1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stdint.h>
6 #include <stdio.h>
7
8 #include <limits>
9 #include <memory>
10 #include <sstream>
11 #include <string>
12
13 #include "base/memory/raw_ptr.h"
14 #include "base/run_loop.h"
15 #include "base/strings/utf_string_conversions.h"
16 #include "base/threading/platform_thread.h"
17 #include "build/build_config.h"
18 #include "ipc/ipc_test_base.h"
19 #include "testing/gtest/include/gtest/gtest.h"
20
21 // IPC messages for testing ----------------------------------------------------
22
23 #define IPC_MESSAGE_IMPL
24 #include "ipc/ipc_message_macros.h"
25 #include "ipc/ipc_message_start.h"
26
27 #define IPC_MESSAGE_START TestMsgStart
28
29 // Generic message class that is an int followed by a string16.
30 IPC_MESSAGE_CONTROL2(MsgClassIS, int, std::u16string)
31
32 // Generic message class that is a string16 followed by an int.
33 IPC_MESSAGE_CONTROL2(MsgClassSI, std::u16string, int)
34
35 // Message to create a mutex in the IPC server, using the received name.
36 IPC_MESSAGE_CONTROL2(MsgDoMutex, std::u16string, int)
37
38 // Used to generate an ID for a message that should not exist.
39 IPC_MESSAGE_CONTROL0(MsgUnhandled)
40
41 // -----------------------------------------------------------------------------
42
43 namespace {
44
TEST(IPCMessageIntegrity,ReadBeyondBufferStr)45 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
46 // This was BUG 984408.
47 uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
48 int v2 = 666;
49 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
50 m.WriteInt(v1);
51 m.WriteInt(v2);
52
53 base::PickleIterator iter(m);
54 std::string vs;
55 EXPECT_FALSE(iter.ReadString(&vs));
56 }
57
TEST(IPCMessageIntegrity,ReadBeyondBufferStr16)58 TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
59 // This was BUG 984408.
60 uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
61 int v2 = 777;
62 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
63 m.WriteInt(v1);
64 m.WriteInt(v2);
65
66 base::PickleIterator iter(m);
67 std::u16string vs;
68 EXPECT_FALSE(iter.ReadString16(&vs));
69 }
70
TEST(IPCMessageIntegrity,ReadBytesBadIterator)71 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
72 // This was BUG 1035467.
73 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
74 m.WriteInt(1);
75 m.WriteInt(2);
76
77 base::PickleIterator iter(m);
78 const char* data = nullptr;
79 EXPECT_TRUE(iter.ReadBytes(&data, sizeof(int)));
80 }
81
TEST(IPCMessageIntegrity,ReadVectorNegativeSize)82 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
83 // A slight variation of BUG 984408. Note that the pickling of vector<char>
84 // has a specialized template which is not vulnerable to this bug. So here
85 // try to hit the non-specialized case vector<P>.
86 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
87 m.WriteInt(-1); // This is the count of elements.
88 m.WriteInt(1);
89 m.WriteInt(2);
90 m.WriteInt(3);
91
92 std::vector<double> vec;
93 base::PickleIterator iter(m);
94 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
95 }
96
97 #if BUILDFLAG(IS_ANDROID)
98 #define MAYBE_ReadVectorTooLarge1 DISABLED_ReadVectorTooLarge1
99 #else
100 #define MAYBE_ReadVectorTooLarge1 ReadVectorTooLarge1
101 #endif
TEST(IPCMessageIntegrity,MAYBE_ReadVectorTooLarge1)102 TEST(IPCMessageIntegrity, MAYBE_ReadVectorTooLarge1) {
103 // This was BUG 1006367. This is the large but positive length case. Again
104 // we try to hit the non-specialized case vector<P>.
105 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
106 m.WriteInt(0x21000003); // This is the count of elements.
107 m.WriteInt64(1);
108 m.WriteInt64(2);
109
110 std::vector<int64_t> vec;
111 base::PickleIterator iter(m);
112 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
113 }
114
TEST(IPCMessageIntegrity,ReadVectorTooLarge2)115 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
116 // This was BUG 1006367. This is the large but positive with an additional
117 // integer overflow when computing the actual byte size. Again we try to hit
118 // the non-specialized case vector<P>.
119 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
120 m.WriteInt(0x71000000); // This is the count of elements.
121 m.WriteInt64(1);
122 m.WriteInt64(2);
123
124 std::vector<int64_t> vec;
125 base::PickleIterator iter(m);
126 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
127 }
128
129 // This test needs ~20 seconds in Debug mode, or ~4 seconds in Release mode.
130 // See http://crbug.com/741866 for details.
TEST(IPCMessageIntegrity,DISABLED_ReadVectorTooLarge3)131 TEST(IPCMessageIntegrity, DISABLED_ReadVectorTooLarge3) {
132 base::Pickle pickle;
133 IPC::WriteParam(&pickle, 256 * 1024 * 1024);
134 IPC::WriteParam(&pickle, 0);
135 IPC::WriteParam(&pickle, 1);
136 IPC::WriteParam(&pickle, 2);
137
138 base::PickleIterator iter(pickle);
139 std::vector<int> vec;
140 EXPECT_FALSE(IPC::ReadParam(&pickle, &iter, &vec));
141 }
142
143 class SimpleListener : public IPC::Listener {
144 public:
SimpleListener()145 SimpleListener() : other_(nullptr) {}
Init(IPC::Sender * s)146 void Init(IPC::Sender* s) {
147 other_ = s;
148 }
149 protected:
150 raw_ptr<IPC::Sender, DanglingUntriaged> other_;
151 };
152
153 enum {
154 FUZZER_ROUTING_ID = 5
155 };
156
157 // The fuzzer server class. It runs in a child process and expects
158 // only two IPC calls; after that it exits the message loop which
159 // terminates the child process.
160 class FuzzerServerListener : public SimpleListener {
161 public:
FuzzerServerListener()162 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
163 }
OnMessageReceived(const IPC::Message & msg)164 bool OnMessageReceived(const IPC::Message& msg) override {
165 if (msg.routing_id() == MSG_ROUTING_CONTROL) {
166 ++pending_messages_;
167 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
168 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
169 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
170 IPC_END_MESSAGE_MAP()
171 if (pending_messages_) {
172 // Probably a problem de-serializing the message.
173 ReplyMsgNotHandled(msg.type());
174 }
175 }
176 return true;
177 }
178
179 private:
OnMsgClassISMessage(int value,const std::u16string & text)180 void OnMsgClassISMessage(int value, const std::u16string& text) {
181 UseData(MsgClassIS::ID, value, text);
182 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
183 Cleanup();
184 }
185
OnMsgClassSIMessage(const std::u16string & text,int value)186 void OnMsgClassSIMessage(const std::u16string& text, int value) {
187 UseData(MsgClassSI::ID, value, text);
188 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
189 Cleanup();
190 }
191
RoundtripAckReply(int routing,uint32_t type_id,int reply)192 bool RoundtripAckReply(int routing, uint32_t type_id, int reply) {
193 IPC::Message* message = new IPC::Message(routing, type_id,
194 IPC::Message::PRIORITY_NORMAL);
195 message->WriteInt(reply + 1);
196 message->WriteInt(reply);
197 return other_->Send(message);
198 }
199
Cleanup()200 void Cleanup() {
201 --message_count_;
202 --pending_messages_;
203 if (0 == message_count_)
204 base::RunLoop::QuitCurrentWhenIdleDeprecated();
205 }
206
ReplyMsgNotHandled(uint32_t type_id)207 void ReplyMsgNotHandled(uint32_t type_id) {
208 RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
209 Cleanup();
210 }
211
UseData(int caller,int value,const std::u16string & text)212 void UseData(int caller, int value, const std::u16string& text) {
213 std::ostringstream os;
214 os << "IPC fuzzer:" << caller << " [" << value << " "
215 << base::UTF16ToUTF8(text) << "]\n";
216 std::string output = os.str();
217 LOG(WARNING) << output;
218 }
219
220 int message_count_;
221 int pending_messages_;
222 };
223
224 class FuzzerClientListener : public SimpleListener {
225 public:
226 FuzzerClientListener() = default;
227
OnMessageReceived(const IPC::Message & msg)228 bool OnMessageReceived(const IPC::Message& msg) override {
229 last_msg_ = std::make_unique<IPC::Message>(msg);
230 base::RunLoop::QuitCurrentWhenIdleDeprecated();
231 return true;
232 }
233
ExpectMessage(int value,uint32_t type_id)234 bool ExpectMessage(int value, uint32_t type_id) {
235 if (!MsgHandlerInternal(type_id))
236 return false;
237 int msg_value1 = 0;
238 int msg_value2 = 0;
239 base::PickleIterator iter(*last_msg_);
240 if (!iter.ReadInt(&msg_value1))
241 return false;
242 if (!iter.ReadInt(&msg_value2))
243 return false;
244 if ((msg_value2 + 1) != msg_value1)
245 return false;
246 if (msg_value2 != value)
247 return false;
248 last_msg_.reset();
249 return true;
250 }
251
ExpectMsgNotHandled(uint32_t type_id)252 bool ExpectMsgNotHandled(uint32_t type_id) {
253 return ExpectMessage(type_id, MsgUnhandled::ID);
254 }
255
256 private:
MsgHandlerInternal(uint32_t type_id)257 bool MsgHandlerInternal(uint32_t type_id) {
258 base::RunLoop().Run();
259 if (!last_msg_)
260 return false;
261 if (FUZZER_ROUTING_ID != last_msg_->routing_id())
262 return false;
263 return (type_id == last_msg_->type());
264 }
265
266 std::unique_ptr<IPC::Message> last_msg_;
267 };
268
269 // Runs the fuzzing server child mode. Returns when the preset number of
270 // messages have been received.
DEFINE_IPC_CHANNEL_MOJO_TEST_CLIENT(FuzzServerClient)271 DEFINE_IPC_CHANNEL_MOJO_TEST_CLIENT(FuzzServerClient) {
272 FuzzerServerListener listener;
273 Connect(&listener);
274 listener.Init(channel());
275 base::RunLoop().Run();
276 Close();
277 }
278
279 using IPCFuzzingTest = IPCChannelMojoTestBase;
280
281 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
282 // are working properly by generating two well formed IPC calls.
TEST_F(IPCFuzzingTest,SanityTest)283 TEST_F(IPCFuzzingTest, SanityTest) {
284 Init("FuzzServerClient");
285
286 FuzzerClientListener listener;
287 CreateChannel(&listener);
288 listener.Init(channel());
289 ASSERT_TRUE(ConnectChannel());
290
291 IPC::Message* msg = nullptr;
292 int value = 43;
293 msg = new MsgClassIS(value, u"expect 43");
294 sender()->Send(msg);
295 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));
296
297 msg = new MsgClassSI(u"expect 44", ++value);
298 sender()->Send(msg);
299 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
300
301 EXPECT_TRUE(WaitForClientShutdown());
302 DestroyChannel();
303 }
304
305 // This test uses a payload that is smaller than expected. This generates an
306 // error while unpacking the IPC buffer. Right after we generate another valid
307 // IPC to make sure framing is working properly.
TEST_F(IPCFuzzingTest,MsgBadPayloadShort)308 TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
309 Init("FuzzServerClient");
310
311 FuzzerClientListener listener;
312 CreateChannel(&listener);
313 listener.Init(channel());
314 ASSERT_TRUE(ConnectChannel());
315
316 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
317 IPC::Message::PRIORITY_NORMAL);
318 msg->WriteInt(666);
319 sender()->Send(msg);
320 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
321
322 msg = new MsgClassSI(u"expect one", 1);
323 sender()->Send(msg);
324 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
325
326 EXPECT_TRUE(WaitForClientShutdown());
327 DestroyChannel();
328 }
329
330 // This test uses a payload that has too many arguments, but so the payload size
331 // is big enough so the unpacking routine does not generate an error as in the
332 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
333 // as by design we don't carry type information on the IPC message.
TEST_F(IPCFuzzingTest,MsgBadPayloadArgs)334 TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
335 Init("FuzzServerClient");
336
337 FuzzerClientListener listener;
338 CreateChannel(&listener);
339 listener.Init(channel());
340 ASSERT_TRUE(ConnectChannel());
341
342 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
343 IPC::Message::PRIORITY_NORMAL);
344 msg->WriteString16(u"d");
345 msg->WriteInt(0);
346 msg->WriteInt(0x65); // Extra argument.
347
348 sender()->Send(msg);
349 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
350
351 // Now send a well formed message to make sure the receiver wasn't
352 // thrown out of sync by the extra argument.
353 msg = new MsgClassIS(3, u"expect three");
354 sender()->Send(msg);
355 EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
356
357 EXPECT_TRUE(WaitForClientShutdown());
358 DestroyChannel();
359 }
360
361 } // namespace
362