1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #ifndef __clang__
18 #error "Non-clang isn't supported"
19 #endif
20
21 //
22 // Clang compile-time and run-time tests for Bionic's FORTIFY.
23 //
24
25 // This file is compiled in two configurations to give us reasonable coverage of clang's
26 // FORTIFY implementation:
27 //
28 // 1. For compile-time checks, we use clang's diagnostic consumer
29 // (https://clang.llvm.org/doxygen/classclang_1_1VerifyDiagnosticConsumer.html#details)
30 // to check diagnostics (e.g. the expected-* comments everywhere).
31 //
32 // 2. For run-time checks, we build and run as regular gtests.
33
34 // Note that these tests do things like leaking memory. That's WAI.
35
36 //
37 // Configuration for the compile-time checks. (These comments have side effects!)
38 //
39 // Silence all "from 'diagnose_if'" `note`s from anywhere, including headers; they're uninteresting
40 // for this test case, and their line numbers may change over time.
41 // expected-note@* 0+{{from 'diagnose_if'}}
42 //
43 // Similarly, there are a few overload tricks we have to emit errors. Ignore any notes from those.
44 // expected-note@* 0+{{candidate function}}
45 //
46 // And finally, all explicitly-unavailable-here complaints from headers are
47 // uninteresting
48 // expected-note@* 0+{{has been explicitly marked unavailable here}}
49 //
50 // Note that some of these diagnostics come from clang itself, while others come from
51 // `diagnose_if`s sprinkled throughout Bionic.
52
53 #ifndef _FORTIFY_SOURCE
54 #error "_FORTIFY_SOURCE must be defined"
55 #endif
56
57 #include <sys/cdefs.h>
58
59 // This is a test specifically of bionic's FORTIFY machinery. Other stdlibs need not apply.
60 #ifndef __BIONIC__
61 // expected-no-diagnostics
62 #else
63
64 // As alluded to above, we're going to be doing some obviously very broken things in this file.
65 // FORTIFY helpfully flags a lot of it at compile-time, but we want it to *actually* crash, too. So
66 // let's wipe out any build-time errors.
67 #ifndef COMPILATION_TESTS
68 #undef __clang_error_if
69 #define __clang_error_if(...)
70 #undef __clang_warning_if
71 #define __clang_warning_if(...)
72 #pragma clang diagnostic ignored "-Wfortify-source"
73
74 // SOMETIMES_CONST allows clang to emit eager diagnostics when we're doing compilation tests, but
75 // blocks them otherwise. This is needed for diagnostics emitted with __enable_if.
76 #define SOMETIMES_CONST volatile
77 #else
78 #define SOMETIMES_CONST const
79 #endif
80
81 #include <err.h>
82 #include <fcntl.h>
83 #include <limits.h>
84 #include <poll.h>
85 #include <signal.h>
86 #include <stdio.h>
87 #include <stdlib.h>
88 #include <string.h>
89 #include <sys/socket.h>
90 #include <sys/stat.h>
91 #include <sys/wait.h>
92 #include <syslog.h>
93 #include <unistd.h>
94 #include <wchar.h>
95
96 #ifndef COMPILATION_TESTS
97 #include <android-base/silent_death_test.h>
98 #include <gtest/gtest.h>
99
100 #define CONCAT2(x, y) x##y
101 #define CONCAT(x, y) CONCAT2(x, y)
102 #define FORTIFY_TEST_NAME CONCAT(CONCAT(clang_fortify_test_, _FORTIFY_SOURCE), _DeathTest)
103
104 using FORTIFY_TEST_NAME = SilentDeathTest;
105
106 template <typename Fn>
ExitAfter(Fn && f)107 __attribute__((noreturn)) static void ExitAfter(Fn&& f) {
108 f();
109 // No need to tear things down; our parent process should handle that.
110 _exit(0);
111 }
112
113 // In any case (including failing tests), we always want to die after this.
114 #define DIE_WITH(expr, cond, regex) EXPECT_EXIT(ExitAfter([&] { (expr); }), cond, regex)
115
116 // EXPECT_NO_DEATH forks so that the test remains alive on a bug, and so that the environment
117 // doesn't get modified on no bug. (Environment modification is especially tricky to deal with given
118 // the *_STRUCT variants below.)
119 #define EXPECT_NO_DEATH(expr) DIE_WITH(expr, testing::ExitedWithCode(0), "")
120 #define EXPECT_FORTIFY_DEATH(expr) DIE_WITH(expr, testing::KilledBySignal(SIGABRT), "FORTIFY")
121 // Expecting death, but only if we're doing a "strict" struct-checking mode.
122 #if _FORTIFY_SOURCE > 1
123 #define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
124 #else
125 #define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_NO_DEATH
126 #endif
127
128 #define FORTIFY_TEST(test_name) TEST_F(FORTIFY_TEST_NAME, test_name)
129
130 #else // defined(COMPILATION_TESTS)
131
132 #define EXPECT_NO_DEATH(expr) expr
133 #define EXPECT_FORTIFY_DEATH(expr) expr
134 #define EXPECT_FORTIFY_DEATH_STRUCT EXPECT_FORTIFY_DEATH
135 #define FORTIFY_TEST(test_name) void test_name()
136 #endif
137
138 const static int kBogusFD = -1;
139
FORTIFY_TEST(string)140 FORTIFY_TEST(string) {
141 char small_buffer[8] = {};
142
143 {
144 char large_buffer[sizeof(small_buffer) + 1] = {};
145 // expected-error@+1{{will always overflow}}
146 EXPECT_FORTIFY_DEATH(memcpy(small_buffer, large_buffer, sizeof(large_buffer)));
147 // expected-error@+1{{will always overflow}}
148 EXPECT_FORTIFY_DEATH(memmove(small_buffer, large_buffer, sizeof(large_buffer)));
149 // FIXME(gbiv): look into removing mempcpy's diagnose_if bits once the b/149839606 roll sticks.
150 // expected-error@+2{{will always overflow}}
151 // expected-error@+1{{size bigger than buffer}}
152 EXPECT_FORTIFY_DEATH(mempcpy(small_buffer, large_buffer, sizeof(large_buffer)));
153 // expected-error@+1{{will always overflow}}
154 EXPECT_FORTIFY_DEATH(memset(small_buffer, 0, sizeof(large_buffer)));
155 // expected-warning@+1{{arguments got flipped?}}
156 EXPECT_NO_DEATH(memset(small_buffer, sizeof(small_buffer), 0));
157 // expected-error@+1{{size bigger than buffer}}
158 EXPECT_FORTIFY_DEATH(bcopy(large_buffer, small_buffer, sizeof(large_buffer)));
159 // expected-error@+1{{size bigger than buffer}}
160 EXPECT_FORTIFY_DEATH(bzero(small_buffer, sizeof(large_buffer)));
161 }
162
163 {
164 const char large_string[] = "Hello!!!";
165 static_assert(sizeof(large_string) > sizeof(small_buffer), "");
166
167 #if __clang_major__ > 13
168 // expected-error@+3{{will always overflow}}
169 #endif
170 // expected-error@+1{{string bigger than buffer}}
171 EXPECT_FORTIFY_DEATH(strcpy(small_buffer, large_string));
172 // expected-error@+1{{string bigger than buffer}}
173 EXPECT_FORTIFY_DEATH(stpcpy(small_buffer, large_string));
174 // expected-error@+1{{size argument is too large}}
175 EXPECT_FORTIFY_DEATH(strncpy(small_buffer, large_string, sizeof(large_string)));
176 // expected-error@+1{{size argument is too large}}
177 EXPECT_FORTIFY_DEATH(stpncpy(small_buffer, large_string, sizeof(large_string)));
178 // expected-error@+1{{string bigger than buffer}}
179 EXPECT_FORTIFY_DEATH(strcat(small_buffer, large_string));
180 // expected-error@+1{{size argument is too large}}
181 EXPECT_FORTIFY_DEATH(strncat(small_buffer, large_string, sizeof(large_string)));
182 // expected-error@+1{{size bigger than buffer}}
183 EXPECT_FORTIFY_DEATH(strlcpy(small_buffer, large_string, sizeof(large_string)));
184 // expected-error@+1{{size bigger than buffer}}
185 EXPECT_FORTIFY_DEATH(strlcat(small_buffer, large_string, sizeof(large_string)));
186 }
187
188 {
189 struct {
190 char tiny_buffer[4];
191 char tiny_buffer2[4];
192 } split = {};
193
194 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
195 EXPECT_NO_DEATH(memcpy(split.tiny_buffer, &split, sizeof(split)));
196 EXPECT_NO_DEATH(memmove(split.tiny_buffer, &split, sizeof(split)));
197 EXPECT_NO_DEATH(mempcpy(split.tiny_buffer, &split, sizeof(split)));
198 EXPECT_NO_DEATH(memset(split.tiny_buffer, 0, sizeof(split)));
199
200 EXPECT_NO_DEATH(bcopy(&split, split.tiny_buffer, sizeof(split)));
201 EXPECT_NO_DEATH(bzero(split.tiny_buffer, sizeof(split)));
202
203 const char small_string[] = "Hi!!";
204 static_assert(sizeof(small_string) > sizeof(split.tiny_buffer), "");
205
206 #if _FORTIFY_SOURCE > 1
207 #if __clang_major__ > 13
208 // expected-error@+4{{will always overflow}}
209 #endif
210 // expected-error@+2{{string bigger than buffer}}
211 #endif
212 EXPECT_FORTIFY_DEATH_STRUCT(strcpy(split.tiny_buffer, small_string));
213
214 #if _FORTIFY_SOURCE > 1
215 // expected-error@+2{{string bigger than buffer}}
216 #endif
217 EXPECT_FORTIFY_DEATH_STRUCT(stpcpy(split.tiny_buffer, small_string));
218
219 #if _FORTIFY_SOURCE > 1
220 // expected-error@+2{{size argument is too large}}
221 #endif
222 EXPECT_FORTIFY_DEATH_STRUCT(strncpy(split.tiny_buffer, small_string, sizeof(small_string)));
223
224 #if _FORTIFY_SOURCE > 1
225 // expected-error@+2{{size argument is too large}}
226 #endif
227 EXPECT_FORTIFY_DEATH_STRUCT(stpncpy(split.tiny_buffer, small_string, sizeof(small_string)));
228
229 #if _FORTIFY_SOURCE > 1
230 // expected-error@+2{{string bigger than buffer}}
231 #endif
232 EXPECT_FORTIFY_DEATH_STRUCT(strcat(split.tiny_buffer, small_string));
233
234 #if _FORTIFY_SOURCE > 1
235 // expected-error@+2{{size argument is too large}}
236 #endif
237 EXPECT_FORTIFY_DEATH_STRUCT(strncat(split.tiny_buffer, small_string, sizeof(small_string)));
238
239 #if _FORTIFY_SOURCE > 1
240 // expected-error@+2{{size bigger than buffer}}
241 #endif
242 EXPECT_FORTIFY_DEATH_STRUCT(strlcat(split.tiny_buffer, small_string, sizeof(small_string)));
243
244 #if _FORTIFY_SOURCE > 1
245 // expected-error@+2{{size bigger than buffer}}
246 #endif
247 EXPECT_FORTIFY_DEATH_STRUCT(strlcpy(split.tiny_buffer, small_string, sizeof(small_string)));
248 }
249 }
250
FORTIFY_TEST(fcntl)251 FORTIFY_TEST(fcntl) {
252 const char target[] = "/dev/null";
253 int dirfd = 0;
254
255 // These all emit hard errors without diagnose_if, so running them is a bit
256 // more involved.
257 #ifdef COMPILATION_TESTS
258 // expected-error@+1{{too many arguments}}
259 open("/", 0, 0, 0);
260 // expected-error@+1{{too many arguments}}
261 open64("/", 0, 0, 0);
262 // expected-error@+1{{too many arguments}}
263 openat(0, "/", 0, 0, 0);
264 // expected-error@+1{{too many arguments}}
265 openat64(0, "/", 0, 0, 0);
266 #endif
267
268 // expected-error@+1{{missing mode}}
269 EXPECT_FORTIFY_DEATH(open(target, O_CREAT));
270 // expected-error@+1{{missing mode}}
271 EXPECT_FORTIFY_DEATH(open(target, O_TMPFILE));
272 // expected-error@+1{{missing mode}}
273 EXPECT_FORTIFY_DEATH(open64(target, O_CREAT));
274 // expected-error@+1{{missing mode}}
275 EXPECT_FORTIFY_DEATH(open64(target, O_TMPFILE));
276 // expected-error@+1{{missing mode}}
277 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_CREAT));
278 // expected-error@+1{{missing mode}}
279 EXPECT_FORTIFY_DEATH(openat(dirfd, target, O_TMPFILE));
280 // expected-error@+1{{missing mode}}
281 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_CREAT));
282 // expected-error@+1{{missing mode}}
283 EXPECT_FORTIFY_DEATH(openat64(dirfd, target, O_TMPFILE));
284
285 // expected-warning@+1{{superfluous mode bits}}
286 EXPECT_NO_DEATH(open(target, O_RDONLY, 0777));
287 // expected-warning@+1{{superfluous mode bits}}
288 EXPECT_NO_DEATH(open64(target, O_RDONLY, 0777));
289 // expected-warning@+1{{superfluous mode bits}}
290 EXPECT_NO_DEATH(openat(dirfd, target, O_RDONLY, 0777));
291 // expected-warning@+1{{superfluous mode bits}}
292 EXPECT_NO_DEATH(openat64(dirfd, target, O_RDONLY, 0777));
293 }
294
295 // Since these emit hard errors, it's sort of hard to run them...
296 #ifdef COMPILATION_TESTS
297 namespace compilation_tests {
298 template <typename T>
declval()299 static T declval() {
300 __builtin_unreachable();
301 }
302
testFormatStrings()303 static void testFormatStrings() {
304 const auto unsigned_value = declval<unsigned long long>();
305 const auto* unknown_string = declval<const char*>();
306 const auto va = *declval<va_list*>();
307
308 {
309 auto some_fd = declval<int>();
310 // expected-warning@+1{{format specifies type 'int'}}
311 dprintf(some_fd, "%d", unsigned_value);
312 // expected-warning@+1{{format string is not a string literal}}
313 dprintf(some_fd, unknown_string, unsigned_value);
314 // expected-warning@+1{{format string is not a string literal}}
315 vdprintf(1, unknown_string, va);
316 }
317
318 {
319 auto* retval = declval<char*>();
320 #if 0
321 // expected-error@+2{{ignoring return value}}
322 #endif
323 // expected-warning@+1{{format specifies type 'int'}}
324 asprintf(&retval, "%d", unsigned_value);
325 #if 0
326 // expected-error@+2{{ignoring return value}}
327 #endif
328 // expected-warning@+1{{format string is not a string literal}}
329 asprintf(&retval, unknown_string, unsigned_value);
330 #if 0
331 // expected-error@+2{{ignoring return value}}
332 #endif
333 // expected-warning@+1{{format string is not a string literal}}
334 vasprintf(&retval, unknown_string, va);
335 }
336
337 // expected-warning@+1{{format specifies type 'int'}}
338 syslog(0, "%d", unsigned_value);
339 // expected-warning@+1{{format string is not a string literal}}
340 syslog(0, unknown_string, unsigned_value);
341 // expected-warning@+1{{format string is not a string literal}}
342 vsyslog(0, unknown_string, va);
343
344 {
345 auto* file = declval<FILE*>();
346 // expected-warning@+1{{format specifies type 'int'}}
347 fprintf(file, "%d", unsigned_value);
348 // expected-warning@+1{{format string is not a string literal}}
349 fprintf(file, unknown_string, unsigned_value);
350 // expected-warning@+1{{format string is not a string literal}}
351 vfprintf(file, unknown_string, va);
352 }
353
354 // expected-warning@+1{{format specifies type 'int'}}
355 printf("%d", unsigned_value);
356 // expected-warning@+1{{format string is not a string literal}}
357 printf(unknown_string, unsigned_value);
358 // expected-warning@+1{{format string is not a string literal}}
359 vprintf(unknown_string, va);
360
361 {
362 char buf[128];
363 // expected-warning@+1{{format specifies type 'int'}}
364 sprintf(buf, "%d", unsigned_value);
365 // expected-warning@+1{{format string is not a string literal}}
366 sprintf(buf, unknown_string, unsigned_value);
367 // expected-warning@+1{{format string is not a string literal}}
368 sprintf(buf, unknown_string, va);
369
370 // expected-warning@+1{{format specifies type 'int'}}
371 snprintf(buf, sizeof(buf), "%d", unsigned_value);
372 // expected-warning@+1{{format string is not a string literal}}
373 snprintf(buf, sizeof(buf), unknown_string, unsigned_value);
374 // expected-warning@+1{{format string is not a string literal}}
375 vsnprintf(buf, sizeof(buf), unknown_string, va);
376 }
377
378 // FIXME: below are general format string cases where clang should probably try to warn.
379 {
380 char buf[4];
381 sprintf(buf, "%s", "1234");
382 sprintf(buf, "1%s4", "23");
383 sprintf(buf, "%d", 1234);
384
385 // Similar thoughts for strncpy, etc.
386 }
387 }
388
testStdlib()389 static void testStdlib() {
390 #pragma clang diagnostic push
391 #pragma clang diagnostic ignored "-Wnonnull"
392 char path_buffer[PATH_MAX - 1];
393 // expected-warning@+2{{ignoring return value of function}}
394 // expected-error@+1{{must be NULL or a pointer to a buffer with >= PATH_MAX bytes}}
395 realpath("/", path_buffer);
396 // expected-warning@+1{{ignoring return value of function}}
397 realpath("/", nullptr);
398
399 // expected-warning@+2{{ignoring return value of function}}
400 // expected-error@+1{{flipped arguments?}}
401 realpath(nullptr, path_buffer);
402
403 // expected-warning@+2{{ignoring return value of function}}
404 // expected-error@+1{{flipped arguments?}}
405 realpath(nullptr, nullptr);
406 #pragma clang diagnostic pop
407 }
408 } // namespace compilation_tests
409 #endif
410
FORTIFY_TEST(poll)411 FORTIFY_TEST(poll) {
412 int pipe_fds[2];
413 if (pipe(pipe_fds)) err(1, "pipe failed");
414
415 // after this, pipe_fds[0] should always report RDHUP
416 if (close(pipe_fds[1])) err(1, "close failed");
417
418 struct pollfd poll_fd = { pipe_fds[0], POLLRDHUP, 0 };
419 {
420 struct pollfd few_fds[] = { poll_fd, poll_fd };
421 // expected-error@+1{{fd_count is larger than the given buffer}}
422 EXPECT_FORTIFY_DEATH(poll(few_fds, 3, 0));
423 // expected-error@+1{{fd_count is larger than the given buffer}}
424 EXPECT_FORTIFY_DEATH(ppoll(few_fds, 3, 0, 0));
425 // expected-error@+1{{fd_count is larger than the given buffer}}
426 EXPECT_FORTIFY_DEATH(ppoll64(few_fds, 3, 0, nullptr));
427 }
428
429 {
430 struct {
431 struct pollfd few[2];
432 struct pollfd extra[1];
433 } fds = { { poll_fd, poll_fd }, { poll_fd } };
434 static_assert(sizeof(fds) >= sizeof(struct pollfd) * 3, "");
435
436 #if _FORTIFY_SOURCE > 1
437 // expected-error@+2{{fd_count is larger than the given buffer}}
438 #endif
439 EXPECT_FORTIFY_DEATH_STRUCT(poll(fds.few, 3, 0));
440
441 struct timespec timeout = {};
442 #if _FORTIFY_SOURCE > 1
443 // expected-error@+2{{fd_count is larger than the given buffer}}
444 #endif
445 EXPECT_FORTIFY_DEATH_STRUCT(ppoll(fds.few, 3, &timeout, 0));
446
447 #if _FORTIFY_SOURCE > 1
448 // expected-error@+2{{fd_count is larger than the given buffer}}
449 #endif
450 EXPECT_FORTIFY_DEATH_STRUCT(ppoll64(fds.few, 3, 0, nullptr));
451 }
452 }
453
FORTIFY_TEST(socket)454 FORTIFY_TEST(socket) {
455 {
456 char small_buffer[8];
457 // expected-error@+1{{size bigger than buffer}}
458 EXPECT_FORTIFY_DEATH(recv(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
459 // expected-error@+1{{size bigger than buffer}}
460 EXPECT_FORTIFY_DEATH(recvfrom(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
461
462 // expected-error@+1{{size bigger than buffer}}
463 EXPECT_FORTIFY_DEATH(send(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
464 // expected-error@+1{{size bigger than buffer}}
465 EXPECT_FORTIFY_DEATH(sendto(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0, 0, 0));
466 }
467
468 {
469 struct {
470 char tiny_buffer[4];
471 char tiny_buffer2;
472 } split = {};
473
474 EXPECT_NO_DEATH(recv(kBogusFD, split.tiny_buffer, sizeof(split), 0));
475 EXPECT_NO_DEATH(recvfrom(kBogusFD, split.tiny_buffer, sizeof(split), 0, 0, 0));
476 }
477 }
478
FORTIFY_TEST(sys_stat)479 FORTIFY_TEST(sys_stat) {
480 // expected-error@+1{{'umask' called with invalid mode}}
481 EXPECT_FORTIFY_DEATH(umask(01777));
482 }
483
FORTIFY_TEST(stdio)484 FORTIFY_TEST(stdio) {
485 char small_buffer[8] = {};
486 {
487 // expected-error@+1{{size argument is too large}}
488 EXPECT_FORTIFY_DEATH(snprintf(small_buffer, sizeof(small_buffer) + 1, ""));
489
490 va_list va;
491 // expected-error@+2{{size argument is too large}}
492 // expected-warning@+1{{format string is empty}}
493 EXPECT_FORTIFY_DEATH(vsnprintf(small_buffer, sizeof(small_buffer) + 1, "", va));
494
495 const char *SOMETIMES_CONST format_string = "aaaaaaaaa";
496
497 // expected-error@+1{{format string will always overflow}}
498 EXPECT_FORTIFY_DEATH(sprintf(small_buffer, format_string));
499 }
500
501 // expected-error@+1{{size should not be negative}}
502 EXPECT_FORTIFY_DEATH(fgets(small_buffer, -1, stdin));
503 // expected-error@+1{{size is larger than the destination buffer}}
504 EXPECT_FORTIFY_DEATH(fgets(small_buffer, sizeof(small_buffer) + 1, stdin));
505
506 // expected-error@+1{{size * count overflows}}
507 EXPECT_NO_DEATH(fread(small_buffer, 2, (size_t)-1, stdin));
508 // expected-error@+1{{size * count is too large for the given buffer}}
509 EXPECT_FORTIFY_DEATH(fread(small_buffer, 1, sizeof(small_buffer) + 1, stdin));
510
511 // expected-error@+1{{size * count overflows}}
512 EXPECT_NO_DEATH(fwrite(small_buffer, 2, (size_t)-1, stdout));
513 // expected-error@+1{{size * count is too large for the given buffer}}
514 EXPECT_FORTIFY_DEATH(fwrite(small_buffer, 1, sizeof(small_buffer) + 1, stdout));
515 }
516
FORTIFY_TEST(unistd)517 FORTIFY_TEST(unistd) {
518 char small_buffer[8];
519
520 // Return value warnings are (sort of) a part of FORTIFY, so we don't ignore them.
521 #if 0
522 // expected-error@+2{{ignoring return value of function}}
523 #endif
524 // expected-error@+1{{bytes overflows the given object}}
525 EXPECT_FORTIFY_DEATH(read(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
526 #if 0
527 // expected-error@+2{{ignoring return value of function}}
528 #endif
529 // expected-error@+1{{bytes overflows the given object}}
530 EXPECT_FORTIFY_DEATH(pread(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
531 #if 0
532 // expected-error@+2{{ignoring return value of function}}
533 #endif
534 // expected-error@+1{{bytes overflows the given object}}
535 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
536 #if 0
537 // expected-error@+2{{ignoring return value of function}}
538 #endif
539 // expected-error@+1{{bytes overflows the given object}}
540 EXPECT_FORTIFY_DEATH(write(kBogusFD, small_buffer, sizeof(small_buffer) + 1));
541 #if 0
542 // expected-error@+2{{ignoring return value of function}}
543 #endif
544 // expected-error@+1{{bytes overflows the given object}}
545 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
546 #if 0
547 // expected-error@+2{{ignoring return value of function}}
548 #endif
549 // expected-error@+1{{bytes overflows the given object}}
550 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, small_buffer, sizeof(small_buffer) + 1, 0));
551 #if 0
552 // expected-error@+2{{ignoring return value of function}}
553 #endif
554 // expected-error@+1{{bytes overflows the given object}}
555 EXPECT_FORTIFY_DEATH(readlink("/", small_buffer, sizeof(small_buffer) + 1));
556 #if 0
557 // expected-error@+2{{ignoring return value of function}}
558 #endif
559 // expected-error@+1{{bytes overflows the given object}}
560 EXPECT_FORTIFY_DEATH(getcwd(small_buffer, sizeof(small_buffer) + 1));
561
562 // getcwd allocates and returns a buffer if you pass null to getcwd
563 EXPECT_NO_DEATH(getcwd(nullptr, 0));
564 EXPECT_NO_DEATH(getcwd(nullptr, 4096));
565
566 struct {
567 char tiny_buffer[4];
568 char tiny_buffer2[4];
569 } split;
570
571 EXPECT_NO_DEATH(read(kBogusFD, split.tiny_buffer, sizeof(split)));
572 EXPECT_NO_DEATH(pread(kBogusFD, split.tiny_buffer, sizeof(split), 0));
573 EXPECT_NO_DEATH(pread64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
574 EXPECT_NO_DEATH(write(kBogusFD, split.tiny_buffer, sizeof(split)));
575 EXPECT_NO_DEATH(pwrite(kBogusFD, split.tiny_buffer, sizeof(split), 0));
576 EXPECT_NO_DEATH(pwrite64(kBogusFD, split.tiny_buffer, sizeof(split), 0));
577
578 #if _FORTIFY_SOURCE > 1
579 // expected-error@+2{{bytes overflows the given object}}
580 #endif
581 EXPECT_FORTIFY_DEATH_STRUCT(readlink("/", split.tiny_buffer, sizeof(split)));
582 #if _FORTIFY_SOURCE > 1
583 // expected-error@+2{{bytes overflows the given object}}
584 #endif
585 EXPECT_FORTIFY_DEATH_STRUCT(getcwd(split.tiny_buffer, sizeof(split)));
586
587 {
588 char* volatile unknown = small_buffer;
589 const size_t count = static_cast<size_t>(SSIZE_MAX) + 1;
590 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
591 EXPECT_FORTIFY_DEATH(read(kBogusFD, unknown, count));
592 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
593 EXPECT_FORTIFY_DEATH(pread(kBogusFD, unknown, count, 0));
594 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
595 EXPECT_FORTIFY_DEATH(pread64(kBogusFD, unknown, count, 0));
596 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
597 EXPECT_FORTIFY_DEATH(write(kBogusFD, unknown, count));
598 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
599 EXPECT_FORTIFY_DEATH(pwrite(kBogusFD, unknown, count, 0));
600 // expected-error@+1{{'count' must be <= SSIZE_MAX}}
601 EXPECT_FORTIFY_DEATH(pwrite64(kBogusFD, unknown, count, 0));
602 }
603 }
604
605 #endif // defined(__BIONIC__)
606