!!";
186 static_assert(sizeof(large_string) > sizeof(small_buffer), "");
187
188 // expected-error@+1{{string bigger than buffer}}
189 EXPECT_FORTIFY_DEATH(strcpy(small_buffer, large_string));
190 // expected-error@+1{{string bigger than buffer}}
191 EXPECT_FORTIFY_DEATH(stpcpy(small_buffer, large_string));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]192 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]193 EXPECT_FORTIFY_DEATH(strncpy(small_buffer, large_string, sizeof(large_string)));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]194 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]195 EXPECT_FORTIFY_DEATH(stpncpy(small_buffer, large_string, sizeof(large_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]196 // expected-error@+1{{string bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]197 EXPECT_FORTIFY_DEATH(strcat(small_buffer, large_string));
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]198 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]199 EXPECT_FORTIFY_DEATH(strncat(small_buffer, large_string, sizeof(large_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]200 // expected-error@+1{{size bigger than buffer}}
201 EXPECT_FORTIFY_DEATH(strlcpy(small_buffer, large_string, sizeof(large_string)));
202 // expected-error@+1{{size bigger than buffer}}
203 EXPECT_FORTIFY_DEATH(strlcat(small_buffer, large_string, sizeof(large_string)));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]204 }
205
206 {
207 struct {
208 char tiny_buffer[4];
209 char tiny_buffer2[4];
210 } split = {};
211
212 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
213 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
214 EXPECT_NO_DEATH(memmove(split.tiny_buffer, &split, sizeof(split)));
215 EXPECT_NO_DEATH(mempcpy(split.tiny_buffer, &split, sizeof(split)));
216 EXPECT_NO_DEATH(memset(split.tiny_buffer, 0, sizeof(split)));
217
218 EXPECT_NO_DEATH(bcopy(&split, split.tiny_buffer, sizeof(split)));
219 EXPECT_NO_DEATH(bzero(split.tiny_buffer, sizeof(split)));
220
221 const char small_string[] = "Hi!!";
222 static_assert(sizeof(small_string) > sizeof(split.tiny_buffer), "");
223
224#if _FORTIFY_SOURCE > 1
225 // expected-error@+2{{string bigger than buffer}}
226#endif
227 EXPECT_FORTIFY_DEATH_STRUCT(strcpy(split.tiny_buffer, small_string));
228
229#if _FORTIFY_SOURCE > 1
230 // expected-error@+2{{string bigger than buffer}}
231#endif
232 EXPECT_FORTIFY_DEATH_STRUCT(stpcpy(split.tiny_buffer, small_string));
233
234#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]235 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]236#endif
237 EXPECT_FORTIFY_DEATH_STRUCT(strncpy(split.tiny_buffer, small_string, sizeof(small_string)));
238
239#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]240 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]241#endif
242 EXPECT_FORTIFY_DEATH_STRUCT(stpncpy(split.tiny_buffer, small_string, sizeof(small_string)));
243
244#if _FORTIFY_SOURCE > 1
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]245 // expected-error@+2{{string bigger than buffer}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]246#endif
247 EXPECT_FORTIFY_DEATH_STRUCT(strcat(split.tiny_buffer, small_string));
248
249#if _FORTIFY_SOURCE > 1
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]250 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]251#endif
252 EXPECT_FORTIFY_DEATH_STRUCT(strncat(split.tiny_buffer, small_string, sizeof(small_string)));
George Burgess IV77f99aa2019-06-06 14:14:52 -0700[diff] [blame]253
254#if _FORTIFY_SOURCE > 1
255 // expected-error@+2{{size bigger than buffer}}
256#endif
257 EXPECT_FORTIFY_DEATH_STRUCT(strlcat(split.tiny_buffer, small_string, sizeof(small_string)));
258
259#if _FORTIFY_SOURCE > 1
260 // expected-error@+2{{size bigger than buffer}}
261#endif
262 EXPECT_FORTIFY_DEATH_STRUCT(strlcpy(split.tiny_buffer, small_string, sizeof(small_string)));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]263 }
264}
265
George Burgess IV2356c932019-06-06 17:18:13 -0700[diff] [blame]266FORTIFY_TEST(fcntl) {
267 const char target[] = "/dev/null";
268 int dirfd = 0;
269
270 // These all emit hard errors without diagnose_if, so running them is a bit
271 // more involved.
272#ifdef COMPILATION_TESTS
273 // expected-error@+1{{too many arguments}}
274 open("/", 0, 0, 0);
275 // expected-error@+1{{too many arguments}}
276 open64("/", 0, 0, 0);
277 // expected-error@+1{{too many arguments}}
278 openat(0, "/", 0, 0, 0);
279 // expected-error@+1{{too many arguments}}
280 openat64(0, "/", 0, 0, 0);
281#endif
282
283 // expected-error@+1{{missing mode}}
284 EXPECT_FORTIFY_DEATH(open(target, O_CREAT));
285 // expected-error@+1{{missing mode}}
286 EXPECT_FORTIFY_DEATH(open(target, O_TMPFILE));
287 // expected-error@+1{{missing mode}}
288 EXPECT_FORTIFY_DEATH(open64(target, O_CREAT));
289 // expected-error@+1{{missing mode}}
290 EXPECT_FORTIFY_DEATH(open64(target, O_TMPFILE));
291 // expected-error@+1{{missing mode}}
292 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_CREAT));
293 // expected-error@+1{{missing mode}}
294 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_TMPFILE));
295 // expected-error@+1{{missing mode}}
296 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_CREAT));
297 // expected-error@+1{{missing mode}}
298 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_TMPFILE));
299
300 // expected-warning@+1{{superfluous mode bits}}
301 EXPECT_NO_DEATH(open(target, O_RDONLY, 0777));
302 // expected-warning@+1{{superfluous mode bits}}
303 EXPECT_NO_DEATH(open64(target, O_RDONLY, 0777));
304 // expected-warning@+1{{superfluous mode bits}}
305 EXPECT_NO_DEATH(openat(dirfd, target, O_RDONLY, 0777));
306 // expected-warning@+1{{superfluous mode bits}}
307 EXPECT_NO_DEATH(openat64(dirfd, target, O_RDONLY, 0777));
308}
309
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]310// Since these emit hard errors, it's sort of hard to run them...
311#ifdef COMPILATION_TESTS
312namespace compilation_tests {
313template <typename T>
314static T declval() {
315 __builtin_unreachable();
316}
317
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]318static void testFormatStrings() {
319 const auto unsigned_value = declval<unsigned long long>();
320 const auto* unknown_string = declval<const char*>();
George Burgess IV06bb4ce2019-06-13 15:13:02 -0700[diff] [blame]321 const auto va = *declval<va_list*>();
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]322
323 {
324 auto some_fd = declval<int>();
325 // expected-warning@+1{{format specifies type 'int'}}
326 dprintf(some_fd, "%d", unsigned_value);
327 // expected-warning@+1{{format string is not a string literal}}
328 dprintf(some_fd, unknown_string, unsigned_value);
329 // expected-warning@+1{{format string is not a string literal}}
330 vdprintf(1, unknown_string, va);
331 }
332
333 {
334 auto* retval = declval<char*>();
335#if 0
336 // expected-error@+2{{ignoring return value}}
337#endif
338 // expected-warning@+1{{format specifies type 'int'}}
339 asprintf(&retval, "%d", unsigned_value);
340#if 0
341 // expected-error@+2{{ignoring return value}}
342#endif
343 // expected-warning@+1{{format string is not a string literal}}
344 asprintf(&retval, unknown_string, unsigned_value);
345#if 0
346 // expected-error@+2{{ignoring return value}}
347#endif
348 // expected-warning@+1{{format string is not a string literal}}
349 vasprintf(&retval, unknown_string, va);
350 }
351
352 // expected-warning@+1{{format specifies type 'int'}}
353 syslog(0, "%d", unsigned_value);
354 // expected-warning@+1{{format string is not a string literal}}
355 syslog(0, unknown_string, unsigned_value);
356 // expected-warning@+1{{format string is not a string literal}}
357 vsyslog(0, unknown_string, va);
358
359 {
360 auto* file = declval<FILE*>();
361 // expected-warning@+1{{format specifies type 'int'}}
362 fprintf(file, "%d", unsigned_value);
363 // expected-warning@+1{{format string is not a string literal}}
364 fprintf(file, unknown_string, unsigned_value);
365 // expected-warning@+1{{format string is not a string literal}}
366 vfprintf(file, unknown_string, va);
367 }
368
369 // expected-warning@+1{{format specifies type 'int'}}
370 printf("%d", unsigned_value);
371 // expected-warning@+1{{format string is not a string literal}}
372 printf(unknown_string, unsigned_value);
373 // expected-warning@+1{{format string is not a string literal}}
374 vprintf(unknown_string, va);
375
376 {
377 char buf[128];
378 // expected-warning@+1{{format specifies type 'int'}}
379 sprintf(buf, "%d", unsigned_value);
380 // expected-warning@+1{{format string is not a string literal}}
381 sprintf(buf, unknown_string, unsigned_value);
382 // expected-warning@+1{{format string is not a string literal}}
383 sprintf(buf, unknown_string, va);
384
385 // expected-warning@+1{{format specifies type 'int'}}
386 snprintf(buf, sizeof(buf), "%d", unsigned_value);
387 // expected-warning@+1{{format string is not a string literal}}
388 snprintf(buf, sizeof(buf), unknown_string, unsigned_value);
389 // expected-warning@+1{{format string is not a string literal}}
390 vsnprintf(buf, sizeof(buf), unknown_string, va);
391 }
392
393 // FIXME: below are general format string cases where clang should probably try to warn.
394 {
395 char buf[4];
396 sprintf(buf, "%s", "1234");
397 sprintf(buf, "1%s4", "23");
398 sprintf(buf, "%d", 1234);
399
400 // Similar thoughts for strncpy, etc.
401 }
402}
403
404static void testStdlib() {
405 char path_buffer[PATH_MAX - 1];
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]406 // expected-warning@+2{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]407 // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}}
408 realpath("/", path_buffer);
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]409 // expected-warning@+1{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]410 realpath("/", nullptr);
411
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]412 // expected-warning@+2{{ignoring return value of function}}
413 // expected-error@+1{{flipped arguments?}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]414 realpath(nullptr, path_buffer);
415
George Burgess IV8c0ec112019-06-06 17:23:32 -0700[diff] [blame]416 // expected-warning@+2{{ignoring return value of function}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]417 // expected-error@+1{{flipped arguments?}}
418 realpath(nullptr, nullptr);
419}
420} // namespace compilation_tests
421#endif
422
423FORTIFY_TEST(poll) {
424 int pipe_fds[2];
425 if (pipe(pipe_fds)) err(1, "pipe failed");
426
427 // after this, pipe_fds[0] should always report RDHUP
428 if (close(pipe_fds[1])) err(1, "close failed");
429
430 struct pollfd poll_fd = { pipe_fds[0], POLLRDHUP, 0 };
431 {
432 struct pollfd few_fds[] = { poll_fd, poll_fd };
433 // expected-error@+1{{fd_count is larger than the given buffer}}
434 EXPECT_FORTIFY_DEATH(poll(few_fds, 3, 0));
435 // expected-error@+1{{fd_count is larger than the given buffer}}
436 EXPECT_FORTIFY_DEATH(ppoll(few_fds, 3, 0, 0));
437 // expected-error@+1{{fd_count is larger than the given buffer}}
438 EXPECT_FORTIFY_DEATH(ppoll64(few_fds, 3, 0, nullptr));
439 }
440
441 {
442 struct {
443 struct pollfd few[2];
444 struct pollfd extra[1];
445 } fds = { { poll_fd, poll_fd }, { poll_fd } };
446 static_assert(sizeof(fds) >= sizeof(struct pollfd) * 3, "");
447
448#if _FORTIFY_SOURCE > 1
449 // expected-error@+2{{fd_count is larger than the given buffer}}
450#endif
451 EXPECT_FORTIFY_DEATH_STRUCT(poll(fds.few, 3, 0));
452
453 struct timespec timeout = {};
454#if _FORTIFY_SOURCE > 1
455 // expected-error@+2{{fd_count is larger than the given buffer}}
456#endif
457 EXPECT_FORTIFY_DEATH_STRUCT(ppoll(fds.few, 3, &timeout, 0));
458
459#if _FORTIFY_SOURCE > 1
460 // expected-error@+2{{fd_count is larger than the given buffer}}
461#endif
462 EXPECT_FORTIFY_DEATH_STRUCT(ppoll64(fds.few, 3, 0, nullptr));
463 }
464}
465
466FORTIFY_TEST(socket) {
467 {
468 char small_buffer[8];
469 // expected-error@+1{{size bigger than buffer}}
470 EXPECT_FORTIFY_DEATH(recv(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
471 // expected-error@+1{{size bigger than buffer}}
472 EXPECT_FORTIFY_DEATH(recvfrom(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
473
474 // expected-error@+1{{size bigger than buffer}}
475 EXPECT_FORTIFY_DEATH(send(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
476 // expected-error@+1{{size bigger than buffer}}
477 EXPECT_FORTIFY_DEATH(sendto(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
478 }
479
480 {
481 struct {
482 char tiny_buffer[4];
483 char tiny_buffer2;
484 } split = {};
485
486 EXPECT_NO_DEATH(recv(kBogusFD, split.tiny_buffer, sizeof(split), 0));
487 EXPECT_NO_DEATH(recvfrom(kBogusFD, split.tiny_buffer, sizeof(split), 0, 0, 0));
488 }
489}
490
491FORTIFY_TEST(sys_stat) {
492 // expected-error@+1{{'umask' called with invalid mode}}
493 EXPECT_FORTIFY_DEATH(umask(01777));
494}
495
496FORTIFY_TEST(stdio) {
497 char small_buffer[8] = {};
498 {
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]499 // expected-error@+1{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]500 EXPECT_FORTIFY_DEATH(snprintf(small_buffer, sizeof(small_buffer) + 1, ""));
501
502 va_list va;
George Burgess IV36926f42019-09-15 16:57:00 -0700[diff] [blame]503 // expected-error@+2{{size argument is too large}}
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]504 // expected-warning@+1{{format string is empty}}
505 EXPECT_FORTIFY_DEATH(vsnprintf(small_buffer, sizeof(small_buffer) + 1, "", va));
George Burgess IV26d25a22019-06-06 17:45:05 -0700[diff] [blame]506
507 const char *SOMETIMES_CONST format_string = "aaaaaaaaa";
508
509 // expected-error@+1{{format string will always overflow}}
510 EXPECT_FORTIFY_DEATH(sprintf(small_buffer, format_string));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]511 }
512
513 // expected-error@+1{{size should not be negative}}
514 EXPECT_FORTIFY_DEATH(fgets(small_buffer, -1, stdin));
515 // expected-error@+1{{size is larger than the destination buffer}}
516 EXPECT_FORTIFY_DEATH(fgets(small_buffer, sizeof(small_buffer) + 1, stdin));
517
518 // expected-error@+1{{size * count overflows}}
519 EXPECT_NO_DEATH(fread(small_buffer, 2, (size_t)-1, stdin));
520 // expected-error@+1{{size * count is too large for the given buffer}}
521 EXPECT_FORTIFY_DEATH(fread(small_buffer, 1, sizeof(small_buffer) + 1, stdin));
522
523 // expected-error@+1{{size * count overflows}}
524 EXPECT_NO_DEATH(fwrite(small_buffer, 2, (size_t)-1, stdout));
525 // expected-error@+1{{size * count is too large for the given buffer}}
526 EXPECT_FORTIFY_DEATH(fwrite(small_buffer, 1, sizeof(small_buffer) + 1, stdout));
527}
528
529FORTIFY_TEST(unistd) {
530 char small_buffer[8];
531
532 // Return value warnings are (sort of) a part of FORTIFY, so we don't ignore them.
533#if 0
534 // expected-error@+2{{ignoring return value of function}}
535#endif
536 // expected-error@+1{{bytes overflows the given object}}
537 EXPECT_FORTIFY_DEATH(read(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
538#if 0
539 // expected-error@+2{{ignoring return value of function}}
540#endif
541 // expected-error@+1{{bytes overflows the given object}}
542 EXPECT_FORTIFY_DEATH(pread(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
543#if 0
544 // expected-error@+2{{ignoring return value of function}}
545#endif
546 // expected-error@+1{{bytes overflows the given object}}
547 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
548#if 0
549 // expected-error@+2{{ignoring return value of function}}
550#endif
551 // expected-error@+1{{bytes overflows the given object}}
552 EXPECT_FORTIFY_DEATH(write(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
553#if 0
554 // expected-error@+2{{ignoring return value of function}}
555#endif
556 // expected-error@+1{{bytes overflows the given object}}
557 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
558#if 0
559 // expected-error@+2{{ignoring return value of function}}
560#endif
561 // expected-error@+1{{bytes overflows the given object}}
562 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
563#if 0
564 // expected-error@+2{{ignoring return value of function}}
565#endif
566 // expected-error@+1{{bytes overflows the given object}}
567 EXPECT_FORTIFY_DEATH(readlink("/", small_buffer, sizeof(small_buffer) + 1));
568#if 0
569 // expected-error@+2{{ignoring return value of function}}
570#endif
571 // expected-error@+1{{bytes overflows the given object}}
572 EXPECT_FORTIFY_DEATH(getcwd(small_buffer, sizeof(small_buffer) + 1));
573
574 // getcwd allocates and returns a buffer if you pass null to getcwd
575 EXPECT_NO_DEATH(getcwd(nullptr, 0));
576 EXPECT_NO_DEATH(getcwd(nullptr, 4096));
577
578 struct {
579 char tiny_buffer[4];
580 char tiny_buffer2[4];
581 } split;
582
583 EXPECT_NO_DEATH(read(kBogusFD, split.tiny_buffer, sizeof(split)));
584 EXPECT_NO_DEATH(pread(kBogusFD, split.tiny_buffer, sizeof(split), 0));
585 EXPECT_NO_DEATH(pread64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
586 EXPECT_NO_DEATH(write(kBogusFD, split.tiny_buffer, sizeof(split)));
587 EXPECT_NO_DEATH(pwrite(kBogusFD, split.tiny_buffer, sizeof(split), 0));
588 EXPECT_NO_DEATH(pwrite64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
589
590#if _FORTIFY_SOURCE > 1
591 // expected-error@+2{{bytes overflows the given object}}
592#endif
593 EXPECT_FORTIFY_DEATH_STRUCT(readlink("/", split.tiny_buffer, sizeof(split)));
594#if _FORTIFY_SOURCE > 1
595 // expected-error@+2{{bytes overflows the given object}}
596#endif
597 EXPECT_FORTIFY_DEATH_STRUCT(getcwd(split.tiny_buffer, sizeof(split)));
598
599 {
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]600 char* volatile unknown = small_buffer;
601 const size_t count = static_cast<size_t>(SSIZE_MAX) + 1;
602 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
603 EXPECT_FORTIFY_DEATH(read(kBogusFD, unknown, count));
604 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
605 EXPECT_FORTIFY_DEATH(pread(kBogusFD, unknown, count, 0));
606 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
607 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, unknown, count, 0));
608 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
609 EXPECT_FORTIFY_DEATH(write(kBogusFD, unknown, count));
610 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
611 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, unknown, count, 0));
612 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
613 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, unknown, count, 0));
George Burgess IV9a274102019-06-04 15:39:52 -0700[diff] [blame]614 }
615}
616
617#endif // defined(__BIONIC__)