1 /* @generated by `generate-fortify-tests.lua "stdio"` */ 2 3 #define _FORTIFY_SOURCE 2 4 #define TMPFILE_SIZE (1024 * 32) 5 6 #include <sys/param.h> 7 #include <sys/random.h> 8 #include <sys/resource.h> 9 #include <sys/time.h> 10 #include <sys/uio.h> 11 #include <sys/wait.h> 12 #include <dirent.h> 13 #include <errno.h> 14 #include <fcntl.h> 15 #include <limits.h> 16 #include <poll.h> 17 #include <signal.h> 18 #include <stdio.h> 19 #include <stdlib.h> 20 #include <string.h> 21 #include <strings.h> 22 #include <sysexits.h> 23 #include <unistd.h> 24 #include <wchar.h> 25 #include <atf-c.h> 26 27 static FILE * __unused 28 new_fp(size_t __len) 29 { 30 static char fpbuf[LINE_MAX]; 31 FILE *fp; 32 33 ATF_REQUIRE(__len <= sizeof(fpbuf)); 34 35 memset(fpbuf, 'A', sizeof(fpbuf) - 1); 36 fpbuf[sizeof(fpbuf) - 1] = '\0'; 37 38 fp = fmemopen(fpbuf, sizeof(fpbuf), "rb"); 39 ATF_REQUIRE(fp != NULL); 40 41 return (fp); 42 } 43 44 /* 45 * Create a new symlink to use for readlink(2) style tests, we'll just use a 46 * random target name to have something interesting to look at. 47 */ 48 static const char * __unused 49 new_symlink(size_t __len) 50 { 51 static const char linkname[] = "link"; 52 char target[MAXNAMLEN]; 53 int error; 54 55 ATF_REQUIRE(__len <= sizeof(target)); 56 57 arc4random_buf(target, sizeof(target)); 58 59 error = unlink(linkname); 60 ATF_REQUIRE(error == 0 || errno == ENOENT); 61 62 error = symlink(target, linkname); 63 ATF_REQUIRE(error == 0); 64 65 return (linkname); 66 } 67 68 /* 69 * Constructs a tmpfile that we can use for testing read(2) and friends. 70 */ 71 static int __unused 72 new_tmpfile(void) 73 { 74 char buf[1024]; 75 ssize_t rv; 76 size_t written; 77 int fd; 78 79 fd = open("tmpfile", O_RDWR | O_CREAT | O_TRUNC, 0644); 80 ATF_REQUIRE(fd >= 0); 81 82 written = 0; 83 while (written < TMPFILE_SIZE) { 84 rv = write(fd, buf, sizeof(buf)); 85 ATF_REQUIRE(rv > 0); 86 87 written += rv; 88 } 89 90 ATF_REQUIRE_EQ(0, lseek(fd, 0, SEEK_SET)); 91 return (fd); 92 } 93 94 static void 95 disable_coredumps(void) 96 { 97 struct rlimit rl = { 0 }; 98 99 if (setrlimit(RLIMIT_CORE, &rl) == -1) 100 _exit(EX_OSERR); 101 } 102 103 /* 104 * Replaces stdin with a file that we can actually read from, for tests where 105 * we want a FILE * or fd that we can get data from. 106 */ 107 static void __unused 108 replace_stdin(void) 109 { 110 int fd; 111 112 fd = new_tmpfile(); 113 114 (void)dup2(fd, STDIN_FILENO); 115 if (fd != STDIN_FILENO) 116 close(fd); 117 } 118 119 ATF_TC_WITHOUT_HEAD(ctermid_before_end); 120 ATF_TC_BODY(ctermid_before_end, tc) 121 { 122 #define BUF &__stack.__buf 123 struct { 124 uint8_t padding_l; 125 unsigned char __buf[L_ctermid + 1]; 126 uint8_t padding_r; 127 } __stack; 128 const size_t __bufsz __unused = sizeof(__stack.__buf); 129 const size_t __len = L_ctermid + 1; 130 const size_t __idx __unused = __len - 1; 131 132 ctermid(__stack.__buf); 133 #undef BUF 134 135 } 136 137 ATF_TC_WITHOUT_HEAD(ctermid_end); 138 ATF_TC_BODY(ctermid_end, tc) 139 { 140 #define BUF &__stack.__buf 141 struct { 142 uint8_t padding_l; 143 unsigned char __buf[L_ctermid]; 144 uint8_t padding_r; 145 } __stack; 146 const size_t __bufsz __unused = sizeof(__stack.__buf); 147 const size_t __len = L_ctermid; 148 const size_t __idx __unused = __len - 1; 149 150 ctermid(__stack.__buf); 151 #undef BUF 152 153 } 154 155 ATF_TC_WITHOUT_HEAD(ctermid_heap_before_end); 156 ATF_TC_BODY(ctermid_heap_before_end, tc) 157 { 158 #define BUF __stack.__buf 159 struct { 160 uint8_t padding_l; 161 unsigned char * __buf; 162 uint8_t padding_r; 163 } __stack; 164 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid + 1); 165 const size_t __len = L_ctermid + 1; 166 const size_t __idx __unused = __len - 1; 167 168 __stack.__buf = malloc(__bufsz); 169 170 ctermid(__stack.__buf); 171 #undef BUF 172 173 } 174 175 ATF_TC_WITHOUT_HEAD(ctermid_heap_end); 176 ATF_TC_BODY(ctermid_heap_end, tc) 177 { 178 #define BUF __stack.__buf 179 struct { 180 uint8_t padding_l; 181 unsigned char * __buf; 182 uint8_t padding_r; 183 } __stack; 184 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid); 185 const size_t __len = L_ctermid; 186 const size_t __idx __unused = __len - 1; 187 188 __stack.__buf = malloc(__bufsz); 189 190 ctermid(__stack.__buf); 191 #undef BUF 192 193 } 194 195 ATF_TC_WITHOUT_HEAD(ctermid_heap_after_end); 196 ATF_TC_BODY(ctermid_heap_after_end, tc) 197 { 198 #define BUF __stack.__buf 199 struct { 200 uint8_t padding_l; 201 unsigned char * __buf; 202 uint8_t padding_r; 203 } __stack; 204 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid - 1); 205 const size_t __len = L_ctermid - 1; 206 const size_t __idx __unused = __len - 1; 207 pid_t __child; 208 int __status; 209 210 __child = fork(); 211 ATF_REQUIRE(__child >= 0); 212 if (__child > 0) 213 goto monitor; 214 215 /* Child */ 216 disable_coredumps(); 217 __stack.__buf = malloc(__bufsz); 218 219 ctermid(__stack.__buf); 220 _exit(EX_SOFTWARE); /* Should have aborted. */ 221 222 monitor: 223 while (waitpid(__child, &__status, 0) != __child) { 224 ATF_REQUIRE_EQ(EINTR, errno); 225 } 226 227 if (!WIFSIGNALED(__status)) { 228 switch (WEXITSTATUS(__status)) { 229 case EX_SOFTWARE: 230 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 231 break; 232 case EX_OSERR: 233 atf_tc_fail("setrlimit(2) failed"); 234 break; 235 default: 236 atf_tc_fail("child exited with status %d", 237 WEXITSTATUS(__status)); 238 } 239 } else { 240 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 241 } 242 #undef BUF 243 244 } 245 246 ATF_TC_WITHOUT_HEAD(ctermid_r_before_end); 247 ATF_TC_BODY(ctermid_r_before_end, tc) 248 { 249 #define BUF &__stack.__buf 250 struct { 251 uint8_t padding_l; 252 unsigned char __buf[L_ctermid + 1]; 253 uint8_t padding_r; 254 } __stack; 255 const size_t __bufsz __unused = sizeof(__stack.__buf); 256 const size_t __len = L_ctermid + 1; 257 const size_t __idx __unused = __len - 1; 258 259 ctermid_r(__stack.__buf); 260 #undef BUF 261 262 } 263 264 ATF_TC_WITHOUT_HEAD(ctermid_r_end); 265 ATF_TC_BODY(ctermid_r_end, tc) 266 { 267 #define BUF &__stack.__buf 268 struct { 269 uint8_t padding_l; 270 unsigned char __buf[L_ctermid]; 271 uint8_t padding_r; 272 } __stack; 273 const size_t __bufsz __unused = sizeof(__stack.__buf); 274 const size_t __len = L_ctermid; 275 const size_t __idx __unused = __len - 1; 276 277 ctermid_r(__stack.__buf); 278 #undef BUF 279 280 } 281 282 ATF_TC_WITHOUT_HEAD(ctermid_r_heap_before_end); 283 ATF_TC_BODY(ctermid_r_heap_before_end, tc) 284 { 285 #define BUF __stack.__buf 286 struct { 287 uint8_t padding_l; 288 unsigned char * __buf; 289 uint8_t padding_r; 290 } __stack; 291 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid + 1); 292 const size_t __len = L_ctermid + 1; 293 const size_t __idx __unused = __len - 1; 294 295 __stack.__buf = malloc(__bufsz); 296 297 ctermid_r(__stack.__buf); 298 #undef BUF 299 300 } 301 302 ATF_TC_WITHOUT_HEAD(ctermid_r_heap_end); 303 ATF_TC_BODY(ctermid_r_heap_end, tc) 304 { 305 #define BUF __stack.__buf 306 struct { 307 uint8_t padding_l; 308 unsigned char * __buf; 309 uint8_t padding_r; 310 } __stack; 311 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid); 312 const size_t __len = L_ctermid; 313 const size_t __idx __unused = __len - 1; 314 315 __stack.__buf = malloc(__bufsz); 316 317 ctermid_r(__stack.__buf); 318 #undef BUF 319 320 } 321 322 ATF_TC_WITHOUT_HEAD(ctermid_r_heap_after_end); 323 ATF_TC_BODY(ctermid_r_heap_after_end, tc) 324 { 325 #define BUF __stack.__buf 326 struct { 327 uint8_t padding_l; 328 unsigned char * __buf; 329 uint8_t padding_r; 330 } __stack; 331 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid - 1); 332 const size_t __len = L_ctermid - 1; 333 const size_t __idx __unused = __len - 1; 334 pid_t __child; 335 int __status; 336 337 __child = fork(); 338 ATF_REQUIRE(__child >= 0); 339 if (__child > 0) 340 goto monitor; 341 342 /* Child */ 343 disable_coredumps(); 344 __stack.__buf = malloc(__bufsz); 345 346 ctermid_r(__stack.__buf); 347 _exit(EX_SOFTWARE); /* Should have aborted. */ 348 349 monitor: 350 while (waitpid(__child, &__status, 0) != __child) { 351 ATF_REQUIRE_EQ(EINTR, errno); 352 } 353 354 if (!WIFSIGNALED(__status)) { 355 switch (WEXITSTATUS(__status)) { 356 case EX_SOFTWARE: 357 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 358 break; 359 case EX_OSERR: 360 atf_tc_fail("setrlimit(2) failed"); 361 break; 362 default: 363 atf_tc_fail("child exited with status %d", 364 WEXITSTATUS(__status)); 365 } 366 } else { 367 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 368 } 369 #undef BUF 370 371 } 372 373 ATF_TC_WITHOUT_HEAD(fread_before_end); 374 ATF_TC_BODY(fread_before_end, tc) 375 { 376 #define BUF &__stack.__buf 377 struct { 378 uint8_t padding_l; 379 unsigned char __buf[42]; 380 uint8_t padding_r; 381 } __stack; 382 const size_t __bufsz __unused = sizeof(__stack.__buf); 383 const size_t __len = 42 - 1; 384 const size_t __idx __unused = __len - 1; 385 386 replace_stdin(); 387 388 fread(__stack.__buf, __len, 1, stdin); 389 #undef BUF 390 391 } 392 393 ATF_TC_WITHOUT_HEAD(fread_end); 394 ATF_TC_BODY(fread_end, tc) 395 { 396 #define BUF &__stack.__buf 397 struct { 398 uint8_t padding_l; 399 unsigned char __buf[42]; 400 uint8_t padding_r; 401 } __stack; 402 const size_t __bufsz __unused = sizeof(__stack.__buf); 403 const size_t __len = 42; 404 const size_t __idx __unused = __len - 1; 405 406 replace_stdin(); 407 408 fread(__stack.__buf, __len, 1, stdin); 409 #undef BUF 410 411 } 412 413 ATF_TC_WITHOUT_HEAD(fread_heap_before_end); 414 ATF_TC_BODY(fread_heap_before_end, tc) 415 { 416 #define BUF __stack.__buf 417 struct { 418 uint8_t padding_l; 419 unsigned char * __buf; 420 uint8_t padding_r; 421 } __stack; 422 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 423 const size_t __len = 42 - 1; 424 const size_t __idx __unused = __len - 1; 425 426 __stack.__buf = malloc(__bufsz); 427 replace_stdin(); 428 429 fread(__stack.__buf, __len, 1, stdin); 430 #undef BUF 431 432 } 433 434 ATF_TC_WITHOUT_HEAD(fread_heap_end); 435 ATF_TC_BODY(fread_heap_end, tc) 436 { 437 #define BUF __stack.__buf 438 struct { 439 uint8_t padding_l; 440 unsigned char * __buf; 441 uint8_t padding_r; 442 } __stack; 443 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 444 const size_t __len = 42; 445 const size_t __idx __unused = __len - 1; 446 447 __stack.__buf = malloc(__bufsz); 448 replace_stdin(); 449 450 fread(__stack.__buf, __len, 1, stdin); 451 #undef BUF 452 453 } 454 455 ATF_TC_WITHOUT_HEAD(fread_heap_after_end); 456 ATF_TC_BODY(fread_heap_after_end, tc) 457 { 458 #define BUF __stack.__buf 459 struct { 460 uint8_t padding_l; 461 unsigned char * __buf; 462 uint8_t padding_r; 463 } __stack; 464 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 465 const size_t __len = 42 + 1; 466 const size_t __idx __unused = __len - 1; 467 pid_t __child; 468 int __status; 469 470 __child = fork(); 471 ATF_REQUIRE(__child >= 0); 472 if (__child > 0) 473 goto monitor; 474 475 /* Child */ 476 disable_coredumps(); 477 __stack.__buf = malloc(__bufsz); 478 replace_stdin(); 479 480 fread(__stack.__buf, __len, 1, stdin); 481 _exit(EX_SOFTWARE); /* Should have aborted. */ 482 483 monitor: 484 while (waitpid(__child, &__status, 0) != __child) { 485 ATF_REQUIRE_EQ(EINTR, errno); 486 } 487 488 if (!WIFSIGNALED(__status)) { 489 switch (WEXITSTATUS(__status)) { 490 case EX_SOFTWARE: 491 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 492 break; 493 case EX_OSERR: 494 atf_tc_fail("setrlimit(2) failed"); 495 break; 496 default: 497 atf_tc_fail("child exited with status %d", 498 WEXITSTATUS(__status)); 499 } 500 } else { 501 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 502 } 503 #undef BUF 504 505 } 506 507 ATF_TC_WITHOUT_HEAD(fread_unlocked_before_end); 508 ATF_TC_BODY(fread_unlocked_before_end, tc) 509 { 510 #define BUF &__stack.__buf 511 struct { 512 uint8_t padding_l; 513 unsigned char __buf[42]; 514 uint8_t padding_r; 515 } __stack; 516 const size_t __bufsz __unused = sizeof(__stack.__buf); 517 const size_t __len = 42 - 1; 518 const size_t __idx __unused = __len - 1; 519 520 replace_stdin(); 521 522 fread_unlocked(__stack.__buf, __len, 1, stdin); 523 #undef BUF 524 525 } 526 527 ATF_TC_WITHOUT_HEAD(fread_unlocked_end); 528 ATF_TC_BODY(fread_unlocked_end, tc) 529 { 530 #define BUF &__stack.__buf 531 struct { 532 uint8_t padding_l; 533 unsigned char __buf[42]; 534 uint8_t padding_r; 535 } __stack; 536 const size_t __bufsz __unused = sizeof(__stack.__buf); 537 const size_t __len = 42; 538 const size_t __idx __unused = __len - 1; 539 540 replace_stdin(); 541 542 fread_unlocked(__stack.__buf, __len, 1, stdin); 543 #undef BUF 544 545 } 546 547 ATF_TC_WITHOUT_HEAD(fread_unlocked_heap_before_end); 548 ATF_TC_BODY(fread_unlocked_heap_before_end, tc) 549 { 550 #define BUF __stack.__buf 551 struct { 552 uint8_t padding_l; 553 unsigned char * __buf; 554 uint8_t padding_r; 555 } __stack; 556 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 557 const size_t __len = 42 - 1; 558 const size_t __idx __unused = __len - 1; 559 560 __stack.__buf = malloc(__bufsz); 561 replace_stdin(); 562 563 fread_unlocked(__stack.__buf, __len, 1, stdin); 564 #undef BUF 565 566 } 567 568 ATF_TC_WITHOUT_HEAD(fread_unlocked_heap_end); 569 ATF_TC_BODY(fread_unlocked_heap_end, tc) 570 { 571 #define BUF __stack.__buf 572 struct { 573 uint8_t padding_l; 574 unsigned char * __buf; 575 uint8_t padding_r; 576 } __stack; 577 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 578 const size_t __len = 42; 579 const size_t __idx __unused = __len - 1; 580 581 __stack.__buf = malloc(__bufsz); 582 replace_stdin(); 583 584 fread_unlocked(__stack.__buf, __len, 1, stdin); 585 #undef BUF 586 587 } 588 589 ATF_TC_WITHOUT_HEAD(fread_unlocked_heap_after_end); 590 ATF_TC_BODY(fread_unlocked_heap_after_end, tc) 591 { 592 #define BUF __stack.__buf 593 struct { 594 uint8_t padding_l; 595 unsigned char * __buf; 596 uint8_t padding_r; 597 } __stack; 598 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 599 const size_t __len = 42 + 1; 600 const size_t __idx __unused = __len - 1; 601 pid_t __child; 602 int __status; 603 604 __child = fork(); 605 ATF_REQUIRE(__child >= 0); 606 if (__child > 0) 607 goto monitor; 608 609 /* Child */ 610 disable_coredumps(); 611 __stack.__buf = malloc(__bufsz); 612 replace_stdin(); 613 614 fread_unlocked(__stack.__buf, __len, 1, stdin); 615 _exit(EX_SOFTWARE); /* Should have aborted. */ 616 617 monitor: 618 while (waitpid(__child, &__status, 0) != __child) { 619 ATF_REQUIRE_EQ(EINTR, errno); 620 } 621 622 if (!WIFSIGNALED(__status)) { 623 switch (WEXITSTATUS(__status)) { 624 case EX_SOFTWARE: 625 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 626 break; 627 case EX_OSERR: 628 atf_tc_fail("setrlimit(2) failed"); 629 break; 630 default: 631 atf_tc_fail("child exited with status %d", 632 WEXITSTATUS(__status)); 633 } 634 } else { 635 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 636 } 637 #undef BUF 638 639 } 640 641 ATF_TC_WITHOUT_HEAD(gets_s_before_end); 642 ATF_TC_BODY(gets_s_before_end, tc) 643 { 644 #define BUF &__stack.__buf 645 struct { 646 uint8_t padding_l; 647 unsigned char __buf[42]; 648 uint8_t padding_r; 649 } __stack; 650 const size_t __bufsz __unused = sizeof(__stack.__buf); 651 const size_t __len = 42 - 1; 652 const size_t __idx __unused = __len - 1; 653 654 replace_stdin(); 655 656 gets_s(__stack.__buf, __len); 657 #undef BUF 658 659 } 660 661 ATF_TC_WITHOUT_HEAD(gets_s_end); 662 ATF_TC_BODY(gets_s_end, tc) 663 { 664 #define BUF &__stack.__buf 665 struct { 666 uint8_t padding_l; 667 unsigned char __buf[42]; 668 uint8_t padding_r; 669 } __stack; 670 const size_t __bufsz __unused = sizeof(__stack.__buf); 671 const size_t __len = 42; 672 const size_t __idx __unused = __len - 1; 673 674 replace_stdin(); 675 676 gets_s(__stack.__buf, __len); 677 #undef BUF 678 679 } 680 681 ATF_TC_WITHOUT_HEAD(gets_s_heap_before_end); 682 ATF_TC_BODY(gets_s_heap_before_end, tc) 683 { 684 #define BUF __stack.__buf 685 struct { 686 uint8_t padding_l; 687 unsigned char * __buf; 688 uint8_t padding_r; 689 } __stack; 690 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 691 const size_t __len = 42 - 1; 692 const size_t __idx __unused = __len - 1; 693 694 __stack.__buf = malloc(__bufsz); 695 replace_stdin(); 696 697 gets_s(__stack.__buf, __len); 698 #undef BUF 699 700 } 701 702 ATF_TC_WITHOUT_HEAD(gets_s_heap_end); 703 ATF_TC_BODY(gets_s_heap_end, tc) 704 { 705 #define BUF __stack.__buf 706 struct { 707 uint8_t padding_l; 708 unsigned char * __buf; 709 uint8_t padding_r; 710 } __stack; 711 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 712 const size_t __len = 42; 713 const size_t __idx __unused = __len - 1; 714 715 __stack.__buf = malloc(__bufsz); 716 replace_stdin(); 717 718 gets_s(__stack.__buf, __len); 719 #undef BUF 720 721 } 722 723 ATF_TC_WITHOUT_HEAD(gets_s_heap_after_end); 724 ATF_TC_BODY(gets_s_heap_after_end, tc) 725 { 726 #define BUF __stack.__buf 727 struct { 728 uint8_t padding_l; 729 unsigned char * __buf; 730 uint8_t padding_r; 731 } __stack; 732 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 733 const size_t __len = 42 + 1; 734 const size_t __idx __unused = __len - 1; 735 pid_t __child; 736 int __status; 737 738 __child = fork(); 739 ATF_REQUIRE(__child >= 0); 740 if (__child > 0) 741 goto monitor; 742 743 /* Child */ 744 disable_coredumps(); 745 __stack.__buf = malloc(__bufsz); 746 replace_stdin(); 747 748 gets_s(__stack.__buf, __len); 749 _exit(EX_SOFTWARE); /* Should have aborted. */ 750 751 monitor: 752 while (waitpid(__child, &__status, 0) != __child) { 753 ATF_REQUIRE_EQ(EINTR, errno); 754 } 755 756 if (!WIFSIGNALED(__status)) { 757 switch (WEXITSTATUS(__status)) { 758 case EX_SOFTWARE: 759 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 760 break; 761 case EX_OSERR: 762 atf_tc_fail("setrlimit(2) failed"); 763 break; 764 default: 765 atf_tc_fail("child exited with status %d", 766 WEXITSTATUS(__status)); 767 } 768 } else { 769 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 770 } 771 #undef BUF 772 773 } 774 775 ATF_TC_WITHOUT_HEAD(sprintf_before_end); 776 ATF_TC_BODY(sprintf_before_end, tc) 777 { 778 #define BUF &__stack.__buf 779 struct { 780 uint8_t padding_l; 781 unsigned char __buf[42]; 782 uint8_t padding_r; 783 } __stack; 784 const size_t __bufsz __unused = sizeof(__stack.__buf); 785 const size_t __len = 42 - 1; 786 const size_t __idx __unused = __len - 1; 787 char srcvar[__len + 10]; 788 789 memset(srcvar, 'A', sizeof(srcvar) - 1); 790 srcvar[sizeof(srcvar) - 1] = '\0'; 791 792 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 793 #undef BUF 794 795 } 796 797 ATF_TC_WITHOUT_HEAD(sprintf_end); 798 ATF_TC_BODY(sprintf_end, tc) 799 { 800 #define BUF &__stack.__buf 801 struct { 802 uint8_t padding_l; 803 unsigned char __buf[42]; 804 uint8_t padding_r; 805 } __stack; 806 const size_t __bufsz __unused = sizeof(__stack.__buf); 807 const size_t __len = 42; 808 const size_t __idx __unused = __len - 1; 809 char srcvar[__len + 10]; 810 811 memset(srcvar, 'A', sizeof(srcvar) - 1); 812 srcvar[sizeof(srcvar) - 1] = '\0'; 813 814 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 815 #undef BUF 816 817 } 818 819 ATF_TC_WITHOUT_HEAD(sprintf_heap_before_end); 820 ATF_TC_BODY(sprintf_heap_before_end, tc) 821 { 822 #define BUF __stack.__buf 823 struct { 824 uint8_t padding_l; 825 unsigned char * __buf; 826 uint8_t padding_r; 827 } __stack; 828 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 829 const size_t __len = 42 - 1; 830 const size_t __idx __unused = __len - 1; 831 char srcvar[__len + 10]; 832 833 __stack.__buf = malloc(__bufsz); 834 memset(srcvar, 'A', sizeof(srcvar) - 1); 835 srcvar[sizeof(srcvar) - 1] = '\0'; 836 837 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 838 #undef BUF 839 840 } 841 842 ATF_TC_WITHOUT_HEAD(sprintf_heap_end); 843 ATF_TC_BODY(sprintf_heap_end, tc) 844 { 845 #define BUF __stack.__buf 846 struct { 847 uint8_t padding_l; 848 unsigned char * __buf; 849 uint8_t padding_r; 850 } __stack; 851 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 852 const size_t __len = 42; 853 const size_t __idx __unused = __len - 1; 854 char srcvar[__len + 10]; 855 856 __stack.__buf = malloc(__bufsz); 857 memset(srcvar, 'A', sizeof(srcvar) - 1); 858 srcvar[sizeof(srcvar) - 1] = '\0'; 859 860 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 861 #undef BUF 862 863 } 864 865 ATF_TC_WITHOUT_HEAD(sprintf_heap_after_end); 866 ATF_TC_BODY(sprintf_heap_after_end, tc) 867 { 868 #define BUF __stack.__buf 869 struct { 870 uint8_t padding_l; 871 unsigned char * __buf; 872 uint8_t padding_r; 873 } __stack; 874 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 875 const size_t __len = 42 + 1; 876 const size_t __idx __unused = __len - 1; 877 pid_t __child; 878 int __status; 879 char srcvar[__len + 10]; 880 881 __child = fork(); 882 ATF_REQUIRE(__child >= 0); 883 if (__child > 0) 884 goto monitor; 885 886 /* Child */ 887 disable_coredumps(); 888 __stack.__buf = malloc(__bufsz); 889 memset(srcvar, 'A', sizeof(srcvar) - 1); 890 srcvar[sizeof(srcvar) - 1] = '\0'; 891 892 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 893 _exit(EX_SOFTWARE); /* Should have aborted. */ 894 895 monitor: 896 while (waitpid(__child, &__status, 0) != __child) { 897 ATF_REQUIRE_EQ(EINTR, errno); 898 } 899 900 if (!WIFSIGNALED(__status)) { 901 switch (WEXITSTATUS(__status)) { 902 case EX_SOFTWARE: 903 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 904 break; 905 case EX_OSERR: 906 atf_tc_fail("setrlimit(2) failed"); 907 break; 908 default: 909 atf_tc_fail("child exited with status %d", 910 WEXITSTATUS(__status)); 911 } 912 } else { 913 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 914 } 915 #undef BUF 916 917 } 918 919 ATF_TC_WITHOUT_HEAD(snprintf_before_end); 920 ATF_TC_BODY(snprintf_before_end, tc) 921 { 922 #define BUF &__stack.__buf 923 struct { 924 uint8_t padding_l; 925 unsigned char __buf[42]; 926 uint8_t padding_r; 927 } __stack; 928 const size_t __bufsz __unused = sizeof(__stack.__buf); 929 const size_t __len = 42 - 1; 930 const size_t __idx __unused = __len - 1; 931 char srcvar[__len + 10]; 932 933 memset(srcvar, 'A', sizeof(srcvar) - 1); 934 srcvar[sizeof(srcvar) - 1] = '\0'; 935 936 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 937 #undef BUF 938 939 } 940 941 ATF_TC_WITHOUT_HEAD(snprintf_end); 942 ATF_TC_BODY(snprintf_end, tc) 943 { 944 #define BUF &__stack.__buf 945 struct { 946 uint8_t padding_l; 947 unsigned char __buf[42]; 948 uint8_t padding_r; 949 } __stack; 950 const size_t __bufsz __unused = sizeof(__stack.__buf); 951 const size_t __len = 42; 952 const size_t __idx __unused = __len - 1; 953 char srcvar[__len + 10]; 954 955 memset(srcvar, 'A', sizeof(srcvar) - 1); 956 srcvar[sizeof(srcvar) - 1] = '\0'; 957 958 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 959 #undef BUF 960 961 } 962 963 ATF_TC_WITHOUT_HEAD(snprintf_heap_before_end); 964 ATF_TC_BODY(snprintf_heap_before_end, tc) 965 { 966 #define BUF __stack.__buf 967 struct { 968 uint8_t padding_l; 969 unsigned char * __buf; 970 uint8_t padding_r; 971 } __stack; 972 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 973 const size_t __len = 42 - 1; 974 const size_t __idx __unused = __len - 1; 975 char srcvar[__len + 10]; 976 977 __stack.__buf = malloc(__bufsz); 978 memset(srcvar, 'A', sizeof(srcvar) - 1); 979 srcvar[sizeof(srcvar) - 1] = '\0'; 980 981 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 982 #undef BUF 983 984 } 985 986 ATF_TC_WITHOUT_HEAD(snprintf_heap_end); 987 ATF_TC_BODY(snprintf_heap_end, tc) 988 { 989 #define BUF __stack.__buf 990 struct { 991 uint8_t padding_l; 992 unsigned char * __buf; 993 uint8_t padding_r; 994 } __stack; 995 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 996 const size_t __len = 42; 997 const size_t __idx __unused = __len - 1; 998 char srcvar[__len + 10]; 999 1000 __stack.__buf = malloc(__bufsz); 1001 memset(srcvar, 'A', sizeof(srcvar) - 1); 1002 srcvar[sizeof(srcvar) - 1] = '\0'; 1003 1004 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 1005 #undef BUF 1006 1007 } 1008 1009 ATF_TC_WITHOUT_HEAD(snprintf_heap_after_end); 1010 ATF_TC_BODY(snprintf_heap_after_end, tc) 1011 { 1012 #define BUF __stack.__buf 1013 struct { 1014 uint8_t padding_l; 1015 unsigned char * __buf; 1016 uint8_t padding_r; 1017 } __stack; 1018 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1019 const size_t __len = 42 + 1; 1020 const size_t __idx __unused = __len - 1; 1021 pid_t __child; 1022 int __status; 1023 char srcvar[__len + 10]; 1024 1025 __child = fork(); 1026 ATF_REQUIRE(__child >= 0); 1027 if (__child > 0) 1028 goto monitor; 1029 1030 /* Child */ 1031 disable_coredumps(); 1032 __stack.__buf = malloc(__bufsz); 1033 memset(srcvar, 'A', sizeof(srcvar) - 1); 1034 srcvar[sizeof(srcvar) - 1] = '\0'; 1035 1036 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 1037 _exit(EX_SOFTWARE); /* Should have aborted. */ 1038 1039 monitor: 1040 while (waitpid(__child, &__status, 0) != __child) { 1041 ATF_REQUIRE_EQ(EINTR, errno); 1042 } 1043 1044 if (!WIFSIGNALED(__status)) { 1045 switch (WEXITSTATUS(__status)) { 1046 case EX_SOFTWARE: 1047 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1048 break; 1049 case EX_OSERR: 1050 atf_tc_fail("setrlimit(2) failed"); 1051 break; 1052 default: 1053 atf_tc_fail("child exited with status %d", 1054 WEXITSTATUS(__status)); 1055 } 1056 } else { 1057 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1058 } 1059 #undef BUF 1060 1061 } 1062 1063 ATF_TC_WITHOUT_HEAD(tmpnam_before_end); 1064 ATF_TC_BODY(tmpnam_before_end, tc) 1065 { 1066 #define BUF &__stack.__buf 1067 struct { 1068 uint8_t padding_l; 1069 unsigned char __buf[L_tmpnam + 1]; 1070 uint8_t padding_r; 1071 } __stack; 1072 const size_t __bufsz __unused = sizeof(__stack.__buf); 1073 const size_t __len = L_tmpnam + 1; 1074 const size_t __idx __unused = __len - 1; 1075 1076 tmpnam(__stack.__buf); 1077 #undef BUF 1078 1079 } 1080 1081 ATF_TC_WITHOUT_HEAD(tmpnam_end); 1082 ATF_TC_BODY(tmpnam_end, tc) 1083 { 1084 #define BUF &__stack.__buf 1085 struct { 1086 uint8_t padding_l; 1087 unsigned char __buf[L_tmpnam]; 1088 uint8_t padding_r; 1089 } __stack; 1090 const size_t __bufsz __unused = sizeof(__stack.__buf); 1091 const size_t __len = L_tmpnam; 1092 const size_t __idx __unused = __len - 1; 1093 1094 tmpnam(__stack.__buf); 1095 #undef BUF 1096 1097 } 1098 1099 ATF_TC_WITHOUT_HEAD(tmpnam_heap_before_end); 1100 ATF_TC_BODY(tmpnam_heap_before_end, tc) 1101 { 1102 #define BUF __stack.__buf 1103 struct { 1104 uint8_t padding_l; 1105 unsigned char * __buf; 1106 uint8_t padding_r; 1107 } __stack; 1108 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_tmpnam + 1); 1109 const size_t __len = L_tmpnam + 1; 1110 const size_t __idx __unused = __len - 1; 1111 1112 __stack.__buf = malloc(__bufsz); 1113 1114 tmpnam(__stack.__buf); 1115 #undef BUF 1116 1117 } 1118 1119 ATF_TC_WITHOUT_HEAD(tmpnam_heap_end); 1120 ATF_TC_BODY(tmpnam_heap_end, tc) 1121 { 1122 #define BUF __stack.__buf 1123 struct { 1124 uint8_t padding_l; 1125 unsigned char * __buf; 1126 uint8_t padding_r; 1127 } __stack; 1128 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_tmpnam); 1129 const size_t __len = L_tmpnam; 1130 const size_t __idx __unused = __len - 1; 1131 1132 __stack.__buf = malloc(__bufsz); 1133 1134 tmpnam(__stack.__buf); 1135 #undef BUF 1136 1137 } 1138 1139 ATF_TC_WITHOUT_HEAD(tmpnam_heap_after_end); 1140 ATF_TC_BODY(tmpnam_heap_after_end, tc) 1141 { 1142 #define BUF __stack.__buf 1143 struct { 1144 uint8_t padding_l; 1145 unsigned char * __buf; 1146 uint8_t padding_r; 1147 } __stack; 1148 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_tmpnam - 1); 1149 const size_t __len = L_tmpnam - 1; 1150 const size_t __idx __unused = __len - 1; 1151 pid_t __child; 1152 int __status; 1153 1154 __child = fork(); 1155 ATF_REQUIRE(__child >= 0); 1156 if (__child > 0) 1157 goto monitor; 1158 1159 /* Child */ 1160 disable_coredumps(); 1161 __stack.__buf = malloc(__bufsz); 1162 1163 tmpnam(__stack.__buf); 1164 _exit(EX_SOFTWARE); /* Should have aborted. */ 1165 1166 monitor: 1167 while (waitpid(__child, &__status, 0) != __child) { 1168 ATF_REQUIRE_EQ(EINTR, errno); 1169 } 1170 1171 if (!WIFSIGNALED(__status)) { 1172 switch (WEXITSTATUS(__status)) { 1173 case EX_SOFTWARE: 1174 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1175 break; 1176 case EX_OSERR: 1177 atf_tc_fail("setrlimit(2) failed"); 1178 break; 1179 default: 1180 atf_tc_fail("child exited with status %d", 1181 WEXITSTATUS(__status)); 1182 } 1183 } else { 1184 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1185 } 1186 #undef BUF 1187 1188 } 1189 1190 ATF_TC_WITHOUT_HEAD(fgets_before_end); 1191 ATF_TC_BODY(fgets_before_end, tc) 1192 { 1193 #define BUF &__stack.__buf 1194 struct { 1195 uint8_t padding_l; 1196 unsigned char __buf[42]; 1197 uint8_t padding_r; 1198 } __stack; 1199 const size_t __bufsz __unused = sizeof(__stack.__buf); 1200 const size_t __len = 42 - 1; 1201 const size_t __idx __unused = __len - 1; 1202 FILE *fp; 1203 1204 fp = new_fp(__len); 1205 1206 fgets(__stack.__buf, __len, fp); 1207 #undef BUF 1208 1209 } 1210 1211 ATF_TC_WITHOUT_HEAD(fgets_end); 1212 ATF_TC_BODY(fgets_end, tc) 1213 { 1214 #define BUF &__stack.__buf 1215 struct { 1216 uint8_t padding_l; 1217 unsigned char __buf[42]; 1218 uint8_t padding_r; 1219 } __stack; 1220 const size_t __bufsz __unused = sizeof(__stack.__buf); 1221 const size_t __len = 42; 1222 const size_t __idx __unused = __len - 1; 1223 FILE *fp; 1224 1225 fp = new_fp(__len); 1226 1227 fgets(__stack.__buf, __len, fp); 1228 #undef BUF 1229 1230 } 1231 1232 ATF_TC_WITHOUT_HEAD(fgets_heap_before_end); 1233 ATF_TC_BODY(fgets_heap_before_end, tc) 1234 { 1235 #define BUF __stack.__buf 1236 struct { 1237 uint8_t padding_l; 1238 unsigned char * __buf; 1239 uint8_t padding_r; 1240 } __stack; 1241 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1242 const size_t __len = 42 - 1; 1243 const size_t __idx __unused = __len - 1; 1244 FILE *fp; 1245 1246 __stack.__buf = malloc(__bufsz); 1247 fp = new_fp(__len); 1248 1249 fgets(__stack.__buf, __len, fp); 1250 #undef BUF 1251 1252 } 1253 1254 ATF_TC_WITHOUT_HEAD(fgets_heap_end); 1255 ATF_TC_BODY(fgets_heap_end, tc) 1256 { 1257 #define BUF __stack.__buf 1258 struct { 1259 uint8_t padding_l; 1260 unsigned char * __buf; 1261 uint8_t padding_r; 1262 } __stack; 1263 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1264 const size_t __len = 42; 1265 const size_t __idx __unused = __len - 1; 1266 FILE *fp; 1267 1268 __stack.__buf = malloc(__bufsz); 1269 fp = new_fp(__len); 1270 1271 fgets(__stack.__buf, __len, fp); 1272 #undef BUF 1273 1274 } 1275 1276 ATF_TC_WITHOUT_HEAD(fgets_heap_after_end); 1277 ATF_TC_BODY(fgets_heap_after_end, tc) 1278 { 1279 #define BUF __stack.__buf 1280 struct { 1281 uint8_t padding_l; 1282 unsigned char * __buf; 1283 uint8_t padding_r; 1284 } __stack; 1285 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1286 const size_t __len = 42 + 1; 1287 const size_t __idx __unused = __len - 1; 1288 pid_t __child; 1289 int __status; 1290 FILE *fp; 1291 1292 __child = fork(); 1293 ATF_REQUIRE(__child >= 0); 1294 if (__child > 0) 1295 goto monitor; 1296 1297 /* Child */ 1298 disable_coredumps(); 1299 __stack.__buf = malloc(__bufsz); 1300 fp = new_fp(__len); 1301 1302 fgets(__stack.__buf, __len, fp); 1303 _exit(EX_SOFTWARE); /* Should have aborted. */ 1304 1305 monitor: 1306 while (waitpid(__child, &__status, 0) != __child) { 1307 ATF_REQUIRE_EQ(EINTR, errno); 1308 } 1309 1310 if (!WIFSIGNALED(__status)) { 1311 switch (WEXITSTATUS(__status)) { 1312 case EX_SOFTWARE: 1313 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1314 break; 1315 case EX_OSERR: 1316 atf_tc_fail("setrlimit(2) failed"); 1317 break; 1318 default: 1319 atf_tc_fail("child exited with status %d", 1320 WEXITSTATUS(__status)); 1321 } 1322 } else { 1323 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1324 } 1325 #undef BUF 1326 1327 } 1328 1329 ATF_TP_ADD_TCS(tp) 1330 { 1331 ATF_TP_ADD_TC(tp, ctermid_before_end); 1332 ATF_TP_ADD_TC(tp, ctermid_end); 1333 ATF_TP_ADD_TC(tp, ctermid_heap_before_end); 1334 ATF_TP_ADD_TC(tp, ctermid_heap_end); 1335 ATF_TP_ADD_TC(tp, ctermid_heap_after_end); 1336 ATF_TP_ADD_TC(tp, ctermid_r_before_end); 1337 ATF_TP_ADD_TC(tp, ctermid_r_end); 1338 ATF_TP_ADD_TC(tp, ctermid_r_heap_before_end); 1339 ATF_TP_ADD_TC(tp, ctermid_r_heap_end); 1340 ATF_TP_ADD_TC(tp, ctermid_r_heap_after_end); 1341 ATF_TP_ADD_TC(tp, fread_before_end); 1342 ATF_TP_ADD_TC(tp, fread_end); 1343 ATF_TP_ADD_TC(tp, fread_heap_before_end); 1344 ATF_TP_ADD_TC(tp, fread_heap_end); 1345 ATF_TP_ADD_TC(tp, fread_heap_after_end); 1346 ATF_TP_ADD_TC(tp, fread_unlocked_before_end); 1347 ATF_TP_ADD_TC(tp, fread_unlocked_end); 1348 ATF_TP_ADD_TC(tp, fread_unlocked_heap_before_end); 1349 ATF_TP_ADD_TC(tp, fread_unlocked_heap_end); 1350 ATF_TP_ADD_TC(tp, fread_unlocked_heap_after_end); 1351 ATF_TP_ADD_TC(tp, gets_s_before_end); 1352 ATF_TP_ADD_TC(tp, gets_s_end); 1353 ATF_TP_ADD_TC(tp, gets_s_heap_before_end); 1354 ATF_TP_ADD_TC(tp, gets_s_heap_end); 1355 ATF_TP_ADD_TC(tp, gets_s_heap_after_end); 1356 ATF_TP_ADD_TC(tp, sprintf_before_end); 1357 ATF_TP_ADD_TC(tp, sprintf_end); 1358 ATF_TP_ADD_TC(tp, sprintf_heap_before_end); 1359 ATF_TP_ADD_TC(tp, sprintf_heap_end); 1360 ATF_TP_ADD_TC(tp, sprintf_heap_after_end); 1361 ATF_TP_ADD_TC(tp, snprintf_before_end); 1362 ATF_TP_ADD_TC(tp, snprintf_end); 1363 ATF_TP_ADD_TC(tp, snprintf_heap_before_end); 1364 ATF_TP_ADD_TC(tp, snprintf_heap_end); 1365 ATF_TP_ADD_TC(tp, snprintf_heap_after_end); 1366 ATF_TP_ADD_TC(tp, tmpnam_before_end); 1367 ATF_TP_ADD_TC(tp, tmpnam_end); 1368 ATF_TP_ADD_TC(tp, tmpnam_heap_before_end); 1369 ATF_TP_ADD_TC(tp, tmpnam_heap_end); 1370 ATF_TP_ADD_TC(tp, tmpnam_heap_after_end); 1371 ATF_TP_ADD_TC(tp, fgets_before_end); 1372 ATF_TP_ADD_TC(tp, fgets_end); 1373 ATF_TP_ADD_TC(tp, fgets_heap_before_end); 1374 ATF_TP_ADD_TC(tp, fgets_heap_end); 1375 ATF_TP_ADD_TC(tp, fgets_heap_after_end); 1376 return (atf_no_error()); 1377 } 1378