Commit graph

41 commits

Author SHA1 Message Date
George Burgess IV
e9c0e828de Fix an ifdef in a test
We don't support GCC here anymore. More importantly: `#ifdef foo &&
bar` is apparently parsed as `#ifdef foo` with extra tokens at the end.
Oops.

Bug: None
Test: Treehugger
Change-Id: I63d09b0fbad688d3b68a3327a52b3bb55627272f
2018-03-26 18:03:16 -07:00
Elliott Hughes
b83bf14a35 Fortify ppoll64.
I've deliberately not bothered with the GCC implementation because we'll
have removed GCC from the NDK before anyone gets to use this.

Bug: http://b/72493232
Test: ran tests
Change-Id: Icfc2a3b214739ab53aa41bacacc11b5c67498fb4
2018-03-22 13:59:02 -07:00
Elliott Hughes
55a8cc2a0d Add trivial test for __memrchr_chk.
Bug: N/A
Test: ran tests
Change-Id: I42aefcbf1fac6b96e56a0e21f94586a3caa524dc
2017-11-09 15:46:51 -08:00
Elliott Hughes
b115aefbb3 With O_TMPFILE, open(2) takes a mode argument.
Strictly, the mode isn't really meaningful unless you supply O_EXCL,
but the kernel will take it and fstat will return it even if you
never give the file a name.

Also warn for O_TMPFILE without a mode at compile time where possible.

Bug: N/A
Test: ran tests
Change-Id: I729b6d6e6190676fd017a1190b6200bf9abdbfd8
2017-08-04 10:20:18 -07:00
Treehugger Robot
85408ef2da Merge "Fix test compile errors after LLVM rebase" 2017-05-02 22:25:59 +00:00
Yi Kong
2d3122c90b Fix test compile errors after LLVM rebase
After the new rebase of Clang, we now support the alloc_size attribute,
so we can remove the warning about switching to alloc_size once Clang
has support.

Also fix an issue where 'false' is returned in a main method.

Test: make cts
Bug: 37752547
Change-Id: I32ee814aaa0338567cb8174a68d7ee1bfece2f75
2017-05-02 21:14:42 +00:00
George Burgess IV
cf44343c1a fix half-deleted comments in tests
they were half-deleted in If341a27756d608a0fa77ba6518e9bcc725f7632c.

Bug: None
Test: mma
Change-Id: I4e0c8208a7f2a55d273f4c87adca1d755dc98b77
2017-05-01 11:20:31 -07:00
George Burgess IV
5f8a673a7f Enable FORTIFY unit tests for clang
And add a thing to remind us to enable the malloc FORTIFY test when we
pull a new clang in.

Bug: 34747525
Test: vts -m BionicUnitTests on bullhead
Change-Id: If341a27756d608a0fa77ba6518e9bcc725f7632c
2017-04-06 11:27:41 -07:00
George Burgess IV
bd3d2088d9 libc: add const-correct string.h overloads
libcxx provides const-correct overloads for a few string.h functions.
These overloads use clang's enable_if attribute, so they're preferred
over our FORTIFY'ed equivalents.

This weakens _FORTIFY_SOURCE=2 when used with some of these functions,
since clang needs to see __pass_object_size in order to pass an accurate
result for __builtin_object_size(s, 1) at a callsite. Since those
functions don't have __pass_object_size on their params, clang can't do
that. This makes LLVM lower the __builtin_object_size calls, which means
we get the same result as __builtin_object_size(s, 0).

We have to provide all of the overloads in Bionic, since enable_if is
only used to disambiguate overloads with (otherwise) the same type. In
other words:

// overload 1
char *strchr(const char *, int s) __attribute__((enable_if(1, "")));
// overload 2
char *strchr(char *, int s);

void foo() {
  char cs[1] = {};
  strchr(static_cast<const char *>(cs), '\0'); // calls overload #1.
  strchr(cs, '\0'); // calls overload #2.
}

Bug: 34747525
Test: m checkbuild on bullhead internal master + AOSP. vts -m
BionicUnitTests passes on both. Surprisingly, the only code that this
seems to break is contained in Bionic.

Change-Id: Ie406f42fb3d1c5bf940dc857889876fc39b57c90
2017-04-05 13:17:07 -07:00
Daniel Micay
95b59c520b add fortified implementations of send/sendto
Bug: None
Test: Bullhead builds+boots; CtsBionicTestCases passes.
Change-Id: I2f137a100f679f7f2145d84b2f29ddd3e96a36ae
2017-02-14 15:50:28 -08:00
Elliott Hughes
62e59646f8 Improve diagnostics from the assembler __memset_chk routines.
Change-Id: Ic165043ab8cd5e16866b3e11cfba960514cbdc57
2016-03-01 12:46:47 -08:00
Dan Albert
f68dcbe093 Fix our fortify tests for global -Werror.
If anyone has a better way of doing this it would be welcome...

Bug: http://b/26936282
Change-Id: I796896866327b4b5b5ee4ec36994fb320993f85d
2016-02-02 17:13:03 -08:00
Daniel Micay
afdd15456a add fortified implementations of write/pwrite{,64}
These are just based on the read/pread{,64} implementations with the
function calls and error messages adjusted as appropriate. The only
difference is that the buffer parameters are const.

Change-Id: Ida1597a903807f583f230d74bcedffdb7b24fcf6
2015-08-20 13:46:51 -04:00
Daniel Micay
9101b00400 add a fortified implementation of getcwd
Change-Id: Ice3e6d3e1ff07788305dc85f8ee4059baad5fac4
2015-08-01 00:42:30 -04:00
Daniel Micay
fed2659869 add fortified implementations of fread/fwrite
A __size_mul_overflow utility is used to take advantage of the checked
overflow intrinsics in Clang and GCC (>= 5). The fallback for older
compilers is the optimized but less than ideal overflow checking pattern
used in OpenBSD.

Change-Id: Ibb0d4fd9b5acb67983e6a9f46844c2fd444f7e69
2015-07-23 18:55:46 -04:00
Daniel Micay
42281880a8 add fortified readlink/readlinkat implementations
Change-Id: Ia4b1824d20cad3a072b9162047492dade8576779
2015-04-17 18:49:12 -04:00
Daniel Micay
e7e1c875b0 add fortified implementations of pread/pread64
Change-Id: Iec39c3917e0bc94371bd81541619392f5abe29b9
2015-04-16 10:33:35 -04:00
Yabin Cui
f4fe6937aa Fix poll/ppoll fortify test to avoid hanging in failed fortify clang test.
Bug: 19220800
Change-Id: Ie75c640183c4a41a499556fefb4f824a134a5fb1
2015-02-04 12:27:06 -08:00
Elliott Hughes
d036e94bb3 Explicitly check that the reason fortify tests abort is fortify.
Change-Id: I95291e2febf7b497c1d9f37fd7fa9acdd21e86a4
2015-02-02 11:18:58 -08:00
Elliott Hughes
4674e3899a Fortify poll and ppoll.
And remove the test for FD_ZERO fortification, which never made much
sense anyway.

Change-Id: Id1009c5298d461fa4722189e8ecaf22f0c529536
2015-02-02 09:15:19 -08:00
Yabin Cui
9df70403d9 make all bionic death tests not dumpable
Bug: 18067305

Change-Id: Ia1ecacf47eddecc9bc58aaac779e0c218f463179
2014-11-06 11:09:03 -08:00
Nick Kralevich
884a3de60f Revert "cdefs.h: add artificial attribute to FORTIFY_SOURCE functions"
Broke the build.

In file included from frameworks/rs/cpu_ref/rsCpuCore.cpp:36:
system/core/include/cutils/properties.h:118:1: error: unknown attribute '__artificial__' ignored [-Werror,-Wunknown-attributes]
__BIONIC_FORTIFY_INLINE
^
bionic/libc/include/sys/cdefs.h:537:110: note: expanded from macro '__BIONIC_FORTIFY_INLINE'
#define __BIONIC_FORTIFY_INLINE extern __inline__ __always_inline __attribute__((gnu_inline)) __attribute__((__artificial__))
                                                                                                             ^
1 error generated.
make: *** [out/target/product/generic/obj/SHARED_LIBRARIES/libRSCpuRef_intermediates/rsCpuCore.o] Error 1
This reverts commit 9b543ffeac.

Change-Id: I6a1198747505dcb402b722887c1bfbc3a628a8b8
2014-10-06 00:39:47 +00:00
Nick Kralevich
9b543ffeac cdefs.h: add artificial attribute to FORTIFY_SOURCE functions
Otherwise the gcc compiler warning doesn't show up.

Delete some unittests. These unittests no longer compile cleanly
using -Wall -Werror, and rewriting them to compile cleanly
isn't feasible.

Bug: 17784968
Change-Id: I9bbdc7b6a1c2ac75754f5d0f90782e0dfae66721
2014-10-04 22:01:41 -07:00
Nick Kralevich
be0e43b776 debuggerd: if PR_GET_DUMPABLE=0, don't ask for dumping
PR_GET_DUMPABLE is used by an application to indicate whether or
not core dumps / PTRACE_ATTACH should work.

Security sensitive applications often set PR_SET_DUMPABLE to 0 to
disable core dumps, to avoid leaking sensitive memory to persistent
storage. Similarly, they also set PR_SET_DUMPABLE to zero to prevent
PTRACE_ATTACH from working, again to avoid leaking the contents
of sensitive memory.

Honor PR_GET_DUMPABLE when connecting to debuggerd. If an application
has said it doesn't want its memory dumped, then we shouldn't
ask debuggerd to dump memory on its behalf.

FORTIFY_SOURCE tests: Modify the fortify_source tests to set
PR_SET_DUMPABLE=0. This reduces the total runtime of
/data/nativetest/bionic-unit-tests/bionic-unit-tests32 from approx
53 seconds to 25 seconds. There's no need to connect to debuggerd
when running these tests.

Bug: 16513137
Change-Id: Idc7857b089f3545758f4d9b436b783d580fb653f
2014-07-23 15:48:49 -07:00
Elliott Hughes
063525c61d Consistently use #if defined(__BIONIC__) in tests.
I've also switched some tests to be positive rather than negative,
because !defined is slightly harder to reason about and there are
only two cases: bionic and glibc.

Change-Id: I8d3ac40420ca5aead3e88c69cf293f267273c8ef
2014-05-13 11:19:57 -07:00
Elliott Hughes
409588cdae Fix fallout from host GCC upgrade.
I'll raise a bug for the FD_ISSET fortification; we should do better too.

Change-Id: Id2bf277890ad06b010dc952e270d746714c2bea7
2014-04-23 23:02:43 -07:00
Christopher Ferris
950a58e24d Add stpcpy/stpncpy.
Add tests for the above.

Add the fortify implementations of __stpcpy_chk and __stpncpy_chk.

Modify the strncpy test to cover more cases and use this template for
stpncpy.

Add all of the fortify test cases.

Bug: 13746695
Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
2014-04-07 16:41:53 -07:00
Christopher Ferris
f04935c85e Make sure that the same tests are on all platforms.
In order to be able to generate a list of tests for cts, the same set of
tests must exist across all platforms. This CL adds empty tests where a
test was conditionally compiled out.

This CL creates a single library libBionicTests that includes all of
the tests found in bionic-unit-tests-static.

Also fix a few missing include files in some test files.

Tested by running and compiling the tests for every platform and
verifying the same number of tests are on each platform.

Change-Id: I9989d4bfebb0f9c409a0ce7e87169299eac605a2
2014-02-06 20:12:21 -08:00
Stephen Hines
6e38072add Wrap sprintf()/snprintf() macros to prevent expansion errors.
Previously, FORTIFY_SOURCE used single macros to define these standard
functions for use with clang. This can cause conflicts with other macros used
to call these functions, particularly when those macros expand the number of
arguments to the function. This change wraps our macro definitions, so that
expansion properly takes place for programmer arguments first.

Change-Id: I55929b1fd2a643b9d14a17631c4bcab3b0b712cf
2013-10-11 12:14:49 -07:00
Nick Kralevich
b036b5ca36 FORTIFY_SOURCE: fortify read()
Change-Id: Ic7de163fe121db13e00560adb257331bc709814d
2013-10-09 20:17:03 -07:00
Nick Kralevich
8d25327639 Revert "FORTIFY_SOURCE: fortify read()"
This change reverts
* fb3f956d07.
* 65c99de2cb

Change-Id: Id5774eeede41130579115cf67a72ee914f2b47d5
2013-10-09 16:46:25 -07:00
Nick Kralevich
65c99de2cb FORTIFY_SOURCE: fortify read()
Change-Id: I3d7b4ec86d04efb865117ce7629a2e26917f3331
2013-10-09 13:44:38 -07:00
Nick Kralevich
7943df62f7 Check memory size on FD_* functions
Make sure the buffer we're dealing with has enough room.
Might as well check for memory issues while we're here,
even though I don't imagine they'll happen in practice.

Change-Id: I0ae1f0f06aca9ceb91e58c70183bb14e275b92b5
2013-10-03 15:45:10 -07:00
Elliott Hughes
5b9310e502 Fix 32-bit issues in tests, and add a trivial test for the FD_* macros.
Change-Id: Ia3f21ce1f0ed9236527fe44d36ccb7de6bf63113
2013-10-02 16:59:05 -07:00
Nick Kralevich
90201d5eca FORTIFY_SOURCE: Add __FD_* checks
Add FORTIFY_SOURCE checks for the following macros:

* FD_CLR
* FD_ISSET
* FD_SET

Bug: 11047121
Change-Id: I3c5952136aec9eff3288b91b1318677ff971525c
2013-10-02 16:11:30 -07:00
Nick Kralevich
b91791d71c Use alloc_size attribute on *alloc functions
malloc and family were not declared with __attribute__((alloc_size)).
This was (sometimes) preventing FORTIFY_SOURCE related functions
from knowing the size of the buffer it's dealing with, inhibiting
FORTIFY_SOURCE protections.

Add __attribute__((alloc_size))

Information about the alloc_size attribute can be found
at http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html

Change-Id: Ia2f0a445f0170a7325f69259b5e7fb35a9f14921
2013-10-02 14:14:40 -07:00
Nick Kralevich
60f4f9a5b9 libc: fortify recvfrom()
Fortify calls to recv() and recvfrom().

We use __bos0 to match glibc's behavior, and because I haven't
tested using __bos.

Change-Id: Iad6ae96551a89af17a9c347b80cdefcf2020c505
2013-09-24 16:45:01 -07:00
Christopher Ferris
16e185c908 __memcpy_chk: Fix signed cmp of unsigned values.
I accidentally did a signed comparison of the size_t values passed in
for three of the _chk functions. Changing them to unsigned compares.

Add three new tests to verify this failure is fixed.

Bug: 10691831

Merge from internal master.

(cherry-picked from 883ef2499c)

Change-Id: Id9a96b549435f5d9b61dc132cf1082e0e30889f5
2013-09-20 20:12:09 -07:00
Nick Kralevich
93501d3ab8 FORTIFY_SOURCE: introduce __strncpy_chk2
This change detects programs reading beyond the end of "src" when
calling strncpy.

Change-Id: Ie1b42de923385d62552b22c27b2d4713ab77ee03
2013-08-28 12:39:06 -07:00
Nick Kralevich
a6cde39276 More FORTIFY_SOURCE functions under clang
* bzero
* umask
* strlcat

Change-Id: I65065208e0b8b37e10f6a266d5305de8fa9e59fc
2013-06-29 08:16:22 -07:00
Nick Kralevich
5bcf39842e Reorganize FORTIFY_SOURCE tests.
Get rid of a lot of the duplication in the various FORTIFY_SOURCE
tests. Instead, we build 4 separate static libraries, with
4 different compile time options, and link them into the final test
binary.

Change-Id: Idb0b7cccc8dd837adb037bf4ddfe8942ae138230
2013-06-28 11:54:29 -07:00
Renamed from tests/fortify2_test.cpp (Browse further)