1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stdint.h>
6 #include <stdio.h>
7
8 #include <limits>
9 #include <memory>
10 #include <sstream>
11 #include <string>
12
13 #include "base/run_loop.h"
14 #include "base/strings/string16.h"
15 #include "base/strings/utf_string_conversions.h"
16 #include "base/threading/platform_thread.h"
17 #include "build/build_config.h"
18 #include "ipc/ipc_test_base.h"
19 #include "testing/gtest/include/gtest/gtest.h"
20
21 // IPC messages for testing ----------------------------------------------------
22
23 #define IPC_MESSAGE_IMPL
24 #include "ipc/ipc_message_macros.h"
25
26 #define IPC_MESSAGE_START TestMsgStart
27
28 // Generic message class that is an int followed by a string16.
29 IPC_MESSAGE_CONTROL2(MsgClassIS, int, base::string16)
30
31 // Generic message class that is a string16 followed by an int.
32 IPC_MESSAGE_CONTROL2(MsgClassSI, base::string16, int)
33
34 // Message to create a mutex in the IPC server, using the received name.
35 IPC_MESSAGE_CONTROL2(MsgDoMutex, base::string16, int)
36
37 // Used to generate an ID for a message that should not exist.
38 IPC_MESSAGE_CONTROL0(MsgUnhandled)
39
40 // -----------------------------------------------------------------------------
41
42 namespace {
43
TEST(IPCMessageIntegrity,ReadBeyondBufferStr)44 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
45 // This was BUG 984408.
46 uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
47 int v2 = 666;
48 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
49 m.WriteInt(v1);
50 m.WriteInt(v2);
51
52 base::PickleIterator iter(m);
53 std::string vs;
54 EXPECT_FALSE(iter.ReadString(&vs));
55 }
56
TEST(IPCMessageIntegrity,ReadBeyondBufferStr16)57 TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
58 // This was BUG 984408.
59 uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
60 int v2 = 777;
61 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
62 m.WriteInt(v1);
63 m.WriteInt(v2);
64
65 base::PickleIterator iter(m);
66 base::string16 vs;
67 EXPECT_FALSE(iter.ReadString16(&vs));
68 }
69
TEST(IPCMessageIntegrity,ReadBytesBadIterator)70 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
71 // This was BUG 1035467.
72 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
73 m.WriteInt(1);
74 m.WriteInt(2);
75
76 base::PickleIterator iter(m);
77 const char* data = NULL;
78 EXPECT_TRUE(iter.ReadBytes(&data, sizeof(int)));
79 }
80
TEST(IPCMessageIntegrity,ReadVectorNegativeSize)81 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
82 // A slight variation of BUG 984408. Note that the pickling of vector<char>
83 // has a specialized template which is not vulnerable to this bug. So here
84 // try to hit the non-specialized case vector<P>.
85 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
86 m.WriteInt(-1); // This is the count of elements.
87 m.WriteInt(1);
88 m.WriteInt(2);
89 m.WriteInt(3);
90
91 std::vector<double> vec;
92 base::PickleIterator iter(m);
93 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
94 }
95
96 #if defined(OS_ANDROID)
97 #define MAYBE_ReadVectorTooLarge1 DISABLED_ReadVectorTooLarge1
98 #else
99 #define MAYBE_ReadVectorTooLarge1 ReadVectorTooLarge1
100 #endif
TEST(IPCMessageIntegrity,MAYBE_ReadVectorTooLarge1)101 TEST(IPCMessageIntegrity, MAYBE_ReadVectorTooLarge1) {
102 // This was BUG 1006367. This is the large but positive length case. Again
103 // we try to hit the non-specialized case vector<P>.
104 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
105 m.WriteInt(0x21000003); // This is the count of elements.
106 m.WriteInt64(1);
107 m.WriteInt64(2);
108
109 std::vector<int64_t> vec;
110 base::PickleIterator iter(m);
111 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
112 }
113
TEST(IPCMessageIntegrity,ReadVectorTooLarge2)114 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
115 // This was BUG 1006367. This is the large but positive with an additional
116 // integer overflow when computing the actual byte size. Again we try to hit
117 // the non-specialized case vector<P>.
118 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
119 m.WriteInt(0x71000000); // This is the count of elements.
120 m.WriteInt64(1);
121 m.WriteInt64(2);
122
123 std::vector<int64_t> vec;
124 base::PickleIterator iter(m);
125 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
126 }
127
128 // This test needs ~20 seconds in Debug mode, or ~4 seconds in Release mode.
129 // See http://crbug.com/741866 for details.
TEST(IPCMessageIntegrity,DISABLED_ReadVectorTooLarge3)130 TEST(IPCMessageIntegrity, DISABLED_ReadVectorTooLarge3) {
131 base::Pickle pickle;
132 IPC::WriteParam(&pickle, 256 * 1024 * 1024);
133 IPC::WriteParam(&pickle, 0);
134 IPC::WriteParam(&pickle, 1);
135 IPC::WriteParam(&pickle, 2);
136
137 base::PickleIterator iter(pickle);
138 std::vector<int> vec;
139 EXPECT_FALSE(IPC::ReadParam(&pickle, &iter, &vec));
140 }
141
142 class SimpleListener : public IPC::Listener {
143 public:
SimpleListener()144 SimpleListener() : other_(NULL) {
145 }
Init(IPC::Sender * s)146 void Init(IPC::Sender* s) {
147 other_ = s;
148 }
149 protected:
150 IPC::Sender* other_;
151 };
152
153 enum {
154 FUZZER_ROUTING_ID = 5
155 };
156
157 // The fuzzer server class. It runs in a child process and expects
158 // only two IPC calls; after that it exits the message loop which
159 // terminates the child process.
160 class FuzzerServerListener : public SimpleListener {
161 public:
FuzzerServerListener()162 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
163 }
OnMessageReceived(const IPC::Message & msg)164 bool OnMessageReceived(const IPC::Message& msg) override {
165 if (msg.routing_id() == MSG_ROUTING_CONTROL) {
166 ++pending_messages_;
167 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
168 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
169 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
170 IPC_END_MESSAGE_MAP()
171 if (pending_messages_) {
172 // Probably a problem de-serializing the message.
173 ReplyMsgNotHandled(msg.type());
174 }
175 }
176 return true;
177 }
178
179 private:
OnMsgClassISMessage(int value,const base::string16 & text)180 void OnMsgClassISMessage(int value, const base::string16& text) {
181 UseData(MsgClassIS::ID, value, text);
182 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
183 Cleanup();
184 }
185
OnMsgClassSIMessage(const base::string16 & text,int value)186 void OnMsgClassSIMessage(const base::string16& text, int value) {
187 UseData(MsgClassSI::ID, value, text);
188 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
189 Cleanup();
190 }
191
RoundtripAckReply(int routing,uint32_t type_id,int reply)192 bool RoundtripAckReply(int routing, uint32_t type_id, int reply) {
193 IPC::Message* message = new IPC::Message(routing, type_id,
194 IPC::Message::PRIORITY_NORMAL);
195 message->WriteInt(reply + 1);
196 message->WriteInt(reply);
197 return other_->Send(message);
198 }
199
Cleanup()200 void Cleanup() {
201 --message_count_;
202 --pending_messages_;
203 if (0 == message_count_)
204 base::RunLoop::QuitCurrentWhenIdleDeprecated();
205 }
206
ReplyMsgNotHandled(uint32_t type_id)207 void ReplyMsgNotHandled(uint32_t type_id) {
208 RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
209 Cleanup();
210 }
211
UseData(int caller,int value,const base::string16 & text)212 void UseData(int caller, int value, const base::string16& text) {
213 std::ostringstream os;
214 os << "IPC fuzzer:" << caller << " [" << value << " "
215 << base::UTF16ToUTF8(text) << "]\n";
216 std::string output = os.str();
217 LOG(WARNING) << output;
218 }
219
220 int message_count_;
221 int pending_messages_;
222 };
223
224 class FuzzerClientListener : public SimpleListener {
225 public:
FuzzerClientListener()226 FuzzerClientListener() : last_msg_(NULL) {
227 }
228
OnMessageReceived(const IPC::Message & msg)229 bool OnMessageReceived(const IPC::Message& msg) override {
230 last_msg_ = new IPC::Message(msg);
231 base::RunLoop::QuitCurrentWhenIdleDeprecated();
232 return true;
233 }
234
ExpectMessage(int value,uint32_t type_id)235 bool ExpectMessage(int value, uint32_t type_id) {
236 if (!MsgHandlerInternal(type_id))
237 return false;
238 int msg_value1 = 0;
239 int msg_value2 = 0;
240 base::PickleIterator iter(*last_msg_);
241 if (!iter.ReadInt(&msg_value1))
242 return false;
243 if (!iter.ReadInt(&msg_value2))
244 return false;
245 if ((msg_value2 + 1) != msg_value1)
246 return false;
247 if (msg_value2 != value)
248 return false;
249
250 delete last_msg_;
251 last_msg_ = NULL;
252 return true;
253 }
254
ExpectMsgNotHandled(uint32_t type_id)255 bool ExpectMsgNotHandled(uint32_t type_id) {
256 return ExpectMessage(type_id, MsgUnhandled::ID);
257 }
258
259 private:
MsgHandlerInternal(uint32_t type_id)260 bool MsgHandlerInternal(uint32_t type_id) {
261 base::RunLoop().Run();
262 if (NULL == last_msg_)
263 return false;
264 if (FUZZER_ROUTING_ID != last_msg_->routing_id())
265 return false;
266 return (type_id == last_msg_->type());
267 }
268
269 IPC::Message* last_msg_;
270 };
271
272 // Runs the fuzzing server child mode. Returns when the preset number of
273 // messages have been received.
DEFINE_IPC_CHANNEL_MOJO_TEST_CLIENT(FuzzServerClient)274 DEFINE_IPC_CHANNEL_MOJO_TEST_CLIENT(FuzzServerClient) {
275 FuzzerServerListener listener;
276 Connect(&listener);
277 listener.Init(channel());
278 base::RunLoop().Run();
279 Close();
280 }
281
282 using IPCFuzzingTest = IPCChannelMojoTestBase;
283
284 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
285 // are working properly by generating two well formed IPC calls.
TEST_F(IPCFuzzingTest,SanityTest)286 TEST_F(IPCFuzzingTest, SanityTest) {
287 Init("FuzzServerClient");
288
289 FuzzerClientListener listener;
290 CreateChannel(&listener);
291 listener.Init(channel());
292 ASSERT_TRUE(ConnectChannel());
293
294 IPC::Message* msg = NULL;
295 int value = 43;
296 msg = new MsgClassIS(value, base::ASCIIToUTF16("expect 43"));
297 sender()->Send(msg);
298 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));
299
300 msg = new MsgClassSI(base::ASCIIToUTF16("expect 44"), ++value);
301 sender()->Send(msg);
302 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
303
304 EXPECT_TRUE(WaitForClientShutdown());
305 DestroyChannel();
306 }
307
308 // This test uses a payload that is smaller than expected. This generates an
309 // error while unpacking the IPC buffer. Right after we generate another valid
310 // IPC to make sure framing is working properly.
TEST_F(IPCFuzzingTest,MsgBadPayloadShort)311 TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
312 Init("FuzzServerClient");
313
314 FuzzerClientListener listener;
315 CreateChannel(&listener);
316 listener.Init(channel());
317 ASSERT_TRUE(ConnectChannel());
318
319 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
320 IPC::Message::PRIORITY_NORMAL);
321 msg->WriteInt(666);
322 sender()->Send(msg);
323 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
324
325 msg = new MsgClassSI(base::ASCIIToUTF16("expect one"), 1);
326 sender()->Send(msg);
327 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
328
329 EXPECT_TRUE(WaitForClientShutdown());
330 DestroyChannel();
331 }
332
333 // This test uses a payload that has too many arguments, but so the payload size
334 // is big enough so the unpacking routine does not generate an error as in the
335 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
336 // as by design we don't carry type information on the IPC message.
TEST_F(IPCFuzzingTest,MsgBadPayloadArgs)337 TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
338 Init("FuzzServerClient");
339
340 FuzzerClientListener listener;
341 CreateChannel(&listener);
342 listener.Init(channel());
343 ASSERT_TRUE(ConnectChannel());
344
345 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
346 IPC::Message::PRIORITY_NORMAL);
347 msg->WriteString16(base::ASCIIToUTF16("d"));
348 msg->WriteInt(0);
349 msg->WriteInt(0x65); // Extra argument.
350
351 sender()->Send(msg);
352 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
353
354 // Now send a well formed message to make sure the receiver wasn't
355 // thrown out of sync by the extra argument.
356 msg = new MsgClassIS(3, base::ASCIIToUTF16("expect three"));
357 sender()->Send(msg);
358 EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
359
360 EXPECT_TRUE(WaitForClientShutdown());
361 DestroyChannel();
362 }
363
364 } // namespace
365