generate-fortify-tests.lua - OpenGrok cross reference for /freebsd/lib/libc/tests/secure/generate-fortify-tests.lua

Lines Matching +full:re +full:- +full:configurable
2 --
3 -- SPDX-License-Identifier: BSD-2-Clause
4 --
5 -- Copyright (c) 2024, Klara, Inc.
6 --
7 -- Redistribution and use in source and binary forms, with or without
8 -- modification, are permitted provided that the following conditions
9 -- are met:
10 -- 1. Redistributions of source code must retain the above copyright
11 --    notice, this list of conditions and the following disclaimer.
12 -- 2. Redistributions in binary form must reproduce the above copyright
13 --    notice, this list of conditions and the following disclaimer in the
14 --    documentation and/or other materials provided with the distribution.
15 --
16 -- THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 -- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 -- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 -- ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 -- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 -- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 -- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 -- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 -- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 -- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 -- SUCH DAMAGE.
27 --
29 -- THEORY OF OPERATION
30 --
31 -- generate-fortify-tests.lua is intended to test fortified functions as found
32 -- mostly in the various headers in /usr/include/ssp.  Each fortified function
33 -- gets three basic tests:
34 --
35 --   1. Write just before the end of the buffer,
36 --   2. Write right at the end of the buffer,
37 --   3. Write just after the end of the buffer.
38 --
39 -- Each test is actually generated twice: once with a buffer on the stack, and
40 -- again with a buffer on the heap, to confirm that __builtin_object_size(3) can
41 -- deduce the buffer size in both scenarios.  The tests work by setting up the
42 -- stack with our buffer (and some padding on either side to avoid tripping any
43 -- other stack or memory protection), doing any initialization as described by
44 -- the test definition, then calling the fortified function with the buffer as
45 -- outlined by the test definition.
46 --
47 -- For the 'before' and 'at' the end tests, we're ensuring that valid writes
48 -- that are on the verge of being invalid aren't accidentally being detected as
49 -- invalid.
50 --
51 -- The 'after' test is the one that actually tests the functional benefit of
52 -- _FORTIFY_SOURCE by violating a boundary that should trigger an abort.  As
53 -- such, this test differs more from the other two in that it has to fork() off
54 -- the fortified function call so that we can monitor for a SIGABRT and
55 -- pass/fail the test at function end appropriately.
57 -- Some tests, like the FD_*() macros, may define these differently.  For
58 -- instance, for fd sets we're varying the index we pass and not using arbitrary
59 -- buffers.  Other tests that don't use the length in any way may physically
60 -- vary the buffer size for each test case when we'd typically vary the length
61 -- we're requesting a write for.
86 	"atf-c.h",
91 -- Configuration for tests that want the host/domainname
95 -- Some of these will need to be excluded because clang sees the wrong size when
96 -- an array is embedded inside a struct, we'll get something that looks more
97 -- like __builtin_object_size(ptr, 0) than it does the correct
98 -- __builtin_object_size(ptr, 1) (i.e., includes the padding after).  This is
99 -- almost certainly a bug in llvm.
106 		__stack.__buf[i].fd = -1;
112 	memset(srcvar, 'A', sizeof(srcvar) - 1);
113 	srcvar[sizeof(srcvar) - 1] = '\0';
124 local socket_stackvars = "\tint sock[2] = { -1, -1 };\n"
144 	memset(src, 'A', __len - 1);
145 	src[__len - 1] = '\0';
151 	wmemset(src, 'A', __len - 1);
152 	src[__len - 1] = '\0';
155 -- Each test entry describes how to test a given function.  We need to know how
156 -- to construct the buffer, we need to know the argument set we're dealing with,
157 -- and we need to know what we're passing to each argument.  We could be passing
158 -- fixed values, or we could be passing the __buf under test.
159 --
160 -- definition:
161 --   func: name of the function under test to call
162 --   bufsize: size of buffer to generate, defaults to 42
163 --   buftype: type of buffer to generate, defaults to unsigned char[]
164 --   arguments: __buf, __len, or the name of a variable placed on the stack
165 --   exclude: a function(disposition, is_heap) that returns true if this combo
166 --     should be excluded.
167 --   stackvars: extra variables to be placed on the stack, should be a string
168 --     optionally formatted with tabs and newlines
169 --   init: extra code to inject just before the function call for initialization
170 --     of the buffer or any of the above-added stackvars; also a string
171 --   uses_len: bool-ish, necessary if arguments doesn't include either __idx or
172 --     or __len so that the test generator doesn't try to vary the size of the
173 --     buffer instead of just manipulating __idx/__len to try and induce an
174 --     overflow.
175 --
176 -- Most tests will just use the default bufsize/buftype, but under some
177 -- circumstances it's useful to use a different type (e.g., for alignment
178 -- requirements).
181 		-- <sys/random.h>
193 		-- <sys/select.h>
223 		-- <sys/socket.h>
375 			-- We'll assume that recvmsg is covering msghdr
376 			-- validation thoroughly enough, we'll just try tossing
377 			-- an error in the second element of a msgvec to try and
378 			-- make sure that each one is being validated.
404 		-- <sys/uio.h>
455 		-- <poll.h>
482 		-- <signal.h>
494 		-- <stdio.h>
547 				"(int)__len - 1",	-- - 1 for NUL terminator
560 				"(int)__len - 1",	-- - 1 for NUL terminator
590 		-- <stdlib.h>
619 		-- <string.h>
758 		-- <strings.h>
787 		-- <unistd.h>
941 		-- <wchar.h>
1123 local function configurable(def, idx)  function
1139 		-- Tests that don't use __len in their arguments may use an
1140 		-- inverted sense because we can't just specify a length that
1141 		-- would induce an access just after the end.  Instead, we have
1142 		-- to manipulate the buffer size to be too short so that the
1143 		-- function under test would write one too many.
1145 			return ((inverted and " + ") or " - ") .. "1"
1149 			return ((inverted and " - ") or " + ") .. "1"
1168 	-- This is perhaps a little convoluted, but we toss the buffer into a
1169 	-- struct on the stack to guarantee that we have at least one valid
1170 	-- byte on either side of the buffer -- a measure to make sure that
1171 	-- we're tripping _FORTIFY_SOURCE specifically in the buffer + 1 case,
1172 	-- rather than some other stack or memory protection.
1182 		-- If the length isn't in use, we have to vary the buffer size
1183 		-- since the fortified function likely has some internal size
1184 		-- constraint that it's supposed to be checking.
1189 		-- Array type: size goes after identifier
1195 		-- Heap tests obviously just put a pointer on the stack that
1196 		-- points to our new allocation, but we leave it in the padded
1197 		-- struct just to simplify our generator.
1204 	-- padding_r is our just-past-the-end padding that we use to make sure
1205 	-- that there's a valid portion after the buffer that isn't being
1206 	-- included in our function calls.  If we didn't have it, then we'd have
1207 	-- a hard time feeling confident that an abort on the just-after tests
1208 	-- isn't maybe from some other memory or stack protection.
1212 	-- Not all tests will use __bufsz, but some do for, e.g., clearing
1213 	-- memory..
1228 	vars = vars .. "\tconst size_t __idx __unused = __len - 1;\n"
1230 	-- For overflow testing, we need to fork() because we're expecting the
1231 	-- test to ultimately abort()/_exit().  Then we can collect the exit
1232 	-- status and report appropriately.
1238 	-- Any other stackvars defined by the test get placed after everything
1239 	-- else.
1240 	vars = vars .. (configurable(def, "stackvars") or "")
1265 	-- Setup the buffer
1269 	-- Any early initialization goes before we would fork for the just-after
1270 	-- tests, because they may want to skip the test based on some criteria
1271 	-- and we can't propagate that up very easily once we're forked.
1272 	local early_init = configurable(def, "early_init")
1278 	-- Fork off, iff we're testing some access past the end of the buffer.
1293 		-- Buffer needs to be initialized because it's a heap allocation.
1297 	-- Non-early init happens just after the fork in the child, not the
1298 	-- monitor.  This is used to setup any other buffers we may need, for
1299 	-- instance.
1300 	local extra_init = configurable(def, "init")
1307 	-- Setup the function call with arguments as described in the test
1308 	-- definition.
1335 	-- Monitor stuff follows, for OOB access.
1370 -- main()
1372 local tcat = assert(arg[1], "usage: generate-fortify-tests.lua <category>")
1383 fh:write("/* @" .. "generated" .. " by `generate-fortify-tests.lua \"" ..
1403 	memset(fpbuf, 'A', sizeof(fpbuf) - 1);
1404 	fpbuf[sizeof(fpbuf) - 1] = '\0';
1456 		rv = send(sock[1], &sockbuf[total], sizeof(sockbuf) - total, 0);
1460 		    rv, sizeof(sockbuf) - total, sizeof(sockbuf), total);
1470 	cmsg->cmsg_level = SOL_SOCKET;
1471 	cmsg->cmsg_type = SCM_RIGHTS;
1472 	cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
1477 	ATF_REQUIRE(error != -1);
1511 	if (setrlimit(RLIMIT_CORE, &rl) == -1)
1562 		-- Dispositions here are relative to the buffer size prescribed
1563 		-- by the test definition.
1564 		local dispositions = def.dispositions or { -1, 0, 1 }