1 /* @generated by `generate-fortify-tests.lua "stdio"` */ 2 3 #define _FORTIFY_SOURCE 2 4 #define TMPFILE_SIZE (1024 * 32) 5 6 #include <sys/param.h> 7 #include <sys/resource.h> 8 #include <sys/time.h> 9 #include <sys/wait.h> 10 #include <dirent.h> 11 #include <errno.h> 12 #include <fcntl.h> 13 #include <limits.h> 14 #include <signal.h> 15 #include <stdio.h> 16 #include <stdlib.h> 17 #include <string.h> 18 #include <strings.h> 19 #include <sysexits.h> 20 #include <unistd.h> 21 #include <atf-c.h> 22 23 static FILE * __unused 24 new_fp(size_t __len) 25 { 26 static char fpbuf[LINE_MAX]; 27 FILE *fp; 28 29 ATF_REQUIRE(__len <= sizeof(fpbuf)); 30 31 memset(fpbuf, 'A', sizeof(fpbuf) - 1); 32 fpbuf[sizeof(fpbuf) - 1] = '\0'; 33 34 fp = fmemopen(fpbuf, sizeof(fpbuf), "rb"); 35 ATF_REQUIRE(fp != NULL); 36 37 return (fp); 38 } 39 40 /* 41 * Create a new symlink to use for readlink(2) style tests, we'll just use a 42 * random target name to have something interesting to look at. 43 */ 44 static const char * __unused 45 new_symlink(size_t __len) 46 { 47 static const char linkname[] = "link"; 48 char target[MAXNAMLEN]; 49 int error; 50 51 ATF_REQUIRE(__len <= sizeof(target)); 52 53 arc4random_buf(target, sizeof(target)); 54 55 error = unlink(linkname); 56 ATF_REQUIRE(error == 0 || errno == ENOENT); 57 58 error = symlink(target, linkname); 59 ATF_REQUIRE(error == 0); 60 61 return (linkname); 62 } 63 64 /* 65 * Constructs a tmpfile that we can use for testing read(2) and friends. 66 */ 67 static int __unused 68 new_tmpfile(void) 69 { 70 char buf[1024]; 71 ssize_t rv; 72 size_t written; 73 int fd; 74 75 fd = open("tmpfile", O_RDWR | O_CREAT | O_TRUNC, 0644); 76 ATF_REQUIRE(fd >= 0); 77 78 written = 0; 79 while (written < TMPFILE_SIZE) { 80 rv = write(fd, buf, sizeof(buf)); 81 ATF_REQUIRE(rv > 0); 82 83 written += rv; 84 } 85 86 ATF_REQUIRE_EQ(0, lseek(fd, 0, SEEK_SET)); 87 return (fd); 88 } 89 90 static void 91 disable_coredumps(void) 92 { 93 struct rlimit rl = { 0 }; 94 95 if (setrlimit(RLIMIT_CORE, &rl) == -1) 96 _exit(EX_OSERR); 97 } 98 99 /* 100 * Replaces stdin with a file that we can actually read from, for tests where 101 * we want a FILE * or fd that we can get data from. 102 */ 103 static void __unused 104 replace_stdin(void) 105 { 106 int fd; 107 108 fd = new_tmpfile(); 109 110 (void)dup2(fd, STDIN_FILENO); 111 if (fd != STDIN_FILENO) 112 close(fd); 113 } 114 115 ATF_TC_WITHOUT_HEAD(ctermid_before_end); 116 ATF_TC_BODY(ctermid_before_end, tc) 117 { 118 #define BUF &__stack.__buf 119 struct { 120 uint8_t padding_l; 121 unsigned char __buf[L_ctermid + 1]; 122 uint8_t padding_r; 123 } __stack; 124 const size_t __bufsz __unused = sizeof(__stack.__buf); 125 const size_t __len = L_ctermid + 1; 126 const size_t __idx __unused = __len - 1; 127 128 ctermid(__stack.__buf); 129 #undef BUF 130 131 } 132 133 ATF_TC_WITHOUT_HEAD(ctermid_end); 134 ATF_TC_BODY(ctermid_end, tc) 135 { 136 #define BUF &__stack.__buf 137 struct { 138 uint8_t padding_l; 139 unsigned char __buf[L_ctermid]; 140 uint8_t padding_r; 141 } __stack; 142 const size_t __bufsz __unused = sizeof(__stack.__buf); 143 const size_t __len = L_ctermid; 144 const size_t __idx __unused = __len - 1; 145 146 ctermid(__stack.__buf); 147 #undef BUF 148 149 } 150 151 ATF_TC_WITHOUT_HEAD(ctermid_heap_before_end); 152 ATF_TC_BODY(ctermid_heap_before_end, tc) 153 { 154 #define BUF __stack.__buf 155 struct { 156 uint8_t padding_l; 157 unsigned char * __buf; 158 uint8_t padding_r; 159 } __stack; 160 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid + 1); 161 const size_t __len = L_ctermid + 1; 162 const size_t __idx __unused = __len - 1; 163 164 __stack.__buf = malloc(__bufsz); 165 166 ctermid(__stack.__buf); 167 #undef BUF 168 169 } 170 171 ATF_TC_WITHOUT_HEAD(ctermid_heap_end); 172 ATF_TC_BODY(ctermid_heap_end, tc) 173 { 174 #define BUF __stack.__buf 175 struct { 176 uint8_t padding_l; 177 unsigned char * __buf; 178 uint8_t padding_r; 179 } __stack; 180 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid); 181 const size_t __len = L_ctermid; 182 const size_t __idx __unused = __len - 1; 183 184 __stack.__buf = malloc(__bufsz); 185 186 ctermid(__stack.__buf); 187 #undef BUF 188 189 } 190 191 ATF_TC_WITHOUT_HEAD(ctermid_heap_after_end); 192 ATF_TC_BODY(ctermid_heap_after_end, tc) 193 { 194 #define BUF __stack.__buf 195 struct { 196 uint8_t padding_l; 197 unsigned char * __buf; 198 uint8_t padding_r; 199 } __stack; 200 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid - 1); 201 const size_t __len = L_ctermid - 1; 202 const size_t __idx __unused = __len - 1; 203 pid_t __child; 204 int __status; 205 206 __child = fork(); 207 ATF_REQUIRE(__child >= 0); 208 if (__child > 0) 209 goto monitor; 210 211 /* Child */ 212 disable_coredumps(); 213 __stack.__buf = malloc(__bufsz); 214 215 ctermid(__stack.__buf); 216 _exit(EX_SOFTWARE); /* Should have aborted. */ 217 218 monitor: 219 while (waitpid(__child, &__status, 0) != __child) { 220 ATF_REQUIRE_EQ(EINTR, errno); 221 } 222 223 if (!WIFSIGNALED(__status)) { 224 switch (WEXITSTATUS(__status)) { 225 case EX_SOFTWARE: 226 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 227 break; 228 case EX_OSERR: 229 atf_tc_fail("setrlimit(2) failed"); 230 break; 231 default: 232 atf_tc_fail("child exited with status %d", 233 WEXITSTATUS(__status)); 234 } 235 } else { 236 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 237 } 238 #undef BUF 239 240 } 241 242 ATF_TC_WITHOUT_HEAD(ctermid_r_before_end); 243 ATF_TC_BODY(ctermid_r_before_end, tc) 244 { 245 #define BUF &__stack.__buf 246 struct { 247 uint8_t padding_l; 248 unsigned char __buf[L_ctermid + 1]; 249 uint8_t padding_r; 250 } __stack; 251 const size_t __bufsz __unused = sizeof(__stack.__buf); 252 const size_t __len = L_ctermid + 1; 253 const size_t __idx __unused = __len - 1; 254 255 ctermid_r(__stack.__buf); 256 #undef BUF 257 258 } 259 260 ATF_TC_WITHOUT_HEAD(ctermid_r_end); 261 ATF_TC_BODY(ctermid_r_end, tc) 262 { 263 #define BUF &__stack.__buf 264 struct { 265 uint8_t padding_l; 266 unsigned char __buf[L_ctermid]; 267 uint8_t padding_r; 268 } __stack; 269 const size_t __bufsz __unused = sizeof(__stack.__buf); 270 const size_t __len = L_ctermid; 271 const size_t __idx __unused = __len - 1; 272 273 ctermid_r(__stack.__buf); 274 #undef BUF 275 276 } 277 278 ATF_TC_WITHOUT_HEAD(ctermid_r_heap_before_end); 279 ATF_TC_BODY(ctermid_r_heap_before_end, tc) 280 { 281 #define BUF __stack.__buf 282 struct { 283 uint8_t padding_l; 284 unsigned char * __buf; 285 uint8_t padding_r; 286 } __stack; 287 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid + 1); 288 const size_t __len = L_ctermid + 1; 289 const size_t __idx __unused = __len - 1; 290 291 __stack.__buf = malloc(__bufsz); 292 293 ctermid_r(__stack.__buf); 294 #undef BUF 295 296 } 297 298 ATF_TC_WITHOUT_HEAD(ctermid_r_heap_end); 299 ATF_TC_BODY(ctermid_r_heap_end, tc) 300 { 301 #define BUF __stack.__buf 302 struct { 303 uint8_t padding_l; 304 unsigned char * __buf; 305 uint8_t padding_r; 306 } __stack; 307 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid); 308 const size_t __len = L_ctermid; 309 const size_t __idx __unused = __len - 1; 310 311 __stack.__buf = malloc(__bufsz); 312 313 ctermid_r(__stack.__buf); 314 #undef BUF 315 316 } 317 318 ATF_TC_WITHOUT_HEAD(ctermid_r_heap_after_end); 319 ATF_TC_BODY(ctermid_r_heap_after_end, tc) 320 { 321 #define BUF __stack.__buf 322 struct { 323 uint8_t padding_l; 324 unsigned char * __buf; 325 uint8_t padding_r; 326 } __stack; 327 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_ctermid - 1); 328 const size_t __len = L_ctermid - 1; 329 const size_t __idx __unused = __len - 1; 330 pid_t __child; 331 int __status; 332 333 __child = fork(); 334 ATF_REQUIRE(__child >= 0); 335 if (__child > 0) 336 goto monitor; 337 338 /* Child */ 339 disable_coredumps(); 340 __stack.__buf = malloc(__bufsz); 341 342 ctermid_r(__stack.__buf); 343 _exit(EX_SOFTWARE); /* Should have aborted. */ 344 345 monitor: 346 while (waitpid(__child, &__status, 0) != __child) { 347 ATF_REQUIRE_EQ(EINTR, errno); 348 } 349 350 if (!WIFSIGNALED(__status)) { 351 switch (WEXITSTATUS(__status)) { 352 case EX_SOFTWARE: 353 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 354 break; 355 case EX_OSERR: 356 atf_tc_fail("setrlimit(2) failed"); 357 break; 358 default: 359 atf_tc_fail("child exited with status %d", 360 WEXITSTATUS(__status)); 361 } 362 } else { 363 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 364 } 365 #undef BUF 366 367 } 368 369 ATF_TC_WITHOUT_HEAD(fread_before_end); 370 ATF_TC_BODY(fread_before_end, tc) 371 { 372 #define BUF &__stack.__buf 373 struct { 374 uint8_t padding_l; 375 unsigned char __buf[42]; 376 uint8_t padding_r; 377 } __stack; 378 const size_t __bufsz __unused = sizeof(__stack.__buf); 379 const size_t __len = 42 - 1; 380 const size_t __idx __unused = __len - 1; 381 382 replace_stdin(); 383 384 fread(__stack.__buf, __len, 1, stdin); 385 #undef BUF 386 387 } 388 389 ATF_TC_WITHOUT_HEAD(fread_end); 390 ATF_TC_BODY(fread_end, tc) 391 { 392 #define BUF &__stack.__buf 393 struct { 394 uint8_t padding_l; 395 unsigned char __buf[42]; 396 uint8_t padding_r; 397 } __stack; 398 const size_t __bufsz __unused = sizeof(__stack.__buf); 399 const size_t __len = 42; 400 const size_t __idx __unused = __len - 1; 401 402 replace_stdin(); 403 404 fread(__stack.__buf, __len, 1, stdin); 405 #undef BUF 406 407 } 408 409 ATF_TC_WITHOUT_HEAD(fread_heap_before_end); 410 ATF_TC_BODY(fread_heap_before_end, tc) 411 { 412 #define BUF __stack.__buf 413 struct { 414 uint8_t padding_l; 415 unsigned char * __buf; 416 uint8_t padding_r; 417 } __stack; 418 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 419 const size_t __len = 42 - 1; 420 const size_t __idx __unused = __len - 1; 421 422 __stack.__buf = malloc(__bufsz); 423 replace_stdin(); 424 425 fread(__stack.__buf, __len, 1, stdin); 426 #undef BUF 427 428 } 429 430 ATF_TC_WITHOUT_HEAD(fread_heap_end); 431 ATF_TC_BODY(fread_heap_end, tc) 432 { 433 #define BUF __stack.__buf 434 struct { 435 uint8_t padding_l; 436 unsigned char * __buf; 437 uint8_t padding_r; 438 } __stack; 439 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 440 const size_t __len = 42; 441 const size_t __idx __unused = __len - 1; 442 443 __stack.__buf = malloc(__bufsz); 444 replace_stdin(); 445 446 fread(__stack.__buf, __len, 1, stdin); 447 #undef BUF 448 449 } 450 451 ATF_TC_WITHOUT_HEAD(fread_heap_after_end); 452 ATF_TC_BODY(fread_heap_after_end, tc) 453 { 454 #define BUF __stack.__buf 455 struct { 456 uint8_t padding_l; 457 unsigned char * __buf; 458 uint8_t padding_r; 459 } __stack; 460 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 461 const size_t __len = 42 + 1; 462 const size_t __idx __unused = __len - 1; 463 pid_t __child; 464 int __status; 465 466 __child = fork(); 467 ATF_REQUIRE(__child >= 0); 468 if (__child > 0) 469 goto monitor; 470 471 /* Child */ 472 disable_coredumps(); 473 __stack.__buf = malloc(__bufsz); 474 replace_stdin(); 475 476 fread(__stack.__buf, __len, 1, stdin); 477 _exit(EX_SOFTWARE); /* Should have aborted. */ 478 479 monitor: 480 while (waitpid(__child, &__status, 0) != __child) { 481 ATF_REQUIRE_EQ(EINTR, errno); 482 } 483 484 if (!WIFSIGNALED(__status)) { 485 switch (WEXITSTATUS(__status)) { 486 case EX_SOFTWARE: 487 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 488 break; 489 case EX_OSERR: 490 atf_tc_fail("setrlimit(2) failed"); 491 break; 492 default: 493 atf_tc_fail("child exited with status %d", 494 WEXITSTATUS(__status)); 495 } 496 } else { 497 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 498 } 499 #undef BUF 500 501 } 502 503 ATF_TC_WITHOUT_HEAD(fread_unlocked_before_end); 504 ATF_TC_BODY(fread_unlocked_before_end, tc) 505 { 506 #define BUF &__stack.__buf 507 struct { 508 uint8_t padding_l; 509 unsigned char __buf[42]; 510 uint8_t padding_r; 511 } __stack; 512 const size_t __bufsz __unused = sizeof(__stack.__buf); 513 const size_t __len = 42 - 1; 514 const size_t __idx __unused = __len - 1; 515 516 replace_stdin(); 517 518 fread_unlocked(__stack.__buf, __len, 1, stdin); 519 #undef BUF 520 521 } 522 523 ATF_TC_WITHOUT_HEAD(fread_unlocked_end); 524 ATF_TC_BODY(fread_unlocked_end, tc) 525 { 526 #define BUF &__stack.__buf 527 struct { 528 uint8_t padding_l; 529 unsigned char __buf[42]; 530 uint8_t padding_r; 531 } __stack; 532 const size_t __bufsz __unused = sizeof(__stack.__buf); 533 const size_t __len = 42; 534 const size_t __idx __unused = __len - 1; 535 536 replace_stdin(); 537 538 fread_unlocked(__stack.__buf, __len, 1, stdin); 539 #undef BUF 540 541 } 542 543 ATF_TC_WITHOUT_HEAD(fread_unlocked_heap_before_end); 544 ATF_TC_BODY(fread_unlocked_heap_before_end, tc) 545 { 546 #define BUF __stack.__buf 547 struct { 548 uint8_t padding_l; 549 unsigned char * __buf; 550 uint8_t padding_r; 551 } __stack; 552 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 553 const size_t __len = 42 - 1; 554 const size_t __idx __unused = __len - 1; 555 556 __stack.__buf = malloc(__bufsz); 557 replace_stdin(); 558 559 fread_unlocked(__stack.__buf, __len, 1, stdin); 560 #undef BUF 561 562 } 563 564 ATF_TC_WITHOUT_HEAD(fread_unlocked_heap_end); 565 ATF_TC_BODY(fread_unlocked_heap_end, tc) 566 { 567 #define BUF __stack.__buf 568 struct { 569 uint8_t padding_l; 570 unsigned char * __buf; 571 uint8_t padding_r; 572 } __stack; 573 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 574 const size_t __len = 42; 575 const size_t __idx __unused = __len - 1; 576 577 __stack.__buf = malloc(__bufsz); 578 replace_stdin(); 579 580 fread_unlocked(__stack.__buf, __len, 1, stdin); 581 #undef BUF 582 583 } 584 585 ATF_TC_WITHOUT_HEAD(fread_unlocked_heap_after_end); 586 ATF_TC_BODY(fread_unlocked_heap_after_end, tc) 587 { 588 #define BUF __stack.__buf 589 struct { 590 uint8_t padding_l; 591 unsigned char * __buf; 592 uint8_t padding_r; 593 } __stack; 594 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 595 const size_t __len = 42 + 1; 596 const size_t __idx __unused = __len - 1; 597 pid_t __child; 598 int __status; 599 600 __child = fork(); 601 ATF_REQUIRE(__child >= 0); 602 if (__child > 0) 603 goto monitor; 604 605 /* Child */ 606 disable_coredumps(); 607 __stack.__buf = malloc(__bufsz); 608 replace_stdin(); 609 610 fread_unlocked(__stack.__buf, __len, 1, stdin); 611 _exit(EX_SOFTWARE); /* Should have aborted. */ 612 613 monitor: 614 while (waitpid(__child, &__status, 0) != __child) { 615 ATF_REQUIRE_EQ(EINTR, errno); 616 } 617 618 if (!WIFSIGNALED(__status)) { 619 switch (WEXITSTATUS(__status)) { 620 case EX_SOFTWARE: 621 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 622 break; 623 case EX_OSERR: 624 atf_tc_fail("setrlimit(2) failed"); 625 break; 626 default: 627 atf_tc_fail("child exited with status %d", 628 WEXITSTATUS(__status)); 629 } 630 } else { 631 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 632 } 633 #undef BUF 634 635 } 636 637 ATF_TC_WITHOUT_HEAD(gets_s_before_end); 638 ATF_TC_BODY(gets_s_before_end, tc) 639 { 640 #define BUF &__stack.__buf 641 struct { 642 uint8_t padding_l; 643 unsigned char __buf[42]; 644 uint8_t padding_r; 645 } __stack; 646 const size_t __bufsz __unused = sizeof(__stack.__buf); 647 const size_t __len = 42 - 1; 648 const size_t __idx __unused = __len - 1; 649 650 replace_stdin(); 651 652 gets_s(__stack.__buf, __len); 653 #undef BUF 654 655 } 656 657 ATF_TC_WITHOUT_HEAD(gets_s_end); 658 ATF_TC_BODY(gets_s_end, tc) 659 { 660 #define BUF &__stack.__buf 661 struct { 662 uint8_t padding_l; 663 unsigned char __buf[42]; 664 uint8_t padding_r; 665 } __stack; 666 const size_t __bufsz __unused = sizeof(__stack.__buf); 667 const size_t __len = 42; 668 const size_t __idx __unused = __len - 1; 669 670 replace_stdin(); 671 672 gets_s(__stack.__buf, __len); 673 #undef BUF 674 675 } 676 677 ATF_TC_WITHOUT_HEAD(gets_s_heap_before_end); 678 ATF_TC_BODY(gets_s_heap_before_end, tc) 679 { 680 #define BUF __stack.__buf 681 struct { 682 uint8_t padding_l; 683 unsigned char * __buf; 684 uint8_t padding_r; 685 } __stack; 686 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 687 const size_t __len = 42 - 1; 688 const size_t __idx __unused = __len - 1; 689 690 __stack.__buf = malloc(__bufsz); 691 replace_stdin(); 692 693 gets_s(__stack.__buf, __len); 694 #undef BUF 695 696 } 697 698 ATF_TC_WITHOUT_HEAD(gets_s_heap_end); 699 ATF_TC_BODY(gets_s_heap_end, tc) 700 { 701 #define BUF __stack.__buf 702 struct { 703 uint8_t padding_l; 704 unsigned char * __buf; 705 uint8_t padding_r; 706 } __stack; 707 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 708 const size_t __len = 42; 709 const size_t __idx __unused = __len - 1; 710 711 __stack.__buf = malloc(__bufsz); 712 replace_stdin(); 713 714 gets_s(__stack.__buf, __len); 715 #undef BUF 716 717 } 718 719 ATF_TC_WITHOUT_HEAD(gets_s_heap_after_end); 720 ATF_TC_BODY(gets_s_heap_after_end, tc) 721 { 722 #define BUF __stack.__buf 723 struct { 724 uint8_t padding_l; 725 unsigned char * __buf; 726 uint8_t padding_r; 727 } __stack; 728 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 729 const size_t __len = 42 + 1; 730 const size_t __idx __unused = __len - 1; 731 pid_t __child; 732 int __status; 733 734 __child = fork(); 735 ATF_REQUIRE(__child >= 0); 736 if (__child > 0) 737 goto monitor; 738 739 /* Child */ 740 disable_coredumps(); 741 __stack.__buf = malloc(__bufsz); 742 replace_stdin(); 743 744 gets_s(__stack.__buf, __len); 745 _exit(EX_SOFTWARE); /* Should have aborted. */ 746 747 monitor: 748 while (waitpid(__child, &__status, 0) != __child) { 749 ATF_REQUIRE_EQ(EINTR, errno); 750 } 751 752 if (!WIFSIGNALED(__status)) { 753 switch (WEXITSTATUS(__status)) { 754 case EX_SOFTWARE: 755 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 756 break; 757 case EX_OSERR: 758 atf_tc_fail("setrlimit(2) failed"); 759 break; 760 default: 761 atf_tc_fail("child exited with status %d", 762 WEXITSTATUS(__status)); 763 } 764 } else { 765 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 766 } 767 #undef BUF 768 769 } 770 771 ATF_TC_WITHOUT_HEAD(sprintf_before_end); 772 ATF_TC_BODY(sprintf_before_end, tc) 773 { 774 #define BUF &__stack.__buf 775 struct { 776 uint8_t padding_l; 777 unsigned char __buf[42]; 778 uint8_t padding_r; 779 } __stack; 780 const size_t __bufsz __unused = sizeof(__stack.__buf); 781 const size_t __len = 42 - 1; 782 const size_t __idx __unused = __len - 1; 783 char srcvar[__len + 10]; 784 785 memset(srcvar, 'A', sizeof(srcvar) - 1); 786 srcvar[sizeof(srcvar) - 1] = '\0'; 787 788 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 789 #undef BUF 790 791 } 792 793 ATF_TC_WITHOUT_HEAD(sprintf_end); 794 ATF_TC_BODY(sprintf_end, tc) 795 { 796 #define BUF &__stack.__buf 797 struct { 798 uint8_t padding_l; 799 unsigned char __buf[42]; 800 uint8_t padding_r; 801 } __stack; 802 const size_t __bufsz __unused = sizeof(__stack.__buf); 803 const size_t __len = 42; 804 const size_t __idx __unused = __len - 1; 805 char srcvar[__len + 10]; 806 807 memset(srcvar, 'A', sizeof(srcvar) - 1); 808 srcvar[sizeof(srcvar) - 1] = '\0'; 809 810 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 811 #undef BUF 812 813 } 814 815 ATF_TC_WITHOUT_HEAD(sprintf_heap_before_end); 816 ATF_TC_BODY(sprintf_heap_before_end, tc) 817 { 818 #define BUF __stack.__buf 819 struct { 820 uint8_t padding_l; 821 unsigned char * __buf; 822 uint8_t padding_r; 823 } __stack; 824 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 825 const size_t __len = 42 - 1; 826 const size_t __idx __unused = __len - 1; 827 char srcvar[__len + 10]; 828 829 __stack.__buf = malloc(__bufsz); 830 memset(srcvar, 'A', sizeof(srcvar) - 1); 831 srcvar[sizeof(srcvar) - 1] = '\0'; 832 833 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 834 #undef BUF 835 836 } 837 838 ATF_TC_WITHOUT_HEAD(sprintf_heap_end); 839 ATF_TC_BODY(sprintf_heap_end, tc) 840 { 841 #define BUF __stack.__buf 842 struct { 843 uint8_t padding_l; 844 unsigned char * __buf; 845 uint8_t padding_r; 846 } __stack; 847 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 848 const size_t __len = 42; 849 const size_t __idx __unused = __len - 1; 850 char srcvar[__len + 10]; 851 852 __stack.__buf = malloc(__bufsz); 853 memset(srcvar, 'A', sizeof(srcvar) - 1); 854 srcvar[sizeof(srcvar) - 1] = '\0'; 855 856 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 857 #undef BUF 858 859 } 860 861 ATF_TC_WITHOUT_HEAD(sprintf_heap_after_end); 862 ATF_TC_BODY(sprintf_heap_after_end, tc) 863 { 864 #define BUF __stack.__buf 865 struct { 866 uint8_t padding_l; 867 unsigned char * __buf; 868 uint8_t padding_r; 869 } __stack; 870 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 871 const size_t __len = 42 + 1; 872 const size_t __idx __unused = __len - 1; 873 pid_t __child; 874 int __status; 875 char srcvar[__len + 10]; 876 877 __child = fork(); 878 ATF_REQUIRE(__child >= 0); 879 if (__child > 0) 880 goto monitor; 881 882 /* Child */ 883 disable_coredumps(); 884 __stack.__buf = malloc(__bufsz); 885 memset(srcvar, 'A', sizeof(srcvar) - 1); 886 srcvar[sizeof(srcvar) - 1] = '\0'; 887 888 sprintf(__stack.__buf, "%.*s", (int)__len - 1, srcvar); 889 _exit(EX_SOFTWARE); /* Should have aborted. */ 890 891 monitor: 892 while (waitpid(__child, &__status, 0) != __child) { 893 ATF_REQUIRE_EQ(EINTR, errno); 894 } 895 896 if (!WIFSIGNALED(__status)) { 897 switch (WEXITSTATUS(__status)) { 898 case EX_SOFTWARE: 899 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 900 break; 901 case EX_OSERR: 902 atf_tc_fail("setrlimit(2) failed"); 903 break; 904 default: 905 atf_tc_fail("child exited with status %d", 906 WEXITSTATUS(__status)); 907 } 908 } else { 909 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 910 } 911 #undef BUF 912 913 } 914 915 ATF_TC_WITHOUT_HEAD(snprintf_before_end); 916 ATF_TC_BODY(snprintf_before_end, tc) 917 { 918 #define BUF &__stack.__buf 919 struct { 920 uint8_t padding_l; 921 unsigned char __buf[42]; 922 uint8_t padding_r; 923 } __stack; 924 const size_t __bufsz __unused = sizeof(__stack.__buf); 925 const size_t __len = 42 - 1; 926 const size_t __idx __unused = __len - 1; 927 char srcvar[__len + 10]; 928 929 memset(srcvar, 'A', sizeof(srcvar) - 1); 930 srcvar[sizeof(srcvar) - 1] = '\0'; 931 932 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 933 #undef BUF 934 935 } 936 937 ATF_TC_WITHOUT_HEAD(snprintf_end); 938 ATF_TC_BODY(snprintf_end, tc) 939 { 940 #define BUF &__stack.__buf 941 struct { 942 uint8_t padding_l; 943 unsigned char __buf[42]; 944 uint8_t padding_r; 945 } __stack; 946 const size_t __bufsz __unused = sizeof(__stack.__buf); 947 const size_t __len = 42; 948 const size_t __idx __unused = __len - 1; 949 char srcvar[__len + 10]; 950 951 memset(srcvar, 'A', sizeof(srcvar) - 1); 952 srcvar[sizeof(srcvar) - 1] = '\0'; 953 954 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 955 #undef BUF 956 957 } 958 959 ATF_TC_WITHOUT_HEAD(snprintf_heap_before_end); 960 ATF_TC_BODY(snprintf_heap_before_end, tc) 961 { 962 #define BUF __stack.__buf 963 struct { 964 uint8_t padding_l; 965 unsigned char * __buf; 966 uint8_t padding_r; 967 } __stack; 968 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 969 const size_t __len = 42 - 1; 970 const size_t __idx __unused = __len - 1; 971 char srcvar[__len + 10]; 972 973 __stack.__buf = malloc(__bufsz); 974 memset(srcvar, 'A', sizeof(srcvar) - 1); 975 srcvar[sizeof(srcvar) - 1] = '\0'; 976 977 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 978 #undef BUF 979 980 } 981 982 ATF_TC_WITHOUT_HEAD(snprintf_heap_end); 983 ATF_TC_BODY(snprintf_heap_end, tc) 984 { 985 #define BUF __stack.__buf 986 struct { 987 uint8_t padding_l; 988 unsigned char * __buf; 989 uint8_t padding_r; 990 } __stack; 991 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 992 const size_t __len = 42; 993 const size_t __idx __unused = __len - 1; 994 char srcvar[__len + 10]; 995 996 __stack.__buf = malloc(__bufsz); 997 memset(srcvar, 'A', sizeof(srcvar) - 1); 998 srcvar[sizeof(srcvar) - 1] = '\0'; 999 1000 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 1001 #undef BUF 1002 1003 } 1004 1005 ATF_TC_WITHOUT_HEAD(snprintf_heap_after_end); 1006 ATF_TC_BODY(snprintf_heap_after_end, tc) 1007 { 1008 #define BUF __stack.__buf 1009 struct { 1010 uint8_t padding_l; 1011 unsigned char * __buf; 1012 uint8_t padding_r; 1013 } __stack; 1014 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1015 const size_t __len = 42 + 1; 1016 const size_t __idx __unused = __len - 1; 1017 pid_t __child; 1018 int __status; 1019 char srcvar[__len + 10]; 1020 1021 __child = fork(); 1022 ATF_REQUIRE(__child >= 0); 1023 if (__child > 0) 1024 goto monitor; 1025 1026 /* Child */ 1027 disable_coredumps(); 1028 __stack.__buf = malloc(__bufsz); 1029 memset(srcvar, 'A', sizeof(srcvar) - 1); 1030 srcvar[sizeof(srcvar) - 1] = '\0'; 1031 1032 snprintf(__stack.__buf, __len, "%.*s", (int)__len - 1, srcvar); 1033 _exit(EX_SOFTWARE); /* Should have aborted. */ 1034 1035 monitor: 1036 while (waitpid(__child, &__status, 0) != __child) { 1037 ATF_REQUIRE_EQ(EINTR, errno); 1038 } 1039 1040 if (!WIFSIGNALED(__status)) { 1041 switch (WEXITSTATUS(__status)) { 1042 case EX_SOFTWARE: 1043 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1044 break; 1045 case EX_OSERR: 1046 atf_tc_fail("setrlimit(2) failed"); 1047 break; 1048 default: 1049 atf_tc_fail("child exited with status %d", 1050 WEXITSTATUS(__status)); 1051 } 1052 } else { 1053 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1054 } 1055 #undef BUF 1056 1057 } 1058 1059 ATF_TC_WITHOUT_HEAD(tmpnam_before_end); 1060 ATF_TC_BODY(tmpnam_before_end, tc) 1061 { 1062 #define BUF &__stack.__buf 1063 struct { 1064 uint8_t padding_l; 1065 unsigned char __buf[L_tmpnam + 1]; 1066 uint8_t padding_r; 1067 } __stack; 1068 const size_t __bufsz __unused = sizeof(__stack.__buf); 1069 const size_t __len = L_tmpnam + 1; 1070 const size_t __idx __unused = __len - 1; 1071 1072 tmpnam(__stack.__buf); 1073 #undef BUF 1074 1075 } 1076 1077 ATF_TC_WITHOUT_HEAD(tmpnam_end); 1078 ATF_TC_BODY(tmpnam_end, tc) 1079 { 1080 #define BUF &__stack.__buf 1081 struct { 1082 uint8_t padding_l; 1083 unsigned char __buf[L_tmpnam]; 1084 uint8_t padding_r; 1085 } __stack; 1086 const size_t __bufsz __unused = sizeof(__stack.__buf); 1087 const size_t __len = L_tmpnam; 1088 const size_t __idx __unused = __len - 1; 1089 1090 tmpnam(__stack.__buf); 1091 #undef BUF 1092 1093 } 1094 1095 ATF_TC_WITHOUT_HEAD(tmpnam_heap_before_end); 1096 ATF_TC_BODY(tmpnam_heap_before_end, tc) 1097 { 1098 #define BUF __stack.__buf 1099 struct { 1100 uint8_t padding_l; 1101 unsigned char * __buf; 1102 uint8_t padding_r; 1103 } __stack; 1104 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_tmpnam + 1); 1105 const size_t __len = L_tmpnam + 1; 1106 const size_t __idx __unused = __len - 1; 1107 1108 __stack.__buf = malloc(__bufsz); 1109 1110 tmpnam(__stack.__buf); 1111 #undef BUF 1112 1113 } 1114 1115 ATF_TC_WITHOUT_HEAD(tmpnam_heap_end); 1116 ATF_TC_BODY(tmpnam_heap_end, tc) 1117 { 1118 #define BUF __stack.__buf 1119 struct { 1120 uint8_t padding_l; 1121 unsigned char * __buf; 1122 uint8_t padding_r; 1123 } __stack; 1124 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_tmpnam); 1125 const size_t __len = L_tmpnam; 1126 const size_t __idx __unused = __len - 1; 1127 1128 __stack.__buf = malloc(__bufsz); 1129 1130 tmpnam(__stack.__buf); 1131 #undef BUF 1132 1133 } 1134 1135 ATF_TC_WITHOUT_HEAD(tmpnam_heap_after_end); 1136 ATF_TC_BODY(tmpnam_heap_after_end, tc) 1137 { 1138 #define BUF __stack.__buf 1139 struct { 1140 uint8_t padding_l; 1141 unsigned char * __buf; 1142 uint8_t padding_r; 1143 } __stack; 1144 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (L_tmpnam - 1); 1145 const size_t __len = L_tmpnam - 1; 1146 const size_t __idx __unused = __len - 1; 1147 pid_t __child; 1148 int __status; 1149 1150 __child = fork(); 1151 ATF_REQUIRE(__child >= 0); 1152 if (__child > 0) 1153 goto monitor; 1154 1155 /* Child */ 1156 disable_coredumps(); 1157 __stack.__buf = malloc(__bufsz); 1158 1159 tmpnam(__stack.__buf); 1160 _exit(EX_SOFTWARE); /* Should have aborted. */ 1161 1162 monitor: 1163 while (waitpid(__child, &__status, 0) != __child) { 1164 ATF_REQUIRE_EQ(EINTR, errno); 1165 } 1166 1167 if (!WIFSIGNALED(__status)) { 1168 switch (WEXITSTATUS(__status)) { 1169 case EX_SOFTWARE: 1170 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1171 break; 1172 case EX_OSERR: 1173 atf_tc_fail("setrlimit(2) failed"); 1174 break; 1175 default: 1176 atf_tc_fail("child exited with status %d", 1177 WEXITSTATUS(__status)); 1178 } 1179 } else { 1180 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1181 } 1182 #undef BUF 1183 1184 } 1185 1186 ATF_TC_WITHOUT_HEAD(fgets_before_end); 1187 ATF_TC_BODY(fgets_before_end, tc) 1188 { 1189 #define BUF &__stack.__buf 1190 struct { 1191 uint8_t padding_l; 1192 unsigned char __buf[42]; 1193 uint8_t padding_r; 1194 } __stack; 1195 const size_t __bufsz __unused = sizeof(__stack.__buf); 1196 const size_t __len = 42 - 1; 1197 const size_t __idx __unused = __len - 1; 1198 FILE *fp; 1199 1200 fp = new_fp(__len); 1201 1202 fgets(__stack.__buf, __len, fp); 1203 #undef BUF 1204 1205 } 1206 1207 ATF_TC_WITHOUT_HEAD(fgets_end); 1208 ATF_TC_BODY(fgets_end, tc) 1209 { 1210 #define BUF &__stack.__buf 1211 struct { 1212 uint8_t padding_l; 1213 unsigned char __buf[42]; 1214 uint8_t padding_r; 1215 } __stack; 1216 const size_t __bufsz __unused = sizeof(__stack.__buf); 1217 const size_t __len = 42; 1218 const size_t __idx __unused = __len - 1; 1219 FILE *fp; 1220 1221 fp = new_fp(__len); 1222 1223 fgets(__stack.__buf, __len, fp); 1224 #undef BUF 1225 1226 } 1227 1228 ATF_TC_WITHOUT_HEAD(fgets_heap_before_end); 1229 ATF_TC_BODY(fgets_heap_before_end, tc) 1230 { 1231 #define BUF __stack.__buf 1232 struct { 1233 uint8_t padding_l; 1234 unsigned char * __buf; 1235 uint8_t padding_r; 1236 } __stack; 1237 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1238 const size_t __len = 42 - 1; 1239 const size_t __idx __unused = __len - 1; 1240 FILE *fp; 1241 1242 __stack.__buf = malloc(__bufsz); 1243 fp = new_fp(__len); 1244 1245 fgets(__stack.__buf, __len, fp); 1246 #undef BUF 1247 1248 } 1249 1250 ATF_TC_WITHOUT_HEAD(fgets_heap_end); 1251 ATF_TC_BODY(fgets_heap_end, tc) 1252 { 1253 #define BUF __stack.__buf 1254 struct { 1255 uint8_t padding_l; 1256 unsigned char * __buf; 1257 uint8_t padding_r; 1258 } __stack; 1259 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1260 const size_t __len = 42; 1261 const size_t __idx __unused = __len - 1; 1262 FILE *fp; 1263 1264 __stack.__buf = malloc(__bufsz); 1265 fp = new_fp(__len); 1266 1267 fgets(__stack.__buf, __len, fp); 1268 #undef BUF 1269 1270 } 1271 1272 ATF_TC_WITHOUT_HEAD(fgets_heap_after_end); 1273 ATF_TC_BODY(fgets_heap_after_end, tc) 1274 { 1275 #define BUF __stack.__buf 1276 struct { 1277 uint8_t padding_l; 1278 unsigned char * __buf; 1279 uint8_t padding_r; 1280 } __stack; 1281 const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); 1282 const size_t __len = 42 + 1; 1283 const size_t __idx __unused = __len - 1; 1284 pid_t __child; 1285 int __status; 1286 FILE *fp; 1287 1288 __child = fork(); 1289 ATF_REQUIRE(__child >= 0); 1290 if (__child > 0) 1291 goto monitor; 1292 1293 /* Child */ 1294 disable_coredumps(); 1295 __stack.__buf = malloc(__bufsz); 1296 fp = new_fp(__len); 1297 1298 fgets(__stack.__buf, __len, fp); 1299 _exit(EX_SOFTWARE); /* Should have aborted. */ 1300 1301 monitor: 1302 while (waitpid(__child, &__status, 0) != __child) { 1303 ATF_REQUIRE_EQ(EINTR, errno); 1304 } 1305 1306 if (!WIFSIGNALED(__status)) { 1307 switch (WEXITSTATUS(__status)) { 1308 case EX_SOFTWARE: 1309 atf_tc_fail("FORTIFY_SOURCE failed to abort"); 1310 break; 1311 case EX_OSERR: 1312 atf_tc_fail("setrlimit(2) failed"); 1313 break; 1314 default: 1315 atf_tc_fail("child exited with status %d", 1316 WEXITSTATUS(__status)); 1317 } 1318 } else { 1319 ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); 1320 } 1321 #undef BUF 1322 1323 } 1324 1325 ATF_TP_ADD_TCS(tp) 1326 { 1327 ATF_TP_ADD_TC(tp, ctermid_before_end); 1328 ATF_TP_ADD_TC(tp, ctermid_end); 1329 ATF_TP_ADD_TC(tp, ctermid_heap_before_end); 1330 ATF_TP_ADD_TC(tp, ctermid_heap_end); 1331 ATF_TP_ADD_TC(tp, ctermid_heap_after_end); 1332 ATF_TP_ADD_TC(tp, ctermid_r_before_end); 1333 ATF_TP_ADD_TC(tp, ctermid_r_end); 1334 ATF_TP_ADD_TC(tp, ctermid_r_heap_before_end); 1335 ATF_TP_ADD_TC(tp, ctermid_r_heap_end); 1336 ATF_TP_ADD_TC(tp, ctermid_r_heap_after_end); 1337 ATF_TP_ADD_TC(tp, fread_before_end); 1338 ATF_TP_ADD_TC(tp, fread_end); 1339 ATF_TP_ADD_TC(tp, fread_heap_before_end); 1340 ATF_TP_ADD_TC(tp, fread_heap_end); 1341 ATF_TP_ADD_TC(tp, fread_heap_after_end); 1342 ATF_TP_ADD_TC(tp, fread_unlocked_before_end); 1343 ATF_TP_ADD_TC(tp, fread_unlocked_end); 1344 ATF_TP_ADD_TC(tp, fread_unlocked_heap_before_end); 1345 ATF_TP_ADD_TC(tp, fread_unlocked_heap_end); 1346 ATF_TP_ADD_TC(tp, fread_unlocked_heap_after_end); 1347 ATF_TP_ADD_TC(tp, gets_s_before_end); 1348 ATF_TP_ADD_TC(tp, gets_s_end); 1349 ATF_TP_ADD_TC(tp, gets_s_heap_before_end); 1350 ATF_TP_ADD_TC(tp, gets_s_heap_end); 1351 ATF_TP_ADD_TC(tp, gets_s_heap_after_end); 1352 ATF_TP_ADD_TC(tp, sprintf_before_end); 1353 ATF_TP_ADD_TC(tp, sprintf_end); 1354 ATF_TP_ADD_TC(tp, sprintf_heap_before_end); 1355 ATF_TP_ADD_TC(tp, sprintf_heap_end); 1356 ATF_TP_ADD_TC(tp, sprintf_heap_after_end); 1357 ATF_TP_ADD_TC(tp, snprintf_before_end); 1358 ATF_TP_ADD_TC(tp, snprintf_end); 1359 ATF_TP_ADD_TC(tp, snprintf_heap_before_end); 1360 ATF_TP_ADD_TC(tp, snprintf_heap_end); 1361 ATF_TP_ADD_TC(tp, snprintf_heap_after_end); 1362 ATF_TP_ADD_TC(tp, tmpnam_before_end); 1363 ATF_TP_ADD_TC(tp, tmpnam_end); 1364 ATF_TP_ADD_TC(tp, tmpnam_heap_before_end); 1365 ATF_TP_ADD_TC(tp, tmpnam_heap_end); 1366 ATF_TP_ADD_TC(tp, tmpnam_heap_after_end); 1367 ATF_TP_ADD_TC(tp, fgets_before_end); 1368 ATF_TP_ADD_TC(tp, fgets_end); 1369 ATF_TP_ADD_TC(tp, fgets_heap_before_end); 1370 ATF_TP_ADD_TC(tp, fgets_heap_end); 1371 ATF_TP_ADD_TC(tp, fgets_heap_after_end); 1372 return (atf_no_error()); 1373 } 1374