1 /* @generated by `generate-fortify-tests.lua "stdio"` */ 2 3 #define _FORTIFY_SOURCE 2 4 #define TMPFILE_SIZE (1024 * 32) 5 6 #include <sys/param.h> 7 #include <sys/resource.h> 8 #include <sys/time.h> 9 #include <sys/wait.h> 10 #include <dirent.h> 11 #include <errno.h> 12 #include <fcntl.h> 13 #include <limits.h> 14 #include <poll.h> 15 #include <signal.h> 16 #include <stdio.h> 17 #include <stdlib.h> 18 #include <string.h> 19 #include <strings.h> 20 #include <sysexits.h> 21 #include <unistd.h> 22 #include <atf-c.h> 23 24 static FILE * __unused 25 new_fp(size_t __len) 26 { 27 static char fpbuf[LINE_MAX]; 28 FILE *fp; 29 30 ATF_REQUIRE(__len <= sizeof(fpbuf)); 31 32 memset(fpbuf, 'A', sizeof(fpbuf) - 1); 33 fpbuf[sizeof(fpbuf) - 1] = '\0'; 34 35 fp = fmemopen(fpbuf, sizeof(fpbuf), "rb"); 36 ATF_REQUIRE(fp != NULL); 37 38 return (fp); 39 } 40 41 /* 42 * Create a new symlink to use for readlink(2) style tests, we'll just use a 43 * random target name to have something interesting to look at. 44 */ 45 static const char * __unused 46 new_symlink(size_t __len) 47 { 48 static const char linkname[] = "link"; 49 char target[MAXNAMLEN]; 50 int error; 51 52 ATF_REQUIRE(__len <= sizeof(target)); 53 54 arc4random_buf(target, sizeof(target)); 55 56 error = unlink(linkname); 57 ATF_REQUIRE(error == 0 || errno == ENOENT); 58 59 error = symlink(target, linkname); 60 ATF_REQUIRE(error == 0); 61 62 return (linkname); 63 } 64 65 /* 66 * Constructs a tmpfile that we can use for testing read(2) and friends. 67 */ 68 static int __unused 69 new_tmpfile(void) 70 { 71 char buf[1024]; 72 ssize_t rv; 73 size_t written; 74 int fd; 75 76 fd = open("tmpfile", O_RDWR | O_CREAT | O_TRUNC, 0644); 77 ATF_REQUIRE(fd >= 0); 78 79 written = 0; 80 while (written < TMPFILE_SIZE) { 81 rv = write(fd, buf, sizeof(buf)); 82 ATF_REQUIRE(rv > 0); 83 84 written += rv; 85 } 86 87 ATF_REQUIRE_EQ(0, lseek(fd, 0, SEEK_SET)); 88 return (fd); 89 } 90 91 static void 92 disable_coredumps(void) 93 { 94 struct rlimit rl = { 0 }; 95 96 if (setrlimit(RLIMIT_CORE, &rl) == -1) 97 _exit(EX_OSERR); 98 } 99 100 /* 101 * Replaces stdin with a file that we can actually read from, for tests where 102 * we want a FILE * or fd that we can get data from. 103 */ 104 static void __unused 105 replace_stdin(void) 106 { 107 int fd; 108 109 fd = new_tmpfile(); 110 111 (void)dup2(fd, STDIN_FILENO); 112 if (fd != STDIN_FILENO) 113 close(fd); 114 } 115 116 ATF_TC_WITHOUT_HEAD(ctermid_before_end); 117 ATF_TC_BODY(ctermid_before_end, tc) 118 { 119 #define BUF &__stack.__buf 120 struct { 121 uint8_t padding_l; 122 unsigned char __buf[L_ctermid + 1]; 123 uint8_t padding_r; 124 } __stack; 125 const size_t __bufsz __unused = sizeof(__stack.__buf); 126 const size_t __len = L_ctermid + 1; 127 const size_t __idx __unused = __len - 1; 128 129 ctermid(__stack.__buf); 130 #undef BUF 131 132 } 133 134 ATF_TC_WITHOUT_HEAD(ctermid_end); 135 ATF_TC_BODY(ctermid_end, tc) 136 { 137 #define BUF &__stack.__buf 138 struct { 139 uint8_t padding_l; 140 unsigned char __buf[L_ctermid]; 141 uint8_t padding_r; 142 } __stack; 143 const size_t __bufsz __unused = sizeof(__stack.__buf); 144 const size_t __len = L_ctermid; 145 const size_t __idx __unused = __len - 1; 146 147 ctermid(__stack.__buf); 148 #undef BUF 149 150 } 151 152 ATF_TC_WITHOUT_HEAD(ctermid_heap_before_end); 153 ATF_TC_BODY(ctermid_heap_before_end, tc) 154 { 155 #define BUF __stack.__buf 156 struct { 157 uint8_t padding_l; 158 unsigned char * __buf; 159 uint8_t padding_r; 160 } __stack; 161 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid + 1); 162 const size_t __len = L_ctermid + 1; 163 const size_t __idx __unused = __len - 1; 164 165 __stack.__buf = malloc(__bufsz); 166 167 ctermid(__stack.__buf); 168 #undef BUF 169 170 } 171 172 ATF_TC_WITHOUT_HEAD(ctermid_heap_end); 173 ATF_TC_BODY(ctermid_heap_end, tc) 174 { 175 #define BUF __stack.__buf 176 struct { 177 uint8_t padding_l; 178 unsigned char * __buf; 179 uint8_t padding_r; 180 } __stack; 181 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid); 182 const size_t __len = L_ctermid; 183 const size_t __idx __unused = __len - 1; 184 185 __stack.__buf = malloc(__bufsz); 186 187 ctermid(__stack.__buf); 188 #undef BUF 189 190 } 191 192 ATF_TC_WITHOUT_HEAD(ctermid_heap_after_end); 193 ATF_TC_BODY(ctermid_heap_after_end, tc) 194 { 195 #define BUF __stack.__buf 196 struct { 197 uint8_t padding_l; 198 unsigned char * __buf; 199 uint8_t padding_r; 200 } __stack; 201 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid - 1); 202 const size_t __len = L_ctermid - 1; 203 const size_t __idx __unused = __len - 1; 204 pid_t __child; 205 int __status; 206 207 __child = fork(); 208 ATF_REQUIRE(__child >= 0); 209 if (__child > 0) 210 goto monitor; 211 212 /* Child */ 213 disable_coredumps(); 214 __stack.__buf = malloc(__bufsz); 215 216 ctermid(__stack.__buf); 217 _exit(EX_SOFTWARE); /* Should have aborted. */ 218 219 monitor: 220 while (waitpid(__child, &__status, 0) != __child) { 221 ATF_REQUIRE_EQ(EINTR, errno); 222 } 223 224 if (!WIFSIGNALED(__status)) { 225 switch (WEXITSTATUS(__status)) { 226 case EX_SOFTWARE: 227 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 228 break; 229 case EX_OSERR: 230 atf_tc_fail("setrlimit(2) failed"); 231 break; 232 default: 233 atf_tc_fail("child exited with status %d", 234 WEXITSTATUS(__status)); 235 } 236 } else { 237 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 238 } 239 #undef BUF 240 241 } 242 243 ATF_TC_WITHOUT_HEAD(ctermid_r_before_end); 244 ATF_TC_BODY(ctermid_r_before_end, tc) 245 { 246 #define BUF &__stack.__buf 247 struct { 248 uint8_t padding_l; 249 unsigned char __buf[L_ctermid + 1]; 250 uint8_t padding_r; 251 } __stack; 252 const size_t __bufsz __unused = sizeof(__stack.__buf); 253 const size_t __len = L_ctermid + 1; 254 const size_t __idx __unused = __len - 1; 255 256 ctermid_r(__stack.__buf); 257 #undef BUF 258 259 } 260 261 ATF_TC_WITHOUT_HEAD(ctermid_r_end); 262 ATF_TC_BODY(ctermid_r_end, tc) 263 { 264 #define BUF &__stack.__buf 265 struct { 266 uint8_t padding_l; 267 unsigned char __buf[L_ctermid]; 268 uint8_t padding_r; 269 } __stack; 270 const size_t __bufsz __unused = sizeof(__stack.__buf); 271 const size_t __len = L_ctermid; 272 const size_t __idx __unused = __len - 1; 273 274 ctermid_r(__stack.__buf); 275 #undef BUF 276 277 } 278 279 ATF_TC_WITHOUT_HEAD(ctermid_r_heap_before_end); 280 ATF_TC_BODY(ctermid_r_heap_before_end, tc) 281 { 282 #define BUF __stack.__buf 283 struct { 284 uint8_t padding_l; 285 unsigned char * __buf; 286 uint8_t padding_r; 287 } __stack; 288 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid + 1); 289 const size_t __len = L_ctermid + 1; 290 const size_t __idx __unused = __len - 1; 291 292 __stack.__buf = malloc(__bufsz); 293 294 ctermid_r(__stack.__buf); 295 #undef BUF 296 297 } 298 299 ATF_TC_WITHOUT_HEAD(ctermid_r_heap_end); 300 ATF_TC_BODY(ctermid_r_heap_end, tc) 301 { 302 #define BUF __stack.__buf 303 struct { 304 uint8_t padding_l; 305 unsigned char * __buf; 306 uint8_t padding_r; 307 } __stack; 308 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid); 309 const size_t __len = L_ctermid; 310 const size_t __idx __unused = __len - 1; 311 312 __stack.__buf = malloc(__bufsz); 313 314 ctermid_r(__stack.__buf); 315 #undef BUF 316 317 } 318 319 ATF_TC_WITHOUT_HEAD(ctermid_r_heap_after_end); 320 ATF_TC_BODY(ctermid_r_heap_after_end, tc) 321 { 322 #define BUF __stack.__buf 323 struct { 324 uint8_t padding_l; 325 unsigned char * __buf; 326 uint8_t padding_r; 327 } __stack; 328 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid - 1); 329 const size_t __len = L_ctermid - 1; 330 const size_t __idx __unused = __len - 1; 331 pid_t __child; 332 int __status; 333 334 __child = fork(); 335 ATF_REQUIRE(__child >= 0); 336 if (__child > 0) 337 goto monitor; 338 339 /* Child */ 340 disable_coredumps(); 341 __stack.__buf = malloc(__bufsz); 342 343 ctermid_r(__stack.__buf); 344 _exit(EX_SOFTWARE); /* Should have aborted. */ 345 346 monitor: 347 while (waitpid(__child, &__status, 0) != __child) { 348 ATF_REQUIRE_EQ(EINTR, errno); 349 } 350 351 if (!WIFSIGNALED(__status)) { 352 switch (WEXITSTATUS(__status)) { 353 case EX_SOFTWARE: 354 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 355 break; 356 case EX_OSERR: 357 atf_tc_fail("setrlimit(2) failed"); 358 break; 359 default: 360 atf_tc_fail("child exited with status %d", 361 WEXITSTATUS(__status)); 362 } 363 } else { 364 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 365 } 366 #undef BUF 367 368 } 369 370 ATF_TC_WITHOUT_HEAD(fread_before_end); 371 ATF_TC_BODY(fread_before_end, tc) 372 { 373 #define BUF &__stack.__buf 374 struct { 375 uint8_t padding_l; 376 unsigned char __buf[42]; 377 uint8_t padding_r; 378 } __stack; 379 const size_t __bufsz __unused = sizeof(__stack.__buf); 380 const size_t __len = 42 - 1; 381 const size_t __idx __unused = __len - 1; 382 383 replace_stdin(); 384 385 fread(__stack.__buf, __len, 1, stdin); 386 #undef BUF 387 388 } 389 390 ATF_TC_WITHOUT_HEAD(fread_end); 391 ATF_TC_BODY(fread_end, tc) 392 { 393 #define BUF &__stack.__buf 394 struct { 395 uint8_t padding_l; 396 unsigned char __buf[42]; 397 uint8_t padding_r; 398 } __stack; 399 const size_t __bufsz __unused = sizeof(__stack.__buf); 400 const size_t __len = 42; 401 const size_t __idx __unused = __len - 1; 402 403 replace_stdin(); 404 405 fread(__stack.__buf, __len, 1, stdin); 406 #undef BUF 407 408 } 409 410 ATF_TC_WITHOUT_HEAD(fread_heap_before_end); 411 ATF_TC_BODY(fread_heap_before_end, tc) 412 { 413 #define BUF __stack.__buf 414 struct { 415 uint8_t padding_l; 416 unsigned char * __buf; 417 uint8_t padding_r; 418 } __stack; 419 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 420 const size_t __len = 42 - 1; 421 const size_t __idx __unused = __len - 1; 422 423 __stack.__buf = malloc(__bufsz); 424 replace_stdin(); 425 426 fread(__stack.__buf, __len, 1, stdin); 427 #undef BUF 428 429 } 430 431 ATF_TC_WITHOUT_HEAD(fread_heap_end); 432 ATF_TC_BODY(fread_heap_end, tc) 433 { 434 #define BUF __stack.__buf 435 struct { 436 uint8_t padding_l; 437 unsigned char * __buf; 438 uint8_t padding_r; 439 } __stack; 440 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 441 const size_t __len = 42; 442 const size_t __idx __unused = __len - 1; 443 444 __stack.__buf = malloc(__bufsz); 445 replace_stdin(); 446 447 fread(__stack.__buf, __len, 1, stdin); 448 #undef BUF 449 450 } 451 452 ATF_TC_WITHOUT_HEAD(fread_heap_after_end); 453 ATF_TC_BODY(fread_heap_after_end, tc) 454 { 455 #define BUF __stack.__buf 456 struct { 457 uint8_t padding_l; 458 unsigned char * __buf; 459 uint8_t padding_r; 460 } __stack; 461 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 462 const size_t __len = 42 + 1; 463 const size_t __idx __unused = __len - 1; 464 pid_t __child; 465 int __status; 466 467 __child = fork(); 468 ATF_REQUIRE(__child >= 0); 469 if (__child > 0) 470 goto monitor; 471 472 /* Child */ 473 disable_coredumps(); 474 __stack.__buf = malloc(__bufsz); 475 replace_stdin(); 476 477 fread(__stack.__buf, __len, 1, stdin); 478 _exit(EX_SOFTWARE); /* Should have aborted. */ 479 480 monitor: 481 while (waitpid(__child, &__status, 0) != __child) { 482 ATF_REQUIRE_EQ(EINTR, errno); 483 } 484 485 if (!WIFSIGNALED(__status)) { 486 switch (WEXITSTATUS(__status)) { 487 case EX_SOFTWARE: 488 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 489 break; 490 case EX_OSERR: 491 atf_tc_fail("setrlimit(2) failed"); 492 break; 493 default: 494 atf_tc_fail("child exited with status %d", 495 WEXITSTATUS(__status)); 496 } 497 } else { 498 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 499 } 500 #undef BUF 501 502 } 503 504 ATF_TC_WITHOUT_HEAD(fread_unlocked_before_end); 505 ATF_TC_BODY(fread_unlocked_before_end, tc) 506 { 507 #define BUF &__stack.__buf 508 struct { 509 uint8_t padding_l; 510 unsigned char __buf[42]; 511 uint8_t padding_r; 512 } __stack; 513 const size_t __bufsz __unused = sizeof(__stack.__buf); 514 const size_t __len = 42 - 1; 515 const size_t __idx __unused = __len - 1; 516 517 replace_stdin(); 518 519 fread_unlocked(__stack.__buf, __len, 1, stdin); 520 #undef BUF 521 522 } 523 524 ATF_TC_WITHOUT_HEAD(fread_unlocked_end); 525 ATF_TC_BODY(fread_unlocked_end, tc) 526 { 527 #define BUF &__stack.__buf 528 struct { 529 uint8_t padding_l; 530 unsigned char __buf[42]; 531 uint8_t padding_r; 532 } __stack; 533 const size_t __bufsz __unused = sizeof(__stack.__buf); 534 const size_t __len = 42; 535 const size_t __idx __unused = __len - 1; 536 537 replace_stdin(); 538 539 fread_unlocked(__stack.__buf, __len, 1, stdin); 540 #undef BUF 541 542 } 543 544 ATF_TC_WITHOUT_HEAD(fread_unlocked_heap_before_end); 545 ATF_TC_BODY(fread_unlocked_heap_before_end, tc) 546 { 547 #define BUF __stack.__buf 548 struct { 549 uint8_t padding_l; 550 unsigned char * __buf; 551 uint8_t padding_r; 552 } __stack; 553 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 554 const size_t __len = 42 - 1; 555 const size_t __idx __unused = __len - 1; 556 557 __stack.__buf = malloc(__bufsz); 558 replace_stdin(); 559 560 fread_unlocked(__stack.__buf, __len, 1, stdin); 561 #undef BUF 562 563 } 564 565 ATF_TC_WITHOUT_HEAD(fread_unlocked_heap_end); 566 ATF_TC_BODY(fread_unlocked_heap_end, tc) 567 { 568 #define BUF __stack.__buf 569 struct { 570 uint8_t padding_l; 571 unsigned char * __buf; 572 uint8_t padding_r; 573 } __stack; 574 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 575 const size_t __len = 42; 576 const size_t __idx __unused = __len - 1; 577 578 __stack.__buf = malloc(__bufsz); 579 replace_stdin(); 580 581 fread_unlocked(__stack.__buf, __len, 1, stdin); 582 #undef BUF 583 584 } 585 586 ATF_TC_WITHOUT_HEAD(fread_unlocked_heap_after_end); 587 ATF_TC_BODY(fread_unlocked_heap_after_end, tc) 588 { 589 #define BUF __stack.__buf 590 struct { 591 uint8_t padding_l; 592 unsigned char * __buf; 593 uint8_t padding_r; 594 } __stack; 595 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 596 const size_t __len = 42 + 1; 597 const size_t __idx __unused = __len - 1; 598 pid_t __child; 599 int __status; 600 601 __child = fork(); 602 ATF_REQUIRE(__child >= 0); 603 if (__child > 0) 604 goto monitor; 605 606 /* Child */ 607 disable_coredumps(); 608 __stack.__buf = malloc(__bufsz); 609 replace_stdin(); 610 611 fread_unlocked(__stack.__buf, __len, 1, stdin); 612 _exit(EX_SOFTWARE); /* Should have aborted. */ 613 614 monitor: 615 while (waitpid(__child, &__status, 0) != __child) { 616 ATF_REQUIRE_EQ(EINTR, errno); 617 } 618 619 if (!WIFSIGNALED(__status)) { 620 switch (WEXITSTATUS(__status)) { 621 case EX_SOFTWARE: 622 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 623 break; 624 case EX_OSERR: 625 atf_tc_fail("setrlimit(2) failed"); 626 break; 627 default: 628 atf_tc_fail("child exited with status %d", 629 WEXITSTATUS(__status)); 630 } 631 } else { 632 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 633 } 634 #undef BUF 635 636 } 637 638 ATF_TC_WITHOUT_HEAD(gets_s_before_end); 639 ATF_TC_BODY(gets_s_before_end, tc) 640 { 641 #define BUF &__stack.__buf 642 struct { 643 uint8_t padding_l; 644 unsigned char __buf[42]; 645 uint8_t padding_r; 646 } __stack; 647 const size_t __bufsz __unused = sizeof(__stack.__buf); 648 const size_t __len = 42 - 1; 649 const size_t __idx __unused = __len - 1; 650 651 replace_stdin(); 652 653 gets_s(__stack.__buf, __len); 654 #undef BUF 655 656 } 657 658 ATF_TC_WITHOUT_HEAD(gets_s_end); 659 ATF_TC_BODY(gets_s_end, tc) 660 { 661 #define BUF &__stack.__buf 662 struct { 663 uint8_t padding_l; 664 unsigned char __buf[42]; 665 uint8_t padding_r; 666 } __stack; 667 const size_t __bufsz __unused = sizeof(__stack.__buf); 668 const size_t __len = 42; 669 const size_t __idx __unused = __len - 1; 670 671 replace_stdin(); 672 673 gets_s(__stack.__buf, __len); 674 #undef BUF 675 676 } 677 678 ATF_TC_WITHOUT_HEAD(gets_s_heap_before_end); 679 ATF_TC_BODY(gets_s_heap_before_end, tc) 680 { 681 #define BUF __stack.__buf 682 struct { 683 uint8_t padding_l; 684 unsigned char * __buf; 685 uint8_t padding_r; 686 } __stack; 687 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 688 const size_t __len = 42 - 1; 689 const size_t __idx __unused = __len - 1; 690 691 __stack.__buf = malloc(__bufsz); 692 replace_stdin(); 693 694 gets_s(__stack.__buf, __len); 695 #undef BUF 696 697 } 698 699 ATF_TC_WITHOUT_HEAD(gets_s_heap_end); 700 ATF_TC_BODY(gets_s_heap_end, tc) 701 { 702 #define BUF __stack.__buf 703 struct { 704 uint8_t padding_l; 705 unsigned char * __buf; 706 uint8_t padding_r; 707 } __stack; 708 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 709 const size_t __len = 42; 710 const size_t __idx __unused = __len - 1; 711 712 __stack.__buf = malloc(__bufsz); 713 replace_stdin(); 714 715 gets_s(__stack.__buf, __len); 716 #undef BUF 717 718 } 719 720 ATF_TC_WITHOUT_HEAD(gets_s_heap_after_end); 721 ATF_TC_BODY(gets_s_heap_after_end, tc) 722 { 723 #define BUF __stack.__buf 724 struct { 725 uint8_t padding_l; 726 unsigned char * __buf; 727 uint8_t padding_r; 728 } __stack; 729 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 730 const size_t __len = 42 + 1; 731 const size_t __idx __unused = __len - 1; 732 pid_t __child; 733 int __status; 734 735 __child = fork(); 736 ATF_REQUIRE(__child >= 0); 737 if (__child > 0) 738 goto monitor; 739 740 /* Child */ 741 disable_coredumps(); 742 __stack.__buf = malloc(__bufsz); 743 replace_stdin(); 744 745 gets_s(__stack.__buf, __len); 746 _exit(EX_SOFTWARE); /* Should have aborted. */ 747 748 monitor: 749 while (waitpid(__child, &__status, 0) != __child) { 750 ATF_REQUIRE_EQ(EINTR, errno); 751 } 752 753 if (!WIFSIGNALED(__status)) { 754 switch (WEXITSTATUS(__status)) { 755 case EX_SOFTWARE: 756 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 757 break; 758 case EX_OSERR: 759 atf_tc_fail("setrlimit(2) failed"); 760 break; 761 default: 762 atf_tc_fail("child exited with status %d", 763 WEXITSTATUS(__status)); 764 } 765 } else { 766 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 767 } 768 #undef BUF 769 770 } 771 772 ATF_TC_WITHOUT_HEAD(sprintf_before_end); 773 ATF_TC_BODY(sprintf_before_end, tc) 774 { 775 #define BUF &__stack.__buf 776 struct { 777 uint8_t padding_l; 778 unsigned char __buf[42]; 779 uint8_t padding_r; 780 } __stack; 781 const size_t __bufsz __unused = sizeof(__stack.__buf); 782 const size_t __len = 42 - 1; 783 const size_t __idx __unused = __len - 1; 784 char srcvar[__len + 10]; 785 786 memset(srcvar, 'A', sizeof(srcvar) - 1); 787 srcvar[sizeof(srcvar) - 1] = '\0'; 788 789 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 790 #undef BUF 791 792 } 793 794 ATF_TC_WITHOUT_HEAD(sprintf_end); 795 ATF_TC_BODY(sprintf_end, tc) 796 { 797 #define BUF &__stack.__buf 798 struct { 799 uint8_t padding_l; 800 unsigned char __buf[42]; 801 uint8_t padding_r; 802 } __stack; 803 const size_t __bufsz __unused = sizeof(__stack.__buf); 804 const size_t __len = 42; 805 const size_t __idx __unused = __len - 1; 806 char srcvar[__len + 10]; 807 808 memset(srcvar, 'A', sizeof(srcvar) - 1); 809 srcvar[sizeof(srcvar) - 1] = '\0'; 810 811 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 812 #undef BUF 813 814 } 815 816 ATF_TC_WITHOUT_HEAD(sprintf_heap_before_end); 817 ATF_TC_BODY(sprintf_heap_before_end, tc) 818 { 819 #define BUF __stack.__buf 820 struct { 821 uint8_t padding_l; 822 unsigned char * __buf; 823 uint8_t padding_r; 824 } __stack; 825 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 826 const size_t __len = 42 - 1; 827 const size_t __idx __unused = __len - 1; 828 char srcvar[__len + 10]; 829 830 __stack.__buf = malloc(__bufsz); 831 memset(srcvar, 'A', sizeof(srcvar) - 1); 832 srcvar[sizeof(srcvar) - 1] = '\0'; 833 834 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 835 #undef BUF 836 837 } 838 839 ATF_TC_WITHOUT_HEAD(sprintf_heap_end); 840 ATF_TC_BODY(sprintf_heap_end, tc) 841 { 842 #define BUF __stack.__buf 843 struct { 844 uint8_t padding_l; 845 unsigned char * __buf; 846 uint8_t padding_r; 847 } __stack; 848 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 849 const size_t __len = 42; 850 const size_t __idx __unused = __len - 1; 851 char srcvar[__len + 10]; 852 853 __stack.__buf = malloc(__bufsz); 854 memset(srcvar, 'A', sizeof(srcvar) - 1); 855 srcvar[sizeof(srcvar) - 1] = '\0'; 856 857 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 858 #undef BUF 859 860 } 861 862 ATF_TC_WITHOUT_HEAD(sprintf_heap_after_end); 863 ATF_TC_BODY(sprintf_heap_after_end, tc) 864 { 865 #define BUF __stack.__buf 866 struct { 867 uint8_t padding_l; 868 unsigned char * __buf; 869 uint8_t padding_r; 870 } __stack; 871 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 872 const size_t __len = 42 + 1; 873 const size_t __idx __unused = __len - 1; 874 pid_t __child; 875 int __status; 876 char srcvar[__len + 10]; 877 878 __child = fork(); 879 ATF_REQUIRE(__child >= 0); 880 if (__child > 0) 881 goto monitor; 882 883 /* Child */ 884 disable_coredumps(); 885 __stack.__buf = malloc(__bufsz); 886 memset(srcvar, 'A', sizeof(srcvar) - 1); 887 srcvar[sizeof(srcvar) - 1] = '\0'; 888 889 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 890 _exit(EX_SOFTWARE); /* Should have aborted. */ 891 892 monitor: 893 while (waitpid(__child, &__status, 0) != __child) { 894 ATF_REQUIRE_EQ(EINTR, errno); 895 } 896 897 if (!WIFSIGNALED(__status)) { 898 switch (WEXITSTATUS(__status)) { 899 case EX_SOFTWARE: 900 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 901 break; 902 case EX_OSERR: 903 atf_tc_fail("setrlimit(2) failed"); 904 break; 905 default: 906 atf_tc_fail("child exited with status %d", 907 WEXITSTATUS(__status)); 908 } 909 } else { 910 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 911 } 912 #undef BUF 913 914 } 915 916 ATF_TC_WITHOUT_HEAD(snprintf_before_end); 917 ATF_TC_BODY(snprintf_before_end, tc) 918 { 919 #define BUF &__stack.__buf 920 struct { 921 uint8_t padding_l; 922 unsigned char __buf[42]; 923 uint8_t padding_r; 924 } __stack; 925 const size_t __bufsz __unused = sizeof(__stack.__buf); 926 const size_t __len = 42 - 1; 927 const size_t __idx __unused = __len - 1; 928 char srcvar[__len + 10]; 929 930 memset(srcvar, 'A', sizeof(srcvar) - 1); 931 srcvar[sizeof(srcvar) - 1] = '\0'; 932 933 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 934 #undef BUF 935 936 } 937 938 ATF_TC_WITHOUT_HEAD(snprintf_end); 939 ATF_TC_BODY(snprintf_end, tc) 940 { 941 #define BUF &__stack.__buf 942 struct { 943 uint8_t padding_l; 944 unsigned char __buf[42]; 945 uint8_t padding_r; 946 } __stack; 947 const size_t __bufsz __unused = sizeof(__stack.__buf); 948 const size_t __len = 42; 949 const size_t __idx __unused = __len - 1; 950 char srcvar[__len + 10]; 951 952 memset(srcvar, 'A', sizeof(srcvar) - 1); 953 srcvar[sizeof(srcvar) - 1] = '\0'; 954 955 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 956 #undef BUF 957 958 } 959 960 ATF_TC_WITHOUT_HEAD(snprintf_heap_before_end); 961 ATF_TC_BODY(snprintf_heap_before_end, tc) 962 { 963 #define BUF __stack.__buf 964 struct { 965 uint8_t padding_l; 966 unsigned char * __buf; 967 uint8_t padding_r; 968 } __stack; 969 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 970 const size_t __len = 42 - 1; 971 const size_t __idx __unused = __len - 1; 972 char srcvar[__len + 10]; 973 974 __stack.__buf = malloc(__bufsz); 975 memset(srcvar, 'A', sizeof(srcvar) - 1); 976 srcvar[sizeof(srcvar) - 1] = '\0'; 977 978 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 979 #undef BUF 980 981 } 982 983 ATF_TC_WITHOUT_HEAD(snprintf_heap_end); 984 ATF_TC_BODY(snprintf_heap_end, tc) 985 { 986 #define BUF __stack.__buf 987 struct { 988 uint8_t padding_l; 989 unsigned char * __buf; 990 uint8_t padding_r; 991 } __stack; 992 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 993 const size_t __len = 42; 994 const size_t __idx __unused = __len - 1; 995 char srcvar[__len + 10]; 996 997 __stack.__buf = malloc(__bufsz); 998 memset(srcvar, 'A', sizeof(srcvar) - 1); 999 srcvar[sizeof(srcvar) - 1] = '\0'; 1000 1001 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 1002 #undef BUF 1003 1004 } 1005 1006 ATF_TC_WITHOUT_HEAD(snprintf_heap_after_end); 1007 ATF_TC_BODY(snprintf_heap_after_end, tc) 1008 { 1009 #define BUF __stack.__buf 1010 struct { 1011 uint8_t padding_l; 1012 unsigned char * __buf; 1013 uint8_t padding_r; 1014 } __stack; 1015 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1016 const size_t __len = 42 + 1; 1017 const size_t __idx __unused = __len - 1; 1018 pid_t __child; 1019 int __status; 1020 char srcvar[__len + 10]; 1021 1022 __child = fork(); 1023 ATF_REQUIRE(__child >= 0); 1024 if (__child > 0) 1025 goto monitor; 1026 1027 /* Child */ 1028 disable_coredumps(); 1029 __stack.__buf = malloc(__bufsz); 1030 memset(srcvar, 'A', sizeof(srcvar) - 1); 1031 srcvar[sizeof(srcvar) - 1] = '\0'; 1032 1033 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 1034 _exit(EX_SOFTWARE); /* Should have aborted. */ 1035 1036 monitor: 1037 while (waitpid(__child, &__status, 0) != __child) { 1038 ATF_REQUIRE_EQ(EINTR, errno); 1039 } 1040 1041 if (!WIFSIGNALED(__status)) { 1042 switch (WEXITSTATUS(__status)) { 1043 case EX_SOFTWARE: 1044 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1045 break; 1046 case EX_OSERR: 1047 atf_tc_fail("setrlimit(2) failed"); 1048 break; 1049 default: 1050 atf_tc_fail("child exited with status %d", 1051 WEXITSTATUS(__status)); 1052 } 1053 } else { 1054 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1055 } 1056 #undef BUF 1057 1058 } 1059 1060 ATF_TC_WITHOUT_HEAD(tmpnam_before_end); 1061 ATF_TC_BODY(tmpnam_before_end, tc) 1062 { 1063 #define BUF &__stack.__buf 1064 struct { 1065 uint8_t padding_l; 1066 unsigned char __buf[L_tmpnam + 1]; 1067 uint8_t padding_r; 1068 } __stack; 1069 const size_t __bufsz __unused = sizeof(__stack.__buf); 1070 const size_t __len = L_tmpnam + 1; 1071 const size_t __idx __unused = __len - 1; 1072 1073 tmpnam(__stack.__buf); 1074 #undef BUF 1075 1076 } 1077 1078 ATF_TC_WITHOUT_HEAD(tmpnam_end); 1079 ATF_TC_BODY(tmpnam_end, tc) 1080 { 1081 #define BUF &__stack.__buf 1082 struct { 1083 uint8_t padding_l; 1084 unsigned char __buf[L_tmpnam]; 1085 uint8_t padding_r; 1086 } __stack; 1087 const size_t __bufsz __unused = sizeof(__stack.__buf); 1088 const size_t __len = L_tmpnam; 1089 const size_t __idx __unused = __len - 1; 1090 1091 tmpnam(__stack.__buf); 1092 #undef BUF 1093 1094 } 1095 1096 ATF_TC_WITHOUT_HEAD(tmpnam_heap_before_end); 1097 ATF_TC_BODY(tmpnam_heap_before_end, tc) 1098 { 1099 #define BUF __stack.__buf 1100 struct { 1101 uint8_t padding_l; 1102 unsigned char * __buf; 1103 uint8_t padding_r; 1104 } __stack; 1105 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_tmpnam + 1); 1106 const size_t __len = L_tmpnam + 1; 1107 const size_t __idx __unused = __len - 1; 1108 1109 __stack.__buf = malloc(__bufsz); 1110 1111 tmpnam(__stack.__buf); 1112 #undef BUF 1113 1114 } 1115 1116 ATF_TC_WITHOUT_HEAD(tmpnam_heap_end); 1117 ATF_TC_BODY(tmpnam_heap_end, tc) 1118 { 1119 #define BUF __stack.__buf 1120 struct { 1121 uint8_t padding_l; 1122 unsigned char * __buf; 1123 uint8_t padding_r; 1124 } __stack; 1125 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_tmpnam); 1126 const size_t __len = L_tmpnam; 1127 const size_t __idx __unused = __len - 1; 1128 1129 __stack.__buf = malloc(__bufsz); 1130 1131 tmpnam(__stack.__buf); 1132 #undef BUF 1133 1134 } 1135 1136 ATF_TC_WITHOUT_HEAD(tmpnam_heap_after_end); 1137 ATF_TC_BODY(tmpnam_heap_after_end, tc) 1138 { 1139 #define BUF __stack.__buf 1140 struct { 1141 uint8_t padding_l; 1142 unsigned char * __buf; 1143 uint8_t padding_r; 1144 } __stack; 1145 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_tmpnam - 1); 1146 const size_t __len = L_tmpnam - 1; 1147 const size_t __idx __unused = __len - 1; 1148 pid_t __child; 1149 int __status; 1150 1151 __child = fork(); 1152 ATF_REQUIRE(__child >= 0); 1153 if (__child > 0) 1154 goto monitor; 1155 1156 /* Child */ 1157 disable_coredumps(); 1158 __stack.__buf = malloc(__bufsz); 1159 1160 tmpnam(__stack.__buf); 1161 _exit(EX_SOFTWARE); /* Should have aborted. */ 1162 1163 monitor: 1164 while (waitpid(__child, &__status, 0) != __child) { 1165 ATF_REQUIRE_EQ(EINTR, errno); 1166 } 1167 1168 if (!WIFSIGNALED(__status)) { 1169 switch (WEXITSTATUS(__status)) { 1170 case EX_SOFTWARE: 1171 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1172 break; 1173 case EX_OSERR: 1174 atf_tc_fail("setrlimit(2) failed"); 1175 break; 1176 default: 1177 atf_tc_fail("child exited with status %d", 1178 WEXITSTATUS(__status)); 1179 } 1180 } else { 1181 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1182 } 1183 #undef BUF 1184 1185 } 1186 1187 ATF_TC_WITHOUT_HEAD(fgets_before_end); 1188 ATF_TC_BODY(fgets_before_end, tc) 1189 { 1190 #define BUF &__stack.__buf 1191 struct { 1192 uint8_t padding_l; 1193 unsigned char __buf[42]; 1194 uint8_t padding_r; 1195 } __stack; 1196 const size_t __bufsz __unused = sizeof(__stack.__buf); 1197 const size_t __len = 42 - 1; 1198 const size_t __idx __unused = __len - 1; 1199 FILE *fp; 1200 1201 fp = new_fp(__len); 1202 1203 fgets(__stack.__buf, __len, fp); 1204 #undef BUF 1205 1206 } 1207 1208 ATF_TC_WITHOUT_HEAD(fgets_end); 1209 ATF_TC_BODY(fgets_end, tc) 1210 { 1211 #define BUF &__stack.__buf 1212 struct { 1213 uint8_t padding_l; 1214 unsigned char __buf[42]; 1215 uint8_t padding_r; 1216 } __stack; 1217 const size_t __bufsz __unused = sizeof(__stack.__buf); 1218 const size_t __len = 42; 1219 const size_t __idx __unused = __len - 1; 1220 FILE *fp; 1221 1222 fp = new_fp(__len); 1223 1224 fgets(__stack.__buf, __len, fp); 1225 #undef BUF 1226 1227 } 1228 1229 ATF_TC_WITHOUT_HEAD(fgets_heap_before_end); 1230 ATF_TC_BODY(fgets_heap_before_end, tc) 1231 { 1232 #define BUF __stack.__buf 1233 struct { 1234 uint8_t padding_l; 1235 unsigned char * __buf; 1236 uint8_t padding_r; 1237 } __stack; 1238 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1239 const size_t __len = 42 - 1; 1240 const size_t __idx __unused = __len - 1; 1241 FILE *fp; 1242 1243 __stack.__buf = malloc(__bufsz); 1244 fp = new_fp(__len); 1245 1246 fgets(__stack.__buf, __len, fp); 1247 #undef BUF 1248 1249 } 1250 1251 ATF_TC_WITHOUT_HEAD(fgets_heap_end); 1252 ATF_TC_BODY(fgets_heap_end, tc) 1253 { 1254 #define BUF __stack.__buf 1255 struct { 1256 uint8_t padding_l; 1257 unsigned char * __buf; 1258 uint8_t padding_r; 1259 } __stack; 1260 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1261 const size_t __len = 42; 1262 const size_t __idx __unused = __len - 1; 1263 FILE *fp; 1264 1265 __stack.__buf = malloc(__bufsz); 1266 fp = new_fp(__len); 1267 1268 fgets(__stack.__buf, __len, fp); 1269 #undef BUF 1270 1271 } 1272 1273 ATF_TC_WITHOUT_HEAD(fgets_heap_after_end); 1274 ATF_TC_BODY(fgets_heap_after_end, tc) 1275 { 1276 #define BUF __stack.__buf 1277 struct { 1278 uint8_t padding_l; 1279 unsigned char * __buf; 1280 uint8_t padding_r; 1281 } __stack; 1282 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1283 const size_t __len = 42 + 1; 1284 const size_t __idx __unused = __len - 1; 1285 pid_t __child; 1286 int __status; 1287 FILE *fp; 1288 1289 __child = fork(); 1290 ATF_REQUIRE(__child >= 0); 1291 if (__child > 0) 1292 goto monitor; 1293 1294 /* Child */ 1295 disable_coredumps(); 1296 __stack.__buf = malloc(__bufsz); 1297 fp = new_fp(__len); 1298 1299 fgets(__stack.__buf, __len, fp); 1300 _exit(EX_SOFTWARE); /* Should have aborted. */ 1301 1302 monitor: 1303 while (waitpid(__child, &__status, 0) != __child) { 1304 ATF_REQUIRE_EQ(EINTR, errno); 1305 } 1306 1307 if (!WIFSIGNALED(__status)) { 1308 switch (WEXITSTATUS(__status)) { 1309 case EX_SOFTWARE: 1310 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1311 break; 1312 case EX_OSERR: 1313 atf_tc_fail("setrlimit(2) failed"); 1314 break; 1315 default: 1316 atf_tc_fail("child exited with status %d", 1317 WEXITSTATUS(__status)); 1318 } 1319 } else { 1320 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1321 } 1322 #undef BUF 1323 1324 } 1325 1326 ATF_TP_ADD_TCS(tp) 1327 { 1328 ATF_TP_ADD_TC(tp, ctermid_before_end); 1329 ATF_TP_ADD_TC(tp, ctermid_end); 1330 ATF_TP_ADD_TC(tp, ctermid_heap_before_end); 1331 ATF_TP_ADD_TC(tp, ctermid_heap_end); 1332 ATF_TP_ADD_TC(tp, ctermid_heap_after_end); 1333 ATF_TP_ADD_TC(tp, ctermid_r_before_end); 1334 ATF_TP_ADD_TC(tp, ctermid_r_end); 1335 ATF_TP_ADD_TC(tp, ctermid_r_heap_before_end); 1336 ATF_TP_ADD_TC(tp, ctermid_r_heap_end); 1337 ATF_TP_ADD_TC(tp, ctermid_r_heap_after_end); 1338 ATF_TP_ADD_TC(tp, fread_before_end); 1339 ATF_TP_ADD_TC(tp, fread_end); 1340 ATF_TP_ADD_TC(tp, fread_heap_before_end); 1341 ATF_TP_ADD_TC(tp, fread_heap_end); 1342 ATF_TP_ADD_TC(tp, fread_heap_after_end); 1343 ATF_TP_ADD_TC(tp, fread_unlocked_before_end); 1344 ATF_TP_ADD_TC(tp, fread_unlocked_end); 1345 ATF_TP_ADD_TC(tp, fread_unlocked_heap_before_end); 1346 ATF_TP_ADD_TC(tp, fread_unlocked_heap_end); 1347 ATF_TP_ADD_TC(tp, fread_unlocked_heap_after_end); 1348 ATF_TP_ADD_TC(tp, gets_s_before_end); 1349 ATF_TP_ADD_TC(tp, gets_s_end); 1350 ATF_TP_ADD_TC(tp, gets_s_heap_before_end); 1351 ATF_TP_ADD_TC(tp, gets_s_heap_end); 1352 ATF_TP_ADD_TC(tp, gets_s_heap_after_end); 1353 ATF_TP_ADD_TC(tp, sprintf_before_end); 1354 ATF_TP_ADD_TC(tp, sprintf_end); 1355 ATF_TP_ADD_TC(tp, sprintf_heap_before_end); 1356 ATF_TP_ADD_TC(tp, sprintf_heap_end); 1357 ATF_TP_ADD_TC(tp, sprintf_heap_after_end); 1358 ATF_TP_ADD_TC(tp, snprintf_before_end); 1359 ATF_TP_ADD_TC(tp, snprintf_end); 1360 ATF_TP_ADD_TC(tp, snprintf_heap_before_end); 1361 ATF_TP_ADD_TC(tp, snprintf_heap_end); 1362 ATF_TP_ADD_TC(tp, snprintf_heap_after_end); 1363 ATF_TP_ADD_TC(tp, tmpnam_before_end); 1364 ATF_TP_ADD_TC(tp, tmpnam_end); 1365 ATF_TP_ADD_TC(tp, tmpnam_heap_before_end); 1366 ATF_TP_ADD_TC(tp, tmpnam_heap_end); 1367 ATF_TP_ADD_TC(tp, tmpnam_heap_after_end); 1368 ATF_TP_ADD_TC(tp, fgets_before_end); 1369 ATF_TP_ADD_TC(tp, fgets_end); 1370 ATF_TP_ADD_TC(tp, fgets_heap_before_end); 1371 ATF_TP_ADD_TC(tp, fgets_heap_end); 1372 ATF_TP_ADD_TC(tp, fgets_heap_after_end); 1373 return (atf_no_error()); 1374 } 1375