fortify_kunit.c 40 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * Runtime test cases for CONFIG_FORTIFY_SOURCE. For additional memcpy()
  4. * testing see FORTIFY_MEM_* tests in LKDTM (drivers/misc/lkdtm/fortify.c).
  5. *
  6. * For corner cases with UBSAN, try testing with:
  7. *
  8. * ./tools/testing/kunit/kunit.py run --arch=x86_64 \
  9. * --kconfig_add CONFIG_FORTIFY_SOURCE=y \
  10. * --kconfig_add CONFIG_UBSAN=y \
  11. * --kconfig_add CONFIG_UBSAN_TRAP=y \
  12. * --kconfig_add CONFIG_UBSAN_BOUNDS=y \
  13. * --kconfig_add CONFIG_UBSAN_LOCAL_BOUNDS=y \
  14. * --make_options LLVM=1 fortify
  15. */
  16. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  17. /* We don't need to fill dmesg with the fortify WARNs during testing. */
  18. #ifdef DEBUG
  19. # define FORTIFY_REPORT_KUNIT(x...) __fortify_report(x)
  20. # define FORTIFY_WARN_KUNIT(x...) WARN_ONCE(x)
  21. #else
  22. # define FORTIFY_REPORT_KUNIT(x...) do { } while (0)
  23. # define FORTIFY_WARN_KUNIT(x...) do { } while (0)
  24. #endif
  25. /* Redefine fortify_panic() to track failures. */
  26. void fortify_add_kunit_error(int write);
  27. #define fortify_panic(func, write, avail, size, retfail) do { \
  28. FORTIFY_REPORT_KUNIT(FORTIFY_REASON(func, write), avail, size); \
  29. fortify_add_kunit_error(write); \
  30. return (retfail); \
  31. } while (0)
  32. /* Redefine fortify_warn_once() to track memcpy() failures. */
  33. #define fortify_warn_once(chk_func, x...) do { \
  34. bool __result = chk_func; \
  35. FORTIFY_WARN_KUNIT(__result, x); \
  36. if (__result) \
  37. fortify_add_kunit_error(1); \
  38. } while (0)
  39. #include <kunit/device.h>
  40. #include <kunit/test.h>
  41. #include <kunit/test-bug.h>
  42. #include <linux/device.h>
  43. #include <linux/slab.h>
  44. #include <linux/string.h>
  45. #include <linux/vmalloc.h>
  46. /* Handle being built without CONFIG_FORTIFY_SOURCE */
  47. #ifndef __compiletime_strlen
  48. # define __compiletime_strlen __builtin_strlen
  49. #endif
  50. static struct kunit_resource read_resource;
  51. static struct kunit_resource write_resource;
  52. static int fortify_read_overflows;
  53. static int fortify_write_overflows;
  54. static const char array_of_10[] = "this is 10";
  55. static const char *ptr_of_11 = "this is 11!";
  56. static const char * const unchanging_12 = "this is 12!!";
  57. static char array_unknown[] = "compiler thinks I might change";
  58. void fortify_add_kunit_error(int write)
  59. {
  60. struct kunit_resource *resource;
  61. struct kunit *current_test;
  62. current_test = kunit_get_current_test();
  63. if (!current_test)
  64. return;
  65. resource = kunit_find_named_resource(current_test,
  66. write ? "fortify_write_overflows"
  67. : "fortify_read_overflows");
  68. if (!resource)
  69. return;
  70. (*(int *)resource->data)++;
  71. kunit_put_resource(resource);
  72. }
  73. static void fortify_test_known_sizes(struct kunit *test)
  74. {
  75. char stack[80] = "Test!";
  76. KUNIT_EXPECT_FALSE(test, __is_constexpr(__builtin_strlen(stack)));
  77. KUNIT_EXPECT_EQ(test, __compiletime_strlen(stack), 5);
  78. KUNIT_EXPECT_TRUE(test, __is_constexpr(__builtin_strlen("88888888")));
  79. KUNIT_EXPECT_EQ(test, __compiletime_strlen("88888888"), 8);
  80. KUNIT_EXPECT_TRUE(test, __is_constexpr(__builtin_strlen(array_of_10)));
  81. KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_of_10), 10);
  82. KUNIT_EXPECT_FALSE(test, __is_constexpr(__builtin_strlen(ptr_of_11)));
  83. KUNIT_EXPECT_EQ(test, __compiletime_strlen(ptr_of_11), 11);
  84. KUNIT_EXPECT_TRUE(test, __is_constexpr(__builtin_strlen(unchanging_12)));
  85. KUNIT_EXPECT_EQ(test, __compiletime_strlen(unchanging_12), 12);
  86. KUNIT_EXPECT_FALSE(test, __is_constexpr(__builtin_strlen(array_unknown)));
  87. KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_unknown), SIZE_MAX);
  88. /* Externally defined and dynamically sized string pointer: */
  89. KUNIT_EXPECT_FALSE(test, __is_constexpr(__builtin_strlen(test->name)));
  90. KUNIT_EXPECT_EQ(test, __compiletime_strlen(test->name), SIZE_MAX);
  91. }
  92. /* This is volatile so the optimizer can't perform DCE below. */
  93. static volatile int pick;
  94. /* Not inline to keep optimizer from figuring out which string we want. */
  95. static noinline size_t want_minus_one(int pick)
  96. {
  97. const char *str;
  98. switch (pick) {
  99. case 1:
  100. str = "4444";
  101. break;
  102. case 2:
  103. str = "333";
  104. break;
  105. default:
  106. str = "1";
  107. break;
  108. }
  109. return __compiletime_strlen(str);
  110. }
  111. static void fortify_test_control_flow_split(struct kunit *test)
  112. {
  113. KUNIT_EXPECT_EQ(test, want_minus_one(pick), SIZE_MAX);
  114. }
  115. #define KUNIT_EXPECT_BOS(test, p, expected, name) \
  116. KUNIT_EXPECT_EQ_MSG(test, __builtin_object_size(p, 1), \
  117. expected, \
  118. "__alloc_size() not working with __bos on " name "\n")
  119. #if !__has_builtin(__builtin_dynamic_object_size)
  120. #define KUNIT_EXPECT_BDOS(test, p, expected, name) \
  121. /* Silence "unused variable 'expected'" warning. */ \
  122. KUNIT_EXPECT_EQ(test, expected, expected)
  123. #else
  124. #define KUNIT_EXPECT_BDOS(test, p, expected, name) \
  125. KUNIT_EXPECT_EQ_MSG(test, __builtin_dynamic_object_size(p, 1), \
  126. expected, \
  127. "__alloc_size() not working with __bdos on " name "\n")
  128. #endif
  129. /* If the execpted size is a constant value, __bos can see it. */
  130. #define check_const(_expected, alloc, free) do { \
  131. size_t expected = (_expected); \
  132. void *p = alloc; \
  133. KUNIT_EXPECT_TRUE_MSG(test, p != NULL, #alloc " failed?!\n"); \
  134. KUNIT_EXPECT_BOS(test, p, expected, #alloc); \
  135. KUNIT_EXPECT_BDOS(test, p, expected, #alloc); \
  136. free; \
  137. } while (0)
  138. /* If the execpted size is NOT a constant value, __bos CANNOT see it. */
  139. #define check_dynamic(_expected, alloc, free) do { \
  140. size_t expected = (_expected); \
  141. void *p = alloc; \
  142. KUNIT_EXPECT_TRUE_MSG(test, p != NULL, #alloc " failed?!\n"); \
  143. KUNIT_EXPECT_BOS(test, p, SIZE_MAX, #alloc); \
  144. KUNIT_EXPECT_BDOS(test, p, expected, #alloc); \
  145. free; \
  146. } while (0)
  147. /* Assortment of constant-value kinda-edge cases. */
  148. #define CONST_TEST_BODY(TEST_alloc) do { \
  149. /* Special-case vmalloc()-family to skip 0-sized allocs. */ \
  150. if (strcmp(#TEST_alloc, "TEST_vmalloc") != 0) \
  151. TEST_alloc(check_const, 0, 0); \
  152. TEST_alloc(check_const, 1, 1); \
  153. TEST_alloc(check_const, 128, 128); \
  154. TEST_alloc(check_const, 1023, 1023); \
  155. TEST_alloc(check_const, 1025, 1025); \
  156. TEST_alloc(check_const, 4096, 4096); \
  157. TEST_alloc(check_const, 4097, 4097); \
  158. } while (0)
  159. static volatile size_t zero_size;
  160. static volatile size_t unknown_size = 50;
  161. #if !__has_builtin(__builtin_dynamic_object_size)
  162. #define DYNAMIC_TEST_BODY(TEST_alloc) \
  163. kunit_skip(test, "Compiler is missing __builtin_dynamic_object_size() support\n")
  164. #else
  165. #define DYNAMIC_TEST_BODY(TEST_alloc) do { \
  166. size_t size = unknown_size; \
  167. \
  168. /* \
  169. * Expected size is "size" in each test, before it is then \
  170. * internally incremented in each test. Requires we disable \
  171. * -Wunsequenced. \
  172. */ \
  173. TEST_alloc(check_dynamic, size, size++); \
  174. /* Make sure incrementing actually happened. */ \
  175. KUNIT_EXPECT_NE(test, size, unknown_size); \
  176. } while (0)
  177. #endif
  178. #define DEFINE_ALLOC_SIZE_TEST_PAIR(allocator) \
  179. static void fortify_test_alloc_size_##allocator##_const(struct kunit *test) \
  180. { \
  181. CONST_TEST_BODY(TEST_##allocator); \
  182. } \
  183. static void fortify_test_alloc_size_##allocator##_dynamic(struct kunit *test) \
  184. { \
  185. DYNAMIC_TEST_BODY(TEST_##allocator); \
  186. }
  187. #define TEST_kmalloc(checker, expected_size, alloc_size) do { \
  188. gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
  189. void *orig; \
  190. size_t len; \
  191. \
  192. checker(expected_size, kmalloc(alloc_size, gfp), \
  193. kfree(p)); \
  194. checker(expected_size, \
  195. kmalloc_node(alloc_size, gfp, NUMA_NO_NODE), \
  196. kfree(p)); \
  197. checker(expected_size, kzalloc(alloc_size, gfp), \
  198. kfree(p)); \
  199. checker(expected_size, \
  200. kzalloc_node(alloc_size, gfp, NUMA_NO_NODE), \
  201. kfree(p)); \
  202. checker(expected_size, kcalloc(1, alloc_size, gfp), \
  203. kfree(p)); \
  204. checker(expected_size, kcalloc(alloc_size, 1, gfp), \
  205. kfree(p)); \
  206. checker(expected_size, \
  207. kcalloc_node(1, alloc_size, gfp, NUMA_NO_NODE), \
  208. kfree(p)); \
  209. checker(expected_size, \
  210. kcalloc_node(alloc_size, 1, gfp, NUMA_NO_NODE), \
  211. kfree(p)); \
  212. checker(expected_size, kmalloc_array(1, alloc_size, gfp), \
  213. kfree(p)); \
  214. checker(expected_size, kmalloc_array(alloc_size, 1, gfp), \
  215. kfree(p)); \
  216. checker(expected_size, \
  217. kmalloc_array_node(1, alloc_size, gfp, NUMA_NO_NODE), \
  218. kfree(p)); \
  219. checker(expected_size, \
  220. kmalloc_array_node(alloc_size, 1, gfp, NUMA_NO_NODE), \
  221. kfree(p)); \
  222. \
  223. orig = kmalloc(alloc_size, gfp); \
  224. KUNIT_EXPECT_TRUE(test, orig != NULL); \
  225. checker((expected_size) * 2, \
  226. krealloc(orig, (alloc_size) * 2, gfp), \
  227. kfree(p)); \
  228. orig = kmalloc(alloc_size, gfp); \
  229. KUNIT_EXPECT_TRUE(test, orig != NULL); \
  230. checker((expected_size) * 2, \
  231. krealloc_array(orig, 1, (alloc_size) * 2, gfp), \
  232. kfree(p)); \
  233. orig = kmalloc(alloc_size, gfp); \
  234. KUNIT_EXPECT_TRUE(test, orig != NULL); \
  235. checker((expected_size) * 2, \
  236. krealloc_array(orig, (alloc_size) * 2, 1, gfp), \
  237. kfree(p)); \
  238. \
  239. len = 11; \
  240. /* Using memdup() with fixed size, so force unknown length. */ \
  241. if (!__builtin_constant_p(expected_size)) \
  242. len += zero_size; \
  243. checker(len, kmemdup("hello there", len, gfp), kfree(p)); \
  244. } while (0)
  245. DEFINE_ALLOC_SIZE_TEST_PAIR(kmalloc)
  246. /* Sizes are in pages, not bytes. */
  247. #define TEST_vmalloc(checker, expected_pages, alloc_pages) do { \
  248. gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
  249. checker((expected_pages) * PAGE_SIZE, \
  250. vmalloc((alloc_pages) * PAGE_SIZE), vfree(p)); \
  251. checker((expected_pages) * PAGE_SIZE, \
  252. vzalloc((alloc_pages) * PAGE_SIZE), vfree(p)); \
  253. checker((expected_pages) * PAGE_SIZE, \
  254. __vmalloc((alloc_pages) * PAGE_SIZE, gfp), vfree(p)); \
  255. } while (0)
  256. DEFINE_ALLOC_SIZE_TEST_PAIR(vmalloc)
  257. /* Sizes are in pages (and open-coded for side-effects), not bytes. */
  258. #define TEST_kvmalloc(checker, expected_pages, alloc_pages) do { \
  259. gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
  260. size_t prev_size; \
  261. void *orig; \
  262. \
  263. checker((expected_pages) * PAGE_SIZE, \
  264. kvmalloc((alloc_pages) * PAGE_SIZE, gfp), \
  265. kvfree(p)); \
  266. checker((expected_pages) * PAGE_SIZE, \
  267. kvmalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \
  268. kvfree(p)); \
  269. checker((expected_pages) * PAGE_SIZE, \
  270. kvzalloc((alloc_pages) * PAGE_SIZE, gfp), \
  271. kvfree(p)); \
  272. checker((expected_pages) * PAGE_SIZE, \
  273. kvzalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \
  274. kvfree(p)); \
  275. checker((expected_pages) * PAGE_SIZE, \
  276. kvcalloc(1, (alloc_pages) * PAGE_SIZE, gfp), \
  277. kvfree(p)); \
  278. checker((expected_pages) * PAGE_SIZE, \
  279. kvcalloc((alloc_pages) * PAGE_SIZE, 1, gfp), \
  280. kvfree(p)); \
  281. checker((expected_pages) * PAGE_SIZE, \
  282. kvmalloc_array(1, (alloc_pages) * PAGE_SIZE, gfp), \
  283. kvfree(p)); \
  284. checker((expected_pages) * PAGE_SIZE, \
  285. kvmalloc_array((alloc_pages) * PAGE_SIZE, 1, gfp), \
  286. kvfree(p)); \
  287. \
  288. prev_size = (expected_pages) * PAGE_SIZE; \
  289. orig = kvmalloc(prev_size, gfp); \
  290. KUNIT_EXPECT_TRUE(test, orig != NULL); \
  291. checker(((expected_pages) * PAGE_SIZE) * 2, \
  292. kvrealloc(orig, ((alloc_pages) * PAGE_SIZE) * 2, gfp), \
  293. kvfree(p)); \
  294. } while (0)
  295. DEFINE_ALLOC_SIZE_TEST_PAIR(kvmalloc)
  296. #define TEST_devm_kmalloc(checker, expected_size, alloc_size) do { \
  297. gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
  298. const char dev_name[] = "fortify-test"; \
  299. struct device *dev; \
  300. void *orig; \
  301. size_t len; \
  302. \
  303. /* Create dummy device for devm_kmalloc()-family tests. */ \
  304. dev = kunit_device_register(test, dev_name); \
  305. KUNIT_ASSERT_FALSE_MSG(test, IS_ERR(dev), \
  306. "Cannot register test device\n"); \
  307. \
  308. checker(expected_size, devm_kmalloc(dev, alloc_size, gfp), \
  309. devm_kfree(dev, p)); \
  310. checker(expected_size, devm_kzalloc(dev, alloc_size, gfp), \
  311. devm_kfree(dev, p)); \
  312. checker(expected_size, \
  313. devm_kmalloc_array(dev, 1, alloc_size, gfp), \
  314. devm_kfree(dev, p)); \
  315. checker(expected_size, \
  316. devm_kmalloc_array(dev, alloc_size, 1, gfp), \
  317. devm_kfree(dev, p)); \
  318. checker(expected_size, \
  319. devm_kcalloc(dev, 1, alloc_size, gfp), \
  320. devm_kfree(dev, p)); \
  321. checker(expected_size, \
  322. devm_kcalloc(dev, alloc_size, 1, gfp), \
  323. devm_kfree(dev, p)); \
  324. \
  325. orig = devm_kmalloc(dev, alloc_size, gfp); \
  326. KUNIT_EXPECT_TRUE(test, orig != NULL); \
  327. checker((expected_size) * 2, \
  328. devm_krealloc(dev, orig, (alloc_size) * 2, gfp), \
  329. devm_kfree(dev, p)); \
  330. \
  331. len = 4; \
  332. /* Using memdup() with fixed size, so force unknown length. */ \
  333. if (!__builtin_constant_p(expected_size)) \
  334. len += zero_size; \
  335. checker(len, devm_kmemdup(dev, "Ohai", len, gfp), \
  336. devm_kfree(dev, p)); \
  337. \
  338. kunit_device_unregister(test, dev); \
  339. } while (0)
  340. DEFINE_ALLOC_SIZE_TEST_PAIR(devm_kmalloc)
  341. static const char * const test_strs[] = {
  342. "",
  343. "Hello there",
  344. "A longer string, just for variety",
  345. };
  346. #define TEST_realloc(checker) do { \
  347. gfp_t gfp = GFP_KERNEL; \
  348. size_t len; \
  349. int i; \
  350. \
  351. for (i = 0; i < ARRAY_SIZE(test_strs); i++) { \
  352. len = strlen(test_strs[i]); \
  353. KUNIT_EXPECT_EQ(test, __builtin_constant_p(len), 0); \
  354. checker(len, kmemdup_array(test_strs[i], 1, len, gfp), \
  355. kfree(p)); \
  356. checker(len, kmemdup(test_strs[i], len, gfp), \
  357. kfree(p)); \
  358. } \
  359. } while (0)
  360. static void fortify_test_realloc_size(struct kunit *test)
  361. {
  362. TEST_realloc(check_dynamic);
  363. }
  364. /*
  365. * We can't have an array at the end of a structure or else
  366. * builds without -fstrict-flex-arrays=3 will report them as
  367. * being an unknown length. Additionally, add bytes before
  368. * and after the string to catch over/underflows if tests
  369. * fail.
  370. */
  371. struct fortify_padding {
  372. unsigned long bytes_before;
  373. char buf[32];
  374. unsigned long bytes_after;
  375. };
  376. static void fortify_test_strlen(struct kunit *test)
  377. {
  378. struct fortify_padding pad = { };
  379. int i, end = sizeof(pad.buf) - 1;
  380. /* Fill 31 bytes with valid characters. */
  381. for (i = 0; i < sizeof(pad.buf) - 1; i++)
  382. pad.buf[i] = i + '0';
  383. /* Trailing bytes are still %NUL. */
  384. KUNIT_EXPECT_EQ(test, pad.buf[end], '\0');
  385. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  386. /* String is terminated, so strlen() is valid. */
  387. KUNIT_EXPECT_EQ(test, strlen(pad.buf), end);
  388. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  389. /* Make string unterminated, and recount. */
  390. pad.buf[end] = 'A';
  391. end = sizeof(pad.buf);
  392. KUNIT_EXPECT_EQ(test, strlen(pad.buf), end);
  393. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
  394. }
  395. static void fortify_test_strnlen(struct kunit *test)
  396. {
  397. struct fortify_padding pad = { };
  398. int i, end = sizeof(pad.buf) - 1;
  399. /* Fill 31 bytes with valid characters. */
  400. for (i = 0; i < sizeof(pad.buf) - 1; i++)
  401. pad.buf[i] = i + '0';
  402. /* Trailing bytes are still %NUL. */
  403. KUNIT_EXPECT_EQ(test, pad.buf[end], '\0');
  404. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  405. /* String is terminated, so strnlen() is valid. */
  406. KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf)), end);
  407. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  408. /* A truncated strnlen() will be safe, too. */
  409. KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf) / 2),
  410. sizeof(pad.buf) / 2);
  411. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  412. /* Make string unterminated, and recount. */
  413. pad.buf[end] = 'A';
  414. end = sizeof(pad.buf);
  415. /* Reading beyond with strncpy() will fail. */
  416. KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end);
  417. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
  418. KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end);
  419. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
  420. /* Early-truncated is safe still, though. */
  421. KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end);
  422. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
  423. end = sizeof(pad.buf) / 2;
  424. KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end);
  425. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
  426. }
  427. static void fortify_test_strcpy(struct kunit *test)
  428. {
  429. struct fortify_padding pad = { };
  430. char src[sizeof(pad.buf) + 1] = { };
  431. int i;
  432. /* Fill 31 bytes with valid characters. */
  433. for (i = 0; i < sizeof(src) - 2; i++)
  434. src[i] = i + '0';
  435. /* Destination is %NUL-filled to start with. */
  436. KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
  437. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  438. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  439. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  440. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  441. /* Legitimate strcpy() 1 less than of max size. */
  442. KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
  443. == pad.buf);
  444. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  445. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  446. /* Only last byte should be %NUL */
  447. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  448. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  449. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  450. src[sizeof(src) - 2] = 'A';
  451. /* But now we trip the overflow checking. */
  452. KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
  453. == pad.buf);
  454. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  455. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
  456. /* Trailing %NUL -- thanks to FORTIFY. */
  457. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  458. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  459. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  460. /* And we will not have gone beyond. */
  461. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  462. src[sizeof(src) - 1] = 'A';
  463. /* And for sure now, two bytes past. */
  464. KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
  465. == pad.buf);
  466. /*
  467. * Which trips both the strlen() on the unterminated src,
  468. * and the resulting copy attempt.
  469. */
  470. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
  471. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
  472. /* Trailing %NUL -- thanks to FORTIFY. */
  473. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  474. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  475. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  476. /* And we will not have gone beyond. */
  477. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  478. }
  479. static void fortify_test_strncpy(struct kunit *test)
  480. {
  481. struct fortify_padding pad = { };
  482. char src[] = "Copy me fully into a small buffer and I will overflow!";
  483. size_t sizeof_buf = sizeof(pad.buf);
  484. OPTIMIZER_HIDE_VAR(sizeof_buf);
  485. /* Destination is %NUL-filled to start with. */
  486. KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
  487. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
  488. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 2], '\0');
  489. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 3], '\0');
  490. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  491. /* Legitimate strncpy() 1 less than of max size. */
  492. KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf - 1)
  493. == pad.buf);
  494. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  495. /* Only last byte should be %NUL */
  496. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
  497. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  498. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 3], '\0');
  499. /* Legitimate (though unterminated) max-size strncpy. */
  500. KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf)
  501. == pad.buf);
  502. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  503. /* No trailing %NUL -- thanks strncpy API. */
  504. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 1], '\0');
  505. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  506. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  507. /* But we will not have gone beyond. */
  508. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  509. /* Now verify that FORTIFY is working... */
  510. KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf + 1)
  511. == pad.buf);
  512. /* Should catch the overflow. */
  513. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
  514. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 1], '\0');
  515. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  516. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  517. /* And we will not have gone beyond. */
  518. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  519. /* And further... */
  520. KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf + 2)
  521. == pad.buf);
  522. /* Should catch the overflow. */
  523. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
  524. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 1], '\0');
  525. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  526. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  527. /* And we will not have gone beyond. */
  528. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  529. }
  530. static void fortify_test_strscpy(struct kunit *test)
  531. {
  532. struct fortify_padding pad = { };
  533. char src[] = "Copy me fully into a small buffer and I will overflow!";
  534. size_t sizeof_buf = sizeof(pad.buf);
  535. size_t sizeof_src = sizeof(src);
  536. OPTIMIZER_HIDE_VAR(sizeof_buf);
  537. OPTIMIZER_HIDE_VAR(sizeof_src);
  538. /* Destination is %NUL-filled to start with. */
  539. KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
  540. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
  541. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 2], '\0');
  542. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 3], '\0');
  543. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  544. /* Legitimate strscpy() 1 less than of max size. */
  545. KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_buf - 1),
  546. -E2BIG);
  547. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  548. /* Keeping space for %NUL, last two bytes should be %NUL */
  549. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
  550. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 2], '\0');
  551. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 3], '\0');
  552. /* Legitimate max-size strscpy. */
  553. KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_buf),
  554. -E2BIG);
  555. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  556. /* A trailing %NUL will exist. */
  557. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
  558. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  559. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  560. /* Now verify that FORTIFY is working... */
  561. KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_buf + 1),
  562. -E2BIG);
  563. /* Should catch the overflow. */
  564. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
  565. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
  566. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  567. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  568. /* And we will not have gone beyond. */
  569. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  570. /* And much further... */
  571. KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_src * 2),
  572. -E2BIG);
  573. /* Should catch the overflow. */
  574. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
  575. KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0');
  576. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  577. KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0');
  578. /* And we will not have gone beyond. */
  579. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  580. }
  581. static void fortify_test_strcat(struct kunit *test)
  582. {
  583. struct fortify_padding pad = { };
  584. char src[sizeof(pad.buf) / 2] = { };
  585. char one[] = "A";
  586. char two[] = "BC";
  587. int i;
  588. /* Fill 15 bytes with valid characters. */
  589. for (i = 0; i < sizeof(src) - 1; i++)
  590. src[i] = i + 'A';
  591. /* Destination is %NUL-filled to start with. */
  592. KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
  593. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  594. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  595. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  596. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  597. /* Legitimate strcat() using less than half max size. */
  598. KUNIT_ASSERT_TRUE(test, strcat(pad.buf, src) == pad.buf);
  599. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  600. /* Legitimate strcat() now 2 bytes shy of end. */
  601. KUNIT_ASSERT_TRUE(test, strcat(pad.buf, src) == pad.buf);
  602. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  603. /* Last two bytes should be %NUL */
  604. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  605. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  606. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  607. /* Add one more character to the end. */
  608. KUNIT_ASSERT_TRUE(test, strcat(pad.buf, one) == pad.buf);
  609. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  610. /* Last byte should be %NUL */
  611. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  612. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  613. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  614. /* And this one char will overflow. */
  615. KUNIT_ASSERT_TRUE(test, strcat(pad.buf, one) == pad.buf);
  616. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
  617. /* Last byte should be %NUL thanks to FORTIFY. */
  618. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  619. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  620. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  621. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  622. /* And adding two will overflow more. */
  623. KUNIT_ASSERT_TRUE(test, strcat(pad.buf, two) == pad.buf);
  624. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
  625. /* Last byte should be %NUL thanks to FORTIFY. */
  626. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  627. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  628. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  629. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  630. }
  631. static void fortify_test_strncat(struct kunit *test)
  632. {
  633. struct fortify_padding pad = { };
  634. char src[sizeof(pad.buf)] = { };
  635. int i, partial;
  636. /* Fill 31 bytes with valid characters. */
  637. partial = sizeof(src) / 2 - 1;
  638. for (i = 0; i < partial; i++)
  639. src[i] = i + 'A';
  640. /* Destination is %NUL-filled to start with. */
  641. KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
  642. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  643. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  644. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  645. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  646. /* Legitimate strncat() using less than half max size. */
  647. KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, partial) == pad.buf);
  648. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  649. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  650. /* Legitimate strncat() now 2 bytes shy of end. */
  651. KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, partial) == pad.buf);
  652. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  653. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  654. /* Last two bytes should be %NUL */
  655. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  656. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  657. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  658. /* Add one more character to the end. */
  659. KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf);
  660. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  661. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  662. /* Last byte should be %NUL */
  663. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  664. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  665. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  666. /* And this one char will overflow. */
  667. KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf);
  668. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  669. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
  670. /* Last byte should be %NUL thanks to FORTIFY. */
  671. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  672. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  673. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  674. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  675. /* And adding two will overflow more. */
  676. KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 2) == pad.buf);
  677. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  678. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
  679. /* Last byte should be %NUL thanks to FORTIFY. */
  680. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  681. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  682. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  683. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  684. /* Force an unterminated destination, and overflow. */
  685. pad.buf[sizeof(pad.buf) - 1] = 'A';
  686. KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf);
  687. /* This will have tripped both strlen() and strcat(). */
  688. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
  689. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 3);
  690. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  691. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  692. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  693. /* But we should not go beyond the end. */
  694. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  695. }
  696. static void fortify_test_strlcat(struct kunit *test)
  697. {
  698. struct fortify_padding pad = { };
  699. char src[sizeof(pad.buf)] = { };
  700. int i, partial;
  701. int len = sizeof(pad.buf);
  702. OPTIMIZER_HIDE_VAR(len);
  703. /* Fill 15 bytes with valid characters. */
  704. partial = sizeof(src) / 2 - 1;
  705. for (i = 0; i < partial; i++)
  706. src[i] = i + 'A';
  707. /* Destination is %NUL-filled to start with. */
  708. KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
  709. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  710. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  711. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  712. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  713. /* Legitimate strlcat() using less than half max size. */
  714. KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len), partial);
  715. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  716. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  717. /* Legitimate strlcat() now 2 bytes shy of end. */
  718. KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len), partial * 2);
  719. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  720. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  721. /* Last two bytes should be %NUL */
  722. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  723. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  724. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  725. /* Add one more character to the end. */
  726. KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "Q", len), partial * 2 + 1);
  727. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  728. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
  729. /* Last byte should be %NUL */
  730. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  731. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  732. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  733. /* And this one char will overflow. */
  734. KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "V", len * 2), len);
  735. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  736. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
  737. /* Last byte should be %NUL thanks to FORTIFY. */
  738. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  739. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  740. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  741. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  742. /* And adding two will overflow more. */
  743. KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "QQ", len * 2), len + 1);
  744. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  745. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
  746. /* Last byte should be %NUL thanks to FORTIFY. */
  747. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  748. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  749. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  750. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  751. /* Force an unterminated destination, and overflow. */
  752. pad.buf[sizeof(pad.buf) - 1] = 'A';
  753. KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "TT", len * 2), len + 2);
  754. /* This will have tripped both strlen() and strlcat(). */
  755. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
  756. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
  757. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  758. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
  759. KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
  760. /* But we should not go beyond the end. */
  761. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  762. /* Force an unterminated source, and overflow. */
  763. memset(src, 'B', sizeof(src));
  764. pad.buf[sizeof(pad.buf) - 1] = '\0';
  765. KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len * 3), len - 1 + sizeof(src));
  766. /* This will have tripped both strlen() and strlcat(). */
  767. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3);
  768. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 3);
  769. KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
  770. /* But we should not go beyond the end. */
  771. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
  772. }
  773. /* Check for 0-sized arrays... */
  774. struct fortify_zero_sized {
  775. unsigned long bytes_before;
  776. char buf[0];
  777. unsigned long bytes_after;
  778. };
  779. #define __fortify_test(memfunc) \
  780. static void fortify_test_##memfunc(struct kunit *test) \
  781. { \
  782. struct fortify_zero_sized empty = { }; \
  783. struct fortify_padding pad = { }; \
  784. char srcA[sizeof(pad.buf) + 2]; \
  785. char srcB[sizeof(pad.buf) + 2]; \
  786. size_t len = sizeof(pad.buf); \
  787. size_t zero = 0; \
  788. \
  789. OPTIMIZER_HIDE_VAR(len); \
  790. OPTIMIZER_HIDE_VAR(zero); \
  791. \
  792. memset(srcA, 'A', sizeof(srcA)); \
  793. KUNIT_ASSERT_EQ(test, srcA[0], 'A'); \
  794. memset(srcB, 'B', sizeof(srcB)); \
  795. KUNIT_ASSERT_EQ(test, srcB[0], 'B'); \
  796. \
  797. memfunc(pad.buf, srcA, zero); \
  798. KUNIT_EXPECT_EQ(test, pad.buf[0], '\0'); \
  799. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
  800. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
  801. memfunc(pad.buf + 1, srcB, zero + 1); \
  802. KUNIT_EXPECT_EQ(test, pad.buf[0], '\0'); \
  803. KUNIT_EXPECT_EQ(test, pad.buf[1], 'B'); \
  804. KUNIT_EXPECT_EQ(test, pad.buf[2], '\0'); \
  805. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
  806. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
  807. memfunc(pad.buf, srcA, zero + 1); \
  808. KUNIT_EXPECT_EQ(test, pad.buf[0], 'A'); \
  809. KUNIT_EXPECT_EQ(test, pad.buf[1], 'B'); \
  810. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
  811. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
  812. memfunc(pad.buf, srcA, len - 1); \
  813. KUNIT_EXPECT_EQ(test, pad.buf[1], 'A'); \
  814. KUNIT_EXPECT_EQ(test, pad.buf[len - 1], '\0'); \
  815. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
  816. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
  817. memfunc(pad.buf, srcA, len); \
  818. KUNIT_EXPECT_EQ(test, pad.buf[1], 'A'); \
  819. KUNIT_EXPECT_EQ(test, pad.buf[len - 1], 'A'); \
  820. KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); \
  821. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
  822. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
  823. memfunc(pad.buf, srcA, len + 1); \
  824. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
  825. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); \
  826. memfunc(pad.buf + 1, srcB, len); \
  827. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
  828. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); \
  829. \
  830. /* Reset error counter. */ \
  831. fortify_write_overflows = 0; \
  832. /* Copy nothing into nothing: no errors. */ \
  833. memfunc(empty.buf, srcB, zero); \
  834. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
  835. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
  836. memfunc(empty.buf, srcB, zero + 1); \
  837. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
  838. KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); \
  839. }
  840. __fortify_test(memcpy)
  841. __fortify_test(memmove)
  842. static void fortify_test_memscan(struct kunit *test)
  843. {
  844. char haystack[] = "Where oh where is my memory range?";
  845. char *mem = haystack + strlen("Where oh where is ");
  846. char needle = 'm';
  847. size_t len = sizeof(haystack);
  848. OPTIMIZER_HIDE_VAR(len);
  849. KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len),
  850. mem);
  851. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  852. /* Catch too-large range. */
  853. KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len + 1),
  854. NULL);
  855. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
  856. KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len * 2),
  857. NULL);
  858. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
  859. }
  860. static void fortify_test_memchr(struct kunit *test)
  861. {
  862. char haystack[] = "Where oh where is my memory range?";
  863. char *mem = haystack + strlen("Where oh where is ");
  864. char needle = 'm';
  865. size_t len = sizeof(haystack);
  866. OPTIMIZER_HIDE_VAR(len);
  867. KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len),
  868. mem);
  869. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  870. /* Catch too-large range. */
  871. KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len + 1),
  872. NULL);
  873. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
  874. KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len * 2),
  875. NULL);
  876. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
  877. }
  878. static void fortify_test_memchr_inv(struct kunit *test)
  879. {
  880. char haystack[] = "Where oh where is my memory range?";
  881. char *mem = haystack + 1;
  882. char needle = 'W';
  883. size_t len = sizeof(haystack);
  884. OPTIMIZER_HIDE_VAR(len);
  885. /* Normal search is okay. */
  886. KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len),
  887. mem);
  888. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  889. /* Catch too-large range. */
  890. KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len + 1),
  891. NULL);
  892. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
  893. KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len * 2),
  894. NULL);
  895. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
  896. }
  897. static void fortify_test_memcmp(struct kunit *test)
  898. {
  899. char one[] = "My mind is going ...";
  900. char two[] = "My mind is going ... I can feel it.";
  901. volatile size_t one_len = sizeof(one) - 1;
  902. volatile size_t two_len = sizeof(two) - 1;
  903. OPTIMIZER_HIDE_VAR(one_len);
  904. OPTIMIZER_HIDE_VAR(two_len);
  905. /* We match the first string (ignoring the %NUL). */
  906. KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0);
  907. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  908. /* Still in bounds, but no longer matching. */
  909. KUNIT_ASSERT_LT(test, memcmp(one, two, one_len + 1), 0);
  910. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  911. /* Catch too-large ranges. */
  912. KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 2), INT_MIN);
  913. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
  914. KUNIT_ASSERT_EQ(test, memcmp(two, one, two_len + 2), INT_MIN);
  915. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
  916. }
  917. static void fortify_test_kmemdup(struct kunit *test)
  918. {
  919. char src[] = "I got Doom running on it!";
  920. char *copy;
  921. size_t len = sizeof(src);
  922. OPTIMIZER_HIDE_VAR(len);
  923. /* Copy is within bounds. */
  924. copy = kmemdup(src, len, GFP_KERNEL);
  925. KUNIT_EXPECT_NOT_NULL(test, copy);
  926. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  927. kfree(copy);
  928. /* Without %NUL. */
  929. copy = kmemdup(src, len - 1, GFP_KERNEL);
  930. KUNIT_EXPECT_NOT_NULL(test, copy);
  931. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  932. kfree(copy);
  933. /* Tiny bounds. */
  934. copy = kmemdup(src, 1, GFP_KERNEL);
  935. KUNIT_EXPECT_NOT_NULL(test, copy);
  936. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
  937. kfree(copy);
  938. /* Out of bounds by 1 byte. */
  939. copy = kmemdup(src, len + 1, GFP_KERNEL);
  940. KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR);
  941. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
  942. kfree(copy);
  943. /* Way out of bounds. */
  944. copy = kmemdup(src, len * 2, GFP_KERNEL);
  945. KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR);
  946. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
  947. kfree(copy);
  948. /* Starting offset causing out of bounds. */
  949. copy = kmemdup(src + 1, len, GFP_KERNEL);
  950. KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR);
  951. KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3);
  952. kfree(copy);
  953. }
  954. static int fortify_test_init(struct kunit *test)
  955. {
  956. if (!IS_ENABLED(CONFIG_FORTIFY_SOURCE))
  957. kunit_skip(test, "Not built with CONFIG_FORTIFY_SOURCE=y");
  958. fortify_read_overflows = 0;
  959. kunit_add_named_resource(test, NULL, NULL, &read_resource,
  960. "fortify_read_overflows",
  961. &fortify_read_overflows);
  962. fortify_write_overflows = 0;
  963. kunit_add_named_resource(test, NULL, NULL, &write_resource,
  964. "fortify_write_overflows",
  965. &fortify_write_overflows);
  966. return 0;
  967. }
  968. static struct kunit_case fortify_test_cases[] = {
  969. KUNIT_CASE(fortify_test_known_sizes),
  970. KUNIT_CASE(fortify_test_control_flow_split),
  971. KUNIT_CASE(fortify_test_alloc_size_kmalloc_const),
  972. KUNIT_CASE(fortify_test_alloc_size_kmalloc_dynamic),
  973. KUNIT_CASE(fortify_test_alloc_size_vmalloc_const),
  974. KUNIT_CASE(fortify_test_alloc_size_vmalloc_dynamic),
  975. KUNIT_CASE(fortify_test_alloc_size_kvmalloc_const),
  976. KUNIT_CASE(fortify_test_alloc_size_kvmalloc_dynamic),
  977. KUNIT_CASE(fortify_test_alloc_size_devm_kmalloc_const),
  978. KUNIT_CASE(fortify_test_alloc_size_devm_kmalloc_dynamic),
  979. KUNIT_CASE(fortify_test_realloc_size),
  980. KUNIT_CASE(fortify_test_strlen),
  981. KUNIT_CASE(fortify_test_strnlen),
  982. KUNIT_CASE(fortify_test_strcpy),
  983. KUNIT_CASE(fortify_test_strncpy),
  984. KUNIT_CASE(fortify_test_strscpy),
  985. KUNIT_CASE(fortify_test_strcat),
  986. KUNIT_CASE(fortify_test_strncat),
  987. KUNIT_CASE(fortify_test_strlcat),
  988. /* skip memset: performs bounds checking on whole structs */
  989. KUNIT_CASE(fortify_test_memcpy),
  990. KUNIT_CASE(fortify_test_memmove),
  991. KUNIT_CASE(fortify_test_memscan),
  992. KUNIT_CASE(fortify_test_memchr),
  993. KUNIT_CASE(fortify_test_memchr_inv),
  994. KUNIT_CASE(fortify_test_memcmp),
  995. KUNIT_CASE(fortify_test_kmemdup),
  996. {}
  997. };
  998. static struct kunit_suite fortify_test_suite = {
  999. .name = "fortify",
  1000. .init = fortify_test_init,
  1001. .test_cases = fortify_test_cases,
  1002. };
  1003. kunit_test_suite(fortify_test_suite);
  1004. MODULE_DESCRIPTION("Runtime test cases for CONFIG_FORTIFY_SOURCE");
  1005. MODULE_LICENSE("GPL");