Commit | Line | Data |
---|---|---|
875bfd52 KC |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* | |
fa4a3f86 KC |
3 | * Runtime test cases for CONFIG_FORTIFY_SOURCE. For testing memcpy(), |
4 | * see FORTIFY_MEM_* tests in LKDTM (drivers/misc/lkdtm/fortify.c). | |
875bfd52 KC |
5 | * |
6 | * For corner cases with UBSAN, try testing with: | |
7 | * | |
8 | * ./tools/testing/kunit/kunit.py run --arch=x86_64 \ | |
9 | * --kconfig_add CONFIG_FORTIFY_SOURCE=y \ | |
10 | * --kconfig_add CONFIG_UBSAN=y \ | |
11 | * --kconfig_add CONFIG_UBSAN_TRAP=y \ | |
12 | * --kconfig_add CONFIG_UBSAN_BOUNDS=y \ | |
13 | * --kconfig_add CONFIG_UBSAN_LOCAL_BOUNDS=y \ | |
14 | * --make_options LLVM=1 fortify | |
15 | */ | |
16 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
17 | ||
4ce615e7 KC |
18 | /* Redefine fortify_panic() to track failures. */ |
19 | void fortify_add_kunit_error(int write); | |
3d965b33 KC |
20 | #define fortify_panic(func, write, avail, size, retfail) do { \ |
21 | __fortify_report(FORTIFY_REASON(func, write), avail, size); \ | |
4ce615e7 KC |
22 | fortify_add_kunit_error(write); \ |
23 | return (retfail); \ | |
24 | } while (0) | |
25 | ||
46ee8f68 | 26 | #include <kunit/device.h> |
875bfd52 | 27 | #include <kunit/test.h> |
4ce615e7 | 28 | #include <kunit/test-bug.h> |
9124a264 KC |
29 | #include <linux/device.h> |
30 | #include <linux/slab.h> | |
875bfd52 | 31 | #include <linux/string.h> |
9124a264 | 32 | #include <linux/vmalloc.h> |
875bfd52 | 33 | |
1a78f8cb KC |
34 | /* Handle being built without CONFIG_FORTIFY_SOURCE */ |
35 | #ifndef __compiletime_strlen | |
36 | # define __compiletime_strlen __builtin_strlen | |
37 | #endif | |
38 | ||
4ce615e7 KC |
39 | static struct kunit_resource read_resource; |
40 | static struct kunit_resource write_resource; | |
41 | static int fortify_read_overflows; | |
42 | static int fortify_write_overflows; | |
43 | ||
875bfd52 KC |
44 | static const char array_of_10[] = "this is 10"; |
45 | static const char *ptr_of_11 = "this is 11!"; | |
46 | static char array_unknown[] = "compiler thinks I might change"; | |
47 | ||
4ce615e7 KC |
48 | void fortify_add_kunit_error(int write) |
49 | { | |
50 | struct kunit_resource *resource; | |
51 | struct kunit *current_test; | |
52 | ||
53 | current_test = kunit_get_current_test(); | |
54 | if (!current_test) | |
55 | return; | |
56 | ||
57 | resource = kunit_find_named_resource(current_test, | |
58 | write ? "fortify_write_overflows" | |
59 | : "fortify_read_overflows"); | |
60 | if (!resource) | |
61 | return; | |
62 | ||
63 | (*(int *)resource->data)++; | |
64 | kunit_put_resource(resource); | |
65 | } | |
66 | ||
875bfd52 KC |
67 | static void known_sizes_test(struct kunit *test) |
68 | { | |
69 | KUNIT_EXPECT_EQ(test, __compiletime_strlen("88888888"), 8); | |
70 | KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_of_10), 10); | |
71 | KUNIT_EXPECT_EQ(test, __compiletime_strlen(ptr_of_11), 11); | |
72 | ||
73 | KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_unknown), SIZE_MAX); | |
74 | /* Externally defined and dynamically sized string pointer: */ | |
06c1c49d | 75 | KUNIT_EXPECT_EQ(test, __compiletime_strlen(test->name), SIZE_MAX); |
875bfd52 KC |
76 | } |
77 | ||
78 | /* This is volatile so the optimizer can't perform DCE below. */ | |
79 | static volatile int pick; | |
80 | ||
81 | /* Not inline to keep optimizer from figuring out which string we want. */ | |
82 | static noinline size_t want_minus_one(int pick) | |
83 | { | |
84 | const char *str; | |
85 | ||
86 | switch (pick) { | |
87 | case 1: | |
88 | str = "4444"; | |
89 | break; | |
90 | case 2: | |
91 | str = "333"; | |
92 | break; | |
93 | default: | |
94 | str = "1"; | |
95 | break; | |
96 | } | |
97 | return __compiletime_strlen(str); | |
98 | } | |
99 | ||
100 | static void control_flow_split_test(struct kunit *test) | |
101 | { | |
102 | KUNIT_EXPECT_EQ(test, want_minus_one(pick), SIZE_MAX); | |
103 | } | |
104 | ||
9124a264 KC |
105 | #define KUNIT_EXPECT_BOS(test, p, expected, name) \ |
106 | KUNIT_EXPECT_EQ_MSG(test, __builtin_object_size(p, 1), \ | |
107 | expected, \ | |
108 | "__alloc_size() not working with __bos on " name "\n") | |
109 | ||
110 | #if !__has_builtin(__builtin_dynamic_object_size) | |
111 | #define KUNIT_EXPECT_BDOS(test, p, expected, name) \ | |
112 | /* Silence "unused variable 'expected'" warning. */ \ | |
113 | KUNIT_EXPECT_EQ(test, expected, expected) | |
114 | #else | |
115 | #define KUNIT_EXPECT_BDOS(test, p, expected, name) \ | |
116 | KUNIT_EXPECT_EQ_MSG(test, __builtin_dynamic_object_size(p, 1), \ | |
117 | expected, \ | |
118 | "__alloc_size() not working with __bdos on " name "\n") | |
119 | #endif | |
120 | ||
121 | /* If the execpted size is a constant value, __bos can see it. */ | |
122 | #define check_const(_expected, alloc, free) do { \ | |
123 | size_t expected = (_expected); \ | |
124 | void *p = alloc; \ | |
125 | KUNIT_EXPECT_TRUE_MSG(test, p != NULL, #alloc " failed?!\n"); \ | |
126 | KUNIT_EXPECT_BOS(test, p, expected, #alloc); \ | |
127 | KUNIT_EXPECT_BDOS(test, p, expected, #alloc); \ | |
128 | free; \ | |
129 | } while (0) | |
130 | ||
131 | /* If the execpted size is NOT a constant value, __bos CANNOT see it. */ | |
132 | #define check_dynamic(_expected, alloc, free) do { \ | |
133 | size_t expected = (_expected); \ | |
134 | void *p = alloc; \ | |
135 | KUNIT_EXPECT_TRUE_MSG(test, p != NULL, #alloc " failed?!\n"); \ | |
136 | KUNIT_EXPECT_BOS(test, p, SIZE_MAX, #alloc); \ | |
137 | KUNIT_EXPECT_BDOS(test, p, expected, #alloc); \ | |
138 | free; \ | |
139 | } while (0) | |
140 | ||
141 | /* Assortment of constant-value kinda-edge cases. */ | |
142 | #define CONST_TEST_BODY(TEST_alloc) do { \ | |
143 | /* Special-case vmalloc()-family to skip 0-sized allocs. */ \ | |
144 | if (strcmp(#TEST_alloc, "TEST_vmalloc") != 0) \ | |
145 | TEST_alloc(check_const, 0, 0); \ | |
146 | TEST_alloc(check_const, 1, 1); \ | |
147 | TEST_alloc(check_const, 128, 128); \ | |
148 | TEST_alloc(check_const, 1023, 1023); \ | |
149 | TEST_alloc(check_const, 1025, 1025); \ | |
150 | TEST_alloc(check_const, 4096, 4096); \ | |
151 | TEST_alloc(check_const, 4097, 4097); \ | |
152 | } while (0) | |
153 | ||
154 | static volatile size_t zero_size; | |
155 | static volatile size_t unknown_size = 50; | |
156 | ||
157 | #if !__has_builtin(__builtin_dynamic_object_size) | |
158 | #define DYNAMIC_TEST_BODY(TEST_alloc) \ | |
159 | kunit_skip(test, "Compiler is missing __builtin_dynamic_object_size() support\n") | |
160 | #else | |
161 | #define DYNAMIC_TEST_BODY(TEST_alloc) do { \ | |
162 | size_t size = unknown_size; \ | |
163 | \ | |
164 | /* \ | |
165 | * Expected size is "size" in each test, before it is then \ | |
166 | * internally incremented in each test. Requires we disable \ | |
167 | * -Wunsequenced. \ | |
168 | */ \ | |
169 | TEST_alloc(check_dynamic, size, size++); \ | |
170 | /* Make sure incrementing actually happened. */ \ | |
171 | KUNIT_EXPECT_NE(test, size, unknown_size); \ | |
172 | } while (0) | |
173 | #endif | |
174 | ||
175 | #define DEFINE_ALLOC_SIZE_TEST_PAIR(allocator) \ | |
176 | static void alloc_size_##allocator##_const_test(struct kunit *test) \ | |
177 | { \ | |
178 | CONST_TEST_BODY(TEST_##allocator); \ | |
179 | } \ | |
180 | static void alloc_size_##allocator##_dynamic_test(struct kunit *test) \ | |
181 | { \ | |
182 | DYNAMIC_TEST_BODY(TEST_##allocator); \ | |
183 | } | |
184 | ||
185 | #define TEST_kmalloc(checker, expected_size, alloc_size) do { \ | |
186 | gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \ | |
187 | void *orig; \ | |
188 | size_t len; \ | |
189 | \ | |
190 | checker(expected_size, kmalloc(alloc_size, gfp), \ | |
191 | kfree(p)); \ | |
192 | checker(expected_size, \ | |
193 | kmalloc_node(alloc_size, gfp, NUMA_NO_NODE), \ | |
194 | kfree(p)); \ | |
195 | checker(expected_size, kzalloc(alloc_size, gfp), \ | |
196 | kfree(p)); \ | |
197 | checker(expected_size, \ | |
198 | kzalloc_node(alloc_size, gfp, NUMA_NO_NODE), \ | |
199 | kfree(p)); \ | |
200 | checker(expected_size, kcalloc(1, alloc_size, gfp), \ | |
201 | kfree(p)); \ | |
202 | checker(expected_size, kcalloc(alloc_size, 1, gfp), \ | |
203 | kfree(p)); \ | |
204 | checker(expected_size, \ | |
205 | kcalloc_node(1, alloc_size, gfp, NUMA_NO_NODE), \ | |
206 | kfree(p)); \ | |
207 | checker(expected_size, \ | |
208 | kcalloc_node(alloc_size, 1, gfp, NUMA_NO_NODE), \ | |
209 | kfree(p)); \ | |
210 | checker(expected_size, kmalloc_array(1, alloc_size, gfp), \ | |
211 | kfree(p)); \ | |
212 | checker(expected_size, kmalloc_array(alloc_size, 1, gfp), \ | |
213 | kfree(p)); \ | |
214 | checker(expected_size, \ | |
215 | kmalloc_array_node(1, alloc_size, gfp, NUMA_NO_NODE), \ | |
216 | kfree(p)); \ | |
217 | checker(expected_size, \ | |
218 | kmalloc_array_node(alloc_size, 1, gfp, NUMA_NO_NODE), \ | |
219 | kfree(p)); \ | |
220 | checker(expected_size, __kmalloc(alloc_size, gfp), \ | |
221 | kfree(p)); \ | |
222 | checker(expected_size, \ | |
223 | __kmalloc_node(alloc_size, gfp, NUMA_NO_NODE), \ | |
224 | kfree(p)); \ | |
225 | \ | |
226 | orig = kmalloc(alloc_size, gfp); \ | |
227 | KUNIT_EXPECT_TRUE(test, orig != NULL); \ | |
228 | checker((expected_size) * 2, \ | |
229 | krealloc(orig, (alloc_size) * 2, gfp), \ | |
230 | kfree(p)); \ | |
231 | orig = kmalloc(alloc_size, gfp); \ | |
232 | KUNIT_EXPECT_TRUE(test, orig != NULL); \ | |
233 | checker((expected_size) * 2, \ | |
234 | krealloc_array(orig, 1, (alloc_size) * 2, gfp), \ | |
235 | kfree(p)); \ | |
236 | orig = kmalloc(alloc_size, gfp); \ | |
237 | KUNIT_EXPECT_TRUE(test, orig != NULL); \ | |
238 | checker((expected_size) * 2, \ | |
239 | krealloc_array(orig, (alloc_size) * 2, 1, gfp), \ | |
240 | kfree(p)); \ | |
241 | \ | |
242 | len = 11; \ | |
243 | /* Using memdup() with fixed size, so force unknown length. */ \ | |
244 | if (!__builtin_constant_p(expected_size)) \ | |
245 | len += zero_size; \ | |
246 | checker(len, kmemdup("hello there", len, gfp), kfree(p)); \ | |
247 | } while (0) | |
248 | DEFINE_ALLOC_SIZE_TEST_PAIR(kmalloc) | |
249 | ||
250 | /* Sizes are in pages, not bytes. */ | |
251 | #define TEST_vmalloc(checker, expected_pages, alloc_pages) do { \ | |
252 | gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \ | |
253 | checker((expected_pages) * PAGE_SIZE, \ | |
254 | vmalloc((alloc_pages) * PAGE_SIZE), vfree(p)); \ | |
255 | checker((expected_pages) * PAGE_SIZE, \ | |
256 | vzalloc((alloc_pages) * PAGE_SIZE), vfree(p)); \ | |
257 | checker((expected_pages) * PAGE_SIZE, \ | |
258 | __vmalloc((alloc_pages) * PAGE_SIZE, gfp), vfree(p)); \ | |
259 | } while (0) | |
260 | DEFINE_ALLOC_SIZE_TEST_PAIR(vmalloc) | |
261 | ||
262 | /* Sizes are in pages (and open-coded for side-effects), not bytes. */ | |
263 | #define TEST_kvmalloc(checker, expected_pages, alloc_pages) do { \ | |
264 | gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \ | |
265 | size_t prev_size; \ | |
266 | void *orig; \ | |
267 | \ | |
268 | checker((expected_pages) * PAGE_SIZE, \ | |
269 | kvmalloc((alloc_pages) * PAGE_SIZE, gfp), \ | |
270 | vfree(p)); \ | |
271 | checker((expected_pages) * PAGE_SIZE, \ | |
272 | kvmalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \ | |
273 | vfree(p)); \ | |
274 | checker((expected_pages) * PAGE_SIZE, \ | |
275 | kvzalloc((alloc_pages) * PAGE_SIZE, gfp), \ | |
276 | vfree(p)); \ | |
277 | checker((expected_pages) * PAGE_SIZE, \ | |
278 | kvzalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \ | |
279 | vfree(p)); \ | |
280 | checker((expected_pages) * PAGE_SIZE, \ | |
281 | kvcalloc(1, (alloc_pages) * PAGE_SIZE, gfp), \ | |
282 | vfree(p)); \ | |
283 | checker((expected_pages) * PAGE_SIZE, \ | |
284 | kvcalloc((alloc_pages) * PAGE_SIZE, 1, gfp), \ | |
285 | vfree(p)); \ | |
286 | checker((expected_pages) * PAGE_SIZE, \ | |
287 | kvmalloc_array(1, (alloc_pages) * PAGE_SIZE, gfp), \ | |
288 | vfree(p)); \ | |
289 | checker((expected_pages) * PAGE_SIZE, \ | |
290 | kvmalloc_array((alloc_pages) * PAGE_SIZE, 1, gfp), \ | |
291 | vfree(p)); \ | |
292 | \ | |
293 | prev_size = (expected_pages) * PAGE_SIZE; \ | |
294 | orig = kvmalloc(prev_size, gfp); \ | |
295 | KUNIT_EXPECT_TRUE(test, orig != NULL); \ | |
296 | checker(((expected_pages) * PAGE_SIZE) * 2, \ | |
297 | kvrealloc(orig, prev_size, \ | |
298 | ((alloc_pages) * PAGE_SIZE) * 2, gfp), \ | |
299 | kvfree(p)); \ | |
300 | } while (0) | |
301 | DEFINE_ALLOC_SIZE_TEST_PAIR(kvmalloc) | |
302 | ||
303 | #define TEST_devm_kmalloc(checker, expected_size, alloc_size) do { \ | |
304 | gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \ | |
305 | const char dev_name[] = "fortify-test"; \ | |
306 | struct device *dev; \ | |
307 | void *orig; \ | |
308 | size_t len; \ | |
309 | \ | |
310 | /* Create dummy device for devm_kmalloc()-family tests. */ \ | |
46ee8f68 | 311 | dev = kunit_device_register(test, dev_name); \ |
9124a264 KC |
312 | KUNIT_ASSERT_FALSE_MSG(test, IS_ERR(dev), \ |
313 | "Cannot register test device\n"); \ | |
314 | \ | |
315 | checker(expected_size, devm_kmalloc(dev, alloc_size, gfp), \ | |
316 | devm_kfree(dev, p)); \ | |
317 | checker(expected_size, devm_kzalloc(dev, alloc_size, gfp), \ | |
318 | devm_kfree(dev, p)); \ | |
319 | checker(expected_size, \ | |
320 | devm_kmalloc_array(dev, 1, alloc_size, gfp), \ | |
321 | devm_kfree(dev, p)); \ | |
322 | checker(expected_size, \ | |
323 | devm_kmalloc_array(dev, alloc_size, 1, gfp), \ | |
324 | devm_kfree(dev, p)); \ | |
325 | checker(expected_size, \ | |
326 | devm_kcalloc(dev, 1, alloc_size, gfp), \ | |
327 | devm_kfree(dev, p)); \ | |
328 | checker(expected_size, \ | |
329 | devm_kcalloc(dev, alloc_size, 1, gfp), \ | |
330 | devm_kfree(dev, p)); \ | |
331 | \ | |
332 | orig = devm_kmalloc(dev, alloc_size, gfp); \ | |
333 | KUNIT_EXPECT_TRUE(test, orig != NULL); \ | |
334 | checker((expected_size) * 2, \ | |
335 | devm_krealloc(dev, orig, (alloc_size) * 2, gfp), \ | |
336 | devm_kfree(dev, p)); \ | |
337 | \ | |
338 | len = 4; \ | |
339 | /* Using memdup() with fixed size, so force unknown length. */ \ | |
340 | if (!__builtin_constant_p(expected_size)) \ | |
341 | len += zero_size; \ | |
342 | checker(len, devm_kmemdup(dev, "Ohai", len, gfp), \ | |
343 | devm_kfree(dev, p)); \ | |
344 | \ | |
46ee8f68 | 345 | kunit_device_unregister(test, dev); \ |
9124a264 KC |
346 | } while (0) |
347 | DEFINE_ALLOC_SIZE_TEST_PAIR(devm_kmalloc) | |
348 | ||
fa4a3f86 KC |
349 | /* |
350 | * We can't have an array at the end of a structure or else | |
351 | * builds without -fstrict-flex-arrays=3 will report them as | |
352 | * being an unknown length. Additionally, add bytes before | |
353 | * and after the string to catch over/underflows if tests | |
354 | * fail. | |
355 | */ | |
356 | struct fortify_padding { | |
357 | unsigned long bytes_before; | |
358 | char buf[32]; | |
359 | unsigned long bytes_after; | |
360 | }; | |
361 | /* Force compiler into not being able to resolve size at compile-time. */ | |
362 | static volatile int unconst; | |
363 | ||
364 | static void strlen_test(struct kunit *test) | |
365 | { | |
366 | struct fortify_padding pad = { }; | |
367 | int i, end = sizeof(pad.buf) - 1; | |
368 | ||
369 | /* Fill 31 bytes with valid characters. */ | |
370 | for (i = 0; i < sizeof(pad.buf) - 1; i++) | |
371 | pad.buf[i] = i + '0'; | |
372 | /* Trailing bytes are still %NUL. */ | |
373 | KUNIT_EXPECT_EQ(test, pad.buf[end], '\0'); | |
374 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
375 | ||
376 | /* String is terminated, so strlen() is valid. */ | |
377 | KUNIT_EXPECT_EQ(test, strlen(pad.buf), end); | |
378 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
379 | ||
380 | /* Make string unterminated, and recount. */ | |
381 | pad.buf[end] = 'A'; | |
382 | end = sizeof(pad.buf); | |
383 | KUNIT_EXPECT_EQ(test, strlen(pad.buf), end); | |
384 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); | |
385 | } | |
386 | ||
387 | static void strnlen_test(struct kunit *test) | |
388 | { | |
389 | struct fortify_padding pad = { }; | |
390 | int i, end = sizeof(pad.buf) - 1; | |
391 | ||
392 | /* Fill 31 bytes with valid characters. */ | |
393 | for (i = 0; i < sizeof(pad.buf) - 1; i++) | |
394 | pad.buf[i] = i + '0'; | |
395 | /* Trailing bytes are still %NUL. */ | |
396 | KUNIT_EXPECT_EQ(test, pad.buf[end], '\0'); | |
397 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
398 | ||
399 | /* String is terminated, so strnlen() is valid. */ | |
400 | KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf)), end); | |
401 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
402 | /* A truncated strnlen() will be safe, too. */ | |
403 | KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf) / 2), | |
404 | sizeof(pad.buf) / 2); | |
405 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
406 | ||
407 | /* Make string unterminated, and recount. */ | |
408 | pad.buf[end] = 'A'; | |
409 | end = sizeof(pad.buf); | |
410 | /* Reading beyond with strncpy() will fail. */ | |
411 | KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end); | |
412 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); | |
413 | KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end); | |
414 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); | |
415 | ||
416 | /* Early-truncated is safe still, though. */ | |
417 | KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end); | |
418 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); | |
419 | ||
420 | end = sizeof(pad.buf) / 2; | |
421 | KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end); | |
422 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); | |
423 | } | |
424 | ||
425 | static void strcpy_test(struct kunit *test) | |
426 | { | |
427 | struct fortify_padding pad = { }; | |
428 | char src[sizeof(pad.buf) + 1] = { }; | |
429 | int i; | |
430 | ||
431 | /* Fill 31 bytes with valid characters. */ | |
432 | for (i = 0; i < sizeof(src) - 2; i++) | |
433 | src[i] = i + '0'; | |
434 | ||
435 | /* Destination is %NUL-filled to start with. */ | |
436 | KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); | |
437 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
438 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
439 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
440 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
441 | ||
442 | /* Legitimate strcpy() 1 less than of max size. */ | |
443 | KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src) | |
444 | == pad.buf); | |
445 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
446 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
447 | /* Only last byte should be %NUL */ | |
448 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
449 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
450 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
451 | ||
452 | src[sizeof(src) - 2] = 'A'; | |
453 | /* But now we trip the overflow checking. */ | |
454 | KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src) | |
455 | == pad.buf); | |
456 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
457 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); | |
458 | /* Trailing %NUL -- thanks to FORTIFY. */ | |
459 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
460 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
461 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
462 | /* And we will not have gone beyond. */ | |
463 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
464 | ||
465 | src[sizeof(src) - 1] = 'A'; | |
466 | /* And for sure now, two bytes past. */ | |
467 | KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src) | |
468 | == pad.buf); | |
469 | /* | |
470 | * Which trips both the strlen() on the unterminated src, | |
471 | * and the resulting copy attempt. | |
472 | */ | |
473 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); | |
474 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); | |
475 | /* Trailing %NUL -- thanks to FORTIFY. */ | |
476 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
477 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
478 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
479 | /* And we will not have gone beyond. */ | |
480 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
481 | } | |
482 | ||
483 | static void strncpy_test(struct kunit *test) | |
484 | { | |
485 | struct fortify_padding pad = { }; | |
486 | char src[] = "Copy me fully into a small buffer and I will overflow!"; | |
487 | ||
488 | /* Destination is %NUL-filled to start with. */ | |
489 | KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); | |
490 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
491 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
492 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
493 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
494 | ||
495 | /* Legitimate strncpy() 1 less than of max size. */ | |
496 | KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, | |
497 | sizeof(pad.buf) + unconst - 1) | |
498 | == pad.buf); | |
499 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
500 | /* Only last byte should be %NUL */ | |
501 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
502 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
503 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
504 | ||
505 | /* Legitimate (though unterminated) max-size strncpy. */ | |
506 | KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, | |
507 | sizeof(pad.buf) + unconst) | |
508 | == pad.buf); | |
509 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
510 | /* No trailing %NUL -- thanks strncpy API. */ | |
511 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
512 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
513 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
514 | /* But we will not have gone beyond. */ | |
515 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
516 | ||
517 | /* Now verify that FORTIFY is working... */ | |
518 | KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, | |
519 | sizeof(pad.buf) + unconst + 1) | |
520 | == pad.buf); | |
521 | /* Should catch the overflow. */ | |
522 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); | |
523 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
524 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
525 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
526 | /* And we will not have gone beyond. */ | |
527 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
528 | ||
529 | /* And further... */ | |
530 | KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, | |
531 | sizeof(pad.buf) + unconst + 2) | |
532 | == pad.buf); | |
533 | /* Should catch the overflow. */ | |
534 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); | |
535 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
536 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
537 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
538 | /* And we will not have gone beyond. */ | |
539 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
540 | } | |
541 | ||
542 | static void strscpy_test(struct kunit *test) | |
543 | { | |
544 | struct fortify_padding pad = { }; | |
545 | char src[] = "Copy me fully into a small buffer and I will overflow!"; | |
546 | ||
547 | /* Destination is %NUL-filled to start with. */ | |
548 | KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); | |
549 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
550 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
551 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
552 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
553 | ||
554 | /* Legitimate strscpy() 1 less than of max size. */ | |
555 | KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, | |
556 | sizeof(pad.buf) + unconst - 1), | |
557 | -E2BIG); | |
558 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
559 | /* Keeping space for %NUL, last two bytes should be %NUL */ | |
560 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
561 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
562 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
563 | ||
564 | /* Legitimate max-size strscpy. */ | |
565 | KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, | |
566 | sizeof(pad.buf) + unconst), | |
567 | -E2BIG); | |
568 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
569 | /* A trailing %NUL will exist. */ | |
570 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
571 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
572 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
573 | ||
574 | /* Now verify that FORTIFY is working... */ | |
575 | KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, | |
576 | sizeof(pad.buf) + unconst + 1), | |
577 | -E2BIG); | |
578 | /* Should catch the overflow. */ | |
579 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); | |
580 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
581 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
582 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
583 | /* And we will not have gone beyond. */ | |
584 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
585 | ||
586 | /* And much further... */ | |
587 | KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, | |
588 | sizeof(src) * 2 + unconst), | |
589 | -E2BIG); | |
590 | /* Should catch the overflow. */ | |
591 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); | |
592 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
593 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
594 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
595 | /* And we will not have gone beyond. */ | |
596 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
597 | } | |
598 | ||
599 | static void strcat_test(struct kunit *test) | |
600 | { | |
601 | struct fortify_padding pad = { }; | |
602 | char src[sizeof(pad.buf) / 2] = { }; | |
603 | char one[] = "A"; | |
604 | char two[] = "BC"; | |
605 | int i; | |
606 | ||
607 | /* Fill 15 bytes with valid characters. */ | |
608 | for (i = 0; i < sizeof(src) - 1; i++) | |
609 | src[i] = i + 'A'; | |
610 | ||
611 | /* Destination is %NUL-filled to start with. */ | |
612 | KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); | |
613 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
614 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
615 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
616 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
617 | ||
618 | /* Legitimate strcat() using less than half max size. */ | |
619 | KUNIT_ASSERT_TRUE(test, strcat(pad.buf, src) == pad.buf); | |
620 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
621 | /* Legitimate strcat() now 2 bytes shy of end. */ | |
622 | KUNIT_ASSERT_TRUE(test, strcat(pad.buf, src) == pad.buf); | |
623 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
624 | /* Last two bytes should be %NUL */ | |
625 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
626 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
627 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
628 | ||
629 | /* Add one more character to the end. */ | |
630 | KUNIT_ASSERT_TRUE(test, strcat(pad.buf, one) == pad.buf); | |
631 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
632 | /* Last byte should be %NUL */ | |
633 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
634 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
635 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
636 | ||
637 | /* And this one char will overflow. */ | |
638 | KUNIT_ASSERT_TRUE(test, strcat(pad.buf, one) == pad.buf); | |
639 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); | |
640 | /* Last byte should be %NUL thanks to FORTIFY. */ | |
641 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
642 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
643 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
644 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
645 | ||
646 | /* And adding two will overflow more. */ | |
647 | KUNIT_ASSERT_TRUE(test, strcat(pad.buf, two) == pad.buf); | |
648 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); | |
649 | /* Last byte should be %NUL thanks to FORTIFY. */ | |
650 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
651 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
652 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
653 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
654 | } | |
655 | ||
656 | static void strncat_test(struct kunit *test) | |
657 | { | |
658 | struct fortify_padding pad = { }; | |
659 | char src[sizeof(pad.buf)] = { }; | |
660 | int i, partial; | |
661 | ||
662 | /* Fill 31 bytes with valid characters. */ | |
663 | partial = sizeof(src) / 2 - 1; | |
664 | for (i = 0; i < partial; i++) | |
665 | src[i] = i + 'A'; | |
666 | ||
667 | /* Destination is %NUL-filled to start with. */ | |
668 | KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); | |
669 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
670 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
671 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
672 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
673 | ||
674 | /* Legitimate strncat() using less than half max size. */ | |
675 | KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, partial) == pad.buf); | |
676 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
677 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
678 | /* Legitimate strncat() now 2 bytes shy of end. */ | |
679 | KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, partial) == pad.buf); | |
680 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
681 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
682 | /* Last two bytes should be %NUL */ | |
683 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
684 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
685 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
686 | ||
687 | /* Add one more character to the end. */ | |
688 | KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf); | |
689 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
690 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
691 | /* Last byte should be %NUL */ | |
692 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
693 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
694 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
695 | ||
696 | /* And this one char will overflow. */ | |
697 | KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf); | |
698 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
699 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); | |
700 | /* Last byte should be %NUL thanks to FORTIFY. */ | |
701 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
702 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
703 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
704 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
705 | ||
706 | /* And adding two will overflow more. */ | |
707 | KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 2) == pad.buf); | |
708 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
709 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); | |
710 | /* Last byte should be %NUL thanks to FORTIFY. */ | |
711 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
712 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
713 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
714 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
715 | ||
716 | /* Force an unterminated destination, and overflow. */ | |
717 | pad.buf[sizeof(pad.buf) - 1] = 'A'; | |
718 | KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf); | |
719 | /* This will have tripped both strlen() and strcat(). */ | |
720 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); | |
721 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 3); | |
722 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
723 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
724 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
725 | /* But we should not go beyond the end. */ | |
726 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
727 | } | |
728 | ||
729 | static void strlcat_test(struct kunit *test) | |
730 | { | |
731 | struct fortify_padding pad = { }; | |
732 | char src[sizeof(pad.buf)] = { }; | |
733 | int i, partial; | |
734 | int len = sizeof(pad.buf) + unconst; | |
735 | ||
736 | /* Fill 15 bytes with valid characters. */ | |
737 | partial = sizeof(src) / 2 - 1; | |
738 | for (i = 0; i < partial; i++) | |
739 | src[i] = i + 'A'; | |
740 | ||
741 | /* Destination is %NUL-filled to start with. */ | |
742 | KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); | |
743 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
744 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
745 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
746 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
747 | ||
748 | /* Legitimate strlcat() using less than half max size. */ | |
749 | KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len), partial); | |
750 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
751 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
752 | /* Legitimate strlcat() now 2 bytes shy of end. */ | |
753 | KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len), partial * 2); | |
754 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
755 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
756 | /* Last two bytes should be %NUL */ | |
757 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
758 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
759 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
760 | ||
761 | /* Add one more character to the end. */ | |
762 | KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "Q", len), partial * 2 + 1); | |
763 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
764 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); | |
765 | /* Last byte should be %NUL */ | |
766 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
767 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
768 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
769 | ||
770 | /* And this one char will overflow. */ | |
771 | KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "V", len * 2), len); | |
772 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
773 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); | |
774 | /* Last byte should be %NUL thanks to FORTIFY. */ | |
775 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
776 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
777 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
778 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
779 | ||
780 | /* And adding two will overflow more. */ | |
781 | KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "QQ", len * 2), len + 1); | |
782 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
783 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); | |
784 | /* Last byte should be %NUL thanks to FORTIFY. */ | |
785 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
786 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
787 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
788 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
789 | ||
790 | /* Force an unterminated destination, and overflow. */ | |
791 | pad.buf[sizeof(pad.buf) - 1] = 'A'; | |
792 | KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "TT", len * 2), len + 2); | |
793 | /* This will have tripped both strlen() and strlcat(). */ | |
794 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); | |
795 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); | |
796 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
797 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); | |
798 | KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); | |
799 | /* But we should not go beyond the end. */ | |
800 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
801 | ||
802 | /* Force an unterminated source, and overflow. */ | |
803 | memset(src, 'B', sizeof(src)); | |
804 | pad.buf[sizeof(pad.buf) - 1] = '\0'; | |
805 | KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len * 3), len - 1 + sizeof(src)); | |
806 | /* This will have tripped both strlen() and strlcat(). */ | |
807 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3); | |
808 | KUNIT_EXPECT_EQ(test, fortify_write_overflows, 3); | |
809 | KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); | |
810 | /* But we should not go beyond the end. */ | |
811 | KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); | |
812 | } | |
813 | ||
814 | static void memscan_test(struct kunit *test) | |
815 | { | |
816 | char haystack[] = "Where oh where is my memory range?"; | |
817 | char *mem = haystack + strlen("Where oh where is "); | |
818 | char needle = 'm'; | |
819 | size_t len = sizeof(haystack) + unconst; | |
820 | ||
821 | KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len), | |
822 | mem); | |
823 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
824 | /* Catch too-large range. */ | |
825 | KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len + 1), | |
826 | NULL); | |
827 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); | |
828 | KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len * 2), | |
829 | NULL); | |
830 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); | |
831 | } | |
832 | ||
833 | static void memchr_test(struct kunit *test) | |
834 | { | |
835 | char haystack[] = "Where oh where is my memory range?"; | |
836 | char *mem = haystack + strlen("Where oh where is "); | |
837 | char needle = 'm'; | |
838 | size_t len = sizeof(haystack) + unconst; | |
839 | ||
840 | KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len), | |
841 | mem); | |
842 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
843 | /* Catch too-large range. */ | |
844 | KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len + 1), | |
845 | NULL); | |
846 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); | |
847 | KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len * 2), | |
848 | NULL); | |
849 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); | |
850 | } | |
851 | ||
852 | static void memchr_inv_test(struct kunit *test) | |
853 | { | |
854 | char haystack[] = "Where oh where is my memory range?"; | |
855 | char *mem = haystack + 1; | |
856 | char needle = 'W'; | |
857 | size_t len = sizeof(haystack) + unconst; | |
858 | ||
859 | /* Normal search is okay. */ | |
860 | KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len), | |
861 | mem); | |
862 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
863 | /* Catch too-large range. */ | |
864 | KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len + 1), | |
865 | NULL); | |
866 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); | |
867 | KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len * 2), | |
868 | NULL); | |
869 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); | |
870 | } | |
871 | ||
872 | static void memcmp_test(struct kunit *test) | |
873 | { | |
874 | char one[] = "My mind is going ..."; | |
875 | char two[] = "My mind is going ... I can feel it."; | |
876 | size_t one_len = sizeof(one) + unconst - 1; | |
877 | size_t two_len = sizeof(two) + unconst - 1; | |
878 | ||
879 | /* We match the first string (ignoring the %NUL). */ | |
880 | KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0); | |
881 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
882 | /* Still in bounds, but no longer matching. */ | |
883 | KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 1), -32); | |
884 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
885 | ||
886 | /* Catch too-large ranges. */ | |
887 | KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 2), INT_MIN); | |
888 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); | |
889 | ||
890 | KUNIT_ASSERT_EQ(test, memcmp(two, one, two_len + 2), INT_MIN); | |
891 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); | |
892 | } | |
893 | ||
894 | static void kmemdup_test(struct kunit *test) | |
895 | { | |
896 | char src[] = "I got Doom running on it!"; | |
897 | char *copy; | |
898 | size_t len = sizeof(src) + unconst; | |
899 | ||
900 | /* Copy is within bounds. */ | |
901 | copy = kmemdup(src, len, GFP_KERNEL); | |
902 | KUNIT_EXPECT_NOT_NULL(test, copy); | |
903 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
904 | kfree(copy); | |
905 | ||
906 | /* Without %NUL. */ | |
907 | copy = kmemdup(src, len - 1, GFP_KERNEL); | |
908 | KUNIT_EXPECT_NOT_NULL(test, copy); | |
909 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
910 | kfree(copy); | |
911 | ||
912 | /* Tiny bounds. */ | |
913 | copy = kmemdup(src, 1, GFP_KERNEL); | |
914 | KUNIT_EXPECT_NOT_NULL(test, copy); | |
915 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); | |
916 | kfree(copy); | |
917 | ||
918 | /* Out of bounds by 1 byte. */ | |
919 | copy = kmemdup(src, len + 1, GFP_KERNEL); | |
920 | KUNIT_EXPECT_NULL(test, copy); | |
921 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); | |
922 | kfree(copy); | |
923 | ||
924 | /* Way out of bounds. */ | |
925 | copy = kmemdup(src, len * 2, GFP_KERNEL); | |
926 | KUNIT_EXPECT_NULL(test, copy); | |
927 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); | |
928 | kfree(copy); | |
929 | ||
930 | /* Starting offset causing out of bounds. */ | |
931 | copy = kmemdup(src + 1, len, GFP_KERNEL); | |
932 | KUNIT_EXPECT_NULL(test, copy); | |
933 | KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3); | |
934 | kfree(copy); | |
935 | } | |
936 | ||
1a78f8cb KC |
937 | static int fortify_test_init(struct kunit *test) |
938 | { | |
939 | if (!IS_ENABLED(CONFIG_FORTIFY_SOURCE)) | |
940 | kunit_skip(test, "Not built with CONFIG_FORTIFY_SOURCE=y"); | |
941 | ||
4ce615e7 KC |
942 | fortify_read_overflows = 0; |
943 | kunit_add_named_resource(test, NULL, NULL, &read_resource, | |
944 | "fortify_read_overflows", | |
945 | &fortify_read_overflows); | |
946 | fortify_write_overflows = 0; | |
947 | kunit_add_named_resource(test, NULL, NULL, &write_resource, | |
948 | "fortify_write_overflows", | |
949 | &fortify_write_overflows); | |
1a78f8cb KC |
950 | return 0; |
951 | } | |
952 | ||
875bfd52 KC |
953 | static struct kunit_case fortify_test_cases[] = { |
954 | KUNIT_CASE(known_sizes_test), | |
955 | KUNIT_CASE(control_flow_split_test), | |
9124a264 KC |
956 | KUNIT_CASE(alloc_size_kmalloc_const_test), |
957 | KUNIT_CASE(alloc_size_kmalloc_dynamic_test), | |
958 | KUNIT_CASE(alloc_size_vmalloc_const_test), | |
959 | KUNIT_CASE(alloc_size_vmalloc_dynamic_test), | |
960 | KUNIT_CASE(alloc_size_kvmalloc_const_test), | |
961 | KUNIT_CASE(alloc_size_kvmalloc_dynamic_test), | |
962 | KUNIT_CASE(alloc_size_devm_kmalloc_const_test), | |
963 | KUNIT_CASE(alloc_size_devm_kmalloc_dynamic_test), | |
fa4a3f86 KC |
964 | KUNIT_CASE(strlen_test), |
965 | KUNIT_CASE(strnlen_test), | |
966 | KUNIT_CASE(strcpy_test), | |
967 | KUNIT_CASE(strncpy_test), | |
968 | KUNIT_CASE(strscpy_test), | |
969 | KUNIT_CASE(strcat_test), | |
970 | KUNIT_CASE(strncat_test), | |
971 | KUNIT_CASE(strlcat_test), | |
972 | /* skip memset: performs bounds checking on whole structs */ | |
973 | /* skip memcpy: still using warn-and-overwrite instead of hard-fail */ | |
974 | KUNIT_CASE(memscan_test), | |
975 | KUNIT_CASE(memchr_test), | |
976 | KUNIT_CASE(memchr_inv_test), | |
977 | KUNIT_CASE(memcmp_test), | |
978 | KUNIT_CASE(kmemdup_test), | |
875bfd52 KC |
979 | {} |
980 | }; | |
981 | ||
982 | static struct kunit_suite fortify_test_suite = { | |
983 | .name = "fortify", | |
1a78f8cb | 984 | .init = fortify_test_init, |
875bfd52 KC |
985 | .test_cases = fortify_test_cases, |
986 | }; | |
987 | ||
988 | kunit_test_suite(fortify_test_suite); | |
989 | ||
990 | MODULE_LICENSE("GPL"); |