History log of /bionic/tests/fortify_test.cpp
Revision Date Author Comments
42281880a8ac8614832ff918a14e4b950f35d05d 17-Apr-2015 Daniel Micay <danielmicay@gmail.com> add fortified readlink/readlinkat implementations

Change-Id: Ia4b1824d20cad3a072b9162047492dade8576779
e7e1c875b0f8eefb1d771f200a58f54e64c39d55 16-Apr-2015 Daniel Micay <danielmicay@gmail.com> add fortified implementations of pread/pread64

Change-Id: Iec39c3917e0bc94371bd81541619392f5abe29b9
f4fe6937aa5ac5a424b63bc68c5a953aaf46e1c6 04-Feb-2015 Yabin Cui <yabinc@google.com> Fix poll/ppoll fortify test to avoid hanging in failed fortify clang test.

Bug: 19220800
Change-Id: Ie75c640183c4a41a499556fefb4f824a134a5fb1
d036e94bb39a551768dc756a79366e6378fe95e3 02-Feb-2015 Elliott Hughes <enh@google.com> Explicitly check that the reason fortify tests abort is fortify.

Change-Id: I95291e2febf7b497c1d9f37fd7fa9acdd21e86a4
4674e3899afcc6b3ac8a48cdb716695d5489d26b 02-Feb-2015 Elliott Hughes <enh@google.com> Fortify poll and ppoll.

And remove the test for FD_ZERO fortification, which never made much
sense anyway.

Change-Id: Id1009c5298d461fa4722189e8ecaf22f0c529536
9df70403d95f5cfe6824e38a9a6c35f9b9bbc76a 06-Nov-2014 Yabin Cui <yabinc@google.com> make all bionic death tests not dumpable

Bug: 18067305

Change-Id: Ia1ecacf47eddecc9bc58aaac779e0c218f463179
884a3de60f442748a1d15c6a219f7058e03e38e2 06-Oct-2014 Nick Kralevich <nnk@google.com> Revert "cdefs.h: add artificial attribute to FORTIFY_SOURCE functions"

Broke the build.

In file included from frameworks/rs/cpu_ref/rsCpuCore.cpp:36:
system/core/include/cutils/properties.h:118:1: error: unknown attribute '__artificial__' ignored [-Werror,-Wunknown-attributes]
__BIONIC_FORTIFY_INLINE
^
bionic/libc/include/sys/cdefs.h:537:110: note: expanded from macro '__BIONIC_FORTIFY_INLINE'
#define __BIONIC_FORTIFY_INLINE extern __inline__ __always_inline __attribute__((gnu_inline)) __attribute__((__artificial__))
^
1 error generated.
make: *** [out/target/product/generic/obj/SHARED_LIBRARIES/libRSCpuRef_intermediates/rsCpuCore.o] Error 1

This reverts commit 9b543ffeac216189cc8125f7624da9a8cbcbe2e4.

Change-Id: I6a1198747505dcb402b722887c1bfbc3a628a8b8
9b543ffeac216189cc8125f7624da9a8cbcbe2e4 05-Oct-2014 Nick Kralevich <nnk@google.com> cdefs.h: add artificial attribute to FORTIFY_SOURCE functions

Otherwise the gcc compiler warning doesn't show up.

Delete some unittests. These unittests no longer compile cleanly
using -Wall -Werror, and rewriting them to compile cleanly
isn't feasible.

Bug: 17784968
Change-Id: I9bbdc7b6a1c2ac75754f5d0f90782e0dfae66721
92d8b2320a4c3911452227f560ae4a39e83b0abf 23-Jul-2014 Nick Kralevich <nnk@google.com> debuggerd: if PR_GET_DUMPABLE=0, don't ask for dumping

PR_GET_DUMPABLE is used by an application to indicate whether or
not core dumps / PTRACE_ATTACH should work.

Security sensitive applications often set PR_SET_DUMPABLE to 0 to
disable core dumps, to avoid leaking sensitive memory to persistent
storage. Similarly, they also set PR_SET_DUMPABLE to zero to prevent
PTRACE_ATTACH from working, again to avoid leaking the contents
of sensitive memory.

Honor PR_GET_DUMPABLE when connecting to debuggerd. If an application
has said it doesn't want its memory dumped, then we shouldn't
ask debuggerd to dump memory on its behalf.

FORTIFY_SOURCE tests: Modify the fortify_source tests to set
PR_SET_DUMPABLE=0. This reduces the total runtime of
/data/nativetest/bionic-unit-tests/bionic-unit-tests32 from approx
53 seconds to 25 seconds. There's no need to connect to debuggerd
when running these tests.

Bug: 16513137

(cherry picked from commit be0e43b77676338fd5e6a82c9cc2b6302d579de2)

Change-Id: I6e1a9bce564e94fc19893d639b15f38c549cabfa
1c5bb20b0d233183146ec8fc520e3b789cf843fb 23-Jul-2014 Nick Kralevich <nnk@google.com> debuggerd: if PR_GET_DUMPABLE=0, don't ask for dumping

PR_GET_DUMPABLE is used by an application to indicate whether or
not core dumps / PTRACE_ATTACH should work.

Security sensitive applications often set PR_SET_DUMPABLE to 0 to
disable core dumps, to avoid leaking sensitive memory to persistent
storage. Similarly, they also set PR_SET_DUMPABLE to zero to prevent
PTRACE_ATTACH from working, again to avoid leaking the contents
of sensitive memory.

Honor PR_GET_DUMPABLE when connecting to debuggerd. If an application
has said it doesn't want its memory dumped, then we shouldn't
ask debuggerd to dump memory on its behalf.

FORTIFY_SOURCE tests: Modify the fortify_source tests to set
PR_SET_DUMPABLE=0. This reduces the total runtime of
/data/nativetest/bionic-unit-tests/bionic-unit-tests32 from approx
53 seconds to 25 seconds. There's no need to connect to debuggerd
when running these tests.

Bug: 16513137

(cherry picked from commit be0e43b77676338fd5e6a82c9cc2b6302d579de2)

Change-Id: I1e2af2300db56e6c8e6f304a666e66f6904c2be6
be0e43b77676338fd5e6a82c9cc2b6302d579de2 23-Jul-2014 Nick Kralevich <nnk@google.com> debuggerd: if PR_GET_DUMPABLE=0, don't ask for dumping

PR_GET_DUMPABLE is used by an application to indicate whether or
not core dumps / PTRACE_ATTACH should work.

Security sensitive applications often set PR_SET_DUMPABLE to 0 to
disable core dumps, to avoid leaking sensitive memory to persistent
storage. Similarly, they also set PR_SET_DUMPABLE to zero to prevent
PTRACE_ATTACH from working, again to avoid leaking the contents
of sensitive memory.

Honor PR_GET_DUMPABLE when connecting to debuggerd. If an application
has said it doesn't want its memory dumped, then we shouldn't
ask debuggerd to dump memory on its behalf.

FORTIFY_SOURCE tests: Modify the fortify_source tests to set
PR_SET_DUMPABLE=0. This reduces the total runtime of
/data/nativetest/bionic-unit-tests/bionic-unit-tests32 from approx
53 seconds to 25 seconds. There's no need to connect to debuggerd
when running these tests.

Bug: 16513137
Change-Id: Idc7857b089f3545758f4d9b436b783d580fb653f
063525c61d24776094d76971f33920e2a2079530 13-May-2014 Elliott Hughes <enh@google.com> Consistently use #if defined(__BIONIC__) in tests.

I've also switched some tests to be positive rather than negative,
because !defined is slightly harder to reason about and there are
only two cases: bionic and glibc.

Change-Id: I8d3ac40420ca5aead3e88c69cf293f267273c8ef
409588cdae447a0e58bf136a9ea3a9b8d321fbf3 24-Apr-2014 Elliott Hughes <enh@google.com> Fix fallout from host GCC upgrade.

I'll raise a bug for the FD_ISSET fortification; we should do better too.

Change-Id: Id2bf277890ad06b010dc952e270d746714c2bea7
950a58e24d1019eb9d814dbb16f111a6b61e3f23 04-Apr-2014 Christopher Ferris <cferris@google.com> Add stpcpy/stpncpy.

Add tests for the above.

Add the fortify implementations of __stpcpy_chk and __stpncpy_chk.

Modify the strncpy test to cover more cases and use this template for
stpncpy.

Add all of the fortify test cases.

Bug: 13746695
Change-Id: I8c0f0d4991a878b8e8734fff12c8b73b07fdd344
f04935c85e0b466f0d30d2cd4c0fa2fff62e7d6d 21-Dec-2013 Christopher Ferris <cferris@google.com> Make sure that the same tests are on all platforms.

In order to be able to generate a list of tests for cts, the same set of
tests must exist across all platforms. This CL adds empty tests where a
test was conditionally compiled out.

This CL creates a single library libBionicTests that includes all of
the tests found in bionic-unit-tests-static.

Also fix a few missing include files in some test files.

Tested by running and compiling the tests for every platform and
verifying the same number of tests are on each platform.

Change-Id: I9989d4bfebb0f9c409a0ce7e87169299eac605a2
6e38072addd556e3894284b5bd040ac64fffa72e 11-Oct-2013 Stephen Hines <srhines@google.com> Wrap sprintf()/snprintf() macros to prevent expansion errors.

Previously, FORTIFY_SOURCE used single macros to define these standard
functions for use with clang. This can cause conflicts with other macros used
to call these functions, particularly when those macros expand the number of
arguments to the function. This change wraps our macro definitions, so that
expansion properly takes place for programmer arguments first.

Change-Id: I55929b1fd2a643b9d14a17631c4bcab3b0b712cf
b036b5ca36c1e12b075909b3eca6eab73ee611cf 10-Oct-2013 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: fortify read()

Change-Id: Ic7de163fe121db13e00560adb257331bc709814d
8d2532763981d132b02df157e4cc363c39330090 10-Oct-2013 Nick Kralevich <nnk@google.com> Revert "FORTIFY_SOURCE: fortify read()"

This change reverts
* fb3f956d075676c0438f2ee2bf3a5be659dfc04b.
* 65c99de2cb7a569ea17ca35e2f8f1e033421864b

Change-Id: Id5774eeede41130579115cf67a72ee914f2b47d5
65c99de2cb7a569ea17ca35e2f8f1e033421864b 09-Oct-2013 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: fortify read()

Change-Id: I3d7b4ec86d04efb865117ce7629a2e26917f3331
7943df62f70f686b0c77532f6617b47255d75763 03-Oct-2013 Nick Kralevich <nnk@google.com> Check memory size on FD_* functions

Make sure the buffer we're dealing with has enough room.
Might as well check for memory issues while we're here,
even though I don't imagine they'll happen in practice.

Change-Id: I0ae1f0f06aca9ceb91e58c70183bb14e275b92b5
5b9310e502003e584bcb3a028ca3db7aa4d3f01b 03-Oct-2013 Elliott Hughes <enh@google.com> Fix 32-bit issues in tests, and add a trivial test for the FD_* macros.

Change-Id: Ia3f21ce1f0ed9236527fe44d36ccb7de6bf63113
90201d5eca050414d50a433866ccb580415bb0d4 03-Oct-2013 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: Add __FD_* checks

Add FORTIFY_SOURCE checks for the following macros:

* FD_CLR
* FD_ISSET
* FD_SET

Bug: 11047121
Change-Id: I3c5952136aec9eff3288b91b1318677ff971525c
b91791d71c58d14309cd4d842d222f5d36b3a5a8 02-Oct-2013 Nick Kralevich <nnk@google.com> Use alloc_size attribute on *alloc functions

malloc and family were not declared with __attribute__((alloc_size)).
This was (sometimes) preventing FORTIFY_SOURCE related functions
from knowing the size of the buffer it's dealing with, inhibiting
FORTIFY_SOURCE protections.

Add __attribute__((alloc_size))

Information about the alloc_size attribute can be found
at http://gcc.gnu.org/onlinedocs/gcc/Function-Attributes.html

Change-Id: Ia2f0a445f0170a7325f69259b5e7fb35a9f14921
60f4f9a5b99a0a66817f50edfc2194a49f8b5146 25-Sep-2013 Nick Kralevich <nnk@google.com> libc: fortify recvfrom()

Fortify calls to recv() and recvfrom().

We use __bos0 to match glibc's behavior, and because I haven't
tested using __bos.

Change-Id: Iad6ae96551a89af17a9c347b80cdefcf2020c505
16e185c9081530859c17270fbaf5798f0ea871f8 11-Sep-2013 Christopher Ferris <cferris@google.com> __memcpy_chk: Fix signed cmp of unsigned values.

I accidentally did a signed comparison of the size_t values passed in
for three of the _chk functions. Changing them to unsigned compares.

Add three new tests to verify this failure is fixed.

Bug: 10691831

Merge from internal master.

(cherry-picked from 883ef2499c2ff76605f73b1240f719ca6282e554)

Change-Id: Id9a96b549435f5d9b61dc132cf1082e0e30889f5
883ef2499c2ff76605f73b1240f719ca6282e554 11-Sep-2013 Christopher Ferris <cferris@google.com> __memcpy_chk: Fix signed cmp of unsigned values.

I accidentally did a signed comparison of the size_t values passed in
for three of the _chk functions. Changing them to unsigned compares.

Add three new tests to verify this failure is fixed.

Bug: 10691831
Change-Id: Ia831071f7dffd5972a748d888dd506c7cc7ddba3
93501d3ab81156bcef251bb817a49e9ca46a6ec1 28-Aug-2013 Nick Kralevich <nnk@google.com> FORTIFY_SOURCE: introduce __strncpy_chk2

This change detects programs reading beyond the end of "src" when
calling strncpy.

Change-Id: Ie1b42de923385d62552b22c27b2d4713ab77ee03
a6cde392765eb955cb4be5faa6ee62dcf77e8aa5 29-Jun-2013 Nick Kralevich <nnk@google.com> More FORTIFY_SOURCE functions under clang

* bzero
* umask
* strlcat

Change-Id: I65065208e0b8b37e10f6a266d5305de8fa9e59fc
5bcf39842e8c4b02ae557a2765a84e724f762469 28-Jun-2013 Nick Kralevich <nnk@google.com> Reorganize FORTIFY_SOURCE tests.

Get rid of a lot of the duplication in the various FORTIFY_SOURCE
tests. Instead, we build 4 separate static libraries, with
4 different compile time options, and link them into the final test
binary.

Change-Id: Idb0b7cccc8dd837adb037bf4ddfe8942ae138230