1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Runtime test cases for CONFIG_FORTIFY_SOURCE. For additional memcpy() 4 * testing see FORTIFY_MEM_* tests in LKDTM (drivers/misc/lkdtm/fortify.c). 5 * 6 * For corner cases with UBSAN, try testing with: 7 * 8 * ./tools/testing/kunit/kunit.py run --arch=x86_64 \ 9 * --kconfig_add CONFIG_FORTIFY_SOURCE=y \ 10 * --kconfig_add CONFIG_UBSAN=y \ 11 * --kconfig_add CONFIG_UBSAN_TRAP=y \ 12 * --kconfig_add CONFIG_UBSAN_BOUNDS=y \ 13 * --kconfig_add CONFIG_UBSAN_LOCAL_BOUNDS=y \ 14 * --make_options LLVM=1 fortify 15 */ 16 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 17 18 /* We don't need to fill dmesg with the fortify WARNs during testing. */ 19 #ifdef DEBUG 20 # define FORTIFY_REPORT_KUNIT(x...) __fortify_report(x) 21 # define FORTIFY_WARN_KUNIT(x...) WARN_ONCE(x) 22 #else 23 # define FORTIFY_REPORT_KUNIT(x...) do { } while (0) 24 # define FORTIFY_WARN_KUNIT(x...) do { } while (0) 25 #endif 26 27 /* Redefine fortify_panic() to track failures. */ 28 void fortify_add_kunit_error(int write); 29 #define fortify_panic(func, write, avail, size, retfail) do { \ 30 FORTIFY_REPORT_KUNIT(FORTIFY_REASON(func, write), avail, size); \ 31 fortify_add_kunit_error(write); \ 32 return (retfail); \ 33 } while (0) 34 35 /* Redefine fortify_warn_once() to track memcpy() failures. */ 36 #define fortify_warn_once(chk_func, x...) do { \ 37 bool __result = chk_func; \ 38 FORTIFY_WARN_KUNIT(__result, x); \ 39 if (__result) \ 40 fortify_add_kunit_error(1); \ 41 } while (0) 42 43 #include <kunit/device.h> 44 #include <kunit/test.h> 45 #include <kunit/test-bug.h> 46 #include <linux/device.h> 47 #include <linux/slab.h> 48 #include <linux/string.h> 49 #include <linux/vmalloc.h> 50 51 /* Handle being built without CONFIG_FORTIFY_SOURCE */ 52 #ifndef __compiletime_strlen 53 # define __compiletime_strlen __builtin_strlen 54 #endif 55 56 static struct kunit_resource read_resource; 57 static struct kunit_resource write_resource; 58 static int fortify_read_overflows; 59 static int fortify_write_overflows; 60 61 static const char array_of_10[] = "this is 10"; 62 static const char *ptr_of_11 = "this is 11!"; 63 static const char * const unchanging_12 = "this is 12!!"; 64 static char array_unknown[] = "compiler thinks I might change"; 65 66 void fortify_add_kunit_error(int write) 67 { 68 struct kunit_resource *resource; 69 struct kunit *current_test; 70 71 current_test = kunit_get_current_test(); 72 if (!current_test) 73 return; 74 75 resource = kunit_find_named_resource(current_test, 76 write ? "fortify_write_overflows" 77 : "fortify_read_overflows"); 78 if (!resource) 79 return; 80 81 (*(int *)resource->data)++; 82 kunit_put_resource(resource); 83 } 84 85 static void fortify_test_known_sizes(struct kunit *test) 86 { 87 char stack[80] = "Test!"; 88 89 KUNIT_EXPECT_FALSE(test, __is_constexpr(__builtin_strlen(stack))); 90 KUNIT_EXPECT_EQ(test, __compiletime_strlen(stack), 5); 91 92 KUNIT_EXPECT_TRUE(test, __is_constexpr(__builtin_strlen("88888888"))); 93 KUNIT_EXPECT_EQ(test, __compiletime_strlen("88888888"), 8); 94 95 KUNIT_EXPECT_TRUE(test, __is_constexpr(__builtin_strlen(array_of_10))); 96 KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_of_10), 10); 97 98 KUNIT_EXPECT_FALSE(test, __is_constexpr(__builtin_strlen(ptr_of_11))); 99 KUNIT_EXPECT_EQ(test, __compiletime_strlen(ptr_of_11), 11); 100 101 KUNIT_EXPECT_TRUE(test, __is_constexpr(__builtin_strlen(unchanging_12))); 102 KUNIT_EXPECT_EQ(test, __compiletime_strlen(unchanging_12), 12); 103 104 KUNIT_EXPECT_FALSE(test, __is_constexpr(__builtin_strlen(array_unknown))); 105 KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_unknown), SIZE_MAX); 106 107 /* Externally defined and dynamically sized string pointer: */ 108 KUNIT_EXPECT_FALSE(test, __is_constexpr(__builtin_strlen(test->name))); 109 KUNIT_EXPECT_EQ(test, __compiletime_strlen(test->name), SIZE_MAX); 110 } 111 112 /* This is volatile so the optimizer can't perform DCE below. */ 113 static volatile int pick; 114 115 /* Not inline to keep optimizer from figuring out which string we want. */ 116 static noinline size_t want_minus_one(int pick) 117 { 118 const char *str; 119 120 switch (pick) { 121 case 1: 122 str = "4444"; 123 break; 124 case 2: 125 str = "333"; 126 break; 127 default: 128 str = "1"; 129 break; 130 } 131 return __compiletime_strlen(str); 132 } 133 134 static void fortify_test_control_flow_split(struct kunit *test) 135 { 136 KUNIT_EXPECT_EQ(test, want_minus_one(pick), SIZE_MAX); 137 } 138 139 #define KUNIT_EXPECT_BOS(test, p, expected, name) \ 140 KUNIT_EXPECT_EQ_MSG(test, __builtin_object_size(p, 1), \ 141 expected, \ 142 "__alloc_size() not working with __bos on " name "\n") 143 144 #if !__has_builtin(__builtin_dynamic_object_size) 145 #define KUNIT_EXPECT_BDOS(test, p, expected, name) \ 146 /* Silence "unused variable 'expected'" warning. */ \ 147 KUNIT_EXPECT_EQ(test, expected, expected) 148 #else 149 #define KUNIT_EXPECT_BDOS(test, p, expected, name) \ 150 KUNIT_EXPECT_EQ_MSG(test, __builtin_dynamic_object_size(p, 1), \ 151 expected, \ 152 "__alloc_size() not working with __bdos on " name "\n") 153 #endif 154 155 /* If the execpted size is a constant value, __bos can see it. */ 156 #define check_const(_expected, alloc, free) do { \ 157 size_t expected = (_expected); \ 158 void *p = alloc; \ 159 KUNIT_EXPECT_TRUE_MSG(test, p != NULL, #alloc " failed?!\n"); \ 160 KUNIT_EXPECT_BOS(test, p, expected, #alloc); \ 161 KUNIT_EXPECT_BDOS(test, p, expected, #alloc); \ 162 free; \ 163 } while (0) 164 165 /* If the execpted size is NOT a constant value, __bos CANNOT see it. */ 166 #define check_dynamic(_expected, alloc, free) do { \ 167 size_t expected = (_expected); \ 168 void *p = alloc; \ 169 KUNIT_EXPECT_TRUE_MSG(test, p != NULL, #alloc " failed?!\n"); \ 170 KUNIT_EXPECT_BOS(test, p, SIZE_MAX, #alloc); \ 171 KUNIT_EXPECT_BDOS(test, p, expected, #alloc); \ 172 free; \ 173 } while (0) 174 175 /* Assortment of constant-value kinda-edge cases. */ 176 #define CONST_TEST_BODY(TEST_alloc) do { \ 177 /* Special-case vmalloc()-family to skip 0-sized allocs. */ \ 178 if (strcmp(#TEST_alloc, "TEST_vmalloc") != 0) \ 179 TEST_alloc(check_const, 0, 0); \ 180 TEST_alloc(check_const, 1, 1); \ 181 TEST_alloc(check_const, 128, 128); \ 182 TEST_alloc(check_const, 1023, 1023); \ 183 TEST_alloc(check_const, 1025, 1025); \ 184 TEST_alloc(check_const, 4096, 4096); \ 185 TEST_alloc(check_const, 4097, 4097); \ 186 } while (0) 187 188 static volatile size_t zero_size; 189 static volatile size_t unknown_size = 50; 190 191 #if !__has_builtin(__builtin_dynamic_object_size) 192 #define DYNAMIC_TEST_BODY(TEST_alloc) \ 193 kunit_skip(test, "Compiler is missing __builtin_dynamic_object_size() support\n") 194 #else 195 #define DYNAMIC_TEST_BODY(TEST_alloc) do { \ 196 size_t size = unknown_size; \ 197 \ 198 /* \ 199 * Expected size is "size" in each test, before it is then \ 200 * internally incremented in each test. Requires we disable \ 201 * -Wunsequenced. \ 202 */ \ 203 TEST_alloc(check_dynamic, size, size++); \ 204 /* Make sure incrementing actually happened. */ \ 205 KUNIT_EXPECT_NE(test, size, unknown_size); \ 206 } while (0) 207 #endif 208 209 #define DEFINE_ALLOC_SIZE_TEST_PAIR(allocator) \ 210 static void fortify_test_alloc_size_##allocator##_const(struct kunit *test) \ 211 { \ 212 CONST_TEST_BODY(TEST_##allocator); \ 213 } \ 214 static void fortify_test_alloc_size_##allocator##_dynamic(struct kunit *test) \ 215 { \ 216 DYNAMIC_TEST_BODY(TEST_##allocator); \ 217 } 218 219 #define TEST_kmalloc(checker, expected_size, alloc_size) do { \ 220 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \ 221 void *orig; \ 222 size_t len; \ 223 \ 224 checker(expected_size, kmalloc(alloc_size, gfp), \ 225 kfree(p)); \ 226 checker(expected_size, \ 227 kmalloc_node(alloc_size, gfp, NUMA_NO_NODE), \ 228 kfree(p)); \ 229 checker(expected_size, kzalloc(alloc_size, gfp), \ 230 kfree(p)); \ 231 checker(expected_size, \ 232 kzalloc_node(alloc_size, gfp, NUMA_NO_NODE), \ 233 kfree(p)); \ 234 checker(expected_size, kcalloc(1, alloc_size, gfp), \ 235 kfree(p)); \ 236 checker(expected_size, kcalloc(alloc_size, 1, gfp), \ 237 kfree(p)); \ 238 checker(expected_size, \ 239 kcalloc_node(1, alloc_size, gfp, NUMA_NO_NODE), \ 240 kfree(p)); \ 241 checker(expected_size, \ 242 kcalloc_node(alloc_size, 1, gfp, NUMA_NO_NODE), \ 243 kfree(p)); \ 244 checker(expected_size, kmalloc_array(1, alloc_size, gfp), \ 245 kfree(p)); \ 246 checker(expected_size, kmalloc_array(alloc_size, 1, gfp), \ 247 kfree(p)); \ 248 checker(expected_size, \ 249 kmalloc_array_node(1, alloc_size, gfp, NUMA_NO_NODE), \ 250 kfree(p)); \ 251 checker(expected_size, \ 252 kmalloc_array_node(alloc_size, 1, gfp, NUMA_NO_NODE), \ 253 kfree(p)); \ 254 \ 255 orig = kmalloc(alloc_size, gfp); \ 256 KUNIT_EXPECT_TRUE(test, orig != NULL); \ 257 checker((expected_size) * 2, \ 258 krealloc(orig, (alloc_size) * 2, gfp), \ 259 kfree(p)); \ 260 orig = kmalloc(alloc_size, gfp); \ 261 KUNIT_EXPECT_TRUE(test, orig != NULL); \ 262 checker((expected_size) * 2, \ 263 krealloc_array(orig, 1, (alloc_size) * 2, gfp), \ 264 kfree(p)); \ 265 orig = kmalloc(alloc_size, gfp); \ 266 KUNIT_EXPECT_TRUE(test, orig != NULL); \ 267 checker((expected_size) * 2, \ 268 krealloc_array(orig, (alloc_size) * 2, 1, gfp), \ 269 kfree(p)); \ 270 \ 271 len = 11; \ 272 /* Using memdup() with fixed size, so force unknown length. */ \ 273 if (!__builtin_constant_p(expected_size)) \ 274 len += zero_size; \ 275 checker(len, kmemdup("hello there", len, gfp), kfree(p)); \ 276 } while (0) 277 DEFINE_ALLOC_SIZE_TEST_PAIR(kmalloc) 278 279 /* Sizes are in pages, not bytes. */ 280 #define TEST_vmalloc(checker, expected_pages, alloc_pages) do { \ 281 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \ 282 checker((expected_pages) * PAGE_SIZE, \ 283 vmalloc((alloc_pages) * PAGE_SIZE), vfree(p)); \ 284 checker((expected_pages) * PAGE_SIZE, \ 285 vzalloc((alloc_pages) * PAGE_SIZE), vfree(p)); \ 286 checker((expected_pages) * PAGE_SIZE, \ 287 __vmalloc((alloc_pages) * PAGE_SIZE, gfp), vfree(p)); \ 288 } while (0) 289 DEFINE_ALLOC_SIZE_TEST_PAIR(vmalloc) 290 291 /* Sizes are in pages (and open-coded for side-effects), not bytes. */ 292 #define TEST_kvmalloc(checker, expected_pages, alloc_pages) do { \ 293 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \ 294 size_t prev_size; \ 295 void *orig; \ 296 \ 297 checker((expected_pages) * PAGE_SIZE, \ 298 kvmalloc((alloc_pages) * PAGE_SIZE, gfp), \ 299 kvfree(p)); \ 300 checker((expected_pages) * PAGE_SIZE, \ 301 kvmalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \ 302 kvfree(p)); \ 303 checker((expected_pages) * PAGE_SIZE, \ 304 kvzalloc((alloc_pages) * PAGE_SIZE, gfp), \ 305 kvfree(p)); \ 306 checker((expected_pages) * PAGE_SIZE, \ 307 kvzalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \ 308 kvfree(p)); \ 309 checker((expected_pages) * PAGE_SIZE, \ 310 kvcalloc(1, (alloc_pages) * PAGE_SIZE, gfp), \ 311 kvfree(p)); \ 312 checker((expected_pages) * PAGE_SIZE, \ 313 kvcalloc((alloc_pages) * PAGE_SIZE, 1, gfp), \ 314 kvfree(p)); \ 315 checker((expected_pages) * PAGE_SIZE, \ 316 kvmalloc_array(1, (alloc_pages) * PAGE_SIZE, gfp), \ 317 kvfree(p)); \ 318 checker((expected_pages) * PAGE_SIZE, \ 319 kvmalloc_array((alloc_pages) * PAGE_SIZE, 1, gfp), \ 320 kvfree(p)); \ 321 \ 322 prev_size = (expected_pages) * PAGE_SIZE; \ 323 orig = kvmalloc(prev_size, gfp); \ 324 KUNIT_EXPECT_TRUE(test, orig != NULL); \ 325 checker(((expected_pages) * PAGE_SIZE) * 2, \ 326 kvrealloc(orig, ((alloc_pages) * PAGE_SIZE) * 2, gfp), \ 327 kvfree(p)); \ 328 } while (0) 329 DEFINE_ALLOC_SIZE_TEST_PAIR(kvmalloc) 330 331 #define TEST_devm_kmalloc(checker, expected_size, alloc_size) do { \ 332 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \ 333 const char dev_name[] = "fortify-test"; \ 334 struct device *dev; \ 335 void *orig; \ 336 size_t len; \ 337 \ 338 /* Create dummy device for devm_kmalloc()-family tests. */ \ 339 dev = kunit_device_register(test, dev_name); \ 340 KUNIT_ASSERT_FALSE_MSG(test, IS_ERR(dev), \ 341 "Cannot register test device\n"); \ 342 \ 343 checker(expected_size, devm_kmalloc(dev, alloc_size, gfp), \ 344 devm_kfree(dev, p)); \ 345 checker(expected_size, devm_kzalloc(dev, alloc_size, gfp), \ 346 devm_kfree(dev, p)); \ 347 checker(expected_size, \ 348 devm_kmalloc_array(dev, 1, alloc_size, gfp), \ 349 devm_kfree(dev, p)); \ 350 checker(expected_size, \ 351 devm_kmalloc_array(dev, alloc_size, 1, gfp), \ 352 devm_kfree(dev, p)); \ 353 checker(expected_size, \ 354 devm_kcalloc(dev, 1, alloc_size, gfp), \ 355 devm_kfree(dev, p)); \ 356 checker(expected_size, \ 357 devm_kcalloc(dev, alloc_size, 1, gfp), \ 358 devm_kfree(dev, p)); \ 359 \ 360 orig = devm_kmalloc(dev, alloc_size, gfp); \ 361 KUNIT_EXPECT_TRUE(test, orig != NULL); \ 362 checker((expected_size) * 2, \ 363 devm_krealloc(dev, orig, (alloc_size) * 2, gfp), \ 364 devm_kfree(dev, p)); \ 365 \ 366 len = 4; \ 367 /* Using memdup() with fixed size, so force unknown length. */ \ 368 if (!__builtin_constant_p(expected_size)) \ 369 len += zero_size; \ 370 checker(len, devm_kmemdup(dev, "Ohai", len, gfp), \ 371 devm_kfree(dev, p)); \ 372 \ 373 kunit_device_unregister(test, dev); \ 374 } while (0) 375 DEFINE_ALLOC_SIZE_TEST_PAIR(devm_kmalloc) 376 377 static const char * const test_strs[] = { 378 "", 379 "Hello there", 380 "A longer string, just for variety", 381 }; 382 383 #define TEST_realloc(checker) do { \ 384 gfp_t gfp = GFP_KERNEL; \ 385 size_t len; \ 386 int i; \ 387 \ 388 for (i = 0; i < ARRAY_SIZE(test_strs); i++) { \ 389 len = strlen(test_strs[i]); \ 390 KUNIT_EXPECT_EQ(test, __builtin_constant_p(len), 0); \ 391 checker(len, kmemdup_array(test_strs[i], 1, len, gfp), \ 392 kfree(p)); \ 393 checker(len, kmemdup(test_strs[i], len, gfp), \ 394 kfree(p)); \ 395 } \ 396 } while (0) 397 static void fortify_test_realloc_size(struct kunit *test) 398 { 399 TEST_realloc(check_dynamic); 400 } 401 402 /* 403 * We can't have an array at the end of a structure or else 404 * builds without -fstrict-flex-arrays=3 will report them as 405 * being an unknown length. Additionally, add bytes before 406 * and after the string to catch over/underflows if tests 407 * fail. 408 */ 409 struct fortify_padding { 410 unsigned long bytes_before; 411 char buf[32]; 412 unsigned long bytes_after; 413 }; 414 415 static void fortify_test_strlen(struct kunit *test) 416 { 417 struct fortify_padding pad = { }; 418 int i, end = sizeof(pad.buf) - 1; 419 420 /* Fill 31 bytes with valid characters. */ 421 for (i = 0; i < sizeof(pad.buf) - 1; i++) 422 pad.buf[i] = i + '0'; 423 /* Trailing bytes are still %NUL. */ 424 KUNIT_EXPECT_EQ(test, pad.buf[end], '\0'); 425 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 426 427 /* String is terminated, so strlen() is valid. */ 428 KUNIT_EXPECT_EQ(test, strlen(pad.buf), end); 429 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 430 431 /* Make string unterminated, and recount. */ 432 pad.buf[end] = 'A'; 433 end = sizeof(pad.buf); 434 KUNIT_EXPECT_EQ(test, strlen(pad.buf), end); 435 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); 436 } 437 438 static void fortify_test_strnlen(struct kunit *test) 439 { 440 struct fortify_padding pad = { }; 441 int i, end = sizeof(pad.buf) - 1; 442 443 /* Fill 31 bytes with valid characters. */ 444 for (i = 0; i < sizeof(pad.buf) - 1; i++) 445 pad.buf[i] = i + '0'; 446 /* Trailing bytes are still %NUL. */ 447 KUNIT_EXPECT_EQ(test, pad.buf[end], '\0'); 448 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 449 450 /* String is terminated, so strnlen() is valid. */ 451 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf)), end); 452 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 453 /* A truncated strnlen() will be safe, too. */ 454 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf) / 2), 455 sizeof(pad.buf) / 2); 456 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 457 458 /* Make string unterminated, and recount. */ 459 pad.buf[end] = 'A'; 460 end = sizeof(pad.buf); 461 /* Reading beyond with strncpy() will fail. */ 462 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end); 463 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); 464 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end); 465 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); 466 467 /* Early-truncated is safe still, though. */ 468 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end); 469 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); 470 471 end = sizeof(pad.buf) / 2; 472 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end); 473 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); 474 } 475 476 static void fortify_test_strcpy(struct kunit *test) 477 { 478 struct fortify_padding pad = { }; 479 char src[sizeof(pad.buf) + 1] = { }; 480 int i; 481 482 /* Fill 31 bytes with valid characters. */ 483 for (i = 0; i < sizeof(src) - 2; i++) 484 src[i] = i + '0'; 485 486 /* Destination is %NUL-filled to start with. */ 487 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); 488 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 489 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 490 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 491 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 492 493 /* Legitimate strcpy() 1 less than of max size. */ 494 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src) 495 == pad.buf); 496 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 497 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 498 /* Only last byte should be %NUL */ 499 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 500 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 501 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 502 503 src[sizeof(src) - 2] = 'A'; 504 /* But now we trip the overflow checking. */ 505 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src) 506 == pad.buf); 507 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 508 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); 509 /* Trailing %NUL -- thanks to FORTIFY. */ 510 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 511 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 512 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 513 /* And we will not have gone beyond. */ 514 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 515 516 src[sizeof(src) - 1] = 'A'; 517 /* And for sure now, two bytes past. */ 518 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src) 519 == pad.buf); 520 /* 521 * Which trips both the strlen() on the unterminated src, 522 * and the resulting copy attempt. 523 */ 524 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); 525 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); 526 /* Trailing %NUL -- thanks to FORTIFY. */ 527 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 528 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 529 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 530 /* And we will not have gone beyond. */ 531 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 532 } 533 534 static void fortify_test_strncpy(struct kunit *test) 535 { 536 struct fortify_padding pad = { }; 537 char src[] = "Copy me fully into a small buffer and I will overflow!"; 538 size_t sizeof_buf = sizeof(pad.buf); 539 540 OPTIMIZER_HIDE_VAR(sizeof_buf); 541 542 /* Destination is %NUL-filled to start with. */ 543 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); 544 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0'); 545 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 2], '\0'); 546 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 3], '\0'); 547 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 548 549 /* Legitimate strncpy() 1 less than of max size. */ 550 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf - 1) 551 == pad.buf); 552 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 553 /* Only last byte should be %NUL */ 554 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0'); 555 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 556 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 3], '\0'); 557 558 /* Legitimate (though unterminated) max-size strncpy. */ 559 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf) 560 == pad.buf); 561 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 562 /* No trailing %NUL -- thanks strncpy API. */ 563 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 1], '\0'); 564 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 565 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 566 /* But we will not have gone beyond. */ 567 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 568 569 /* Now verify that FORTIFY is working... */ 570 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf + 1) 571 == pad.buf); 572 /* Should catch the overflow. */ 573 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); 574 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 1], '\0'); 575 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 576 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 577 /* And we will not have gone beyond. */ 578 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 579 580 /* And further... */ 581 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src, sizeof_buf + 2) 582 == pad.buf); 583 /* Should catch the overflow. */ 584 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); 585 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 1], '\0'); 586 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 587 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 588 /* And we will not have gone beyond. */ 589 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 590 } 591 592 static void fortify_test_strscpy(struct kunit *test) 593 { 594 struct fortify_padding pad = { }; 595 char src[] = "Copy me fully into a small buffer and I will overflow!"; 596 size_t sizeof_buf = sizeof(pad.buf); 597 size_t sizeof_src = sizeof(src); 598 599 OPTIMIZER_HIDE_VAR(sizeof_buf); 600 OPTIMIZER_HIDE_VAR(sizeof_src); 601 602 /* Destination is %NUL-filled to start with. */ 603 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); 604 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0'); 605 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 2], '\0'); 606 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 3], '\0'); 607 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 608 609 /* Legitimate strscpy() 1 less than of max size. */ 610 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_buf - 1), 611 -E2BIG); 612 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 613 /* Keeping space for %NUL, last two bytes should be %NUL */ 614 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0'); 615 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 2], '\0'); 616 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 3], '\0'); 617 618 /* Legitimate max-size strscpy. */ 619 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_buf), 620 -E2BIG); 621 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 622 /* A trailing %NUL will exist. */ 623 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0'); 624 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 625 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 626 627 /* Now verify that FORTIFY is working... */ 628 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_buf + 1), 629 -E2BIG); 630 /* Should catch the overflow. */ 631 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); 632 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0'); 633 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 634 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 635 /* And we will not have gone beyond. */ 636 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 637 638 /* And much further... */ 639 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src, sizeof_src * 2), 640 -E2BIG); 641 /* Should catch the overflow. */ 642 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); 643 KUNIT_EXPECT_EQ(test, pad.buf[sizeof_buf - 1], '\0'); 644 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 645 KUNIT_EXPECT_NE(test, pad.buf[sizeof_buf - 2], '\0'); 646 /* And we will not have gone beyond. */ 647 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 648 } 649 650 static void fortify_test_strcat(struct kunit *test) 651 { 652 struct fortify_padding pad = { }; 653 char src[sizeof(pad.buf) / 2] = { }; 654 char one[] = "A"; 655 char two[] = "BC"; 656 int i; 657 658 /* Fill 15 bytes with valid characters. */ 659 for (i = 0; i < sizeof(src) - 1; i++) 660 src[i] = i + 'A'; 661 662 /* Destination is %NUL-filled to start with. */ 663 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); 664 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 665 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 666 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 667 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 668 669 /* Legitimate strcat() using less than half max size. */ 670 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, src) == pad.buf); 671 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 672 /* Legitimate strcat() now 2 bytes shy of end. */ 673 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, src) == pad.buf); 674 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 675 /* Last two bytes should be %NUL */ 676 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 677 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 678 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 679 680 /* Add one more character to the end. */ 681 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, one) == pad.buf); 682 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 683 /* Last byte should be %NUL */ 684 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 685 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 686 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 687 688 /* And this one char will overflow. */ 689 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, one) == pad.buf); 690 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); 691 /* Last byte should be %NUL thanks to FORTIFY. */ 692 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 693 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 694 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 695 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 696 697 /* And adding two will overflow more. */ 698 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, two) == pad.buf); 699 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); 700 /* Last byte should be %NUL thanks to FORTIFY. */ 701 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 702 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 703 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 704 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 705 } 706 707 static void fortify_test_strncat(struct kunit *test) 708 { 709 struct fortify_padding pad = { }; 710 char src[sizeof(pad.buf)] = { }; 711 int i, partial; 712 713 /* Fill 31 bytes with valid characters. */ 714 partial = sizeof(src) / 2 - 1; 715 for (i = 0; i < partial; i++) 716 src[i] = i + 'A'; 717 718 /* Destination is %NUL-filled to start with. */ 719 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); 720 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 721 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 722 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 723 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 724 725 /* Legitimate strncat() using less than half max size. */ 726 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, partial) == pad.buf); 727 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 728 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 729 /* Legitimate strncat() now 2 bytes shy of end. */ 730 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, partial) == pad.buf); 731 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 732 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 733 /* Last two bytes should be %NUL */ 734 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 735 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 736 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 737 738 /* Add one more character to the end. */ 739 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf); 740 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 741 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 742 /* Last byte should be %NUL */ 743 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 744 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 745 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 746 747 /* And this one char will overflow. */ 748 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf); 749 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 750 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); 751 /* Last byte should be %NUL thanks to FORTIFY. */ 752 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 753 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 754 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 755 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 756 757 /* And adding two will overflow more. */ 758 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 2) == pad.buf); 759 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 760 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); 761 /* Last byte should be %NUL thanks to FORTIFY. */ 762 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 763 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 764 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 765 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 766 767 /* Force an unterminated destination, and overflow. */ 768 pad.buf[sizeof(pad.buf) - 1] = 'A'; 769 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf); 770 /* This will have tripped both strlen() and strcat(). */ 771 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); 772 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 3); 773 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 774 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 775 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 776 /* But we should not go beyond the end. */ 777 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 778 } 779 780 static void fortify_test_strlcat(struct kunit *test) 781 { 782 struct fortify_padding pad = { }; 783 char src[sizeof(pad.buf)] = { }; 784 int i, partial; 785 int len = sizeof(pad.buf); 786 787 OPTIMIZER_HIDE_VAR(len); 788 789 /* Fill 15 bytes with valid characters. */ 790 partial = sizeof(src) / 2 - 1; 791 for (i = 0; i < partial; i++) 792 src[i] = i + 'A'; 793 794 /* Destination is %NUL-filled to start with. */ 795 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0); 796 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 797 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 798 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 799 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 800 801 /* Legitimate strlcat() using less than half max size. */ 802 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len), partial); 803 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 804 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 805 /* Legitimate strlcat() now 2 bytes shy of end. */ 806 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len), partial * 2); 807 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 808 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 809 /* Last two bytes should be %NUL */ 810 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 811 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 812 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 813 814 /* Add one more character to the end. */ 815 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "Q", len), partial * 2 + 1); 816 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 817 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); 818 /* Last byte should be %NUL */ 819 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 820 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 821 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 822 823 /* And this one char will overflow. */ 824 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "V", len * 2), len); 825 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 826 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); 827 /* Last byte should be %NUL thanks to FORTIFY. */ 828 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 829 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 830 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 831 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 832 833 /* And adding two will overflow more. */ 834 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "QQ", len * 2), len + 1); 835 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 836 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); 837 /* Last byte should be %NUL thanks to FORTIFY. */ 838 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 839 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 840 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 841 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 842 843 /* Force an unterminated destination, and overflow. */ 844 pad.buf[sizeof(pad.buf) - 1] = 'A'; 845 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "TT", len * 2), len + 2); 846 /* This will have tripped both strlen() and strlcat(). */ 847 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); 848 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); 849 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 850 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0'); 851 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0'); 852 /* But we should not go beyond the end. */ 853 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 854 855 /* Force an unterminated source, and overflow. */ 856 memset(src, 'B', sizeof(src)); 857 pad.buf[sizeof(pad.buf) - 1] = '\0'; 858 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len * 3), len - 1 + sizeof(src)); 859 /* This will have tripped both strlen() and strlcat(). */ 860 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3); 861 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 3); 862 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0'); 863 /* But we should not go beyond the end. */ 864 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); 865 } 866 867 /* Check for 0-sized arrays... */ 868 struct fortify_zero_sized { 869 unsigned long bytes_before; 870 char buf[0]; 871 unsigned long bytes_after; 872 }; 873 874 #define __fortify_test(memfunc) \ 875 static void fortify_test_##memfunc(struct kunit *test) \ 876 { \ 877 struct fortify_zero_sized empty = { }; \ 878 struct fortify_padding pad = { }; \ 879 char srcA[sizeof(pad.buf) + 2]; \ 880 char srcB[sizeof(pad.buf) + 2]; \ 881 size_t len = sizeof(pad.buf); \ 882 size_t zero = 0; \ 883 \ 884 OPTIMIZER_HIDE_VAR(len); \ 885 OPTIMIZER_HIDE_VAR(zero); \ 886 \ 887 memset(srcA, 'A', sizeof(srcA)); \ 888 KUNIT_ASSERT_EQ(test, srcA[0], 'A'); \ 889 memset(srcB, 'B', sizeof(srcB)); \ 890 KUNIT_ASSERT_EQ(test, srcB[0], 'B'); \ 891 \ 892 memfunc(pad.buf, srcA, zero); \ 893 KUNIT_EXPECT_EQ(test, pad.buf[0], '\0'); \ 894 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \ 895 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \ 896 memfunc(pad.buf + 1, srcB, zero + 1); \ 897 KUNIT_EXPECT_EQ(test, pad.buf[0], '\0'); \ 898 KUNIT_EXPECT_EQ(test, pad.buf[1], 'B'); \ 899 KUNIT_EXPECT_EQ(test, pad.buf[2], '\0'); \ 900 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \ 901 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \ 902 memfunc(pad.buf, srcA, zero + 1); \ 903 KUNIT_EXPECT_EQ(test, pad.buf[0], 'A'); \ 904 KUNIT_EXPECT_EQ(test, pad.buf[1], 'B'); \ 905 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \ 906 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \ 907 memfunc(pad.buf, srcA, len - 1); \ 908 KUNIT_EXPECT_EQ(test, pad.buf[1], 'A'); \ 909 KUNIT_EXPECT_EQ(test, pad.buf[len - 1], '\0'); \ 910 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \ 911 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \ 912 memfunc(pad.buf, srcA, len); \ 913 KUNIT_EXPECT_EQ(test, pad.buf[1], 'A'); \ 914 KUNIT_EXPECT_EQ(test, pad.buf[len - 1], 'A'); \ 915 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); \ 916 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \ 917 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \ 918 memfunc(pad.buf, srcA, len + 1); \ 919 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \ 920 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); \ 921 memfunc(pad.buf + 1, srcB, len); \ 922 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \ 923 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); \ 924 \ 925 /* Reset error counter. */ \ 926 fortify_write_overflows = 0; \ 927 /* Copy nothing into nothing: no errors. */ \ 928 memfunc(empty.buf, srcB, zero); \ 929 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \ 930 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \ 931 memfunc(empty.buf, srcB, zero + 1); \ 932 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \ 933 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); \ 934 } 935 __fortify_test(memcpy) 936 __fortify_test(memmove) 937 938 static void fortify_test_memscan(struct kunit *test) 939 { 940 char haystack[] = "Where oh where is my memory range?"; 941 char *mem = haystack + strlen("Where oh where is "); 942 char needle = 'm'; 943 size_t len = sizeof(haystack); 944 945 OPTIMIZER_HIDE_VAR(len); 946 947 KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len), 948 mem); 949 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 950 /* Catch too-large range. */ 951 KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len + 1), 952 NULL); 953 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); 954 KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len * 2), 955 NULL); 956 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); 957 } 958 959 static void fortify_test_memchr(struct kunit *test) 960 { 961 char haystack[] = "Where oh where is my memory range?"; 962 char *mem = haystack + strlen("Where oh where is "); 963 char needle = 'm'; 964 size_t len = sizeof(haystack); 965 966 OPTIMIZER_HIDE_VAR(len); 967 968 KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len), 969 mem); 970 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 971 /* Catch too-large range. */ 972 KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len + 1), 973 NULL); 974 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); 975 KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len * 2), 976 NULL); 977 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); 978 } 979 980 static void fortify_test_memchr_inv(struct kunit *test) 981 { 982 char haystack[] = "Where oh where is my memory range?"; 983 char *mem = haystack + 1; 984 char needle = 'W'; 985 size_t len = sizeof(haystack); 986 987 OPTIMIZER_HIDE_VAR(len); 988 989 /* Normal search is okay. */ 990 KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len), 991 mem); 992 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 993 /* Catch too-large range. */ 994 KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len + 1), 995 NULL); 996 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); 997 KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len * 2), 998 NULL); 999 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); 1000 } 1001 1002 static void fortify_test_memcmp(struct kunit *test) 1003 { 1004 char one[] = "My mind is going ..."; 1005 char two[] = "My mind is going ... I can feel it."; 1006 volatile size_t one_len = sizeof(one) - 1; 1007 volatile size_t two_len = sizeof(two) - 1; 1008 1009 OPTIMIZER_HIDE_VAR(one_len); 1010 OPTIMIZER_HIDE_VAR(two_len); 1011 1012 /* We match the first string (ignoring the %NUL). */ 1013 KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0); 1014 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 1015 /* Still in bounds, but no longer matching. */ 1016 KUNIT_ASSERT_LT(test, memcmp(one, two, one_len + 1), 0); 1017 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 1018 1019 /* Catch too-large ranges. */ 1020 KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 2), INT_MIN); 1021 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); 1022 1023 KUNIT_ASSERT_EQ(test, memcmp(two, one, two_len + 2), INT_MIN); 1024 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); 1025 } 1026 1027 static void fortify_test_kmemdup(struct kunit *test) 1028 { 1029 char src[] = "I got Doom running on it!"; 1030 char *copy; 1031 size_t len = sizeof(src); 1032 1033 OPTIMIZER_HIDE_VAR(len); 1034 1035 /* Copy is within bounds. */ 1036 copy = kmemdup(src, len, GFP_KERNEL); 1037 KUNIT_EXPECT_NOT_NULL(test, copy); 1038 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 1039 kfree(copy); 1040 1041 /* Without %NUL. */ 1042 copy = kmemdup(src, len - 1, GFP_KERNEL); 1043 KUNIT_EXPECT_NOT_NULL(test, copy); 1044 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 1045 kfree(copy); 1046 1047 /* Tiny bounds. */ 1048 copy = kmemdup(src, 1, GFP_KERNEL); 1049 KUNIT_EXPECT_NOT_NULL(test, copy); 1050 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); 1051 kfree(copy); 1052 1053 /* Out of bounds by 1 byte. */ 1054 copy = kmemdup(src, len + 1, GFP_KERNEL); 1055 KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR); 1056 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1); 1057 kfree(copy); 1058 1059 /* Way out of bounds. */ 1060 copy = kmemdup(src, len * 2, GFP_KERNEL); 1061 KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR); 1062 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2); 1063 kfree(copy); 1064 1065 /* Starting offset causing out of bounds. */ 1066 copy = kmemdup(src + 1, len, GFP_KERNEL); 1067 KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR); 1068 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3); 1069 kfree(copy); 1070 } 1071 1072 static int fortify_test_init(struct kunit *test) 1073 { 1074 if (!IS_ENABLED(CONFIG_FORTIFY_SOURCE)) 1075 kunit_skip(test, "Not built with CONFIG_FORTIFY_SOURCE=y"); 1076 1077 fortify_read_overflows = 0; 1078 kunit_add_named_resource(test, NULL, NULL, &read_resource, 1079 "fortify_read_overflows", 1080 &fortify_read_overflows); 1081 fortify_write_overflows = 0; 1082 kunit_add_named_resource(test, NULL, NULL, &write_resource, 1083 "fortify_write_overflows", 1084 &fortify_write_overflows); 1085 return 0; 1086 } 1087 1088 static struct kunit_case fortify_test_cases[] = { 1089 KUNIT_CASE(fortify_test_known_sizes), 1090 KUNIT_CASE(fortify_test_control_flow_split), 1091 KUNIT_CASE(fortify_test_alloc_size_kmalloc_const), 1092 KUNIT_CASE(fortify_test_alloc_size_kmalloc_dynamic), 1093 KUNIT_CASE(fortify_test_alloc_size_vmalloc_const), 1094 KUNIT_CASE(fortify_test_alloc_size_vmalloc_dynamic), 1095 KUNIT_CASE(fortify_test_alloc_size_kvmalloc_const), 1096 KUNIT_CASE(fortify_test_alloc_size_kvmalloc_dynamic), 1097 KUNIT_CASE(fortify_test_alloc_size_devm_kmalloc_const), 1098 KUNIT_CASE(fortify_test_alloc_size_devm_kmalloc_dynamic), 1099 KUNIT_CASE(fortify_test_realloc_size), 1100 KUNIT_CASE(fortify_test_strlen), 1101 KUNIT_CASE(fortify_test_strnlen), 1102 KUNIT_CASE(fortify_test_strcpy), 1103 KUNIT_CASE(fortify_test_strncpy), 1104 KUNIT_CASE(fortify_test_strscpy), 1105 KUNIT_CASE(fortify_test_strcat), 1106 KUNIT_CASE(fortify_test_strncat), 1107 KUNIT_CASE(fortify_test_strlcat), 1108 /* skip memset: performs bounds checking on whole structs */ 1109 KUNIT_CASE(fortify_test_memcpy), 1110 KUNIT_CASE(fortify_test_memmove), 1111 KUNIT_CASE(fortify_test_memscan), 1112 KUNIT_CASE(fortify_test_memchr), 1113 KUNIT_CASE(fortify_test_memchr_inv), 1114 KUNIT_CASE(fortify_test_memcmp), 1115 KUNIT_CASE(fortify_test_kmemdup), 1116 {} 1117 }; 1118 1119 static struct kunit_suite fortify_test_suite = { 1120 .name = "fortify", 1121 .init = fortify_test_init, 1122 .test_cases = fortify_test_cases, 1123 }; 1124 1125 kunit_test_suite(fortify_test_suite); 1126 1127 MODULE_DESCRIPTION("Runtime test cases for CONFIG_FORTIFY_SOURCE"); 1128 MODULE_LICENSE("GPL"); 1129