From 950a58e24d1019eb9d814dbb16f111a6b61e3f23 Mon Sep 17 00:00:00 2001 From: Christopher Ferris Date: Fri, 4 Apr 2014 14:38:18 -0700 Subject: Add stpcpy/stpncpy. Add tests for the above. Add the fortify implementations of __stpcpy_chk and __stpncpy_chk. Modify the strncpy test to cover more cases and use this template for stpncpy. Add all of the fortify test cases. Bug: 13746695 Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344 --- tests/fortify_test.cpp | 120 ++++++++++++++++++++++--- tests/string_test.cpp | 235 ++++++++++++++++++++++++++++++++----------------- 2 files changed, 262 insertions(+), 93 deletions(-) (limited to 'tests') diff --git a/tests/fortify_test.cpp b/tests/fortify_test.cpp index 67e197e..d80b2f7 100644 --- a/tests/fortify_test.cpp +++ b/tests/fortify_test.cpp @@ -43,6 +43,31 @@ struct foo { #ifndef __clang__ // This test is disabled in clang because clang doesn't properly detect // this buffer overflow. TODO: Fix clang. +TEST(DEATHTEST, stpncpy_fortified2) { + ::testing::FLAGS_gtest_death_test_style = "threadsafe"; + foo myfoo; + int copy_amt = atoi("11"); + ASSERT_EXIT(stpncpy(myfoo.a, "01234567890", copy_amt), + testing::KilledBySignal(SIGABRT), ""); +} +#endif + +#ifndef __clang__ +// This test is disabled in clang because clang doesn't properly detect +// this buffer overflow. TODO: Fix clang. +TEST(DEATHTEST, stpncpy2_fortified2) { + ::testing::FLAGS_gtest_death_test_style = "threadsafe"; + foo myfoo; + memset(&myfoo, 0, sizeof(myfoo)); + myfoo.one[0] = 'A'; // not null terminated string + ASSERT_EXIT(stpncpy(myfoo.b, myfoo.one, sizeof(myfoo.b)), + testing::KilledBySignal(SIGABRT), ""); +} +#endif + +#ifndef __clang__ +// This test is disabled in clang because clang doesn't properly detect +// this buffer overflow. TODO: Fix clang. TEST(DEATHTEST, strncpy_fortified2) { ::testing::FLAGS_gtest_death_test_style = "threadsafe"; foo myfoo; @@ -144,6 +169,24 @@ TEST(DEATHTEST, vsnprintf2_fortified2) { // zero sized target with "\0" source (should fail) // This test is disabled in clang because clang doesn't properly detect // this buffer overflow. TODO: Fix clang. +TEST(DEATHTEST, stpcpy_fortified2) { +#if defined(__BIONIC__) + ::testing::FLAGS_gtest_death_test_style = "threadsafe"; + foo myfoo; + char* src = strdup(""); + ASSERT_EXIT(stpcpy(myfoo.empty, src), + testing::KilledBySignal(SIGABRT), ""); + free(src); +#else // __BIONIC__ + GTEST_LOG_(INFO) << "This test does nothing.\n"; +#endif // __BIONIC__ +} +#endif + +#ifndef __clang__ +// zero sized target with "\0" source (should fail) +// This test is disabled in clang because clang doesn't properly detect +// this buffer overflow. TODO: Fix clang. TEST(DEATHTEST, strcpy_fortified2) { #if defined(__BIONIC__) ::testing::FLAGS_gtest_death_test_style = "threadsafe"; @@ -559,6 +602,23 @@ TEST(DEATHTEST, memcpy_fortified) { ASSERT_EXIT(memcpy(bufb, bufa, n), testing::KilledBySignal(SIGABRT), ""); } +TEST(DEATHTEST, stpncpy_fortified) { + ::testing::FLAGS_gtest_death_test_style = "threadsafe"; + char bufa[15]; + char bufb[10]; + strcpy(bufa, "01234567890123"); + size_t n = strlen(bufa); + ASSERT_EXIT(stpncpy(bufb, bufa, n), testing::KilledBySignal(SIGABRT), ""); +} + +TEST(DEATHTEST, stpncpy2_fortified) { + ::testing::FLAGS_gtest_death_test_style = "threadsafe"; + char dest[11]; + char src[10]; + memcpy(src, "0123456789", sizeof(src)); // src is not null terminated + ASSERT_EXIT(stpncpy(dest, src, sizeof(dest)), testing::KilledBySignal(SIGABRT), ""); +} + TEST(DEATHTEST, strncpy_fortified) { ::testing::FLAGS_gtest_death_test_style = "threadsafe"; char bufa[15]; @@ -568,6 +628,7 @@ TEST(DEATHTEST, strncpy_fortified) { ASSERT_EXIT(strncpy(bufb, bufa, n), testing::KilledBySignal(SIGABRT), ""); } + TEST(DEATHTEST, strncpy2_fortified) { ::testing::FLAGS_gtest_death_test_style = "threadsafe"; char dest[11]; @@ -790,6 +851,45 @@ TEST(TEST_NAME, strcat2) { ASSERT_EQ('\0', buf[9]); } +TEST(TEST_NAME, stpncpy) { + char src[10]; + char dst[10]; + memcpy(src, "0123456789", sizeof(src)); // non null terminated string + stpncpy(dst, src, sizeof(dst)); + ASSERT_EQ('0', dst[0]); + ASSERT_EQ('1', dst[1]); + ASSERT_EQ('2', dst[2]); + ASSERT_EQ('3', dst[3]); + ASSERT_EQ('4', dst[4]); + ASSERT_EQ('5', dst[5]); + ASSERT_EQ('6', dst[6]); + ASSERT_EQ('7', dst[7]); + ASSERT_EQ('8', dst[8]); + ASSERT_EQ('9', dst[9]); +} + +TEST(TEST_NAME, stpncpy2) { + char src[10]; + char dst[15]; + memcpy(src, "012345678\0", sizeof(src)); + stpncpy(dst, src, sizeof(dst)); + ASSERT_EQ('0', dst[0]); + ASSERT_EQ('1', dst[1]); + ASSERT_EQ('2', dst[2]); + ASSERT_EQ('3', dst[3]); + ASSERT_EQ('4', dst[4]); + ASSERT_EQ('5', dst[5]); + ASSERT_EQ('6', dst[6]); + ASSERT_EQ('7', dst[7]); + ASSERT_EQ('8', dst[8]); + ASSERT_EQ('\0', dst[9]); + ASSERT_EQ('\0', dst[10]); + ASSERT_EQ('\0', dst[11]); + ASSERT_EQ('\0', dst[12]); + ASSERT_EQ('\0', dst[13]); + ASSERT_EQ('\0', dst[14]); +} + TEST(TEST_NAME, strncpy) { char src[10]; char dst[10]; @@ -848,22 +948,22 @@ TEST(TEST_NAME, strcat_chk_max_int_size) { ASSERT_EQ('\0', buf[9]); } +extern "C" char* __stpcpy_chk(char*, const char*, size_t); + +TEST(TEST_NAME, stpcpy_chk_max_int_size) { + char buf[10]; + char* res = __stpcpy_chk(buf, "012345678", (size_t)-1); + ASSERT_EQ(buf + strlen("012345678"), res); + ASSERT_STREQ("012345678", buf); +} + extern "C" char* __strcpy_chk(char*, const char*, size_t); TEST(TEST_NAME, strcpy_chk_max_int_size) { char buf[10]; char* res = __strcpy_chk(buf, "012345678", (size_t)-1); ASSERT_EQ(buf, res); - ASSERT_EQ('0', buf[0]); - ASSERT_EQ('1', buf[1]); - ASSERT_EQ('2', buf[2]); - ASSERT_EQ('3', buf[3]); - ASSERT_EQ('4', buf[4]); - ASSERT_EQ('5', buf[5]); - ASSERT_EQ('6', buf[6]); - ASSERT_EQ('7', buf[7]); - ASSERT_EQ('8', buf[8]); - ASSERT_EQ('\0', buf[9]); + ASSERT_STREQ("012345678", buf); } extern "C" void* __memcpy_chk(void*, const void*, size_t, size_t); diff --git a/tests/string_test.cpp b/tests/string_test.cpp index c35976a..14b284e 100644 --- a/tests/string_test.cpp +++ b/tests/string_test.cpp @@ -222,7 +222,7 @@ TEST(string, strcat) { TEST(string, strcpy2) { char buf[1]; char* orig = strdup(""); - strcpy(buf, orig); + ASSERT_EQ(buf, strcpy(buf, orig)); ASSERT_EQ('\0', buf[0]); free(orig); } @@ -232,13 +232,8 @@ TEST(string, strcpy3) { char buf[10]; char* orig = strdup("12345"); memset(buf, 'A', sizeof(buf)); - strcpy(buf, orig); - ASSERT_EQ('1', buf[0]); - ASSERT_EQ('2', buf[1]); - ASSERT_EQ('3', buf[2]); - ASSERT_EQ('4', buf[3]); - ASSERT_EQ('5', buf[4]); - ASSERT_EQ('\0', buf[5]); + ASSERT_EQ(buf, strcpy(buf, orig)); + ASSERT_STREQ("12345", buf); ASSERT_EQ('A', buf[6]); ASSERT_EQ('A', buf[7]); ASSERT_EQ('A', buf[8]); @@ -251,17 +246,41 @@ TEST(string, strcpy4) { char buf[10]; char* orig = strdup("123456789"); memset(buf, 'A', sizeof(buf)); - strcpy(buf, orig); - ASSERT_EQ('1', buf[0]); - ASSERT_EQ('2', buf[1]); - ASSERT_EQ('3', buf[2]); - ASSERT_EQ('4', buf[3]); - ASSERT_EQ('5', buf[4]); - ASSERT_EQ('6', buf[5]); - ASSERT_EQ('7', buf[6]); - ASSERT_EQ('8', buf[7]); - ASSERT_EQ('9', buf[8]); - ASSERT_EQ('\0', buf[9]); + ASSERT_EQ(buf, strcpy(buf, orig)); + ASSERT_STREQ("123456789", buf); + free(orig); +} + +// one byte target with "\0" source +TEST(string, stpcpy2) { + char buf[1]; + char* orig = strdup(""); + ASSERT_EQ(buf, stpcpy(buf, orig)); + ASSERT_EQ('\0', buf[0]); + free(orig); +} + +// multibyte target where we under fill target +TEST(string, stpcpy3) { + char buf[10]; + char* orig = strdup("12345"); + memset(buf, 'A', sizeof(buf)); + ASSERT_EQ(buf+strlen(orig), stpcpy(buf, orig)); + ASSERT_STREQ("12345", buf); + ASSERT_EQ('A', buf[6]); + ASSERT_EQ('A', buf[7]); + ASSERT_EQ('A', buf[8]); + ASSERT_EQ('A', buf[9]); + free(orig); +} + +// multibyte target where we fill target exactly +TEST(string, stpcpy4) { + char buf[10]; + char* orig = strdup("123456789"); + memset(buf, 'A', sizeof(buf)); + ASSERT_EQ(buf+strlen(orig), stpcpy(buf, orig)); + ASSERT_STREQ("123456789", buf); free(orig); } @@ -272,13 +291,7 @@ TEST(string, strcat2) { buf[1] = '\0'; char* res = strcat(buf, "01234"); ASSERT_EQ(buf, res); - ASSERT_EQ('a', buf[0]); - ASSERT_EQ('0', buf[1]); - ASSERT_EQ('1', buf[2]); - ASSERT_EQ('2', buf[3]); - ASSERT_EQ('3', buf[4]); - ASSERT_EQ('4', buf[5]); - ASSERT_EQ('\0', buf[6]); + ASSERT_STREQ("a01234", buf); ASSERT_EQ('A', buf[7]); ASSERT_EQ('A', buf[8]); ASSERT_EQ('A', buf[9]); @@ -291,16 +304,7 @@ TEST(string, strcat3) { buf[1] = '\0'; char* res = strcat(buf, "01234567"); ASSERT_EQ(buf, res); - ASSERT_EQ('a', buf[0]); - ASSERT_EQ('0', buf[1]); - ASSERT_EQ('1', buf[2]); - ASSERT_EQ('2', buf[3]); - ASSERT_EQ('3', buf[4]); - ASSERT_EQ('4', buf[5]); - ASSERT_EQ('5', buf[6]); - ASSERT_EQ('6', buf[7]); - ASSERT_EQ('7', buf[8]); - ASSERT_EQ('\0', buf[9]); + ASSERT_STREQ("a01234567", buf); } TEST(string, strncat2) { @@ -310,13 +314,7 @@ TEST(string, strncat2) { buf[1] = '\0'; char* res = strncat(buf, "01234", sizeof(buf) - strlen(buf) - 1); ASSERT_EQ(buf, res); - ASSERT_EQ('a', buf[0]); - ASSERT_EQ('0', buf[1]); - ASSERT_EQ('1', buf[2]); - ASSERT_EQ('2', buf[3]); - ASSERT_EQ('3', buf[4]); - ASSERT_EQ('4', buf[5]); - ASSERT_EQ('\0', buf[6]); + ASSERT_STREQ("a01234", buf); ASSERT_EQ('A', buf[7]); ASSERT_EQ('A', buf[8]); ASSERT_EQ('A', buf[9]); @@ -329,13 +327,7 @@ TEST(string, strncat3) { buf[1] = '\0'; char* res = strncat(buf, "0123456789", 5); ASSERT_EQ(buf, res); - ASSERT_EQ('a', buf[0]); - ASSERT_EQ('0', buf[1]); - ASSERT_EQ('1', buf[2]); - ASSERT_EQ('2', buf[3]); - ASSERT_EQ('3', buf[4]); - ASSERT_EQ('4', buf[5]); - ASSERT_EQ('\0', buf[6]); + ASSERT_STREQ("a01234", buf); ASSERT_EQ('A', buf[7]); ASSERT_EQ('A', buf[8]); ASSERT_EQ('A', buf[9]); @@ -348,16 +340,7 @@ TEST(string, strncat4) { buf[1] = '\0'; char* res = strncat(buf, "01234567", 8); ASSERT_EQ(buf, res); - ASSERT_EQ('a', buf[0]); - ASSERT_EQ('0', buf[1]); - ASSERT_EQ('1', buf[2]); - ASSERT_EQ('2', buf[3]); - ASSERT_EQ('3', buf[4]); - ASSERT_EQ('4', buf[5]); - ASSERT_EQ('5', buf[6]); - ASSERT_EQ('6', buf[7]); - ASSERT_EQ('7', buf[8]); - ASSERT_EQ('\0', buf[9]); + ASSERT_STREQ("a01234567", buf); } TEST(string, strncat5) { @@ -367,16 +350,7 @@ TEST(string, strncat5) { buf[1] = '\0'; char* res = strncat(buf, "01234567", 9); ASSERT_EQ(buf, res); - ASSERT_EQ('a', buf[0]); - ASSERT_EQ('0', buf[1]); - ASSERT_EQ('1', buf[2]); - ASSERT_EQ('2', buf[3]); - ASSERT_EQ('3', buf[4]); - ASSERT_EQ('4', buf[5]); - ASSERT_EQ('5', buf[6]); - ASSERT_EQ('6', buf[7]); - ASSERT_EQ('7', buf[8]); - ASSERT_EQ('\0', buf[9]); + ASSERT_STREQ("a01234567", buf); } TEST(string, strchr_with_0) { @@ -456,6 +430,32 @@ TEST(string, strcmp) { } } +TEST(string, stpcpy) { + StringTestState state(SMALL); + for (size_t j = 0; j < POS_ITER; j++) { + state.NewIteration(); + + size_t pos = random() % state.MAX_LEN; + + memset(state.ptr1, '\2', pos); + state.ptr1[pos] = '\0'; + state.ptr1[state.MAX_LEN - 1] = '\0'; + + memcpy(state.ptr, state.ptr1, state.MAX_LEN); + + memset(state.ptr2, '\1', state.MAX_LEN); + state.ptr2[state.MAX_LEN - 1] = '\0'; + + memset(state.ptr + state.MAX_LEN, '\1', state.MAX_LEN); + memcpy(state.ptr + state.MAX_LEN, state.ptr1, pos + 1); + state.ptr[2 * state.MAX_LEN - 1] = '\0'; + + ASSERT_TRUE(stpcpy(state.ptr2, state.ptr1) == state.ptr2 + strlen(state.ptr1)); + ASSERT_FALSE((memcmp(state.ptr1, state.ptr, state.MAX_LEN)) != 0 || + (memcmp(state.ptr2, state.ptr + state.MAX_LEN, state.MAX_LEN) != 0)); + } +} + TEST(string, strcpy) { StringTestState state(SMALL); for (size_t j = 0; j < POS_ITER; j++) { @@ -482,7 +482,6 @@ TEST(string, strcpy) { } } - TEST(string, strlcat) { #if defined(__BIONIC__) StringTestState state(SMALL); @@ -614,30 +613,81 @@ TEST(string, strncmp) { } } -TEST(string, strncpy) { +TEST(string, stpncpy) { StringTestState state(SMALL); for (size_t j = 0; j < ITER; j++) { state.NewIteration(); - memset(state.ptr1, random() & 255, state.MAX_LEN); - state.ptr1[random () % state.MAX_LEN] = '\0'; + // Choose a random value to fill the string, except \0 (string terminator), + // or \1 (guarantees it's different from anything in ptr2). + memset(state.ptr1, (random() % 254) + 2, state.MAX_LEN); + // Choose a random size for our src buffer. + size_t ptr1_len = random() % state.MAX_LEN; + state.ptr1[ptr1_len] = '\0'; + // Copy ptr1 into ptr, used to verify that ptr1 does not get modified. memcpy(state.ptr, state.ptr1, state.MAX_LEN); + // Init ptr2 to a set value. + memset(state.ptr2, '\1', state.MAX_LEN); + // Choose a random amount of data to copy. + size_t copy_len = random() % state.MAX_LEN; + + // Set the second half of ptr to the expected pattern in ptr2. + memset(state.ptr + state.MAX_LEN, '\1', state.MAX_LEN); + memcpy(state.ptr + state.MAX_LEN, state.ptr1, copy_len); + size_t expected_end; + if (copy_len > ptr1_len) { + memset(state.ptr + state.MAX_LEN + ptr1_len, '\0', copy_len - ptr1_len); + expected_end = ptr1_len; + } else { + expected_end = copy_len; + } + + ASSERT_EQ(state.ptr2 + expected_end, stpncpy(state.ptr2, state.ptr1, copy_len)); + + // Verify ptr1 was not modified. + ASSERT_EQ(0, memcmp(state.ptr1, state.ptr, state.MAX_LEN)); + // Verify ptr2 contains the expected data. + ASSERT_EQ(0, memcmp(state.ptr2, state.ptr + state.MAX_LEN, state.MAX_LEN)); + } +} + +TEST(string, strncpy) { + StringTestState state(SMALL); + for (size_t j = 0; j < ITER; j++) { + state.NewIteration(); + + // Choose a random value to fill the string, except \0 (string terminator), + // or \1 (guarantees it's different from anything in ptr2). + memset(state.ptr1, (random() % 254) + 2, state.MAX_LEN); + // Choose a random size for our src buffer. + size_t ptr1_len = random() % state.MAX_LEN; + state.ptr1[ptr1_len] = '\0'; + // Copy ptr1 into ptr, used to verify that ptr1 does not get modified. + memcpy(state.ptr, state.ptr1, state.MAX_LEN); + // Init ptr2 to a set value. memset(state.ptr2, '\1', state.MAX_LEN); - size_t pos; - if (memchr(state.ptr1, 0, state.MAX_LEN)) { - pos = strlen(state.ptr1); + // Choose a random amount of data to copy. + size_t copy_len = random() % state.MAX_LEN; + + // Set the second half of ptr to the expected pattern in ptr2. + memset(state.ptr + state.MAX_LEN, '\1', state.MAX_LEN); + memcpy(state.ptr + state.MAX_LEN, state.ptr1, copy_len); + size_t expected_end; + if (copy_len > ptr1_len) { + memset(state.ptr + state.MAX_LEN + ptr1_len, '\0', copy_len - ptr1_len); + expected_end = ptr1_len; } else { - pos = state.MAX_LEN - 1; + expected_end = copy_len; } - memset(state.ptr + state.MAX_LEN, '\0', state.MAX_LEN); - memcpy(state.ptr + state.MAX_LEN, state.ptr1, pos + 1); + ASSERT_EQ(state.ptr2 + expected_end, stpncpy(state.ptr2, state.ptr1, copy_len)); - ASSERT_TRUE(strncpy(state.ptr2, state.ptr1, state.MAX_LEN) == state.ptr2); - ASSERT_FALSE(memcmp(state.ptr1, state.ptr, state.MAX_LEN) != 0 || - memcmp(state.ptr2, state.ptr + state.MAX_LEN, state.MAX_LEN) != 0); + // Verify ptr1 was not modified. + ASSERT_EQ(0, memcmp(state.ptr1, state.ptr, state.MAX_LEN)); + // Verify ptr2 contains the expected data. + ASSERT_EQ(0, memcmp(state.ptr2, state.ptr + state.MAX_LEN, state.MAX_LEN)); } } @@ -966,6 +1016,25 @@ TEST(string, strcpy_overread) { RunSrcDstBufferOverreadTest(DoStrcpyTest); } +static void DoStpcpyTest(uint8_t* src, uint8_t* dst, size_t len) { + if (len >= 1) { + memset(src, (32 + (len % 96)), len - 1); + src[len-1] = '\0'; + memset(dst, 0, len); + ASSERT_EQ(dst+len-1, reinterpret_cast(stpcpy(reinterpret_cast(dst), + reinterpret_cast(src)))); + ASSERT_TRUE(memcmp(src, dst, len) == 0); + } +} + +TEST(string, stpcpy_align) { + RunSrcDstBufferAlignTest(LARGE, DoStpcpyTest); +} + +TEST(string, stpcpy_overread) { + RunSrcDstBufferOverreadTest(DoStpcpyTest); +} + // Use our own incrementer to cut down on the total number of calls. static size_t LargeSetIncrement(size_t len) { if (len >= 4096) { -- cgit v1.1