diff options
| -rw-r--r-- | tests/Android.bp | 71 | ||||
| -rw-r--r-- | tests/Android.mk | 22 | ||||
| -rw-r--r-- | tests/clang_fortify_tests.cpp | 611 | ||||
| -rw-r--r-- | tests/fortify_filecheck_diagnostics_test.cpp | 323 | ||||
| -rw-r--r-- | tests/make_fortify_compile_test.mk | 20 |
5 files changed, 703 insertions, 344 deletions
diff --git a/tests/Android.bp b/tests/Android.bp index e0faa5fe6..a55d08bcd 100644 --- a/tests/Android.bp +++ b/tests/Android.bp @@ -281,6 +281,16 @@ cc_test_library { // ----------------------------------------------------------------------------- cc_defaults { + name: "bionic_clang_fortify_tests_w_flags", + cflags: [ + "-Wno-builtin-memcpy-chk-size", + "-Wno-format-zero-length", + "-Wno-memset-transposed-args", + "-Wno-strncat-size", + ], +} + +cc_defaults { name: "bionic_fortify_tests_defaults", cflags: [ "-U_FORTIFY_SOURCE", @@ -299,6 +309,9 @@ cc_defaults { // unused. cc_test_library { name: "fortify_disabled_for_asan", + defaults: [ + "bionic_clang_fortify_tests_w_flags", + ], cflags: [ "-Werror", "-D_FORTIFY_SOURCE=2", @@ -306,11 +319,10 @@ cc_test_library { // enabled. Since the intent is just to build this, we can get away with // passing this flag on its own. "-fsanitize=address", - "-Wno-memset-transposed-args", ], // Ignore that we don't have ASAN symbols linked in. allow_undefined_symbols: true, - srcs: ["fortify_filecheck_diagnostics_test.cpp"], + srcs: ["clang_fortify_tests.cpp"], } // Ensure we don't use FORTIFY'ed functions with the static analyzer/clang-tidy: @@ -319,13 +331,15 @@ cc_test_library { // enabled. The library that results from building this is meant to be unused. cc_test_library { name: "fortify_disabled_for_tidy", + defaults: [ + "bionic_clang_fortify_tests_w_flags", + ], cflags: [ "-Werror", "-D_FORTIFY_SOURCE=2", "-D__clang_analyzer__", - "-Wno-memset-transposed-args", ], - srcs: ["fortify_filecheck_diagnostics_test.cpp"], + srcs: ["clang_fortify_tests.cpp"], } cc_test_library { @@ -358,6 +372,53 @@ cc_test_library { }, } +cc_defaults { + name: "bionic_new_fortify_tests_defaults", + defaults: [ + "bionic_clang_fortify_tests_w_flags", + ], + cflags: [ + "-U_FORTIFY_SOURCE", + ], + srcs: ["clang_fortify_tests.cpp"], + target: { + host: { + clang_cflags: ["-D__clang__"], + }, + }, +} + +cc_test_library { + name: "libfortify1-new-tests-clang", + defaults: [ + "bionic_new_fortify_tests_defaults", + "bionic_tests_defaults", + ], + cflags: [ + "-D_FORTIFY_SOURCE=1", + "-DTEST_NAME=Fortify1_clang_new", + ], + shared: { + enabled: false, + }, +} + +cc_test_library { + name: "libfortify2-new-tests-clang", + defaults: [ + "bionic_new_fortify_tests_defaults", + "bionic_tests_defaults", + ], + cflags: [ + "-D_FORTIFY_SOURCE=2", + "-DTEST_NAME=Fortify2_clang_new", + ], + shared: { + enabled: false, + }, +} + + // ----------------------------------------------------------------------------- // Library of all tests (excluding the dynamic linker tests). // ----------------------------------------------------------------------------- @@ -368,7 +429,9 @@ cc_test_library { "libBionicStandardTests", "libBionicElfTlsTests", "libfortify1-tests-clang", + "libfortify1-new-tests-clang", "libfortify2-tests-clang", + "libfortify2-new-tests-clang", ], shared: { enabled: false, diff --git a/tests/Android.mk b/tests/Android.mk index 848d2917e..b5571e3f6 100644 --- a/tests/Android.mk +++ b/tests/Android.mk @@ -59,23 +59,11 @@ ifeq ($(HOST_OS)-$(HOST_ARCH),$(filter $(HOST_OS)-$(HOST_ARCH),linux-x86 linux-x # Compile time tests. # ----------------------------------------------------------------------------- -# Some of these are intentionally using = instead of := since we need access to -# some variables not initialtized until we're in the build system. - -include $(CLEAR_VARS) -LOCAL_ADDITIONAL_DEPENDENCIES := \ - $(LOCAL_PATH)/Android.mk \ - $(LOCAL_PATH)/touch-obj-on-success - -LOCAL_CXX := $(LOCAL_PATH)/touch-obj-on-success \ - $(LLVM_PREBUILTS_PATH)/clang++ \ - -LOCAL_CLANG := true -LOCAL_MODULE := bionic-compile-time-tests-clang++ -LOCAL_CPPFLAGS := -Wall -Wno-error -LOCAL_CPPFLAGS += -fno-color-diagnostics -ferror-limit=10000 -Xclang -verify -LOCAL_SRC_FILES := fortify_filecheck_diagnostics_test.cpp -include $(BUILD_STATIC_LIBRARY) +FORTIFY_LEVEL := 1 +include $(LOCAL_PATH)/make_fortify_compile_test.mk + +FORTIFY_LEVEL := 2 +include $(LOCAL_PATH)/make_fortify_compile_test.mk endif # linux-x86 diff --git a/tests/clang_fortify_tests.cpp b/tests/clang_fortify_tests.cpp new file mode 100644 index 000000000..948faf343 --- /dev/null +++ b/tests/clang_fortify_tests.cpp @@ -0,0 +1,611 @@ +/* + * Copyright (C) 2019 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef __clang__ +#error "Non-clang isn't supported" +#endif + +// Clang compile-time and run-time tests for Bionic's FORTIFY. +// +// This file is compiled in two configurations ways to give us a sane set of tests for clang's +// FORTIFY implementation. +// +// One configuration uses clang's diagnostic consumer +// (https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html#details) +// to check diagnostics (e.g. the expected-* comments everywhere). +// +// Please note that this test does things like leaking memory. That's WAI. + +// Silence all "from 'diagnose_if'" `note`s from anywhere, including headers; they're uninteresting +// for this test case, and their line numbers may change over time. +// expected-note@* 0+{{from 'diagnose_if'}} +// +// Similarly, there are a few overload tricks we have to emit errors. Ignore any notes from those. +// expected-note@* 0+{{candidate function}} + +#ifndef _FORTIFY_SOURCE +#error "_FORTIFY_SOURCE must be defined" +#endif + +#include <sys/cdefs.h> + +// This is a test specifically of bionic's FORTIFY machinery. Other stdlibs need not apply. +#ifndef __BIONIC__ +// expected-no-diagnostics +#else + +// As alluded to above, we're going to be doing some obviously very broken things in this file. +// FORTIFY helpfully flags a lot of it at compile-time, but we want it to *actually* crash, too. So +// let's wipe out any build-time errors. +#ifndef COMPILATION_TESTS +#undef __clang_error_if +#define __clang_error_if(...) +#undef __clang_warning_if +#define __clang_warning_if(...) +#endif + +#include <err.h> +#include <fcntl.h> +#include <limits.h> +#include <poll.h> +#include <signal.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/socket.h> +#include <sys/stat.h> +#include <sys/wait.h> +#include <syslog.h> +#include <unistd.h> +#include <wchar.h> + +#ifndef COMPILATION_TESTS +#include <gtest/gtest.h> +#include "BionicDeathTest.h" + +#define CONCAT2(x, y) x##y +#define CONCAT(x, y) CONCAT2(x, y) +#define FORTIFY_TEST_NAME CONCAT(clang_fortify_test_, _FORTIFY_SOURCE) + +namespace { +struct FORTIFY_TEST_NAME : BionicDeathTest { + protected: + void SetUp() override { + stdin_saved = dup(STDIN_FILENO); + if (stdin_saved < 0) err(1, "failed to dup stdin"); + + int devnull = open("/dev/null", O_RDONLY); + if (devnull < 0) err(1, "failed to open /dev/null"); + + if (!dup2(devnull, STDIN_FILENO)) err(1, "failed to overwrite stdin"); + static_cast<void>(close(devnull)); + + BionicDeathTest::SetUp(); + } + + void TearDown() override { + if (stdin_saved == -1) return; + if (!dup2(stdin_saved, STDIN_FILENO)) warn("failed to restore stdin"); + + static_cast<void>(close(stdin_saved)); + + BionicDeathTest::TearDown(); + } + + private: + int stdin_saved = -1; +}; +} // namespace + +template <typename Fn> +__attribute__((noreturn)) static void ExitAfter(Fn&& f) { + f(); + // No need to tear things down; our parent process should handle that. + _exit(0); +} + +// In any case (including failing tests), we always want to die after this. +#define DIE_WITH(expr, cond, regex) EXPECT_EXIT(ExitAfter([&] { (expr); }), cond, regex) + +// EXPECT_NO_DEATH forks so that the test remains alive on a bug, and so that the environment +// doesn't get modified on no bug. (Environment modification is especially tricky to deal with given +// the *_STRUCT variants below.) +#define EXPECT_NO_DEATH(expr) DIE_WITH(expr, testing::ExitedWithCode(0), "") +#define EXPECT_FORTIFY_DEATH(expr) DIE_WITH(expr, testing::KilledBySignal(SIGABRT), "FORTIFY") +// Expecting death, but only if we're doing a "strict" struct-checking mode. +#if _FORTIFY_SOURCE > 1 +#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH +#else +#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_NO_DEATH +#endif + +#define FORTIFY_TEST(test_name) TEST(FORTIFY_TEST_NAME, test_name) + +#else // defined(COMPILATION_TESTS) + +#define EXPECT_NO_DEATH(expr) expr +#define EXPECT_FORTIFY_DEATH(expr) expr +#define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH +#define FORTIFY_TEST(test_name) void test_name() +#endif + +const static int kBogusFD = -1; + +FORTIFY_TEST(string) { + char small_buffer[8] = {}; + + { + char large_buffer[sizeof(small_buffer) + 1] = {}; + // expected-error@+1{{size bigger than buffer}} + EXPECT_FORTIFY_DEATH(memcpy(small_buffer, large_buffer, sizeof(large_buffer))); + // expected-error@+1{{size bigger than buffer}} + EXPECT_FORTIFY_DEATH(memmove(small_buffer, large_buffer, sizeof(large_buffer))); + // FIXME: this should be EXPECT_FORTIFY_DEATH +#if 0 + // expected-error@+1{{called with bigger length than the destination}} +#endif + EXPECT_NO_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer))); + // expected-error@+1{{size bigger than buffer}} + EXPECT_FORTIFY_DEATH(memset(small_buffer, 0, sizeof(large_buffer))); + // expected-warning@+1{{arguments got flipped?}} + EXPECT_NO_DEATH(memset(small_buffer, sizeof(small_buffer), 0)); + // FIXME: Should these be warnings? + // expected-warning@+1{{will always overflow}} + EXPECT_FORTIFY_DEATH(bcopy(large_buffer, small_buffer, sizeof(large_buffer))); + // expected-warning@+1{{will always overflow}} + EXPECT_FORTIFY_DEATH(bzero(small_buffer, sizeof(large_buffer))); + } + + { + const char large_string[] = "Hello!!!"; + static_assert(sizeof(large_string) > sizeof(small_buffer), ""); + + // expected-error@+1{{string bigger than buffer}} + EXPECT_FORTIFY_DEATH(strcpy(small_buffer, large_string)); + // expected-error@+1{{string bigger than buffer}} + EXPECT_FORTIFY_DEATH(stpcpy(small_buffer, large_string)); +#if 0 + // expected-error@+1{{called with bigger length than the destination}} +#endif + EXPECT_FORTIFY_DEATH(strncpy(small_buffer, large_string, sizeof(large_string))); +#if 0 + // expected-error@+1{{called with bigger length than the destination}} +#endif + EXPECT_FORTIFY_DEATH(stpncpy(small_buffer, large_string, sizeof(large_string))); +#if 0 + // expected-error@+1{{destination buffer will always be overflown}} +#endif + EXPECT_FORTIFY_DEATH(strcat(small_buffer, large_string)); +#if 0 + // expected-error@+1{{destination buffer will always be overflown}} +#endif + EXPECT_FORTIFY_DEATH(strncat(small_buffer, large_string, sizeof(large_string))); + } + + { + struct { + char tiny_buffer[4]; + char tiny_buffer2[4]; + } split = {}; + + EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split))); + EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split))); + EXPECT_NO_DEATH(memmove(split.tiny_buffer, &split, sizeof(split))); + EXPECT_NO_DEATH(mempcpy(split.tiny_buffer, &split, sizeof(split))); + EXPECT_NO_DEATH(memset(split.tiny_buffer, 0, sizeof(split))); + + EXPECT_NO_DEATH(bcopy(&split, split.tiny_buffer, sizeof(split))); + EXPECT_NO_DEATH(bzero(split.tiny_buffer, sizeof(split))); + + const char small_string[] = "Hi!!"; + static_assert(sizeof(small_string) > sizeof(split.tiny_buffer), ""); + +#if _FORTIFY_SOURCE > 1 + // expected-error@+2{{string bigger than buffer}} +#endif + EXPECT_FORTIFY_DEATH_STRUCT(strcpy(split.tiny_buffer, small_string)); + +#if _FORTIFY_SOURCE > 1 + // expected-error@+2{{string bigger than buffer}} +#endif + EXPECT_FORTIFY_DEATH_STRUCT(stpcpy(split.tiny_buffer, small_string)); + +#if _FORTIFY_SOURCE > 1 +#if 0 + // expected-error@+2{{called with bigger length than the destination}} +#endif +#endif + EXPECT_FORTIFY_DEATH_STRUCT(strncpy(split.tiny_buffer, small_string, sizeof(small_string))); + +#if _FORTIFY_SOURCE > 1 +#if 0 + // expected-error@+2{{called with bigger length than the destination}} +#endif +#endif + EXPECT_FORTIFY_DEATH_STRUCT(stpncpy(split.tiny_buffer, small_string, sizeof(small_string))); + +#if _FORTIFY_SOURCE > 1 +#if 0 + // expected-error@+2{{destination buffer will always be overflown}} +#endif +#endif + EXPECT_FORTIFY_DEATH_STRUCT(strcat(split.tiny_buffer, small_string)); + +#if _FORTIFY_SOURCE > 1 +#if 0 + // expected-error@+2{{destination buffer will always be overflown}} +#endif +#endif + EXPECT_FORTIFY_DEATH_STRUCT(strncat(split.tiny_buffer, small_string, sizeof(small_string))); + } +} + +// Since these emit hard errors, it's sort of hard to run them... +#ifdef COMPILATION_TESTS +namespace compilation_tests { +template <typename T> +static T declval() { + __builtin_unreachable(); +} + +static void testFcntl() { + // expected-error@+1{{too many arguments}} + open("/", 0, 0, 0); +#if 0 + // expected-error@+1{{either with 2 or 3 arguments, not more}} +#endif + open64("/", 0, 0, 0); + // expected-error@+1{{too many arguments}} + openat(0, "/", 0, 0, 0); +#if 0 + // expected-error@+1{{either with 3 or 4 arguments, not more}} +#endif + openat64(0, "/", 0, 0, 0); + + // expected-error@+1{{missing mode}} + open("/", O_CREAT); + // expected-error@+1{{missing mode}} + open("/", O_TMPFILE); +#if 0 + // expected-error@+1{{needs 3 arguments}} +#endif + open64("/", O_CREAT); +#if 0 + // expected-error@+1{{needs 3 arguments}} +#endif + open64("/", O_TMPFILE); + // expected-error@+1{{missing mode}} + openat(0, "/", O_CREAT); + // expected-error@+1{{missing mode}} + openat(0, "/", O_TMPFILE); +#if 0 + // expected-error@+1{{needs 4 arguments}} +#endif + openat64(0, "/", O_CREAT); +#if 0 + // expected-error@+1{{needs 4 arguments}} +#endif + openat64(0, "/", O_TMPFILE); + + // Superfluous modes are sometimes bugs, but not often enough to complain + // about, apparently. +} + +static void testFormatStrings() { + const auto unsigned_value = declval<unsigned long long>(); + const auto* unknown_string = declval<const char*>(); + const auto va = declval<va_list>(); + + { + auto some_fd = declval<int>(); + // expected-warning@+1{{format specifies type 'int'}} + dprintf(some_fd, "%d", unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + dprintf(some_fd, unknown_string, unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + vdprintf(1, unknown_string, va); + } + + { + auto* retval = declval<char*>(); +#if 0 + // expected-error@+2{{ignoring return value}} +#endif + // expected-warning@+1{{format specifies type 'int'}} + asprintf(&retval, "%d", unsigned_value); +#if 0 + // expected-error@+2{{ignoring return value}} +#endif + // expected-warning@+1{{format string is not a string literal}} + asprintf(&retval, unknown_string, unsigned_value); +#if 0 + // expected-error@+2{{ignoring return value}} +#endif + // expected-warning@+1{{format string is not a string literal}} + vasprintf(&retval, unknown_string, va); + } + + // expected-warning@+1{{format specifies type 'int'}} + syslog(0, "%d", unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + syslog(0, unknown_string, unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + vsyslog(0, unknown_string, va); + + { + auto* file = declval<FILE*>(); + // expected-warning@+1{{format specifies type 'int'}} + fprintf(file, "%d", unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + fprintf(file, unknown_string, unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + vfprintf(file, unknown_string, va); + } + + // expected-warning@+1{{format specifies type 'int'}} + printf("%d", unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + printf(unknown_string, unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + vprintf(unknown_string, va); + + { + char buf[128]; + // expected-warning@+1{{format specifies type 'int'}} + sprintf(buf, "%d", unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + sprintf(buf, unknown_string, unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + sprintf(buf, unknown_string, va); + + // expected-warning@+1{{format specifies type 'int'}} + snprintf(buf, sizeof(buf), "%d", unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + snprintf(buf, sizeof(buf), unknown_string, unsigned_value); + // expected-warning@+1{{format string is not a string literal}} + vsnprintf(buf, sizeof(buf), unknown_string, va); + } + + // FIXME: below are general format string cases where clang should probably try to warn. + { + char buf[4]; + sprintf(buf, "%s", "1234"); + sprintf(buf, "1%s4", "23"); + sprintf(buf, "%d", 1234); + + // Similar thoughts for strncpy, etc. + } +} + +static void testStdlib() { + char path_buffer[PATH_MAX - 1]; +#if 0 + // expected-error@+2{{ignoring return value of function}} +#endif + // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}} + realpath("/", path_buffer); +#if 0 + // expected-error@+1{{ignoring return value of function}} +#endif + realpath("/", nullptr); + + // FIXME: This should complain about flipped arguments, instead of objectsize. + // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}} + realpath(nullptr, path_buffer); + + // expected-error@+1{{flipped arguments?}} + realpath(nullptr, nullptr); +} +} // namespace compilation_tests +#endif + +FORTIFY_TEST(poll) { + int pipe_fds[2]; + if (pipe(pipe_fds)) err(1, "pipe failed"); + + // after this, pipe_fds[0] should always report RDHUP + if (close(pipe_fds[1])) err(1, "close failed"); + + struct pollfd poll_fd = { pipe_fds[0], POLLRDHUP, 0 }; + { + struct pollfd few_fds[] = { poll_fd, poll_fd }; + // expected-error@+1{{fd_count is larger than the given buffer}} + EXPECT_FORTIFY_DEATH(poll(few_fds, 3, 0)); + // expected-error@+1{{fd_count is larger than the given buffer}} + EXPECT_FORTIFY_DEATH(ppoll(few_fds, 3, 0, 0)); + // expected-error@+1{{fd_count is larger than the given buffer}} + EXPECT_FORTIFY_DEATH(ppoll64(few_fds, 3, 0, nullptr)); + } + + { + struct { + struct pollfd few[2]; + struct pollfd extra[1]; + } fds = { { poll_fd, poll_fd }, { poll_fd } }; + static_assert(sizeof(fds) >= sizeof(struct pollfd) * 3, ""); + +#if _FORTIFY_SOURCE > 1 + // expected-error@+2{{fd_count is larger than the given buffer}} +#endif + EXPECT_FORTIFY_DEATH_STRUCT(poll(fds.few, 3, 0)); + + struct timespec timeout = {}; +#if _FORTIFY_SOURCE > 1 + // expected-error@+2{{fd_count is larger than the given buffer}} +#endif + EXPECT_FORTIFY_DEATH_STRUCT(ppoll(fds.few, 3, &timeout, 0)); + +#if _FORTIFY_SOURCE > 1 + // expected-error@+2{{fd_count is larger than the given buffer}} +#endif + EXPECT_FORTIFY_DEATH_STRUCT(ppoll64(fds.few, 3, 0, nullptr)); + } +} + +FORTIFY_TEST(socket) { + { + char small_buffer[8]; + // expected-error@+1{{size bigger than buffer}} + EXPECT_FORTIFY_DEATH(recv(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0)); + // expected-error@+1{{size bigger than buffer}} + EXPECT_FORTIFY_DEATH(recvfrom(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0)); + + // expected-error@+1{{size bigger than buffer}} + EXPECT_FORTIFY_DEATH(send(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0)); + // expected-error@+1{{size bigger than buffer}} + EXPECT_FORTIFY_DEATH(sendto(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0)); + } + + { + struct { + char tiny_buffer[4]; + char tiny_buffer2; + } split = {}; + + EXPECT_NO_DEATH(recv(kBogusFD, split.tiny_buffer, sizeof(split), 0)); + EXPECT_NO_DEATH(recvfrom(kBogusFD, split.tiny_buffer, sizeof(split), 0, 0, 0)); + } +} + +FORTIFY_TEST(sys_stat) { + // expected-error@+1{{'umask' called with invalid mode}} + EXPECT_FORTIFY_DEATH(umask(01777)); +} + +FORTIFY_TEST(stdio) { + char small_buffer[8] = {}; + { +#if 0 + // expected-error@+1{{may overflow the destination buffer}} +#endif + EXPECT_FORTIFY_DEATH(snprintf(small_buffer, sizeof(small_buffer) + 1, "")); + + va_list va; +#if 0 + // expected-error@+1{{may overflow the destination buffer}} +#endif + // expected-warning@+1{{format string is empty}} + EXPECT_FORTIFY_DEATH(vsnprintf(small_buffer, sizeof(small_buffer) + 1, "", va)); + } + + // expected-error@+1{{size should not be negative}} + EXPECT_FORTIFY_DEATH(fgets(small_buffer, -1, stdin)); + // expected-error@+1{{size is larger than the destination buffer}} + EXPECT_FORTIFY_DEATH(fgets(small_buffer, sizeof(small_buffer) + 1, stdin)); + + // expected-error@+1{{size * count overflows}} + EXPECT_NO_DEATH(fread(small_buffer, 2, (size_t)-1, stdin)); + // expected-error@+1{{size * count is too large for the given buffer}} + EXPECT_FORTIFY_DEATH(fread(small_buffer, 1, sizeof(small_buffer) + 1, stdin)); + + // expected-error@+1{{size * count overflows}} + EXPECT_NO_DEATH(fwrite(small_buffer, 2, (size_t)-1, stdout)); + // expected-error@+1{{size * count is too large for the given buffer}} + EXPECT_FORTIFY_DEATH(fwrite(small_buffer, 1, sizeof(small_buffer) + 1, stdout)); +} + +FORTIFY_TEST(unistd) { + char small_buffer[8]; + + // Return value warnings are (sort of) a part of FORTIFY, so we don't ignore them. +#if 0 + // expected-error@+2{{ignoring return value of function}} +#endif + // expected-error@+1{{bytes overflows the given object}} + EXPECT_FORTIFY_DEATH(read(kBogusFD, small_buffer, sizeof(small_buffer) + 1)); +#if 0 + // expected-error@+2{{ignoring return value of function}} +#endif + // expected-error@+1{{bytes overflows the given object}} + EXPECT_FORTIFY_DEATH(pread(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0)); +#if 0 + // expected-error@+2{{ignoring return value of function}} +#endif + // expected-error@+1{{bytes overflows the given object}} + EXPECT_FORTIFY_DEATH(pread64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0)); +#if 0 + // expected-error@+2{{ignoring return value of function}} +#endif + // expected-error@+1{{bytes overflows the given object}} + EXPECT_FORTIFY_DEATH(write(kBogusFD, small_buffer, sizeof(small_buffer) + 1)); +#if 0 + // expected-error@+2{{ignoring return value of function}} +#endif + // expected-error@+1{{bytes overflows the given object}} + EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0)); +#if 0 + // expected-error@+2{{ignoring return value of function}} +#endif + // expected-error@+1{{bytes overflows the given object}} + EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0)); +#if 0 + // expected-error@+2{{ignoring return value of function}} +#endif + // expected-error@+1{{bytes overflows the given object}} + EXPECT_FORTIFY_DEATH(readlink("/", small_buffer, sizeof(small_buffer) + 1)); +#if 0 + // expected-error@+2{{ignoring return value of function}} +#endif + // expected-error@+1{{bytes overflows the given object}} + EXPECT_FORTIFY_DEATH(getcwd(small_buffer, sizeof(small_buffer) + 1)); + + // getcwd allocates and returns a buffer if you pass null to getcwd + EXPECT_NO_DEATH(getcwd(nullptr, 0)); + EXPECT_NO_DEATH(getcwd(nullptr, 4096)); + + struct { + char tiny_buffer[4]; + char tiny_buffer2[4]; + } split; + + EXPECT_NO_DEATH(read(kBogusFD, split.tiny_buffer, sizeof(split))); + EXPECT_NO_DEATH(pread(kBogusFD, split.tiny_buffer, sizeof(split), 0)); + EXPECT_NO_DEATH(pread64(kBogusFD, split.tiny_buffer, sizeof(split), 0)); + EXPECT_NO_DEATH(write(kBogusFD, split.tiny_buffer, sizeof(split))); + EXPECT_NO_DEATH(pwrite(kBogusFD, split.tiny_buffer, sizeof(split), 0)); + EXPECT_NO_DEATH(pwrite64(kBogusFD, split.tiny_buffer, sizeof(split), 0)); + +#if _FORTIFY_SOURCE > 1 + // expected-error@+2{{bytes overflows the given object}} +#endif + EXPECT_FORTIFY_DEATH_STRUCT(readlink("/", split.tiny_buffer, sizeof(split))); +#if _FORTIFY_SOURCE > 1 + // expected-error@+2{{bytes overflows the given object}} +#endif + EXPECT_FORTIFY_DEATH_STRUCT(getcwd(split.tiny_buffer, sizeof(split))); + + { + // FIXME: These should all die in FORTIFY. Headers are bugged. +#ifdef COMPILATION_TESTS + char* volatile unknown = small_buffer; + const size_t count = static_cast<size_t>(SSIZE_MAX) + 1; + // expected-error@+1{{'count' must be <= SSIZE_MAX}} + EXPECT_FORTIFY_DEATH(read(kBogusFD, unknown, count)); + // expected-error@+1{{'count' must be <= SSIZE_MAX}} + EXPECT_FORTIFY_DEATH(pread(kBogusFD, unknown, count, 0)); + // expected-error@+1{{'count' must be <= SSIZE_MAX}} + EXPECT_FORTIFY_DEATH(pread64(kBogusFD, unknown, count, 0)); + // expected-error@+1{{'count' must be <= SSIZE_MAX}} + EXPECT_FORTIFY_DEATH(write(kBogusFD, unknown, count)); + // expected-error@+1{{'count' must be <= SSIZE_MAX}} + EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, unknown, count, 0)); + // expected-error@+1{{'count' must be <= SSIZE_MAX}} + EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, unknown, count, 0)); +#endif + } +} + +#endif // defined(__BIONIC__) diff --git a/tests/fortify_filecheck_diagnostics_test.cpp b/tests/fortify_filecheck_diagnostics_test.cpp deleted file mode 100644 index ac9853c7f..000000000 --- a/tests/fortify_filecheck_diagnostics_test.cpp +++ /dev/null @@ -1,323 +0,0 @@ -/* - * Copyright (C) 2014 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* - * Silence all notes about enable_if-related 'candidates'; they're nice to know - * about for users, but this test doesn't care. - */ -// expected-note@* 0+{{candidate function}} - -/* Similarly, ignore all "from 'diagnose_if'"s. */ -// expected-note@* 0+{{from 'diagnose_if'}} - - -#undef _FORTIFY_SOURCE -#define _FORTIFY_SOURCE 2 -#include <fcntl.h> -#include <netinet/in.h> -#include <poll.h> -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <sys/socket.h> -#include <sys/stat.h> -#include <time.h> -#include <unistd.h> - -#if !defined(__BIONIC__) -# error "This only works with Bionic." -#endif - -void test_sprintf() { - char buf[4]; - - // NOLINTNEXTLINE(whitespace/line_length) - // expected-error@+1{{call to unavailable function 'sprintf': format string will always overflow destination buffer}} - sprintf(buf, "foobar"); // NOLINT(runtime/printf) - - // TODO: clang should emit a warning, but doesn't - sprintf(buf, "%s", "foobar"); // NOLINT(runtime/printf) -} - -void test_snprintf() { - char buf[4]; - - // NOLINTNEXTLINE(whitespace/line_length) - // expected-error@+1{{call to unavailable function 'snprintf': format string will always overflow destination buffer}} - snprintf(buf, 5, "foobar"); // NOLINT(runtime/printf) - - // TODO: clang should emit a warning, but doesn't - snprintf(buf, 5, "%s", "foobar"); // NOLINT(runtime/printf) - - // TODO: clang should emit a warning, but doesn't - snprintf(buf, 5, " %s ", "foobar"); // NOLINT(runtime/printf) - - // TODO: clang should emit a warning, but doesn't - snprintf(buf, 5, "%d", 100000); // NOLINT(runtime/printf) -} - -void test_memcpy() { - char buf[4]; - - // expected-error@+1{{'memcpy' called with size bigger than buffer}} - memcpy(buf, "foobar", sizeof("foobar") + 100); -} - -void test_memmove() { - char buf[4]; - - // expected-error@+1{{'memmove' called with size bigger than buffer}} - memmove(buf, "foobar", sizeof("foobar")); -} - -void test_memset() { - char buf[4]; - - // expected-error@+1{{'memset' called with size bigger than buffer}} - memset(buf, 0, 6); -} - -void test_strcpy() { - char buf[4]; - - // expected-error@+1{{'strcpy' called with string bigger than buffer}} - strcpy(buf, "foobar"); // NOLINT(runtime/printf) - - // expected-error@+1{{'strcpy' called with string bigger than buffer}} - strcpy(buf, "quux"); -} - -void test_stpcpy() { - char buf[4]; - - // expected-error@+1{{'stpcpy' called with string bigger than buffer}} - stpcpy(buf, "foobar"); - - // expected-error@+1{{'stpcpy' called with string bigger than buffer}} - stpcpy(buf, "quux"); -} - -void test_strncpy() { - char buf[4]; - - // TODO: clang should emit a warning, but doesn't - strncpy(buf, "foobar", sizeof("foobar")); -} - -void test_strcat() { - char buf[4] = ""; - - // TODO: clang should emit a warning, but doesn't - strcat(buf, "foobar"); // NOLINT(runtime/printf) -} - -void test_strncat() { - char buf[4] = ""; - - // TODO: clang should emit a warning, but doesn't - strncat(buf, "foobar", sizeof("foobar")); -} - -void test_vsprintf(const char* fmt, ...) { - va_list va; - char buf[4]; - va_start(va, fmt); - - // clang should emit a warning, but doesn't - vsprintf(buf, "foobar", va); - va_end(va); -} - -void test_vsnprintf(const char* fmt, ...) { - va_list va; - char buf[4]; - va_start(va, fmt); - - // clang should emit a warning, but doesn't - vsnprintf(buf, 5, "foobar", va); // NOLINT(runtime/printf) - - va_end(va); -} - -void test_fgets() { - char buf[4]; - - // expected-error@+1{{in call to 'fgets', size should not be negative}} - fgets(buf, -1, stdin); - - // expected-error@+1{{in call to 'fgets', size is larger than the destination buffer}} - fgets(buf, 6, stdin); -} - -void test_recvfrom() { - char buf[4]; - sockaddr_in addr; - - // expected-error@+1{{'recvfrom' called with size bigger than buffer}} - recvfrom(0, buf, 6, 0, reinterpret_cast<sockaddr*>(&addr), nullptr); -} - -void test_recv() { - char buf[4] = {0}; - - // expected-error@+1{{'recv' called with size bigger than buffer}} - recv(0, buf, 6, 0); -} - -void test_umask() { - // expected-error@+1{{'umask' called with invalid mode}} - umask(01777); -} - -void test_read() { - char buf[4]; - // expected-error@+1{{in call to 'read', 'count' bytes overflows the given object}} - read(0, buf, 6); -} - -void test_open() { - // expected-error@+1{{'open' called with O_CREAT or O_TMPFILE, but missing mode}} - open("/dev/null", O_CREAT); - - // expected-error@+1{{'open' called with O_CREAT or O_TMPFILE, but missing mode}} - open("/dev/null", O_TMPFILE); - - // expected-error@+1{{call to unavailable function 'open': too many arguments}} - open("/dev/null", O_CREAT, 0, 0); - - // expected-error@+1{{call to unavailable function 'open': too many arguments}} - open("/dev/null", O_TMPFILE, 0, 0); - - // expected-warning@+1{{'open' has superfluous mode bits; missing O_CREAT?}} - open("/dev/null", O_RDONLY, 0644); - - // expected-warning@+1{{'open' has superfluous mode bits; missing O_CREAT?}} - open("/dev/null", O_DIRECTORY, 0644); -} - -void test_poll() { - pollfd fds[1]; - // expected-error@+1{{in call to 'poll', fd_count is larger than the given buffer}} - poll(fds, 2, 0); -} - -void test_ppoll() { - pollfd fds[1]; - timespec timeout; - // expected-error@+1{{in call to 'ppoll', fd_count is larger than the given buffer}} - ppoll(fds, 2, &timeout, nullptr); -} - -void test_ppoll64() { - pollfd fds[1]; - timespec timeout; - // NOLINTNEXTLINE(whitespace/line_length) - // expected-error@+1{{in call to 'ppoll64', fd_count is larger than the given buffer}} - ppoll64(fds, 2, &timeout, nullptr); -} - -void test_fread_overflow() { - char buf[4]; - // expected-error@+1{{in call to 'fread', size * count overflows}} - fread(buf, 2, (size_t)-1, stdin); -} - -void test_fread_too_big() { - char buf[4]; - // NOLINTNEXTLINE(whitespace/line_length) - // expected-error@+1{{in call to 'fread', size * count is too large for the given buffer}} - fread(buf, 1, 5, stdin); -} - -void test_fwrite_overflow() { - char buf[4] = {0}; - // expected-error@+1{{in call to 'fwrite', size * count overflows}} - fwrite(buf, 2, (size_t)-1, stdout); -} - -void test_fwrite_too_big() { - char buf[4] = {0}; - // NOLINTNEXTLINE(whitespace/line_length) - // expected-error@+1{{in call to 'fwrite', size * count is too large for the given buffer}} - fwrite(buf, 1, 5, stdout); -} - -void test_getcwd() { - char buf[4]; - // expected-error@+1{{in call to 'getcwd', 'size' bytes overflows the given object}} - getcwd(buf, 5); -} - -void test_pwrite64_size() { - char buf[4] = {0}; - // expected-error@+1{{in call to 'pwrite64', 'count' bytes overflows the given object}} - pwrite64(STDOUT_FILENO, buf, 5, 0); -} - -void test_pwrite64_too_big_malloc() { - void *buf = calloc(atoi("5"), 1); - // expected-error@+1{{in call to 'pwrite64', 'count' must be <= SSIZE_MAX}} - pwrite64(STDOUT_FILENO, buf, SIZE_MAX, 0); -} - -void test_pwrite64_too_big() { - char buf[4] = {0}; - // expected-error@+1{{in call to 'pwrite64', 'count' must be <= SSIZE_MAX}} - pwrite64(STDOUT_FILENO, buf, SIZE_MAX, 0); -} - -void test_write_size() { - char buf[4] = {0}; - // expected-error@+1{{in call to 'write', 'count' bytes overflows the given object}} - write(STDOUT_FILENO, buf, 5); -} - -void test_memset_args_flipped() { - char from[4] = {0}; - // NOLINTNEXTLINE(whitespace/line_length) - // expected-warning@+1{{'memset' will set 0 bytes; maybe the arguments got flipped?}} - memset(from, sizeof(from), 0); -} - -void test_sendto() { - char buf[4] = {0}; - sockaddr_in addr; - - // expected-error@+1{{'sendto' called with size bigger than buffer}} - sendto(0, buf, 6, 0, reinterpret_cast<sockaddr*>(&addr), sizeof(sockaddr_in)); -} - -void test_send() { - char buf[4] = {0}; - - // expected-error@+1{{'send' called with size bigger than buffer}} - send(0, buf, 6, 0); -} - -void test_realpath() { - char buf[4] = {0}; - // NOLINTNEXTLINE(whitespace/line_length) - // expected-error@+1{{'realpath' output parameter must be NULL or a pointer to a buffer with >= PATH_MAX bytes}} - realpath(".", buf); - - // This is fine. - realpath(".", nullptr); - - char bigbuf[PATH_MAX]; - // expected-error@+1{{'realpath': NULL path is never correct; flipped arguments?}} - realpath(nullptr, bigbuf); -} diff --git a/tests/make_fortify_compile_test.mk b/tests/make_fortify_compile_test.mk new file mode 100644 index 000000000..8270f29d7 --- /dev/null +++ b/tests/make_fortify_compile_test.mk @@ -0,0 +1,20 @@ +include $(CLEAR_VARS) + +LOCAL_ADDITIONAL_DEPENDENCIES := \ + $(LOCAL_PATH)/Android.mk \ + $(LOCAL_PATH)/touch-obj-on-success + +LOCAL_CXX := $(LOCAL_PATH)/touch-obj-on-success \ + $(LLVM_PREBUILTS_PATH)/clang++ \ + +LOCAL_CLANG := true +LOCAL_MODULE := bionic-compile-time-tests$(FORTIFY_LEVEL)-clang++ +LOCAL_CPPFLAGS := -Wall -Wno-error +LOCAL_CPPFLAGS += -fno-color-diagnostics -ferror-limit=10000 -Xclang -verify +LOCAL_CPPFLAGS += -DCOMPILATION_TESTS=1 -Wformat-nonliteral +LOCAL_CPPFLAGS += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=$(FORTIFY_LEVEL) +LOCAL_SRC_FILES := clang_fortify_tests.cpp + +include $(BUILD_STATIC_LIBRARY) + +FORTIFY_LEVEL := |