1 // SPDX-License-Identifier: GPL-2.0
3 * Runtime test cases for CONFIG_FORTIFY_SOURCE. For testing memcpy(),
4 * see FORTIFY_MEM_* tests in LKDTM (drivers/misc/lkdtm/fortify.c).
6 * For corner cases with UBSAN, try testing with:
8 * ./tools/testing/kunit/kunit.py run --arch=x86_64 \
9 * --kconfig_add CONFIG_FORTIFY_SOURCE=y \
10 * --kconfig_add CONFIG_UBSAN=y \
11 * --kconfig_add CONFIG_UBSAN_TRAP=y \
12 * --kconfig_add CONFIG_UBSAN_BOUNDS=y \
13 * --kconfig_add CONFIG_UBSAN_LOCAL_BOUNDS=y \
14 * --make_options LLVM=1 fortify
16 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18 /* Redefine fortify_panic() to track failures. */
19 void fortify_add_kunit_error(int write);
20 #define fortify_panic(func, write, avail, size, retfail) do { \
21 __fortify_report(FORTIFY_REASON(func, write), avail, size); \
22 fortify_add_kunit_error(write); \
26 #include <kunit/device.h>
27 #include <kunit/test.h>
28 #include <kunit/test-bug.h>
29 #include <linux/device.h>
30 #include <linux/slab.h>
31 #include <linux/string.h>
32 #include <linux/vmalloc.h>
34 /* Handle being built without CONFIG_FORTIFY_SOURCE */
35 #ifndef __compiletime_strlen
36 # define __compiletime_strlen __builtin_strlen
39 static struct kunit_resource read_resource;
40 static struct kunit_resource write_resource;
41 static int fortify_read_overflows;
42 static int fortify_write_overflows;
44 static const char array_of_10[] = "this is 10";
45 static const char *ptr_of_11 = "this is 11!";
46 static char array_unknown[] = "compiler thinks I might change";
48 void fortify_add_kunit_error(int write)
50 struct kunit_resource *resource;
51 struct kunit *current_test;
53 current_test = kunit_get_current_test();
57 resource = kunit_find_named_resource(current_test,
58 write ? "fortify_write_overflows"
59 : "fortify_read_overflows");
63 (*(int *)resource->data)++;
64 kunit_put_resource(resource);
67 static void known_sizes_test(struct kunit *test)
69 KUNIT_EXPECT_EQ(test, __compiletime_strlen("88888888"), 8);
70 KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_of_10), 10);
71 KUNIT_EXPECT_EQ(test, __compiletime_strlen(ptr_of_11), 11);
73 KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_unknown), SIZE_MAX);
74 /* Externally defined and dynamically sized string pointer: */
75 KUNIT_EXPECT_EQ(test, __compiletime_strlen(test->name), SIZE_MAX);
78 /* This is volatile so the optimizer can't perform DCE below. */
79 static volatile int pick;
81 /* Not inline to keep optimizer from figuring out which string we want. */
82 static noinline size_t want_minus_one(int pick)
97 return __compiletime_strlen(str);
100 static void control_flow_split_test(struct kunit *test)
102 KUNIT_EXPECT_EQ(test, want_minus_one(pick), SIZE_MAX);
105 #define KUNIT_EXPECT_BOS(test, p, expected, name) \
106 KUNIT_EXPECT_EQ_MSG(test, __builtin_object_size(p, 1), \
108 "__alloc_size() not working with __bos on " name "\n")
110 #if !__has_builtin(__builtin_dynamic_object_size)
111 #define KUNIT_EXPECT_BDOS(test, p, expected, name) \
112 /* Silence "unused variable 'expected'" warning. */ \
113 KUNIT_EXPECT_EQ(test, expected, expected)
115 #define KUNIT_EXPECT_BDOS(test, p, expected, name) \
116 KUNIT_EXPECT_EQ_MSG(test, __builtin_dynamic_object_size(p, 1), \
118 "__alloc_size() not working with __bdos on " name "\n")
121 /* If the execpted size is a constant value, __bos can see it. */
122 #define check_const(_expected, alloc, free) do { \
123 size_t expected = (_expected); \
125 KUNIT_EXPECT_TRUE_MSG(test, p != NULL, #alloc " failed?!\n"); \
126 KUNIT_EXPECT_BOS(test, p, expected, #alloc); \
127 KUNIT_EXPECT_BDOS(test, p, expected, #alloc); \
131 /* If the execpted size is NOT a constant value, __bos CANNOT see it. */
132 #define check_dynamic(_expected, alloc, free) do { \
133 size_t expected = (_expected); \
135 KUNIT_EXPECT_TRUE_MSG(test, p != NULL, #alloc " failed?!\n"); \
136 KUNIT_EXPECT_BOS(test, p, SIZE_MAX, #alloc); \
137 KUNIT_EXPECT_BDOS(test, p, expected, #alloc); \
141 /* Assortment of constant-value kinda-edge cases. */
142 #define CONST_TEST_BODY(TEST_alloc) do { \
143 /* Special-case vmalloc()-family to skip 0-sized allocs. */ \
144 if (strcmp(#TEST_alloc, "TEST_vmalloc") != 0) \
145 TEST_alloc(check_const, 0, 0); \
146 TEST_alloc(check_const, 1, 1); \
147 TEST_alloc(check_const, 128, 128); \
148 TEST_alloc(check_const, 1023, 1023); \
149 TEST_alloc(check_const, 1025, 1025); \
150 TEST_alloc(check_const, 4096, 4096); \
151 TEST_alloc(check_const, 4097, 4097); \
154 static volatile size_t zero_size;
155 static volatile size_t unknown_size = 50;
157 #if !__has_builtin(__builtin_dynamic_object_size)
158 #define DYNAMIC_TEST_BODY(TEST_alloc) \
159 kunit_skip(test, "Compiler is missing __builtin_dynamic_object_size() support\n")
161 #define DYNAMIC_TEST_BODY(TEST_alloc) do { \
162 size_t size = unknown_size; \
165 * Expected size is "size" in each test, before it is then \
166 * internally incremented in each test. Requires we disable \
169 TEST_alloc(check_dynamic, size, size++); \
170 /* Make sure incrementing actually happened. */ \
171 KUNIT_EXPECT_NE(test, size, unknown_size); \
175 #define DEFINE_ALLOC_SIZE_TEST_PAIR(allocator) \
176 static void alloc_size_##allocator##_const_test(struct kunit *test) \
178 CONST_TEST_BODY(TEST_##allocator); \
180 static void alloc_size_##allocator##_dynamic_test(struct kunit *test) \
182 DYNAMIC_TEST_BODY(TEST_##allocator); \
185 #define TEST_kmalloc(checker, expected_size, alloc_size) do { \
186 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
190 checker(expected_size, kmalloc(alloc_size, gfp), \
192 checker(expected_size, \
193 kmalloc_node(alloc_size, gfp, NUMA_NO_NODE), \
195 checker(expected_size, kzalloc(alloc_size, gfp), \
197 checker(expected_size, \
198 kzalloc_node(alloc_size, gfp, NUMA_NO_NODE), \
200 checker(expected_size, kcalloc(1, alloc_size, gfp), \
202 checker(expected_size, kcalloc(alloc_size, 1, gfp), \
204 checker(expected_size, \
205 kcalloc_node(1, alloc_size, gfp, NUMA_NO_NODE), \
207 checker(expected_size, \
208 kcalloc_node(alloc_size, 1, gfp, NUMA_NO_NODE), \
210 checker(expected_size, kmalloc_array(1, alloc_size, gfp), \
212 checker(expected_size, kmalloc_array(alloc_size, 1, gfp), \
214 checker(expected_size, \
215 kmalloc_array_node(1, alloc_size, gfp, NUMA_NO_NODE), \
217 checker(expected_size, \
218 kmalloc_array_node(alloc_size, 1, gfp, NUMA_NO_NODE), \
220 checker(expected_size, __kmalloc(alloc_size, gfp), \
222 checker(expected_size, \
223 __kmalloc_node(alloc_size, gfp, NUMA_NO_NODE), \
226 orig = kmalloc(alloc_size, gfp); \
227 KUNIT_EXPECT_TRUE(test, orig != NULL); \
228 checker((expected_size) * 2, \
229 krealloc(orig, (alloc_size) * 2, gfp), \
231 orig = kmalloc(alloc_size, gfp); \
232 KUNIT_EXPECT_TRUE(test, orig != NULL); \
233 checker((expected_size) * 2, \
234 krealloc_array(orig, 1, (alloc_size) * 2, gfp), \
236 orig = kmalloc(alloc_size, gfp); \
237 KUNIT_EXPECT_TRUE(test, orig != NULL); \
238 checker((expected_size) * 2, \
239 krealloc_array(orig, (alloc_size) * 2, 1, gfp), \
243 /* Using memdup() with fixed size, so force unknown length. */ \
244 if (!__builtin_constant_p(expected_size)) \
246 checker(len, kmemdup("hello there", len, gfp), kfree(p)); \
248 DEFINE_ALLOC_SIZE_TEST_PAIR(kmalloc)
250 /* Sizes are in pages, not bytes. */
251 #define TEST_vmalloc(checker, expected_pages, alloc_pages) do { \
252 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
253 checker((expected_pages) * PAGE_SIZE, \
254 vmalloc((alloc_pages) * PAGE_SIZE), vfree(p)); \
255 checker((expected_pages) * PAGE_SIZE, \
256 vzalloc((alloc_pages) * PAGE_SIZE), vfree(p)); \
257 checker((expected_pages) * PAGE_SIZE, \
258 __vmalloc((alloc_pages) * PAGE_SIZE, gfp), vfree(p)); \
260 DEFINE_ALLOC_SIZE_TEST_PAIR(vmalloc)
262 /* Sizes are in pages (and open-coded for side-effects), not bytes. */
263 #define TEST_kvmalloc(checker, expected_pages, alloc_pages) do { \
264 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
268 checker((expected_pages) * PAGE_SIZE, \
269 kvmalloc((alloc_pages) * PAGE_SIZE, gfp), \
271 checker((expected_pages) * PAGE_SIZE, \
272 kvmalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \
274 checker((expected_pages) * PAGE_SIZE, \
275 kvzalloc((alloc_pages) * PAGE_SIZE, gfp), \
277 checker((expected_pages) * PAGE_SIZE, \
278 kvzalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \
280 checker((expected_pages) * PAGE_SIZE, \
281 kvcalloc(1, (alloc_pages) * PAGE_SIZE, gfp), \
283 checker((expected_pages) * PAGE_SIZE, \
284 kvcalloc((alloc_pages) * PAGE_SIZE, 1, gfp), \
286 checker((expected_pages) * PAGE_SIZE, \
287 kvmalloc_array(1, (alloc_pages) * PAGE_SIZE, gfp), \
289 checker((expected_pages) * PAGE_SIZE, \
290 kvmalloc_array((alloc_pages) * PAGE_SIZE, 1, gfp), \
293 prev_size = (expected_pages) * PAGE_SIZE; \
294 orig = kvmalloc(prev_size, gfp); \
295 KUNIT_EXPECT_TRUE(test, orig != NULL); \
296 checker(((expected_pages) * PAGE_SIZE) * 2, \
297 kvrealloc(orig, prev_size, \
298 ((alloc_pages) * PAGE_SIZE) * 2, gfp), \
301 DEFINE_ALLOC_SIZE_TEST_PAIR(kvmalloc)
303 #define TEST_devm_kmalloc(checker, expected_size, alloc_size) do { \
304 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
305 const char dev_name[] = "fortify-test"; \
306 struct device *dev; \
310 /* Create dummy device for devm_kmalloc()-family tests. */ \
311 dev = kunit_device_register(test, dev_name); \
312 KUNIT_ASSERT_FALSE_MSG(test, IS_ERR(dev), \
313 "Cannot register test device\n"); \
315 checker(expected_size, devm_kmalloc(dev, alloc_size, gfp), \
316 devm_kfree(dev, p)); \
317 checker(expected_size, devm_kzalloc(dev, alloc_size, gfp), \
318 devm_kfree(dev, p)); \
319 checker(expected_size, \
320 devm_kmalloc_array(dev, 1, alloc_size, gfp), \
321 devm_kfree(dev, p)); \
322 checker(expected_size, \
323 devm_kmalloc_array(dev, alloc_size, 1, gfp), \
324 devm_kfree(dev, p)); \
325 checker(expected_size, \
326 devm_kcalloc(dev, 1, alloc_size, gfp), \
327 devm_kfree(dev, p)); \
328 checker(expected_size, \
329 devm_kcalloc(dev, alloc_size, 1, gfp), \
330 devm_kfree(dev, p)); \
332 orig = devm_kmalloc(dev, alloc_size, gfp); \
333 KUNIT_EXPECT_TRUE(test, orig != NULL); \
334 checker((expected_size) * 2, \
335 devm_krealloc(dev, orig, (alloc_size) * 2, gfp), \
336 devm_kfree(dev, p)); \
339 /* Using memdup() with fixed size, so force unknown length. */ \
340 if (!__builtin_constant_p(expected_size)) \
342 checker(len, devm_kmemdup(dev, "Ohai", len, gfp), \
343 devm_kfree(dev, p)); \
345 kunit_device_unregister(test, dev); \
347 DEFINE_ALLOC_SIZE_TEST_PAIR(devm_kmalloc)
350 * We can't have an array at the end of a structure or else
351 * builds without -fstrict-flex-arrays=3 will report them as
352 * being an unknown length. Additionally, add bytes before
353 * and after the string to catch over/underflows if tests
356 struct fortify_padding {
357 unsigned long bytes_before;
359 unsigned long bytes_after;
361 /* Force compiler into not being able to resolve size at compile-time. */
362 static volatile int unconst;
364 static void strlen_test(struct kunit *test)
366 struct fortify_padding pad = { };
367 int i, end = sizeof(pad.buf) - 1;
369 /* Fill 31 bytes with valid characters. */
370 for (i = 0; i < sizeof(pad.buf) - 1; i++)
371 pad.buf[i] = i + '0';
372 /* Trailing bytes are still %NUL. */
373 KUNIT_EXPECT_EQ(test, pad.buf[end], '\0');
374 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
376 /* String is terminated, so strlen() is valid. */
377 KUNIT_EXPECT_EQ(test, strlen(pad.buf), end);
378 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
380 /* Make string unterminated, and recount. */
382 end = sizeof(pad.buf);
383 KUNIT_EXPECT_EQ(test, strlen(pad.buf), end);
384 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
387 static void strnlen_test(struct kunit *test)
389 struct fortify_padding pad = { };
390 int i, end = sizeof(pad.buf) - 1;
392 /* Fill 31 bytes with valid characters. */
393 for (i = 0; i < sizeof(pad.buf) - 1; i++)
394 pad.buf[i] = i + '0';
395 /* Trailing bytes are still %NUL. */
396 KUNIT_EXPECT_EQ(test, pad.buf[end], '\0');
397 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
399 /* String is terminated, so strnlen() is valid. */
400 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf)), end);
401 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
402 /* A truncated strnlen() will be safe, too. */
403 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf) / 2),
404 sizeof(pad.buf) / 2);
405 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
407 /* Make string unterminated, and recount. */
409 end = sizeof(pad.buf);
410 /* Reading beyond with strncpy() will fail. */
411 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end);
412 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
413 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end);
414 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
416 /* Early-truncated is safe still, though. */
417 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end);
418 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
420 end = sizeof(pad.buf) / 2;
421 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end);
422 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
425 static void strcpy_test(struct kunit *test)
427 struct fortify_padding pad = { };
428 char src[sizeof(pad.buf) + 1] = { };
431 /* Fill 31 bytes with valid characters. */
432 for (i = 0; i < sizeof(src) - 2; i++)
435 /* Destination is %NUL-filled to start with. */
436 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
437 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
438 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
439 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
440 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
442 /* Legitimate strcpy() 1 less than of max size. */
443 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
445 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
446 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
447 /* Only last byte should be %NUL */
448 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
449 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
450 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
452 src[sizeof(src) - 2] = 'A';
453 /* But now we trip the overflow checking. */
454 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
456 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
457 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
458 /* Trailing %NUL -- thanks to FORTIFY. */
459 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
460 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
461 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
462 /* And we will not have gone beyond. */
463 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
465 src[sizeof(src) - 1] = 'A';
466 /* And for sure now, two bytes past. */
467 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
470 * Which trips both the strlen() on the unterminated src,
471 * and the resulting copy attempt.
473 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
474 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
475 /* Trailing %NUL -- thanks to FORTIFY. */
476 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
477 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
478 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
479 /* And we will not have gone beyond. */
480 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
483 static void strncpy_test(struct kunit *test)
485 struct fortify_padding pad = { };
486 char src[] = "Copy me fully into a small buffer and I will overflow!";
488 /* Destination is %NUL-filled to start with. */
489 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
490 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
491 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
492 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
493 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
495 /* Legitimate strncpy() 1 less than of max size. */
496 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
497 sizeof(pad.buf) + unconst - 1)
499 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
500 /* Only last byte should be %NUL */
501 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
502 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
503 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
505 /* Legitimate (though unterminated) max-size strncpy. */
506 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
507 sizeof(pad.buf) + unconst)
509 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
510 /* No trailing %NUL -- thanks strncpy API. */
511 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
512 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
513 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
514 /* But we will not have gone beyond. */
515 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
517 /* Now verify that FORTIFY is working... */
518 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
519 sizeof(pad.buf) + unconst + 1)
521 /* Should catch the overflow. */
522 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
523 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
524 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
525 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
526 /* And we will not have gone beyond. */
527 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
530 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
531 sizeof(pad.buf) + unconst + 2)
533 /* Should catch the overflow. */
534 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
535 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
536 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
537 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
538 /* And we will not have gone beyond. */
539 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
542 static void strscpy_test(struct kunit *test)
544 struct fortify_padding pad = { };
545 char src[] = "Copy me fully into a small buffer and I will overflow!";
547 /* Destination is %NUL-filled to start with. */
548 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
549 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
550 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
551 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
552 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
554 /* Legitimate strscpy() 1 less than of max size. */
555 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
556 sizeof(pad.buf) + unconst - 1),
558 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
559 /* Keeping space for %NUL, last two bytes should be %NUL */
560 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
561 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
562 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
564 /* Legitimate max-size strscpy. */
565 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
566 sizeof(pad.buf) + unconst),
568 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
569 /* A trailing %NUL will exist. */
570 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
571 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
572 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
574 /* Now verify that FORTIFY is working... */
575 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
576 sizeof(pad.buf) + unconst + 1),
578 /* Should catch the overflow. */
579 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
580 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
581 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
582 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
583 /* And we will not have gone beyond. */
584 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
586 /* And much further... */
587 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
588 sizeof(src) * 2 + unconst),
590 /* Should catch the overflow. */
591 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
592 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
593 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
594 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
595 /* And we will not have gone beyond. */
596 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
599 static void strcat_test(struct kunit *test)
601 struct fortify_padding pad = { };
602 char src[sizeof(pad.buf) / 2] = { };
607 /* Fill 15 bytes with valid characters. */
608 for (i = 0; i < sizeof(src) - 1; i++)
611 /* Destination is %NUL-filled to start with. */
612 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
613 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
614 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
615 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
616 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
618 /* Legitimate strcat() using less than half max size. */
619 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, src) == pad.buf);
620 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
621 /* Legitimate strcat() now 2 bytes shy of end. */
622 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, src) == pad.buf);
623 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
624 /* Last two bytes should be %NUL */
625 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
626 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
627 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
629 /* Add one more character to the end. */
630 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, one) == pad.buf);
631 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
632 /* Last byte should be %NUL */
633 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
634 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
635 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
637 /* And this one char will overflow. */
638 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, one) == pad.buf);
639 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
640 /* Last byte should be %NUL thanks to FORTIFY. */
641 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
642 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
643 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
644 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
646 /* And adding two will overflow more. */
647 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, two) == pad.buf);
648 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
649 /* Last byte should be %NUL thanks to FORTIFY. */
650 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
651 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
652 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
653 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
656 static void strncat_test(struct kunit *test)
658 struct fortify_padding pad = { };
659 char src[sizeof(pad.buf)] = { };
662 /* Fill 31 bytes with valid characters. */
663 partial = sizeof(src) / 2 - 1;
664 for (i = 0; i < partial; i++)
667 /* Destination is %NUL-filled to start with. */
668 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
669 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
670 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
671 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
672 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
674 /* Legitimate strncat() using less than half max size. */
675 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, partial) == pad.buf);
676 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
677 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
678 /* Legitimate strncat() now 2 bytes shy of end. */
679 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, partial) == pad.buf);
680 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
681 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
682 /* Last two bytes should be %NUL */
683 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
684 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
685 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
687 /* Add one more character to the end. */
688 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf);
689 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
690 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
691 /* Last byte should be %NUL */
692 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
693 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
694 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
696 /* And this one char will overflow. */
697 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf);
698 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
699 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
700 /* Last byte should be %NUL thanks to FORTIFY. */
701 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
702 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
703 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
704 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
706 /* And adding two will overflow more. */
707 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 2) == pad.buf);
708 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
709 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
710 /* Last byte should be %NUL thanks to FORTIFY. */
711 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
712 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
713 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
714 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
716 /* Force an unterminated destination, and overflow. */
717 pad.buf[sizeof(pad.buf) - 1] = 'A';
718 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf);
719 /* This will have tripped both strlen() and strcat(). */
720 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
721 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 3);
722 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
723 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
724 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
725 /* But we should not go beyond the end. */
726 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
729 static void strlcat_test(struct kunit *test)
731 struct fortify_padding pad = { };
732 char src[sizeof(pad.buf)] = { };
734 int len = sizeof(pad.buf) + unconst;
736 /* Fill 15 bytes with valid characters. */
737 partial = sizeof(src) / 2 - 1;
738 for (i = 0; i < partial; i++)
741 /* Destination is %NUL-filled to start with. */
742 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
743 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
744 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
745 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
746 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
748 /* Legitimate strlcat() using less than half max size. */
749 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len), partial);
750 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
751 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
752 /* Legitimate strlcat() now 2 bytes shy of end. */
753 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len), partial * 2);
754 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
755 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
756 /* Last two bytes should be %NUL */
757 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
758 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
759 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
761 /* Add one more character to the end. */
762 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "Q", len), partial * 2 + 1);
763 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
764 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
765 /* Last byte should be %NUL */
766 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
767 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
768 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
770 /* And this one char will overflow. */
771 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "V", len * 2), len);
772 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
773 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
774 /* Last byte should be %NUL thanks to FORTIFY. */
775 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
776 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
777 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
778 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
780 /* And adding two will overflow more. */
781 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "QQ", len * 2), len + 1);
782 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
783 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
784 /* Last byte should be %NUL thanks to FORTIFY. */
785 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
786 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
787 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
788 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
790 /* Force an unterminated destination, and overflow. */
791 pad.buf[sizeof(pad.buf) - 1] = 'A';
792 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "TT", len * 2), len + 2);
793 /* This will have tripped both strlen() and strlcat(). */
794 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
795 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
796 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
797 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
798 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
799 /* But we should not go beyond the end. */
800 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
802 /* Force an unterminated source, and overflow. */
803 memset(src, 'B', sizeof(src));
804 pad.buf[sizeof(pad.buf) - 1] = '\0';
805 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len * 3), len - 1 + sizeof(src));
806 /* This will have tripped both strlen() and strlcat(). */
807 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3);
808 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 3);
809 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
810 /* But we should not go beyond the end. */
811 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
814 static void memscan_test(struct kunit *test)
816 char haystack[] = "Where oh where is my memory range?";
817 char *mem = haystack + strlen("Where oh where is ");
819 size_t len = sizeof(haystack) + unconst;
821 KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len),
823 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
824 /* Catch too-large range. */
825 KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len + 1),
827 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
828 KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len * 2),
830 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
833 static void memchr_test(struct kunit *test)
835 char haystack[] = "Where oh where is my memory range?";
836 char *mem = haystack + strlen("Where oh where is ");
838 size_t len = sizeof(haystack) + unconst;
840 KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len),
842 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
843 /* Catch too-large range. */
844 KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len + 1),
846 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
847 KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len * 2),
849 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
852 static void memchr_inv_test(struct kunit *test)
854 char haystack[] = "Where oh where is my memory range?";
855 char *mem = haystack + 1;
857 size_t len = sizeof(haystack) + unconst;
859 /* Normal search is okay. */
860 KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len),
862 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
863 /* Catch too-large range. */
864 KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len + 1),
866 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
867 KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len * 2),
869 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
872 static void memcmp_test(struct kunit *test)
874 char one[] = "My mind is going ...";
875 char two[] = "My mind is going ... I can feel it.";
876 size_t one_len = sizeof(one) + unconst - 1;
877 size_t two_len = sizeof(two) + unconst - 1;
879 /* We match the first string (ignoring the %NUL). */
880 KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0);
881 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
882 /* Still in bounds, but no longer matching. */
883 KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 1), -32);
884 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
886 /* Catch too-large ranges. */
887 KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 2), INT_MIN);
888 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
890 KUNIT_ASSERT_EQ(test, memcmp(two, one, two_len + 2), INT_MIN);
891 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
894 static void kmemdup_test(struct kunit *test)
896 char src[] = "I got Doom running on it!";
898 size_t len = sizeof(src) + unconst;
900 /* Copy is within bounds. */
901 copy = kmemdup(src, len, GFP_KERNEL);
902 KUNIT_EXPECT_NOT_NULL(test, copy);
903 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
907 copy = kmemdup(src, len - 1, GFP_KERNEL);
908 KUNIT_EXPECT_NOT_NULL(test, copy);
909 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
913 copy = kmemdup(src, 1, GFP_KERNEL);
914 KUNIT_EXPECT_NOT_NULL(test, copy);
915 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
918 /* Out of bounds by 1 byte. */
919 copy = kmemdup(src, len + 1, GFP_KERNEL);
920 KUNIT_EXPECT_NULL(test, copy);
921 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
924 /* Way out of bounds. */
925 copy = kmemdup(src, len * 2, GFP_KERNEL);
926 KUNIT_EXPECT_NULL(test, copy);
927 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
930 /* Starting offset causing out of bounds. */
931 copy = kmemdup(src + 1, len, GFP_KERNEL);
932 KUNIT_EXPECT_NULL(test, copy);
933 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3);
937 static int fortify_test_init(struct kunit *test)
939 if (!IS_ENABLED(CONFIG_FORTIFY_SOURCE))
940 kunit_skip(test, "Not built with CONFIG_FORTIFY_SOURCE=y");
942 fortify_read_overflows = 0;
943 kunit_add_named_resource(test, NULL, NULL, &read_resource,
944 "fortify_read_overflows",
945 &fortify_read_overflows);
946 fortify_write_overflows = 0;
947 kunit_add_named_resource(test, NULL, NULL, &write_resource,
948 "fortify_write_overflows",
949 &fortify_write_overflows);
953 static struct kunit_case fortify_test_cases[] = {
954 KUNIT_CASE(known_sizes_test),
955 KUNIT_CASE(control_flow_split_test),
956 KUNIT_CASE(alloc_size_kmalloc_const_test),
957 KUNIT_CASE(alloc_size_kmalloc_dynamic_test),
958 KUNIT_CASE(alloc_size_vmalloc_const_test),
959 KUNIT_CASE(alloc_size_vmalloc_dynamic_test),
960 KUNIT_CASE(alloc_size_kvmalloc_const_test),
961 KUNIT_CASE(alloc_size_kvmalloc_dynamic_test),
962 KUNIT_CASE(alloc_size_devm_kmalloc_const_test),
963 KUNIT_CASE(alloc_size_devm_kmalloc_dynamic_test),
964 KUNIT_CASE(strlen_test),
965 KUNIT_CASE(strnlen_test),
966 KUNIT_CASE(strcpy_test),
967 KUNIT_CASE(strncpy_test),
968 KUNIT_CASE(strscpy_test),
969 KUNIT_CASE(strcat_test),
970 KUNIT_CASE(strncat_test),
971 KUNIT_CASE(strlcat_test),
972 /* skip memset: performs bounds checking on whole structs */
973 /* skip memcpy: still using warn-and-overwrite instead of hard-fail */
974 KUNIT_CASE(memscan_test),
975 KUNIT_CASE(memchr_test),
976 KUNIT_CASE(memchr_inv_test),
977 KUNIT_CASE(memcmp_test),
978 KUNIT_CASE(kmemdup_test),
982 static struct kunit_suite fortify_test_suite = {
984 .init = fortify_test_init,
985 .test_cases = fortify_test_cases,
988 kunit_test_suite(fortify_test_suite);
990 MODULE_LICENSE("GPL");
git.samba.org / sfrench / cifs-2.6.git / blob