1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #ifndef __clang__
18 #error "Non-clang isn't supported"
19 #endif
20
21 //
22 // Clang compile-time and run-time tests for Bionic's FORTIFY.
23 //
24
25 // This file is compiled in two configurations to give us reasonable coverage of clang's
26 // FORTIFY implementation:
27 //
28 // 1. For compile-time checks, we use clang's diagnostic consumer
29 // (https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html#details)
30 // to check diagnostics (e.g. the expected-* comments everywhere).
31 //
32 // 2. For run-time checks, we build and run as regular gtests.
33
34 // Note that these tests do things like leaking memory. That's WAI.
35
36 //
37 // Configuration for the compile-time checks. (These comments have side effects!)
38 //
39 // Silence all "from 'diagnose_if'" `note`s from anywhere, including headers; they're uninteresting
40 // for this test case, and their line numbers may change over time.
41 // expected-note@* 0+{{from 'diagnose_if'}}
42 //
43 // Similarly, there are a few overload tricks we have to emit errors. Ignore any notes from those.
44 // expected-note@* 0+{{candidate function}}
45 //
46 // And finally, all explicitly-unavailable-here complaints from headers are
47 // uninteresting
48 // expected-note@* 0+{{has been explicitly marked unavailable here}}
49 //
50 // Note that some of these diagnostics come from clang itself, while others come from
51 // `diagnose_if`s sprinkled throughout Bionic.
52
53 #ifndef _FORTIFY_SOURCE
54 #error "_FORTIFY_SOURCE must be defined"
55 #endif
56
57 #include <sys/cdefs.h>
58
59 // This is a test specifically of bionic's FORTIFY machinery. Other stdlibs need not apply.
60 #ifndef __BIONIC__
61 // expected-no-diagnostics
62 #else
63
64 // As alluded to above, we're going to be doing some obviously very broken things in this file.
65 // FORTIFY helpfully flags a lot of it at compile-time, but we want it to *actually* crash, too. So
66 // let's wipe out any build-time errors.
67 #ifndef COMPILATION_TESTS
68 #undef __clang_error_if
69 #define __clang_error_if(...)
70 #undef __clang_warning_if
71 #define __clang_warning_if(...)
72 #pragma clang diagnostic ignored "-Wfortify-source"
73
74 // SOMETIMES_CONST allows clang to emit eager diagnostics when we're doing compilation tests, but
75 // blocks them otherwise. This is needed for diagnostics emitted with __enable_if.
76 #define SOMETIMES_CONST volatile
77 #else
78 #define SOMETIMES_CONST const
79 #endif
80
81 #include <err.h>
82 #include <fcntl.h>
83 #include <limits.h>
84 #include <poll.h>
85 #include <signal.h>
86 #include <stdio.h>
87 #include <stdlib.h>
88 #include <string.h>
89 #include <sys/socket.h>
90 #include <sys/stat.h>
91 #include <sys/wait.h>
92 #include <syslog.h>
93 #include <unistd.h>
94 #include <wchar.h>
95
96 #ifndef COMPILATION_TESTS
97 #include <android-base/silent_death_test.h>
98 #include <gtest/gtest.h>
99
100 #define CONCAT2(x, y) x##y
101 #define CONCAT(x, y) CONCAT2(x, y)
102 #define FORTIFY_TEST_NAME CONCAT(CONCAT(clang_fortify_test_, _FORTIFY_SOURCE), _DeathTest)
103
104 using FORTIFY_TEST_NAME = SilentDeathTest;
105
106 template <typename Fn>
ExitAfter(Fn && f)107 __attribute__((noreturn)) static void ExitAfter(Fn&& f) {
108 f();
109 // No need to tear things down; our parent process should handle that.
110 _exit(0);
111 }
112
113 // In any case (including failing tests), we always want to die after this.
114 #define DIE_WITH(expr, cond, regex) EXPECT_EXIT(ExitAfter([&] { (expr); }), cond, regex)
115
116 // EXPECT_NO_DEATH forks so that the test remains alive on a bug, and so that the environment
117 // doesn't get modified on no bug. (Environment modification is especially tricky to deal with given
118 // the *_STRUCT variants below.)
119 #define EXPECT_NO_DEATH(expr) DIE_WITH(expr, testing::ExitedWithCode(0), "")
120 #define EXPECT_FORTIFY_DEATH(expr) DIE_WITH(expr, testing::KilledBySignal(SIGABRT), "FORTIFY")
121 // Expecting death, but only if we're doing a "strict" struct-checking mode.
122 #if _FORTIFY_SOURCE > 1
123 #define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
124 #else
125 #define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_NO_DEATH
126 #endif
127
128 #define FORTIFY_TEST(test_name) TEST_F(FORTIFY_TEST_NAME, test_name)
129
130 #else // defined(COMPILATION_TESTS)
131
132 #define EXPECT_NO_DEATH(expr) expr
133 #define EXPECT_FORTIFY_DEATH(expr) expr
134 #define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
135 #define FORTIFY_TEST(test_name) void test_name()
136 #endif
137
138 const static int kBogusFD = -1;
139
FORTIFY_TEST(string)140 FORTIFY_TEST(string) {
141 char small_buffer[8] = {};
142
143 {
144 char large_buffer[sizeof(small_buffer) + 1] = {};
145 // expected-error@+1{{will always overflow}}
146 EXPECT_FORTIFY_DEATH(memcpy(small_buffer, large_buffer, sizeof(large_buffer)));
147 // expected-error@+1{{will always overflow}}
148 EXPECT_FORTIFY_DEATH(memmove(small_buffer, large_buffer, sizeof(large_buffer)));
149 // FIXME(gbiv): look into removing mempcpy's diagnose_if bits once the b/149839606 roll sticks.
150 // expected-error@+2{{will always overflow}}
151 // expected-error@+1{{size bigger than buffer}}
152 EXPECT_FORTIFY_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer)));
153 // expected-error@+1{{will always overflow}}
154 EXPECT_FORTIFY_DEATH(memset(small_buffer, 0, sizeof(large_buffer)));
155 // expected-warning@+1{{arguments got flipped?}}
156 EXPECT_NO_DEATH(memset(small_buffer, sizeof(small_buffer), 0));
157 // expected-error@+1{{size bigger than buffer}}
158 EXPECT_FORTIFY_DEATH(bcopy(large_buffer, small_buffer, sizeof(large_buffer)));
159 // expected-error@+1{{size bigger than buffer}}
160 EXPECT_FORTIFY_DEATH(bzero(small_buffer, sizeof(large_buffer)));
161 }
162
163 {
164 const char large_string[] = "Hello!!!";
165 static_assert(sizeof(large_string) > sizeof(small_buffer), "");
166
167 // expected-error@+2{{will always overflow}}
168 // expected-error@+1{{string bigger than buffer}}
169 EXPECT_FORTIFY_DEATH(strcpy(small_buffer, large_string));
170 // expected-error@+1{{string bigger than buffer}}
171 EXPECT_FORTIFY_DEATH(stpcpy(small_buffer, large_string));
172 // expected-error@+1{{size argument is too large}}
173 EXPECT_FORTIFY_DEATH(strncpy(small_buffer, large_string, sizeof(large_string)));
174 // expected-error@+1{{size argument is too large}}
175 EXPECT_FORTIFY_DEATH(stpncpy(small_buffer, large_string, sizeof(large_string)));
176 // expected-error@+1{{string bigger than buffer}}
177 EXPECT_FORTIFY_DEATH(strcat(small_buffer, large_string));
178 // expected-error@+1{{size argument is too large}}
179 EXPECT_FORTIFY_DEATH(strncat(small_buffer, large_string, sizeof(large_string)));
180 // expected-error@+1{{size bigger than buffer}}
181 EXPECT_FORTIFY_DEATH(strlcpy(small_buffer, large_string, sizeof(large_string)));
182 // expected-error@+1{{size bigger than buffer}}
183 EXPECT_FORTIFY_DEATH(strlcat(small_buffer, large_string, sizeof(large_string)));
184 }
185
186 {
187 struct {
188 char tiny_buffer[4];
189 char tiny_buffer2[4];
190 } split = {};
191
192 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
193 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
194 EXPECT_NO_DEATH(memmove(split.tiny_buffer, &split, sizeof(split)));
195 EXPECT_NO_DEATH(mempcpy(split.tiny_buffer, &split, sizeof(split)));
196 EXPECT_NO_DEATH(memset(split.tiny_buffer, 0, sizeof(split)));
197
198 EXPECT_NO_DEATH(bcopy(&split, split.tiny_buffer, sizeof(split)));
199 EXPECT_NO_DEATH(bzero(split.tiny_buffer, sizeof(split)));
200
201 const char small_string[] = "Hi!!";
202 static_assert(sizeof(small_string) > sizeof(split.tiny_buffer), "");
203
204 #if _FORTIFY_SOURCE > 1
205 // expected-error@+3{{will always overflow}}
206 // expected-error@+2{{string bigger than buffer}}
207 #endif
208 EXPECT_FORTIFY_DEATH_STRUCT(strcpy(split.tiny_buffer, small_string));
209
210 #if _FORTIFY_SOURCE > 1
211 // expected-error@+2{{string bigger than buffer}}
212 #endif
213 EXPECT_FORTIFY_DEATH_STRUCT(stpcpy(split.tiny_buffer, small_string));
214
215 #if _FORTIFY_SOURCE > 1
216 // expected-error@+2{{size argument is too large}}
217 #endif
218 EXPECT_FORTIFY_DEATH_STRUCT(strncpy(split.tiny_buffer, small_string, sizeof(small_string)));
219
220 #if _FORTIFY_SOURCE > 1
221 // expected-error@+2{{size argument is too large}}
222 #endif
223 EXPECT_FORTIFY_DEATH_STRUCT(stpncpy(split.tiny_buffer, small_string, sizeof(small_string)));
224
225 #if _FORTIFY_SOURCE > 1
226 // expected-error@+2{{string bigger than buffer}}
227 #endif
228 EXPECT_FORTIFY_DEATH_STRUCT(strcat(split.tiny_buffer, small_string));
229
230 #if _FORTIFY_SOURCE > 1
231 // expected-error@+2{{size argument is too large}}
232 #endif
233 EXPECT_FORTIFY_DEATH_STRUCT(strncat(split.tiny_buffer, small_string, sizeof(small_string)));
234
235 #if _FORTIFY_SOURCE > 1
236 // expected-error@+2{{size bigger than buffer}}
237 #endif
238 EXPECT_FORTIFY_DEATH_STRUCT(strlcat(split.tiny_buffer, small_string, sizeof(small_string)));
239
240 #if _FORTIFY_SOURCE > 1
241 // expected-error@+2{{size bigger than buffer}}
242 #endif
243 EXPECT_FORTIFY_DEATH_STRUCT(strlcpy(split.tiny_buffer, small_string, sizeof(small_string)));
244 }
245 }
246
FORTIFY_TEST(fcntl)247 FORTIFY_TEST(fcntl) {
248 const char target[] = "/dev/null";
249 int dirfd = 0;
250
251 // These all emit hard errors without diagnose_if, so running them is a bit
252 // more involved.
253 #ifdef COMPILATION_TESTS
254 // expected-error@+1{{too many arguments}}
255 open("/", 0, 0, 0);
256 // expected-error@+1{{too many arguments}}
257 open64("/", 0, 0, 0);
258 // expected-error@+1{{too many arguments}}
259 openat(0, "/", 0, 0, 0);
260 // expected-error@+1{{too many arguments}}
261 openat64(0, "/", 0, 0, 0);
262 #endif
263
264 // expected-error@+1{{missing mode}}
265 EXPECT_FORTIFY_DEATH(open(target, O_CREAT));
266 // expected-error@+1{{missing mode}}
267 EXPECT_FORTIFY_DEATH(open(target, O_TMPFILE));
268 // expected-error@+1{{missing mode}}
269 EXPECT_FORTIFY_DEATH(open64(target, O_CREAT));
270 // expected-error@+1{{missing mode}}
271 EXPECT_FORTIFY_DEATH(open64(target, O_TMPFILE));
272 // expected-error@+1{{missing mode}}
273 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_CREAT));
274 // expected-error@+1{{missing mode}}
275 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_TMPFILE));
276 // expected-error@+1{{missing mode}}
277 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_CREAT));
278 // expected-error@+1{{missing mode}}
279 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_TMPFILE));
280
281 // expected-warning@+1{{superfluous mode bits}}
282 EXPECT_NO_DEATH(open(target, O_RDONLY, 0777));
283 // expected-warning@+1{{superfluous mode bits}}
284 EXPECT_NO_DEATH(open64(target, O_RDONLY, 0777));
285 // expected-warning@+1{{superfluous mode bits}}
286 EXPECT_NO_DEATH(openat(dirfd, target, O_RDONLY, 0777));
287 // expected-warning@+1{{superfluous mode bits}}
288 EXPECT_NO_DEATH(openat64(dirfd, target, O_RDONLY, 0777));
289 }
290
291 // Since these emit hard errors, it's sort of hard to run them...
292 #ifdef COMPILATION_TESTS
293 namespace compilation_tests {
294 template <typename T>
declval()295 static T declval() {
296 __builtin_unreachable();
297 }
298
testFormatStrings()299 static void testFormatStrings() {
300 const auto unsigned_value = declval<unsigned long long>();
301 const auto* unknown_string = declval<const char*>();
302 const auto va = *declval<va_list*>();
303
304 {
305 auto some_fd = declval<int>();
306 // expected-warning@+1{{format specifies type 'int'}}
307 dprintf(some_fd, "%d", unsigned_value);
308 // expected-warning@+1{{format string is not a string literal}}
309 dprintf(some_fd, unknown_string, unsigned_value);
310 // expected-warning@+1{{format string is not a string literal}}
311 vdprintf(1, unknown_string, va);
312 }
313
314 {
315 auto* retval = declval<char*>();
316 #if 0
317 // expected-error@+2{{ignoring return value}}
318 #endif
319 // expected-warning@+1{{format specifies type 'int'}}
320 asprintf(&retval, "%d", unsigned_value);
321 #if 0
322 // expected-error@+2{{ignoring return value}}
323 #endif
324 // expected-warning@+1{{format string is not a string literal}}
325 asprintf(&retval, unknown_string, unsigned_value);
326 #if 0
327 // expected-error@+2{{ignoring return value}}
328 #endif
329 // expected-warning@+1{{format string is not a string literal}}
330 vasprintf(&retval, unknown_string, va);
331 }
332
333 // expected-warning@+1{{format specifies type 'int'}}
334 syslog(0, "%d", unsigned_value);
335 // expected-warning@+1{{format string is not a string literal}}
336 syslog(0, unknown_string, unsigned_value);
337 // expected-warning@+1{{format string is not a string literal}}
338 vsyslog(0, unknown_string, va);
339
340 {
341 auto* file = declval<FILE*>();
342 // expected-warning@+1{{format specifies type 'int'}}
343 fprintf(file, "%d", unsigned_value);
344 // expected-warning@+1{{format string is not a string literal}}
345 fprintf(file, unknown_string, unsigned_value);
346 // expected-warning@+1{{format string is not a string literal}}
347 vfprintf(file, unknown_string, va);
348 }
349
350 // expected-warning@+1{{format specifies type 'int'}}
351 printf("%d", unsigned_value);
352 // expected-warning@+1{{format string is not a string literal}}
353 printf(unknown_string, unsigned_value);
354 // expected-warning@+1{{format string is not a string literal}}
355 vprintf(unknown_string, va);
356
357 {
358 char buf[128];
359 // expected-warning@+1{{format specifies type 'int'}}
360 sprintf(buf, "%d", unsigned_value);
361 // expected-warning@+1{{format string is not a string literal}}
362 sprintf(buf, unknown_string, unsigned_value);
363 // expected-warning@+1{{format string is not a string literal}}
364 sprintf(buf, unknown_string, va);
365
366 // expected-warning@+1{{format specifies type 'int'}}
367 snprintf(buf, sizeof(buf), "%d", unsigned_value);
368 // expected-warning@+1{{format string is not a string literal}}
369 snprintf(buf, sizeof(buf), unknown_string, unsigned_value);
370 // expected-warning@+1{{format string is not a string literal}}
371 vsnprintf(buf, sizeof(buf), unknown_string, va);
372 }
373
374 // FIXME: below are general format string cases where clang should probably try to warn.
375 {
376 char buf[4];
377 sprintf(buf, "%s", "1234");
378 sprintf(buf, "1%s4", "23");
379 sprintf(buf, "%d", 1234);
380
381 // Similar thoughts for strncpy, etc.
382 }
383 }
384
testStdlib()385 static void testStdlib() {
386 #pragma clang diagnostic push
387 #pragma clang diagnostic ignored "-Wnonnull"
388 char path_buffer[PATH_MAX - 1];
389 // expected-warning@+2{{ignoring return value of function}}
390 // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}}
391 realpath("/", path_buffer);
392 // expected-warning@+1{{ignoring return value of function}}
393 realpath("/", nullptr);
394
395 // expected-warning@+2{{ignoring return value of function}}
396 // expected-error@+1{{flipped arguments?}}
397 realpath(nullptr, path_buffer);
398
399 // expected-warning@+2{{ignoring return value of function}}
400 // expected-error@+1{{flipped arguments?}}
401 realpath(nullptr, nullptr);
402 #pragma clang diagnostic pop
403 }
404 } // namespace compilation_tests
405 #endif
406
FORTIFY_TEST(poll)407 FORTIFY_TEST(poll) {
408 int pipe_fds[2];
409 if (pipe(pipe_fds)) err(1, "pipe failed");
410
411 // after this, pipe_fds[0] should always report RDHUP
412 if (close(pipe_fds[1])) err(1, "close failed");
413
414 struct pollfd poll_fd = { pipe_fds[0], POLLRDHUP, 0 };
415 {
416 struct pollfd few_fds[] = { poll_fd, poll_fd };
417 // expected-error@+1{{fd_count is larger than the given buffer}}
418 EXPECT_FORTIFY_DEATH(poll(few_fds, 3, 0));
419 // expected-error@+1{{fd_count is larger than the given buffer}}
420 EXPECT_FORTIFY_DEATH(ppoll(few_fds, 3, 0, 0));
421 // expected-error@+1{{fd_count is larger than the given buffer}}
422 EXPECT_FORTIFY_DEATH(ppoll64(few_fds, 3, 0, nullptr));
423 }
424
425 {
426 struct {
427 struct pollfd few[2];
428 struct pollfd extra[1];
429 } fds = { { poll_fd, poll_fd }, { poll_fd } };
430 static_assert(sizeof(fds) >= sizeof(struct pollfd) * 3, "");
431
432 #if _FORTIFY_SOURCE > 1
433 // expected-error@+2{{fd_count is larger than the given buffer}}
434 #endif
435 EXPECT_FORTIFY_DEATH_STRUCT(poll(fds.few, 3, 0));
436
437 struct timespec timeout = {};
438 #if _FORTIFY_SOURCE > 1
439 // expected-error@+2{{fd_count is larger than the given buffer}}
440 #endif
441 EXPECT_FORTIFY_DEATH_STRUCT(ppoll(fds.few, 3, &timeout, 0));
442
443 #if _FORTIFY_SOURCE > 1
444 // expected-error@+2{{fd_count is larger than the given buffer}}
445 #endif
446 EXPECT_FORTIFY_DEATH_STRUCT(ppoll64(fds.few, 3, 0, nullptr));
447 }
448 }
449
FORTIFY_TEST(socket)450 FORTIFY_TEST(socket) {
451 {
452 char small_buffer[8];
453 // expected-error@+1{{size bigger than buffer}}
454 EXPECT_FORTIFY_DEATH(recv(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
455 // expected-error@+1{{size bigger than buffer}}
456 EXPECT_FORTIFY_DEATH(recvfrom(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
457
458 // expected-error@+1{{size bigger than buffer}}
459 EXPECT_FORTIFY_DEATH(send(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
460 // expected-error@+1{{size bigger than buffer}}
461 EXPECT_FORTIFY_DEATH(sendto(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
462 }
463
464 {
465 struct {
466 char tiny_buffer[4];
467 char tiny_buffer2;
468 } split = {};
469
470 EXPECT_NO_DEATH(recv(kBogusFD, split.tiny_buffer, sizeof(split), 0));
471 EXPECT_NO_DEATH(recvfrom(kBogusFD, split.tiny_buffer, sizeof(split), 0, 0, 0));
472 }
473 }
474
FORTIFY_TEST(sys_stat)475 FORTIFY_TEST(sys_stat) {
476 // expected-error@+1{{'umask' called with invalid mode}}
477 EXPECT_FORTIFY_DEATH(umask(01777));
478 }
479
FORTIFY_TEST(stdio)480 FORTIFY_TEST(stdio) {
481 char small_buffer[8] = {};
482 {
483 // expected-error@+1{{size argument is too large}}
484 EXPECT_FORTIFY_DEATH(snprintf(small_buffer, sizeof(small_buffer) + 1, ""));
485
486 va_list va;
487 // expected-error@+2{{size argument is too large}}
488 // expected-warning@+1{{format string is empty}}
489 EXPECT_FORTIFY_DEATH(vsnprintf(small_buffer, sizeof(small_buffer) + 1, "", va));
490
491 const char *SOMETIMES_CONST format_string = "aaaaaaaaa";
492
493 // expected-error@+1{{format string will always overflow}}
494 EXPECT_FORTIFY_DEATH(sprintf(small_buffer, format_string));
495 }
496
497 // expected-error@+1{{size should not be negative}}
498 EXPECT_FORTIFY_DEATH(fgets(small_buffer, -1, stdin));
499 // expected-error@+1{{size is larger than the destination buffer}}
500 EXPECT_FORTIFY_DEATH(fgets(small_buffer, sizeof(small_buffer) + 1, stdin));
501
502 // expected-error@+1{{size * count overflows}}
503 EXPECT_NO_DEATH(fread(small_buffer, 2, (size_t)-1, stdin));
504 // expected-error@+1{{size * count is too large for the given buffer}}
505 EXPECT_FORTIFY_DEATH(fread(small_buffer, 1, sizeof(small_buffer) + 1, stdin));
506
507 // expected-error@+1{{size * count overflows}}
508 EXPECT_NO_DEATH(fwrite(small_buffer, 2, (size_t)-1, stdout));
509 // expected-error@+1{{size * count is too large for the given buffer}}
510 EXPECT_FORTIFY_DEATH(fwrite(small_buffer, 1, sizeof(small_buffer) + 1, stdout));
511 }
512
FORTIFY_TEST(unistd)513 FORTIFY_TEST(unistd) {
514 char small_buffer[8];
515
516 // Return value warnings are (sort of) a part of FORTIFY, so we don't ignore them.
517 #if 0
518 // expected-error@+2{{ignoring return value of function}}
519 #endif
520 // expected-error@+1{{bytes overflows the given object}}
521 EXPECT_FORTIFY_DEATH(read(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
522 #if 0
523 // expected-error@+2{{ignoring return value of function}}
524 #endif
525 // expected-error@+1{{bytes overflows the given object}}
526 EXPECT_FORTIFY_DEATH(pread(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
527 #if 0
528 // expected-error@+2{{ignoring return value of function}}
529 #endif
530 // expected-error@+1{{bytes overflows the given object}}
531 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
532 #if 0
533 // expected-error@+2{{ignoring return value of function}}
534 #endif
535 // expected-error@+1{{bytes overflows the given object}}
536 EXPECT_FORTIFY_DEATH(write(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
537 #if 0
538 // expected-error@+2{{ignoring return value of function}}
539 #endif
540 // expected-error@+1{{bytes overflows the given object}}
541 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
542 #if 0
543 // expected-error@+2{{ignoring return value of function}}
544 #endif
545 // expected-error@+1{{bytes overflows the given object}}
546 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
547 #if 0
548 // expected-error@+2{{ignoring return value of function}}
549 #endif
550 // expected-error@+1{{bytes overflows the given object}}
551 EXPECT_FORTIFY_DEATH(readlink("/", small_buffer, sizeof(small_buffer) + 1));
552 #if 0
553 // expected-error@+2{{ignoring return value of function}}
554 #endif
555 // expected-error@+1{{bytes overflows the given object}}
556 EXPECT_FORTIFY_DEATH(getcwd(small_buffer, sizeof(small_buffer) + 1));
557
558 // getcwd allocates and returns a buffer if you pass null to getcwd
559 EXPECT_NO_DEATH(getcwd(nullptr, 0));
560 EXPECT_NO_DEATH(getcwd(nullptr, 4096));
561
562 struct {
563 char tiny_buffer[4];
564 char tiny_buffer2[4];
565 } split;
566
567 EXPECT_NO_DEATH(read(kBogusFD, split.tiny_buffer, sizeof(split)));
568 EXPECT_NO_DEATH(pread(kBogusFD, split.tiny_buffer, sizeof(split), 0));
569 EXPECT_NO_DEATH(pread64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
570 EXPECT_NO_DEATH(write(kBogusFD, split.tiny_buffer, sizeof(split)));
571 EXPECT_NO_DEATH(pwrite(kBogusFD, split.tiny_buffer, sizeof(split), 0));
572 EXPECT_NO_DEATH(pwrite64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
573
574 #if _FORTIFY_SOURCE > 1
575 // expected-error@+2{{bytes overflows the given object}}
576 #endif
577 EXPECT_FORTIFY_DEATH_STRUCT(readlink("/", split.tiny_buffer, sizeof(split)));
578 #if _FORTIFY_SOURCE > 1
579 // expected-error@+2{{bytes overflows the given object}}
580 #endif
581 EXPECT_FORTIFY_DEATH_STRUCT(getcwd(split.tiny_buffer, sizeof(split)));
582
583 {
584 char* volatile unknown = small_buffer;
585 const size_t count = static_cast<size_t>(SSIZE_MAX) + 1;
586 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
587 EXPECT_FORTIFY_DEATH(read(kBogusFD, unknown, count));
588 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
589 EXPECT_FORTIFY_DEATH(pread(kBogusFD, unknown, count, 0));
590 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
591 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, unknown, count, 0));
592 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
593 EXPECT_FORTIFY_DEATH(write(kBogusFD, unknown, count));
594 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
595 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, unknown, count, 0));
596 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
597 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, unknown, count, 0));
598 }
599 }
600
601 #endif // defined(__BIONIC__)
602