1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #ifndef __clang__
18 #error "Non-clang isn't supported"
19 #endif
20
21 //
22 // Clang compile-time and run-time tests for Bionic's FORTIFY.
23 //
24
25 // This file is compiled in two configurations to give us reasonable coverage of clang's
26 // FORTIFY implementation:
27 //
28 // 1. For compile-time checks, we use clang's diagnostic consumer
29 // (https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html#details)
30 // to check diagnostics (e.g. the expected-* comments everywhere).
31 //
32 // 2. For run-time checks, we build and run as regular gtests.
33
34 // Note that these tests do things like leaking memory. That's WAI.
35
36 //
37 // Configuration for the compile-time checks. (These comments have side effects!)
38 //
39 // Silence all "from 'diagnose_if'" `note`s from anywhere, including headers; they're uninteresting
40 // for this test case, and their line numbers may change over time.
41 // expected-note@* 0+{{from 'diagnose_if'}}
42 //
43 // Similarly, there are a few overload tricks we have to emit errors. Ignore any notes from those.
44 // expected-note@* 0+{{candidate function}}
45 //
46 // And finally, all explicitly-unavailable-here complaints from headers are
47 // uninteresting
48 // expected-note@* 0+{{has been explicitly marked unavailable here}}
49 //
50 // Note that some of these diagnostics come from clang itself, while others come from
51 // `diagnose_if`s sprinkled throughout Bionic.
52
53 #ifndef _FORTIFY_SOURCE
54 #error "_FORTIFY_SOURCE must be defined"
55 #endif
56
57 #include <sys/cdefs.h>
58
59 // This is a test specifically of bionic's FORTIFY machinery. Other stdlibs need not apply.
60 #ifndef __BIONIC__
61 // expected-no-diagnostics
62 #else
63
64 // As alluded to above, we're going to be doing some obviously very broken things in this file.
65 // FORTIFY helpfully flags a lot of it at compile-time, but we want it to *actually* crash, too. So
66 // let's wipe out any build-time errors.
67 #ifndef COMPILATION_TESTS
68 #undef __clang_error_if
69 #define __clang_error_if(...)
70 #undef __clang_warning_if
71 #define __clang_warning_if(...)
72 #pragma clang diagnostic ignored "-Wfortify-source"
73
74 // SOMETIMES_CONST allows clang to emit eager diagnostics when we're doing compilation tests, but
75 // blocks them otherwise. This is needed for diagnostics emitted with __enable_if.
76 #define SOMETIMES_CONST volatile
77 #else
78 #define SOMETIMES_CONST const
79 #endif
80
81 #include <err.h>
82 #include <fcntl.h>
83 #include <limits.h>
84 #include <poll.h>
85 #include <signal.h>
86 #include <stdio.h>
87 #include <stdlib.h>
88 #include <string.h>
89 #include <sys/socket.h>
90 #include <sys/stat.h>
91 #include <sys/wait.h>
92 #include <syslog.h>
93 #include <unistd.h>
94 #include <wchar.h>
95
96 #ifndef COMPILATION_TESTS
97 #include <android-base/silent_death_test.h>
98 #include <gtest/gtest.h>
99
100 #define CONCAT2(x, y) x##y
101 #define CONCAT(x, y) CONCAT2(x, y)
102 #define FORTIFY_TEST_NAME CONCAT(CONCAT(clang_fortify_test_, _FORTIFY_SOURCE), _DeathTest)
103
104 using FORTIFY_TEST_NAME = SilentDeathTest;
105
106 template <typename Fn>
ExitAfter(Fn && f)107 __attribute__((noreturn)) static void ExitAfter(Fn&& f) {
108 f();
109 // No need to tear things down; our parent process should handle that.
110 _exit(0);
111 }
112
113 // In any case (including failing tests), we always want to die after this.
114 #define DIE_WITH(expr, cond, regex) EXPECT_EXIT(ExitAfter([&] { (expr); }), cond, regex)
115
116 // EXPECT_NO_DEATH forks so that the test remains alive on a bug, and so that the environment
117 // doesn't get modified on no bug. (Environment modification is especially tricky to deal with given
118 // the *_STRUCT variants below.)
119 #define EXPECT_NO_DEATH(expr) DIE_WITH(expr, testing::ExitedWithCode(0), "")
120 #define EXPECT_FORTIFY_DEATH(expr) DIE_WITH(expr, testing::KilledBySignal(SIGABRT), "FORTIFY")
121 // Expecting death, but only if we're doing a "strict" struct-checking mode.
122 #if _FORTIFY_SOURCE > 1
123 #define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
124 #else
125 #define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_NO_DEATH
126 #endif
127
128 #define FORTIFY_TEST(test_name) TEST_F(FORTIFY_TEST_NAME, test_name)
129
130 #else // defined(COMPILATION_TESTS)
131
132 #define EXPECT_NO_DEATH(expr) expr
133 #define EXPECT_FORTIFY_DEATH(expr) expr
134 #define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
135 #define FORTIFY_TEST(test_name) void test_name()
136 #endif
137
138 const static int kBogusFD = -1;
139
FORTIFY_TEST(string)140 FORTIFY_TEST(string) {
141 char small_buffer[8] = {};
142
143 {
144 char large_buffer[sizeof(small_buffer) + 1] = {};
145 // expected-error@+1{{will always overflow}}
146 EXPECT_FORTIFY_DEATH(memcpy(small_buffer, large_buffer, sizeof(large_buffer)));
147 // expected-error@+1{{will always overflow}}
148 EXPECT_FORTIFY_DEATH(memmove(small_buffer, large_buffer, sizeof(large_buffer)));
149 // FIXME(gbiv): look into removing mempcpy's diagnose_if bits once the b/149839606 roll sticks.
150 // expected-error@+2{{will always overflow}}
151 // expected-error@+1{{size bigger than buffer}}
152 EXPECT_FORTIFY_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer)));
153 // expected-error@+1{{will always overflow}}
154 EXPECT_FORTIFY_DEATH(memset(small_buffer, 0, sizeof(large_buffer)));
155 // expected-warning@+1{{arguments got flipped?}}
156 EXPECT_NO_DEATH(memset(small_buffer, sizeof(small_buffer), 0));
157 // expected-error@+1{{size bigger than buffer}}
158 EXPECT_FORTIFY_DEATH(bcopy(large_buffer, small_buffer, sizeof(large_buffer)));
159 // expected-error@+1{{size bigger than buffer}}
160 EXPECT_FORTIFY_DEATH(bzero(small_buffer, sizeof(large_buffer)));
161 }
162
163 {
164 const char large_string[] = "Hello!!!";
165 static_assert(sizeof(large_string) > sizeof(small_buffer), "");
166
167 #if __clang_major__ > 13
168 // expected-error@+3{{will always overflow}}
169 #endif
170 // expected-error@+1{{string bigger than buffer}}
171 EXPECT_FORTIFY_DEATH(strcpy(small_buffer, large_string));
172 // expected-error@+1{{string bigger than buffer}}
173 EXPECT_FORTIFY_DEATH(stpcpy(small_buffer, large_string));
174 // expected-error@+1{{size argument is too large}}
175 EXPECT_FORTIFY_DEATH(strncpy(small_buffer, large_string, sizeof(large_string)));
176 // expected-error@+1{{size argument is too large}}
177 EXPECT_FORTIFY_DEATH(stpncpy(small_buffer, large_string, sizeof(large_string)));
178 // expected-error@+1{{string bigger than buffer}}
179 EXPECT_FORTIFY_DEATH(strcat(small_buffer, large_string));
180 // expected-error@+1{{size argument is too large}}
181 EXPECT_FORTIFY_DEATH(strncat(small_buffer, large_string, sizeof(large_string)));
182 // expected-error@+1{{size bigger than buffer}}
183 EXPECT_FORTIFY_DEATH(strlcpy(small_buffer, large_string, sizeof(large_string)));
184 // expected-error@+1{{size bigger than buffer}}
185 EXPECT_FORTIFY_DEATH(strlcat(small_buffer, large_string, sizeof(large_string)));
186 }
187
188 {
189 struct {
190 char tiny_buffer[4];
191 char tiny_buffer2[4];
192 } split = {};
193
194 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
195 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
196 EXPECT_NO_DEATH(memmove(split.tiny_buffer, &split, sizeof(split)));
197 EXPECT_NO_DEATH(mempcpy(split.tiny_buffer, &split, sizeof(split)));
198 EXPECT_NO_DEATH(memset(split.tiny_buffer, 0, sizeof(split)));
199
200 EXPECT_NO_DEATH(bcopy(&split, split.tiny_buffer, sizeof(split)));
201 EXPECT_NO_DEATH(bzero(split.tiny_buffer, sizeof(split)));
202
203 const char small_string[] = "Hi!!";
204 static_assert(sizeof(small_string) > sizeof(split.tiny_buffer), "");
205
206 #if _FORTIFY_SOURCE > 1
207 #if __clang_major__ > 13
208 // expected-error@+4{{will always overflow}}
209 #endif
210 // expected-error@+2{{string bigger than buffer}}
211 #endif
212 EXPECT_FORTIFY_DEATH_STRUCT(strcpy(split.tiny_buffer, small_string));
213
214 #if _FORTIFY_SOURCE > 1
215 // expected-error@+2{{string bigger than buffer}}
216 #endif
217 EXPECT_FORTIFY_DEATH_STRUCT(stpcpy(split.tiny_buffer, small_string));
218
219 #if _FORTIFY_SOURCE > 1
220 // expected-error@+2{{size argument is too large}}
221 #endif
222 EXPECT_FORTIFY_DEATH_STRUCT(strncpy(split.tiny_buffer, small_string, sizeof(small_string)));
223
224 #if _FORTIFY_SOURCE > 1
225 // expected-error@+2{{size argument is too large}}
226 #endif
227 EXPECT_FORTIFY_DEATH_STRUCT(stpncpy(split.tiny_buffer, small_string, sizeof(small_string)));
228
229 #if _FORTIFY_SOURCE > 1
230 // expected-error@+2{{string bigger than buffer}}
231 #endif
232 EXPECT_FORTIFY_DEATH_STRUCT(strcat(split.tiny_buffer, small_string));
233
234 #if _FORTIFY_SOURCE > 1
235 // expected-error@+2{{size argument is too large}}
236 #endif
237 EXPECT_FORTIFY_DEATH_STRUCT(strncat(split.tiny_buffer, small_string, sizeof(small_string)));
238
239 #if _FORTIFY_SOURCE > 1
240 // expected-error@+2{{size bigger than buffer}}
241 #endif
242 EXPECT_FORTIFY_DEATH_STRUCT(strlcat(split.tiny_buffer, small_string, sizeof(small_string)));
243
244 #if _FORTIFY_SOURCE > 1
245 // expected-error@+2{{size bigger than buffer}}
246 #endif
247 EXPECT_FORTIFY_DEATH_STRUCT(strlcpy(split.tiny_buffer, small_string, sizeof(small_string)));
248 }
249 }
250
FORTIFY_TEST(fcntl)251 FORTIFY_TEST(fcntl) {
252 const char target[] = "/dev/null";
253 int dirfd = 0;
254
255 // These all emit hard errors without diagnose_if, so running them is a bit
256 // more involved.
257 #ifdef COMPILATION_TESTS
258 // expected-error@+1{{too many arguments}}
259 open("/", 0, 0, 0);
260 // expected-error@+1{{too many arguments}}
261 open64("/", 0, 0, 0);
262 // expected-error@+1{{too many arguments}}
263 openat(0, "/", 0, 0, 0);
264 // expected-error@+1{{too many arguments}}
265 openat64(0, "/", 0, 0, 0);
266 #endif
267
268 // expected-error@+1{{missing mode}}
269 EXPECT_FORTIFY_DEATH(open(target, O_CREAT));
270 // expected-error@+1{{missing mode}}
271 EXPECT_FORTIFY_DEATH(open(target, O_TMPFILE));
272 // expected-error@+1{{missing mode}}
273 EXPECT_FORTIFY_DEATH(open64(target, O_CREAT));
274 // expected-error@+1{{missing mode}}
275 EXPECT_FORTIFY_DEATH(open64(target, O_TMPFILE));
276 // expected-error@+1{{missing mode}}
277 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_CREAT));
278 // expected-error@+1{{missing mode}}
279 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_TMPFILE));
280 // expected-error@+1{{missing mode}}
281 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_CREAT));
282 // expected-error@+1{{missing mode}}
283 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_TMPFILE));
284
285 // expected-warning@+1{{superfluous mode bits}}
286 EXPECT_NO_DEATH(open(target, O_RDONLY, 0777));
287 // expected-warning@+1{{superfluous mode bits}}
288 EXPECT_NO_DEATH(open64(target, O_RDONLY, 0777));
289 // expected-warning@+1{{superfluous mode bits}}
290 EXPECT_NO_DEATH(openat(dirfd, target, O_RDONLY, 0777));
291 // expected-warning@+1{{superfluous mode bits}}
292 EXPECT_NO_DEATH(openat64(dirfd, target, O_RDONLY, 0777));
293 }
294
295 // Since these emit hard errors, it's sort of hard to run them...
296 #ifdef COMPILATION_TESTS
297 namespace compilation_tests {
298 template <typename T>
declval()299 static T declval() {
300 __builtin_unreachable();
301 }
302
testFormatStrings()303 static void testFormatStrings() {
304 const auto unsigned_value = declval<unsigned long long>();
305 const auto* unknown_string = declval<const char*>();
306 const auto va = *declval<va_list*>();
307
308 {
309 auto some_fd = declval<int>();
310 // expected-warning@+1{{format specifies type 'int'}}
311 dprintf(some_fd, "%d", unsigned_value);
312 // expected-warning@+1{{format string is not a string literal}}
313 dprintf(some_fd, unknown_string, unsigned_value);
314 // expected-warning@+1{{format string is not a string literal}}
315 vdprintf(1, unknown_string, va);
316 }
317
318 {
319 auto* retval = declval<char*>();
320 #if 0
321 // expected-error@+2{{ignoring return value}}
322 #endif
323 // expected-warning@+1{{format specifies type 'int'}}
324 asprintf(&retval, "%d", unsigned_value);
325 #if 0
326 // expected-error@+2{{ignoring return value}}
327 #endif
328 // expected-warning@+1{{format string is not a string literal}}
329 asprintf(&retval, unknown_string, unsigned_value);
330 #if 0
331 // expected-error@+2{{ignoring return value}}
332 #endif
333 // expected-warning@+1{{format string is not a string literal}}
334 vasprintf(&retval, unknown_string, va);
335 }
336
337 // expected-warning@+1{{format specifies type 'int'}}
338 syslog(0, "%d", unsigned_value);
339 // expected-warning@+1{{format string is not a string literal}}
340 syslog(0, unknown_string, unsigned_value);
341 // expected-warning@+1{{format string is not a string literal}}
342 vsyslog(0, unknown_string, va);
343
344 {
345 auto* file = declval<FILE*>();
346 // expected-warning@+1{{format specifies type 'int'}}
347 fprintf(file, "%d", unsigned_value);
348 // expected-warning@+1{{format string is not a string literal}}
349 fprintf(file, unknown_string, unsigned_value);
350 // expected-warning@+1{{format string is not a string literal}}
351 vfprintf(file, unknown_string, va);
352 }
353
354 // expected-warning@+1{{format specifies type 'int'}}
355 printf("%d", unsigned_value);
356 // expected-warning@+1{{format string is not a string literal}}
357 printf(unknown_string, unsigned_value);
358 // expected-warning@+1{{format string is not a string literal}}
359 vprintf(unknown_string, va);
360
361 {
362 char buf[128];
363 // expected-warning@+1{{format specifies type 'int'}}
364 sprintf(buf, "%d", unsigned_value);
365 // expected-warning@+1{{format string is not a string literal}}
366 sprintf(buf, unknown_string, unsigned_value);
367 // expected-warning@+1{{format string is not a string literal}}
368 sprintf(buf, unknown_string, va);
369
370 // expected-warning@+1{{format specifies type 'int'}}
371 snprintf(buf, sizeof(buf), "%d", unsigned_value);
372 // expected-warning@+1{{format string is not a string literal}}
373 snprintf(buf, sizeof(buf), unknown_string, unsigned_value);
374 // expected-warning@+1{{format string is not a string literal}}
375 vsnprintf(buf, sizeof(buf), unknown_string, va);
376 }
377
378 // FIXME: below are general format string cases where clang should probably try to warn.
379 {
380 char buf[4];
381 sprintf(buf, "%s", "1234");
382 sprintf(buf, "1%s4", "23");
383 sprintf(buf, "%d", 1234);
384
385 // Similar thoughts for strncpy, etc.
386 }
387 }
388
testStdlib()389 static void testStdlib() {
390 char path_buffer[PATH_MAX - 1];
391 // expected-warning@+2{{ignoring return value of function}}
392 // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}}
393 realpath("/", path_buffer);
394 // expected-warning@+1{{ignoring return value of function}}
395 realpath("/", nullptr);
396
397 // expected-warning@+2{{ignoring return value of function}}
398 // expected-error@+1{{flipped arguments?}}
399 realpath(nullptr, path_buffer);
400
401 // expected-warning@+2{{ignoring return value of function}}
402 // expected-error@+1{{flipped arguments?}}
403 realpath(nullptr, nullptr);
404 }
405 } // namespace compilation_tests
406 #endif
407
FORTIFY_TEST(poll)408 FORTIFY_TEST(poll) {
409 int pipe_fds[2];
410 if (pipe(pipe_fds)) err(1, "pipe failed");
411
412 // after this, pipe_fds[0] should always report RDHUP
413 if (close(pipe_fds[1])) err(1, "close failed");
414
415 struct pollfd poll_fd = { pipe_fds[0], POLLRDHUP, 0 };
416 {
417 struct pollfd few_fds[] = { poll_fd, poll_fd };
418 // expected-error@+1{{fd_count is larger than the given buffer}}
419 EXPECT_FORTIFY_DEATH(poll(few_fds, 3, 0));
420 // expected-error@+1{{fd_count is larger than the given buffer}}
421 EXPECT_FORTIFY_DEATH(ppoll(few_fds, 3, 0, 0));
422 // expected-error@+1{{fd_count is larger than the given buffer}}
423 EXPECT_FORTIFY_DEATH(ppoll64(few_fds, 3, 0, nullptr));
424 }
425
426 {
427 struct {
428 struct pollfd few[2];
429 struct pollfd extra[1];
430 } fds = { { poll_fd, poll_fd }, { poll_fd } };
431 static_assert(sizeof(fds) >= sizeof(struct pollfd) * 3, "");
432
433 #if _FORTIFY_SOURCE > 1
434 // expected-error@+2{{fd_count is larger than the given buffer}}
435 #endif
436 EXPECT_FORTIFY_DEATH_STRUCT(poll(fds.few, 3, 0));
437
438 struct timespec timeout = {};
439 #if _FORTIFY_SOURCE > 1
440 // expected-error@+2{{fd_count is larger than the given buffer}}
441 #endif
442 EXPECT_FORTIFY_DEATH_STRUCT(ppoll(fds.few, 3, &timeout, 0));
443
444 #if _FORTIFY_SOURCE > 1
445 // expected-error@+2{{fd_count is larger than the given buffer}}
446 #endif
447 EXPECT_FORTIFY_DEATH_STRUCT(ppoll64(fds.few, 3, 0, nullptr));
448 }
449 }
450
FORTIFY_TEST(socket)451 FORTIFY_TEST(socket) {
452 {
453 char small_buffer[8];
454 // expected-error@+1{{size bigger than buffer}}
455 EXPECT_FORTIFY_DEATH(recv(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
456 // expected-error@+1{{size bigger than buffer}}
457 EXPECT_FORTIFY_DEATH(recvfrom(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
458
459 // expected-error@+1{{size bigger than buffer}}
460 EXPECT_FORTIFY_DEATH(send(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
461 // expected-error@+1{{size bigger than buffer}}
462 EXPECT_FORTIFY_DEATH(sendto(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
463 }
464
465 {
466 struct {
467 char tiny_buffer[4];
468 char tiny_buffer2;
469 } split = {};
470
471 EXPECT_NO_DEATH(recv(kBogusFD, split.tiny_buffer, sizeof(split), 0));
472 EXPECT_NO_DEATH(recvfrom(kBogusFD, split.tiny_buffer, sizeof(split), 0, 0, 0));
473 }
474 }
475
FORTIFY_TEST(sys_stat)476 FORTIFY_TEST(sys_stat) {
477 // expected-error@+1{{'umask' called with invalid mode}}
478 EXPECT_FORTIFY_DEATH(umask(01777));
479 }
480
FORTIFY_TEST(stdio)481 FORTIFY_TEST(stdio) {
482 char small_buffer[8] = {};
483 {
484 // expected-error@+1{{size argument is too large}}
485 EXPECT_FORTIFY_DEATH(snprintf(small_buffer, sizeof(small_buffer) + 1, ""));
486
487 va_list va;
488 // expected-error@+2{{size argument is too large}}
489 // expected-warning@+1{{format string is empty}}
490 EXPECT_FORTIFY_DEATH(vsnprintf(small_buffer, sizeof(small_buffer) + 1, "", va));
491
492 const char *SOMETIMES_CONST format_string = "aaaaaaaaa";
493
494 // expected-error@+1{{format string will always overflow}}
495 EXPECT_FORTIFY_DEATH(sprintf(small_buffer, format_string));
496 }
497
498 // expected-error@+1{{size should not be negative}}
499 EXPECT_FORTIFY_DEATH(fgets(small_buffer, -1, stdin));
500 // expected-error@+1{{size is larger than the destination buffer}}
501 EXPECT_FORTIFY_DEATH(fgets(small_buffer, sizeof(small_buffer) + 1, stdin));
502
503 // expected-error@+1{{size * count overflows}}
504 EXPECT_NO_DEATH(fread(small_buffer, 2, (size_t)-1, stdin));
505 // expected-error@+1{{size * count is too large for the given buffer}}
506 EXPECT_FORTIFY_DEATH(fread(small_buffer, 1, sizeof(small_buffer) + 1, stdin));
507
508 // expected-error@+1{{size * count overflows}}
509 EXPECT_NO_DEATH(fwrite(small_buffer, 2, (size_t)-1, stdout));
510 // expected-error@+1{{size * count is too large for the given buffer}}
511 EXPECT_FORTIFY_DEATH(fwrite(small_buffer, 1, sizeof(small_buffer) + 1, stdout));
512 }
513
FORTIFY_TEST(unistd)514 FORTIFY_TEST(unistd) {
515 char small_buffer[8];
516
517 // Return value warnings are (sort of) a part of FORTIFY, so we don't ignore them.
518 #if 0
519 // expected-error@+2{{ignoring return value of function}}
520 #endif
521 // expected-error@+1{{bytes overflows the given object}}
522 EXPECT_FORTIFY_DEATH(read(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
523 #if 0
524 // expected-error@+2{{ignoring return value of function}}
525 #endif
526 // expected-error@+1{{bytes overflows the given object}}
527 EXPECT_FORTIFY_DEATH(pread(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
528 #if 0
529 // expected-error@+2{{ignoring return value of function}}
530 #endif
531 // expected-error@+1{{bytes overflows the given object}}
532 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
533 #if 0
534 // expected-error@+2{{ignoring return value of function}}
535 #endif
536 // expected-error@+1{{bytes overflows the given object}}
537 EXPECT_FORTIFY_DEATH(write(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
538 #if 0
539 // expected-error@+2{{ignoring return value of function}}
540 #endif
541 // expected-error@+1{{bytes overflows the given object}}
542 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
543 #if 0
544 // expected-error@+2{{ignoring return value of function}}
545 #endif
546 // expected-error@+1{{bytes overflows the given object}}
547 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
548 #if 0
549 // expected-error@+2{{ignoring return value of function}}
550 #endif
551 // expected-error@+1{{bytes overflows the given object}}
552 EXPECT_FORTIFY_DEATH(readlink("/", small_buffer, sizeof(small_buffer) + 1));
553 #if 0
554 // expected-error@+2{{ignoring return value of function}}
555 #endif
556 // expected-error@+1{{bytes overflows the given object}}
557 EXPECT_FORTIFY_DEATH(getcwd(small_buffer, sizeof(small_buffer) + 1));
558
559 // getcwd allocates and returns a buffer if you pass null to getcwd
560 EXPECT_NO_DEATH(getcwd(nullptr, 0));
561 EXPECT_NO_DEATH(getcwd(nullptr, 4096));
562
563 struct {
564 char tiny_buffer[4];
565 char tiny_buffer2[4];
566 } split;
567
568 EXPECT_NO_DEATH(read(kBogusFD, split.tiny_buffer, sizeof(split)));
569 EXPECT_NO_DEATH(pread(kBogusFD, split.tiny_buffer, sizeof(split), 0));
570 EXPECT_NO_DEATH(pread64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
571 EXPECT_NO_DEATH(write(kBogusFD, split.tiny_buffer, sizeof(split)));
572 EXPECT_NO_DEATH(pwrite(kBogusFD, split.tiny_buffer, sizeof(split), 0));
573 EXPECT_NO_DEATH(pwrite64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
574
575 #if _FORTIFY_SOURCE > 1
576 // expected-error@+2{{bytes overflows the given object}}
577 #endif
578 EXPECT_FORTIFY_DEATH_STRUCT(readlink("/", split.tiny_buffer, sizeof(split)));
579 #if _FORTIFY_SOURCE > 1
580 // expected-error@+2{{bytes overflows the given object}}
581 #endif
582 EXPECT_FORTIFY_DEATH_STRUCT(getcwd(split.tiny_buffer, sizeof(split)));
583
584 {
585 char* volatile unknown = small_buffer;
586 const size_t count = static_cast<size_t>(SSIZE_MAX) + 1;
587 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
588 EXPECT_FORTIFY_DEATH(read(kBogusFD, unknown, count));
589 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
590 EXPECT_FORTIFY_DEATH(pread(kBogusFD, unknown, count, 0));
591 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
592 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, unknown, count, 0));
593 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
594 EXPECT_FORTIFY_DEATH(write(kBogusFD, unknown, count));
595 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
596 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, unknown, count, 0));
597 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
598 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, unknown, count, 0));
599 }
600 }
601
602 #endif // defined(__BIONIC__)
603