1 // SPDX-License-Identifier: GPL-2.0
3 * Runtime test cases for CONFIG_FORTIFY_SOURCE. For additional memcpy()
4 * testing see FORTIFY_MEM_* tests in LKDTM (drivers/misc/lkdtm/fortify.c).
6 * For corner cases with UBSAN, try testing with:
8 * ./tools/testing/kunit/kunit.py run --arch=x86_64 \
9 * --kconfig_add CONFIG_FORTIFY_SOURCE=y \
10 * --kconfig_add CONFIG_UBSAN=y \
11 * --kconfig_add CONFIG_UBSAN_TRAP=y \
12 * --kconfig_add CONFIG_UBSAN_BOUNDS=y \
13 * --kconfig_add CONFIG_UBSAN_LOCAL_BOUNDS=y \
14 * --make_options LLVM=1 fortify
16 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18 /* We don't need to fill dmesg with the fortify WARNs during testing. */
20 # define FORTIFY_REPORT_KUNIT(x...) __fortify_report(x)
21 # define FORTIFY_WARN_KUNIT(x...) WARN_ONCE(x)
23 # define FORTIFY_REPORT_KUNIT(x...) do { } while (0)
24 # define FORTIFY_WARN_KUNIT(x...) do { } while (0)
27 /* Redefine fortify_panic() to track failures. */
28 void fortify_add_kunit_error(int write);
29 #define fortify_panic(func, write, avail, size, retfail) do { \
30 FORTIFY_REPORT_KUNIT(FORTIFY_REASON(func, write), avail, size); \
31 fortify_add_kunit_error(write); \
35 /* Redefine fortify_warn_once() to track memcpy() failures. */
36 #define fortify_warn_once(chk_func, x...) do { \
37 bool __result = chk_func; \
38 FORTIFY_WARN_KUNIT(__result, x); \
40 fortify_add_kunit_error(1); \
43 #include <kunit/device.h>
44 #include <kunit/test.h>
45 #include <kunit/test-bug.h>
46 #include <linux/device.h>
47 #include <linux/slab.h>
48 #include <linux/string.h>
49 #include <linux/vmalloc.h>
51 /* Handle being built without CONFIG_FORTIFY_SOURCE */
52 #ifndef __compiletime_strlen
53 # define __compiletime_strlen __builtin_strlen
56 static struct kunit_resource read_resource;
57 static struct kunit_resource write_resource;
58 static int fortify_read_overflows;
59 static int fortify_write_overflows;
61 static const char array_of_10[] = "this is 10";
62 static const char *ptr_of_11 = "this is 11!";
63 static char array_unknown[] = "compiler thinks I might change";
65 void fortify_add_kunit_error(int write)
67 struct kunit_resource *resource;
68 struct kunit *current_test;
70 current_test = kunit_get_current_test();
74 resource = kunit_find_named_resource(current_test,
75 write ? "fortify_write_overflows"
76 : "fortify_read_overflows");
80 (*(int *)resource->data)++;
81 kunit_put_resource(resource);
84 static void fortify_test_known_sizes(struct kunit *test)
86 KUNIT_EXPECT_EQ(test, __compiletime_strlen("88888888"), 8);
87 KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_of_10), 10);
88 KUNIT_EXPECT_EQ(test, __compiletime_strlen(ptr_of_11), 11);
90 KUNIT_EXPECT_EQ(test, __compiletime_strlen(array_unknown), SIZE_MAX);
91 /* Externally defined and dynamically sized string pointer: */
92 KUNIT_EXPECT_EQ(test, __compiletime_strlen(test->name), SIZE_MAX);
95 /* This is volatile so the optimizer can't perform DCE below. */
96 static volatile int pick;
98 /* Not inline to keep optimizer from figuring out which string we want. */
99 static noinline size_t want_minus_one(int pick)
114 return __compiletime_strlen(str);
117 static void fortify_test_control_flow_split(struct kunit *test)
119 KUNIT_EXPECT_EQ(test, want_minus_one(pick), SIZE_MAX);
122 #define KUNIT_EXPECT_BOS(test, p, expected, name) \
123 KUNIT_EXPECT_EQ_MSG(test, __builtin_object_size(p, 1), \
125 "__alloc_size() not working with __bos on " name "\n")
127 #if !__has_builtin(__builtin_dynamic_object_size)
128 #define KUNIT_EXPECT_BDOS(test, p, expected, name) \
129 /* Silence "unused variable 'expected'" warning. */ \
130 KUNIT_EXPECT_EQ(test, expected, expected)
132 #define KUNIT_EXPECT_BDOS(test, p, expected, name) \
133 KUNIT_EXPECT_EQ_MSG(test, __builtin_dynamic_object_size(p, 1), \
135 "__alloc_size() not working with __bdos on " name "\n")
138 /* If the execpted size is a constant value, __bos can see it. */
139 #define check_const(_expected, alloc, free) do { \
140 size_t expected = (_expected); \
142 KUNIT_EXPECT_TRUE_MSG(test, p != NULL, #alloc " failed?!\n"); \
143 KUNIT_EXPECT_BOS(test, p, expected, #alloc); \
144 KUNIT_EXPECT_BDOS(test, p, expected, #alloc); \
148 /* If the execpted size is NOT a constant value, __bos CANNOT see it. */
149 #define check_dynamic(_expected, alloc, free) do { \
150 size_t expected = (_expected); \
152 KUNIT_EXPECT_TRUE_MSG(test, p != NULL, #alloc " failed?!\n"); \
153 KUNIT_EXPECT_BOS(test, p, SIZE_MAX, #alloc); \
154 KUNIT_EXPECT_BDOS(test, p, expected, #alloc); \
158 /* Assortment of constant-value kinda-edge cases. */
159 #define CONST_TEST_BODY(TEST_alloc) do { \
160 /* Special-case vmalloc()-family to skip 0-sized allocs. */ \
161 if (strcmp(#TEST_alloc, "TEST_vmalloc") != 0) \
162 TEST_alloc(check_const, 0, 0); \
163 TEST_alloc(check_const, 1, 1); \
164 TEST_alloc(check_const, 128, 128); \
165 TEST_alloc(check_const, 1023, 1023); \
166 TEST_alloc(check_const, 1025, 1025); \
167 TEST_alloc(check_const, 4096, 4096); \
168 TEST_alloc(check_const, 4097, 4097); \
171 static volatile size_t zero_size;
172 static volatile size_t unknown_size = 50;
174 #if !__has_builtin(__builtin_dynamic_object_size)
175 #define DYNAMIC_TEST_BODY(TEST_alloc) \
176 kunit_skip(test, "Compiler is missing __builtin_dynamic_object_size() support\n")
178 #define DYNAMIC_TEST_BODY(TEST_alloc) do { \
179 size_t size = unknown_size; \
182 * Expected size is "size" in each test, before it is then \
183 * internally incremented in each test. Requires we disable \
186 TEST_alloc(check_dynamic, size, size++); \
187 /* Make sure incrementing actually happened. */ \
188 KUNIT_EXPECT_NE(test, size, unknown_size); \
192 #define DEFINE_ALLOC_SIZE_TEST_PAIR(allocator) \
193 static void fortify_test_alloc_size_##allocator##_const(struct kunit *test) \
195 CONST_TEST_BODY(TEST_##allocator); \
197 static void fortify_test_alloc_size_##allocator##_dynamic(struct kunit *test) \
199 DYNAMIC_TEST_BODY(TEST_##allocator); \
202 #define TEST_kmalloc(checker, expected_size, alloc_size) do { \
203 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
207 checker(expected_size, kmalloc(alloc_size, gfp), \
209 checker(expected_size, \
210 kmalloc_node(alloc_size, gfp, NUMA_NO_NODE), \
212 checker(expected_size, kzalloc(alloc_size, gfp), \
214 checker(expected_size, \
215 kzalloc_node(alloc_size, gfp, NUMA_NO_NODE), \
217 checker(expected_size, kcalloc(1, alloc_size, gfp), \
219 checker(expected_size, kcalloc(alloc_size, 1, gfp), \
221 checker(expected_size, \
222 kcalloc_node(1, alloc_size, gfp, NUMA_NO_NODE), \
224 checker(expected_size, \
225 kcalloc_node(alloc_size, 1, gfp, NUMA_NO_NODE), \
227 checker(expected_size, kmalloc_array(1, alloc_size, gfp), \
229 checker(expected_size, kmalloc_array(alloc_size, 1, gfp), \
231 checker(expected_size, \
232 kmalloc_array_node(1, alloc_size, gfp, NUMA_NO_NODE), \
234 checker(expected_size, \
235 kmalloc_array_node(alloc_size, 1, gfp, NUMA_NO_NODE), \
237 checker(expected_size, __kmalloc(alloc_size, gfp), \
240 orig = kmalloc(alloc_size, gfp); \
241 KUNIT_EXPECT_TRUE(test, orig != NULL); \
242 checker((expected_size) * 2, \
243 krealloc(orig, (alloc_size) * 2, gfp), \
245 orig = kmalloc(alloc_size, gfp); \
246 KUNIT_EXPECT_TRUE(test, orig != NULL); \
247 checker((expected_size) * 2, \
248 krealloc_array(orig, 1, (alloc_size) * 2, gfp), \
250 orig = kmalloc(alloc_size, gfp); \
251 KUNIT_EXPECT_TRUE(test, orig != NULL); \
252 checker((expected_size) * 2, \
253 krealloc_array(orig, (alloc_size) * 2, 1, gfp), \
257 /* Using memdup() with fixed size, so force unknown length. */ \
258 if (!__builtin_constant_p(expected_size)) \
260 checker(len, kmemdup("hello there", len, gfp), kfree(p)); \
262 DEFINE_ALLOC_SIZE_TEST_PAIR(kmalloc)
264 /* Sizes are in pages, not bytes. */
265 #define TEST_vmalloc(checker, expected_pages, alloc_pages) do { \
266 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
267 checker((expected_pages) * PAGE_SIZE, \
268 vmalloc((alloc_pages) * PAGE_SIZE), vfree(p)); \
269 checker((expected_pages) * PAGE_SIZE, \
270 vzalloc((alloc_pages) * PAGE_SIZE), vfree(p)); \
271 checker((expected_pages) * PAGE_SIZE, \
272 __vmalloc((alloc_pages) * PAGE_SIZE, gfp), vfree(p)); \
274 DEFINE_ALLOC_SIZE_TEST_PAIR(vmalloc)
276 /* Sizes are in pages (and open-coded for side-effects), not bytes. */
277 #define TEST_kvmalloc(checker, expected_pages, alloc_pages) do { \
278 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
282 checker((expected_pages) * PAGE_SIZE, \
283 kvmalloc((alloc_pages) * PAGE_SIZE, gfp), \
285 checker((expected_pages) * PAGE_SIZE, \
286 kvmalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \
288 checker((expected_pages) * PAGE_SIZE, \
289 kvzalloc((alloc_pages) * PAGE_SIZE, gfp), \
291 checker((expected_pages) * PAGE_SIZE, \
292 kvzalloc_node((alloc_pages) * PAGE_SIZE, gfp, NUMA_NO_NODE), \
294 checker((expected_pages) * PAGE_SIZE, \
295 kvcalloc(1, (alloc_pages) * PAGE_SIZE, gfp), \
297 checker((expected_pages) * PAGE_SIZE, \
298 kvcalloc((alloc_pages) * PAGE_SIZE, 1, gfp), \
300 checker((expected_pages) * PAGE_SIZE, \
301 kvmalloc_array(1, (alloc_pages) * PAGE_SIZE, gfp), \
303 checker((expected_pages) * PAGE_SIZE, \
304 kvmalloc_array((alloc_pages) * PAGE_SIZE, 1, gfp), \
307 prev_size = (expected_pages) * PAGE_SIZE; \
308 orig = kvmalloc(prev_size, gfp); \
309 KUNIT_EXPECT_TRUE(test, orig != NULL); \
310 checker(((expected_pages) * PAGE_SIZE) * 2, \
311 kvrealloc(orig, prev_size, \
312 ((alloc_pages) * PAGE_SIZE) * 2, gfp), \
315 DEFINE_ALLOC_SIZE_TEST_PAIR(kvmalloc)
317 #define TEST_devm_kmalloc(checker, expected_size, alloc_size) do { \
318 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN; \
319 const char dev_name[] = "fortify-test"; \
320 struct device *dev; \
324 /* Create dummy device for devm_kmalloc()-family tests. */ \
325 dev = kunit_device_register(test, dev_name); \
326 KUNIT_ASSERT_FALSE_MSG(test, IS_ERR(dev), \
327 "Cannot register test device\n"); \
329 checker(expected_size, devm_kmalloc(dev, alloc_size, gfp), \
330 devm_kfree(dev, p)); \
331 checker(expected_size, devm_kzalloc(dev, alloc_size, gfp), \
332 devm_kfree(dev, p)); \
333 checker(expected_size, \
334 devm_kmalloc_array(dev, 1, alloc_size, gfp), \
335 devm_kfree(dev, p)); \
336 checker(expected_size, \
337 devm_kmalloc_array(dev, alloc_size, 1, gfp), \
338 devm_kfree(dev, p)); \
339 checker(expected_size, \
340 devm_kcalloc(dev, 1, alloc_size, gfp), \
341 devm_kfree(dev, p)); \
342 checker(expected_size, \
343 devm_kcalloc(dev, alloc_size, 1, gfp), \
344 devm_kfree(dev, p)); \
346 orig = devm_kmalloc(dev, alloc_size, gfp); \
347 KUNIT_EXPECT_TRUE(test, orig != NULL); \
348 checker((expected_size) * 2, \
349 devm_krealloc(dev, orig, (alloc_size) * 2, gfp), \
350 devm_kfree(dev, p)); \
353 /* Using memdup() with fixed size, so force unknown length. */ \
354 if (!__builtin_constant_p(expected_size)) \
356 checker(len, devm_kmemdup(dev, "Ohai", len, gfp), \
357 devm_kfree(dev, p)); \
359 kunit_device_unregister(test, dev); \
361 DEFINE_ALLOC_SIZE_TEST_PAIR(devm_kmalloc)
363 static const char * const test_strs[] = {
366 "A longer string, just for variety",
369 #define TEST_realloc(checker) do { \
370 gfp_t gfp = GFP_KERNEL; \
374 for (i = 0; i < ARRAY_SIZE(test_strs); i++) { \
375 len = strlen(test_strs[i]); \
376 KUNIT_EXPECT_EQ(test, __builtin_constant_p(len), 0); \
377 checker(len, kmemdup_array(test_strs[i], 1, len, gfp), \
379 checker(len, kmemdup(test_strs[i], len, gfp), \
383 static void fortify_test_realloc_size(struct kunit *test)
385 TEST_realloc(check_dynamic);
389 * We can't have an array at the end of a structure or else
390 * builds without -fstrict-flex-arrays=3 will report them as
391 * being an unknown length. Additionally, add bytes before
392 * and after the string to catch over/underflows if tests
395 struct fortify_padding {
396 unsigned long bytes_before;
398 unsigned long bytes_after;
400 /* Force compiler into not being able to resolve size at compile-time. */
401 static volatile int unconst;
403 static void fortify_test_strlen(struct kunit *test)
405 struct fortify_padding pad = { };
406 int i, end = sizeof(pad.buf) - 1;
408 /* Fill 31 bytes with valid characters. */
409 for (i = 0; i < sizeof(pad.buf) - 1; i++)
410 pad.buf[i] = i + '0';
411 /* Trailing bytes are still %NUL. */
412 KUNIT_EXPECT_EQ(test, pad.buf[end], '\0');
413 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
415 /* String is terminated, so strlen() is valid. */
416 KUNIT_EXPECT_EQ(test, strlen(pad.buf), end);
417 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
419 /* Make string unterminated, and recount. */
421 end = sizeof(pad.buf);
422 KUNIT_EXPECT_EQ(test, strlen(pad.buf), end);
423 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
426 static void fortify_test_strnlen(struct kunit *test)
428 struct fortify_padding pad = { };
429 int i, end = sizeof(pad.buf) - 1;
431 /* Fill 31 bytes with valid characters. */
432 for (i = 0; i < sizeof(pad.buf) - 1; i++)
433 pad.buf[i] = i + '0';
434 /* Trailing bytes are still %NUL. */
435 KUNIT_EXPECT_EQ(test, pad.buf[end], '\0');
436 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
438 /* String is terminated, so strnlen() is valid. */
439 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf)), end);
440 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
441 /* A truncated strnlen() will be safe, too. */
442 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, sizeof(pad.buf) / 2),
443 sizeof(pad.buf) / 2);
444 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
446 /* Make string unterminated, and recount. */
448 end = sizeof(pad.buf);
449 /* Reading beyond with strncpy() will fail. */
450 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 1), end);
451 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
452 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end + 2), end);
453 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
455 /* Early-truncated is safe still, though. */
456 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end);
457 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
459 end = sizeof(pad.buf) / 2;
460 KUNIT_EXPECT_EQ(test, strnlen(pad.buf, end), end);
461 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
464 static void fortify_test_strcpy(struct kunit *test)
466 struct fortify_padding pad = { };
467 char src[sizeof(pad.buf) + 1] = { };
470 /* Fill 31 bytes with valid characters. */
471 for (i = 0; i < sizeof(src) - 2; i++)
474 /* Destination is %NUL-filled to start with. */
475 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
476 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
477 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
478 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
479 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
481 /* Legitimate strcpy() 1 less than of max size. */
482 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
484 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
485 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
486 /* Only last byte should be %NUL */
487 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
488 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
489 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
491 src[sizeof(src) - 2] = 'A';
492 /* But now we trip the overflow checking. */
493 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
495 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
496 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
497 /* Trailing %NUL -- thanks to FORTIFY. */
498 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
499 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
500 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
501 /* And we will not have gone beyond. */
502 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
504 src[sizeof(src) - 1] = 'A';
505 /* And for sure now, two bytes past. */
506 KUNIT_ASSERT_TRUE(test, strcpy(pad.buf, src)
509 * Which trips both the strlen() on the unterminated src,
510 * and the resulting copy attempt.
512 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
513 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
514 /* Trailing %NUL -- thanks to FORTIFY. */
515 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
516 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
517 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
518 /* And we will not have gone beyond. */
519 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
522 static void fortify_test_strncpy(struct kunit *test)
524 struct fortify_padding pad = { };
525 char src[] = "Copy me fully into a small buffer and I will overflow!";
527 /* Destination is %NUL-filled to start with. */
528 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
529 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
530 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
531 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
532 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
534 /* Legitimate strncpy() 1 less than of max size. */
535 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
536 sizeof(pad.buf) + unconst - 1)
538 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
539 /* Only last byte should be %NUL */
540 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
541 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
542 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
544 /* Legitimate (though unterminated) max-size strncpy. */
545 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
546 sizeof(pad.buf) + unconst)
548 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
549 /* No trailing %NUL -- thanks strncpy API. */
550 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
551 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
552 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
553 /* But we will not have gone beyond. */
554 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
556 /* Now verify that FORTIFY is working... */
557 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
558 sizeof(pad.buf) + unconst + 1)
560 /* Should catch the overflow. */
561 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
562 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
563 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
564 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
565 /* And we will not have gone beyond. */
566 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
569 KUNIT_ASSERT_TRUE(test, strncpy(pad.buf, src,
570 sizeof(pad.buf) + unconst + 2)
572 /* Should catch the overflow. */
573 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
574 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
575 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
576 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
577 /* And we will not have gone beyond. */
578 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
581 static void fortify_test_strscpy(struct kunit *test)
583 struct fortify_padding pad = { };
584 char src[] = "Copy me fully into a small buffer and I will overflow!";
586 /* Destination is %NUL-filled to start with. */
587 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
588 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
589 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
590 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
591 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
593 /* Legitimate strscpy() 1 less than of max size. */
594 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
595 sizeof(pad.buf) + unconst - 1),
597 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
598 /* Keeping space for %NUL, last two bytes should be %NUL */
599 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
600 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
601 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
603 /* Legitimate max-size strscpy. */
604 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
605 sizeof(pad.buf) + unconst),
607 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
608 /* A trailing %NUL will exist. */
609 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
610 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
611 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
613 /* Now verify that FORTIFY is working... */
614 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
615 sizeof(pad.buf) + unconst + 1),
617 /* Should catch the overflow. */
618 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
619 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
620 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
621 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
622 /* And we will not have gone beyond. */
623 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
625 /* And much further... */
626 KUNIT_ASSERT_EQ(test, strscpy(pad.buf, src,
627 sizeof(src) * 2 + unconst),
629 /* Should catch the overflow. */
630 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
631 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
632 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
633 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
634 /* And we will not have gone beyond. */
635 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
638 static void fortify_test_strcat(struct kunit *test)
640 struct fortify_padding pad = { };
641 char src[sizeof(pad.buf) / 2] = { };
646 /* Fill 15 bytes with valid characters. */
647 for (i = 0; i < sizeof(src) - 1; i++)
650 /* Destination is %NUL-filled to start with. */
651 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
652 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
653 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
654 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
655 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
657 /* Legitimate strcat() using less than half max size. */
658 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, src) == pad.buf);
659 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
660 /* Legitimate strcat() now 2 bytes shy of end. */
661 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, src) == pad.buf);
662 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
663 /* Last two bytes should be %NUL */
664 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
665 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
666 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
668 /* Add one more character to the end. */
669 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, one) == pad.buf);
670 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
671 /* Last byte should be %NUL */
672 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
673 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
674 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
676 /* And this one char will overflow. */
677 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, one) == pad.buf);
678 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
679 /* Last byte should be %NUL thanks to FORTIFY. */
680 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
681 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
682 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
683 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
685 /* And adding two will overflow more. */
686 KUNIT_ASSERT_TRUE(test, strcat(pad.buf, two) == pad.buf);
687 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
688 /* Last byte should be %NUL thanks to FORTIFY. */
689 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
690 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
691 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
692 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
695 static void fortify_test_strncat(struct kunit *test)
697 struct fortify_padding pad = { };
698 char src[sizeof(pad.buf)] = { };
701 /* Fill 31 bytes with valid characters. */
702 partial = sizeof(src) / 2 - 1;
703 for (i = 0; i < partial; i++)
706 /* Destination is %NUL-filled to start with. */
707 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
708 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
709 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
710 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
711 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
713 /* Legitimate strncat() using less than half max size. */
714 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, partial) == pad.buf);
715 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
716 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
717 /* Legitimate strncat() now 2 bytes shy of end. */
718 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, partial) == pad.buf);
719 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
720 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
721 /* Last two bytes should be %NUL */
722 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
723 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
724 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
726 /* Add one more character to the end. */
727 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf);
728 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
729 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
730 /* Last byte should be %NUL */
731 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
732 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
733 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
735 /* And this one char will overflow. */
736 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf);
737 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
738 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
739 /* Last byte should be %NUL thanks to FORTIFY. */
740 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
741 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
742 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
743 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
745 /* And adding two will overflow more. */
746 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 2) == pad.buf);
747 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
748 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
749 /* Last byte should be %NUL thanks to FORTIFY. */
750 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
751 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
752 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
753 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
755 /* Force an unterminated destination, and overflow. */
756 pad.buf[sizeof(pad.buf) - 1] = 'A';
757 KUNIT_ASSERT_TRUE(test, strncat(pad.buf, src, 1) == pad.buf);
758 /* This will have tripped both strlen() and strcat(). */
759 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
760 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 3);
761 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
762 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
763 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
764 /* But we should not go beyond the end. */
765 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
768 static void fortify_test_strlcat(struct kunit *test)
770 struct fortify_padding pad = { };
771 char src[sizeof(pad.buf)] = { };
773 int len = sizeof(pad.buf) + unconst;
775 /* Fill 15 bytes with valid characters. */
776 partial = sizeof(src) / 2 - 1;
777 for (i = 0; i < partial; i++)
780 /* Destination is %NUL-filled to start with. */
781 KUNIT_EXPECT_EQ(test, pad.bytes_before, 0);
782 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
783 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
784 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 3], '\0');
785 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
787 /* Legitimate strlcat() using less than half max size. */
788 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len), partial);
789 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
790 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
791 /* Legitimate strlcat() now 2 bytes shy of end. */
792 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len), partial * 2);
793 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
794 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
795 /* Last two bytes should be %NUL */
796 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
797 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 2], '\0');
798 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
800 /* Add one more character to the end. */
801 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "Q", len), partial * 2 + 1);
802 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
803 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0);
804 /* Last byte should be %NUL */
805 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
806 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
807 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
809 /* And this one char will overflow. */
810 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "V", len * 2), len);
811 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
812 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1);
813 /* Last byte should be %NUL thanks to FORTIFY. */
814 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
815 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
816 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
817 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
819 /* And adding two will overflow more. */
820 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "QQ", len * 2), len + 1);
821 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
822 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
823 /* Last byte should be %NUL thanks to FORTIFY. */
824 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
825 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
826 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
827 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
829 /* Force an unterminated destination, and overflow. */
830 pad.buf[sizeof(pad.buf) - 1] = 'A';
831 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, "TT", len * 2), len + 2);
832 /* This will have tripped both strlen() and strlcat(). */
833 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
834 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2);
835 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 1], '\0');
836 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 2], '\0');
837 KUNIT_EXPECT_NE(test, pad.buf[sizeof(pad.buf) - 3], '\0');
838 /* But we should not go beyond the end. */
839 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
841 /* Force an unterminated source, and overflow. */
842 memset(src, 'B', sizeof(src));
843 pad.buf[sizeof(pad.buf) - 1] = '\0';
844 KUNIT_ASSERT_EQ(test, strlcat(pad.buf, src, len * 3), len - 1 + sizeof(src));
845 /* This will have tripped both strlen() and strlcat(). */
846 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3);
847 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 3);
848 KUNIT_EXPECT_EQ(test, pad.buf[sizeof(pad.buf) - 1], '\0');
849 /* But we should not go beyond the end. */
850 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0);
853 /* Check for 0-sized arrays... */
854 struct fortify_zero_sized {
855 unsigned long bytes_before;
857 unsigned long bytes_after;
860 #define __fortify_test(memfunc) \
861 static void fortify_test_##memfunc(struct kunit *test) \
863 struct fortify_zero_sized zero = { }; \
864 struct fortify_padding pad = { }; \
865 char srcA[sizeof(pad.buf) + 2]; \
866 char srcB[sizeof(pad.buf) + 2]; \
867 size_t len = sizeof(pad.buf) + unconst; \
869 memset(srcA, 'A', sizeof(srcA)); \
870 KUNIT_ASSERT_EQ(test, srcA[0], 'A'); \
871 memset(srcB, 'B', sizeof(srcB)); \
872 KUNIT_ASSERT_EQ(test, srcB[0], 'B'); \
874 memfunc(pad.buf, srcA, 0 + unconst); \
875 KUNIT_EXPECT_EQ(test, pad.buf[0], '\0'); \
876 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
877 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
878 memfunc(pad.buf + 1, srcB, 1 + unconst); \
879 KUNIT_EXPECT_EQ(test, pad.buf[0], '\0'); \
880 KUNIT_EXPECT_EQ(test, pad.buf[1], 'B'); \
881 KUNIT_EXPECT_EQ(test, pad.buf[2], '\0'); \
882 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
883 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
884 memfunc(pad.buf, srcA, 1 + unconst); \
885 KUNIT_EXPECT_EQ(test, pad.buf[0], 'A'); \
886 KUNIT_EXPECT_EQ(test, pad.buf[1], 'B'); \
887 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
888 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
889 memfunc(pad.buf, srcA, len - 1); \
890 KUNIT_EXPECT_EQ(test, pad.buf[1], 'A'); \
891 KUNIT_EXPECT_EQ(test, pad.buf[len - 1], '\0'); \
892 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
893 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
894 memfunc(pad.buf, srcA, len); \
895 KUNIT_EXPECT_EQ(test, pad.buf[1], 'A'); \
896 KUNIT_EXPECT_EQ(test, pad.buf[len - 1], 'A'); \
897 KUNIT_EXPECT_EQ(test, pad.bytes_after, 0); \
898 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
899 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
900 memfunc(pad.buf, srcA, len + 1); \
901 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
902 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 1); \
903 memfunc(pad.buf + 1, srcB, len); \
904 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
905 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 2); \
907 /* Reset error counter. */ \
908 fortify_write_overflows = 0; \
909 /* Copy nothing into nothing: no errors. */ \
910 memfunc(zero.buf, srcB, 0 + unconst); \
911 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
912 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
913 /* We currently explicitly ignore zero-sized dests. */ \
914 memfunc(zero.buf, srcB, 1 + unconst); \
915 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0); \
916 KUNIT_EXPECT_EQ(test, fortify_write_overflows, 0); \
918 __fortify_test(memcpy)
919 __fortify_test(memmove)
921 static void fortify_test_memscan(struct kunit *test)
923 char haystack[] = "Where oh where is my memory range?";
924 char *mem = haystack + strlen("Where oh where is ");
926 size_t len = sizeof(haystack) + unconst;
928 KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len),
930 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
931 /* Catch too-large range. */
932 KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len + 1),
934 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
935 KUNIT_ASSERT_PTR_EQ(test, memscan(haystack, needle, len * 2),
937 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
940 static void fortify_test_memchr(struct kunit *test)
942 char haystack[] = "Where oh where is my memory range?";
943 char *mem = haystack + strlen("Where oh where is ");
945 size_t len = sizeof(haystack) + unconst;
947 KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len),
949 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
950 /* Catch too-large range. */
951 KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len + 1),
953 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
954 KUNIT_ASSERT_PTR_EQ(test, memchr(haystack, needle, len * 2),
956 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
959 static void fortify_test_memchr_inv(struct kunit *test)
961 char haystack[] = "Where oh where is my memory range?";
962 char *mem = haystack + 1;
964 size_t len = sizeof(haystack) + unconst;
966 /* Normal search is okay. */
967 KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len),
969 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
970 /* Catch too-large range. */
971 KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len + 1),
973 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
974 KUNIT_ASSERT_PTR_EQ(test, memchr_inv(haystack, needle, len * 2),
976 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
979 static void fortify_test_memcmp(struct kunit *test)
981 char one[] = "My mind is going ...";
982 char two[] = "My mind is going ... I can feel it.";
983 size_t one_len = sizeof(one) + unconst - 1;
984 size_t two_len = sizeof(two) + unconst - 1;
986 /* We match the first string (ignoring the %NUL). */
987 KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len), 0);
988 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
989 /* Still in bounds, but no longer matching. */
990 KUNIT_ASSERT_LT(test, memcmp(one, two, one_len + 1), 0);
991 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
993 /* Catch too-large ranges. */
994 KUNIT_ASSERT_EQ(test, memcmp(one, two, one_len + 2), INT_MIN);
995 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
997 KUNIT_ASSERT_EQ(test, memcmp(two, one, two_len + 2), INT_MIN);
998 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
1001 static void fortify_test_kmemdup(struct kunit *test)
1003 char src[] = "I got Doom running on it!";
1005 size_t len = sizeof(src) + unconst;
1007 /* Copy is within bounds. */
1008 copy = kmemdup(src, len, GFP_KERNEL);
1009 KUNIT_EXPECT_NOT_NULL(test, copy);
1010 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
1014 copy = kmemdup(src, len - 1, GFP_KERNEL);
1015 KUNIT_EXPECT_NOT_NULL(test, copy);
1016 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
1020 copy = kmemdup(src, 1, GFP_KERNEL);
1021 KUNIT_EXPECT_NOT_NULL(test, copy);
1022 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 0);
1025 /* Out of bounds by 1 byte. */
1026 copy = kmemdup(src, len + 1, GFP_KERNEL);
1027 KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR);
1028 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
1031 /* Way out of bounds. */
1032 copy = kmemdup(src, len * 2, GFP_KERNEL);
1033 KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR);
1034 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
1037 /* Starting offset causing out of bounds. */
1038 copy = kmemdup(src + 1, len, GFP_KERNEL);
1039 KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR);
1040 KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3);
1044 static int fortify_test_init(struct kunit *test)
1046 if (!IS_ENABLED(CONFIG_FORTIFY_SOURCE))
1047 kunit_skip(test, "Not built with CONFIG_FORTIFY_SOURCE=y");
1049 fortify_read_overflows = 0;
1050 kunit_add_named_resource(test, NULL, NULL, &read_resource,
1051 "fortify_read_overflows",
1052 &fortify_read_overflows);
1053 fortify_write_overflows = 0;
1054 kunit_add_named_resource(test, NULL, NULL, &write_resource,
1055 "fortify_write_overflows",
1056 &fortify_write_overflows);
1060 static struct kunit_case fortify_test_cases[] = {
1061 KUNIT_CASE(fortify_test_known_sizes),
1062 KUNIT_CASE(fortify_test_control_flow_split),
1063 KUNIT_CASE(fortify_test_alloc_size_kmalloc_const),
1064 KUNIT_CASE(fortify_test_alloc_size_kmalloc_dynamic),
1065 KUNIT_CASE(fortify_test_alloc_size_vmalloc_const),
1066 KUNIT_CASE(fortify_test_alloc_size_vmalloc_dynamic),
1067 KUNIT_CASE(fortify_test_alloc_size_kvmalloc_const),
1068 KUNIT_CASE(fortify_test_alloc_size_kvmalloc_dynamic),
1069 KUNIT_CASE(fortify_test_alloc_size_devm_kmalloc_const),
1070 KUNIT_CASE(fortify_test_alloc_size_devm_kmalloc_dynamic),
1071 KUNIT_CASE(fortify_test_realloc_size),
1072 KUNIT_CASE(fortify_test_strlen),
1073 KUNIT_CASE(fortify_test_strnlen),
1074 KUNIT_CASE(fortify_test_strcpy),
1075 KUNIT_CASE(fortify_test_strncpy),
1076 KUNIT_CASE(fortify_test_strscpy),
1077 KUNIT_CASE(fortify_test_strcat),
1078 KUNIT_CASE(fortify_test_strncat),
1079 KUNIT_CASE(fortify_test_strlcat),
1080 /* skip memset: performs bounds checking on whole structs */
1081 KUNIT_CASE(fortify_test_memcpy),
1082 KUNIT_CASE(fortify_test_memmove),
1083 KUNIT_CASE(fortify_test_memscan),
1084 KUNIT_CASE(fortify_test_memchr),
1085 KUNIT_CASE(fortify_test_memchr_inv),
1086 KUNIT_CASE(fortify_test_memcmp),
1087 KUNIT_CASE(fortify_test_kmemdup),
1091 static struct kunit_suite fortify_test_suite = {
1093 .init = fortify_test_init,
1094 .test_cases = fortify_test_cases,
1097 kunit_test_suite(fortify_test_suite);
1099 MODULE_LICENSE("GPL");
projects / linux.git / blob