bionic/tests/buffer_tests.cpp
Christopher Ferris fdfcfce7c6 Fix over read in strcpy/stpcpy/strcat.
This bug will happen when these circumstances are met:

- Destination address & 0x7 == 1, strlen of src is 11, 12, 13.
- Destination address & 0x7 == 2, strlen of src is 10, 11, 12.
- Destination address & 0x7 == 3, strlen of src is 9, 10, 11.
- Destination address & 0x7 == 4, strlen of src is 8, 9, 10.

In these cases, the dest alignment code does a ldr which reads 4 bytes,
and it will read past the end of the source. In most cases, this is
probably benign, but if this crosses into a new page it could cause a
crash.

Fix the labels in the cortex-a9 strcat.

Modify the overread test to vary the dst alignment to expost this bug.
Also, shrink the strcat/strlcat overread cases since the dst alignment
variation increases the runtime too much.

Bug: 24345899
Change-Id: Ib34a559bfcebd89861985b29cae6c1e47b5b5855
2015-09-24 14:17:36 -07:00

453 lines
12 KiB
C++

/*
* Copyright (C) 2013 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <gtest/gtest.h>
#include "buffer_tests.h"
// For the comparison buffer tests, the maximum length to test for the
// miscompare checks.
#define MISCMP_MAX_LENGTH 512
#define FENCEPOST_LENGTH 8
static int g_single_aligns[][2] = {
// Both buffers at same alignment.
{ 1, 0 },
{ 2, 0 },
{ 4, 0 },
{ 8, 0 },
{ 16, 0 },
{ 32, 0 },
{ 64, 0 },
{ 128, 0 },
// General unaligned cases.
{ 4, 1 },
{ 4, 2 },
{ 4, 3 },
{ 8, 1 },
{ 8, 2 },
{ 8, 3 },
{ 8, 4 },
{ 8, 5 },
{ 8, 6 },
{ 8, 7 },
{ 128, 1 },
{ 128, 4 },
{ 128, 8 },
{ 128, 12 },
{ 128, 16 },
};
static const size_t g_single_aligns_len = sizeof(g_single_aligns)/sizeof(int[2]);
// Set of multiple buffer alignment combinations to be used for string/memory
// testing routines.
static int g_double_aligns[][4] = {
// Both buffers at same alignment.
{ 1, 0, 1, 0 },
{ 2, 0, 2, 0 },
{ 4, 0, 4, 0 },
{ 8, 0, 8, 0 },
{ 16, 0, 16, 0 },
{ 32, 0, 32, 0 },
{ 64, 0, 64, 0 },
{ 128, 0, 128, 0 },
// Different word alignments between buffers.
{ 8, 0, 4, 0 },
{ 4, 0, 8, 0 },
{ 16, 0, 4, 0 },
{ 4, 0, 16, 0 },
// General unaligned cases.
{ 4, 0, 4, 1 },
{ 4, 0, 4, 2 },
{ 4, 0, 4, 3 },
{ 4, 1, 4, 0 },
{ 4, 1, 4, 1 },
{ 4, 1, 4, 2 },
{ 4, 1, 4, 3 },
{ 4, 2, 4, 0 },
{ 4, 2, 4, 1 },
{ 4, 2, 4, 2 },
{ 4, 2, 4, 3 },
{ 4, 3, 4, 0 },
{ 4, 3, 4, 1 },
{ 4, 3, 4, 2 },
{ 4, 3, 4, 3 },
{ 8, 0, 8, 1 },
{ 8, 0, 8, 2 },
{ 8, 0, 8, 3 },
{ 8, 0, 8, 4 },
{ 8, 0, 8, 5 },
{ 8, 0, 8, 6 },
{ 8, 0, 8, 7 },
{ 8, 1, 8, 0 },
{ 8, 1, 8, 1 },
{ 8, 1, 8, 2 },
{ 8, 1, 8, 3 },
{ 8, 1, 8, 4 },
{ 8, 1, 8, 5 },
{ 8, 1, 8, 6 },
{ 8, 1, 8, 7 },
{ 8, 2, 8, 0 },
{ 8, 2, 8, 1 },
{ 8, 2, 8, 2 },
{ 8, 2, 8, 3 },
{ 8, 2, 8, 4 },
{ 8, 2, 8, 5 },
{ 8, 2, 8, 6 },
{ 8, 2, 8, 7 },
{ 8, 3, 8, 0 },
{ 8, 3, 8, 1 },
{ 8, 3, 8, 2 },
{ 8, 3, 8, 3 },
{ 8, 3, 8, 4 },
{ 8, 3, 8, 5 },
{ 8, 3, 8, 6 },
{ 8, 3, 8, 7 },
{ 8, 4, 8, 0 },
{ 8, 4, 8, 1 },
{ 8, 4, 8, 2 },
{ 8, 4, 8, 3 },
{ 8, 4, 8, 4 },
{ 8, 4, 8, 5 },
{ 8, 4, 8, 6 },
{ 8, 4, 8, 7 },
{ 8, 5, 8, 0 },
{ 8, 5, 8, 1 },
{ 8, 5, 8, 2 },
{ 8, 5, 8, 3 },
{ 8, 5, 8, 4 },
{ 8, 5, 8, 5 },
{ 8, 5, 8, 6 },
{ 8, 5, 8, 7 },
{ 8, 6, 8, 0 },
{ 8, 6, 8, 1 },
{ 8, 6, 8, 2 },
{ 8, 6, 8, 3 },
{ 8, 6, 8, 4 },
{ 8, 6, 8, 5 },
{ 8, 6, 8, 6 },
{ 8, 6, 8, 7 },
{ 8, 7, 8, 0 },
{ 8, 7, 8, 1 },
{ 8, 7, 8, 2 },
{ 8, 7, 8, 3 },
{ 8, 7, 8, 4 },
{ 8, 7, 8, 5 },
{ 8, 7, 8, 6 },
{ 8, 7, 8, 7 },
{ 128, 1, 128, 4 },
{ 128, 1, 128, 8 },
{ 128, 1, 128, 12 },
{ 128, 1, 128, 16 },
{ 128, 4, 128, 1 },
{ 128, 8, 128, 1 },
{ 128, 12, 128, 1 },
{ 128, 16, 128, 1 },
};
static const size_t g_double_aligns_len = sizeof(g_double_aligns)/sizeof(int[4]);
static size_t SetIncrement(size_t len) {
if (len >= 4096) {
return 1024;
} else if (len >= 1024) {
return 256;
}
return 1;
}
// Return a pointer into the current buffer with the specified alignment.
static void *GetAlignedPtr(void *orig_ptr, int alignment, int or_mask) {
uint64_t ptr = reinterpret_cast<uint64_t>(orig_ptr);
if (alignment > 0) {
// When setting the alignment, set it to exactly the alignment chosen.
// The pointer returned will be guaranteed not to be aligned to anything
// more than that.
ptr += alignment - (ptr & (alignment - 1));
ptr |= alignment | or_mask;
}
return reinterpret_cast<void*>(ptr);
}
static void SetFencepost(uint8_t *buffer) {
for (int i = 0; i < FENCEPOST_LENGTH; i += 2) {
buffer[i] = 0xde;
buffer[i+1] = 0xad;
}
}
static void VerifyFencepost(uint8_t *buffer) {
for (int i = 0; i < FENCEPOST_LENGTH; i += 2) {
if (buffer[i] != 0xde || buffer[i+1] != 0xad) {
uint8_t expected_value;
if (buffer[i] == 0xde) {
i++;
expected_value = 0xad;
} else {
expected_value = 0xde;
}
ASSERT_EQ(expected_value, buffer[i]);
}
}
}
void RunSingleBufferAlignTest(
size_t max_test_size, void (*test_func)(uint8_t*, size_t),
size_t (*set_incr)(size_t)) {
if (!set_incr) {
set_incr = SetIncrement;
}
// Allocate one large buffer with lots of extra space so that we can
// guarantee that the all possible alignments will fit.
uint8_t *buf = new uint8_t[3*max_test_size];
uint8_t *buf_align;
for (size_t i = 0; i < g_single_aligns_len; i++) {
size_t incr = 1;
for (size_t len = 0; len <= max_test_size; len += incr) {
incr = set_incr(len);
buf_align = reinterpret_cast<uint8_t*>(GetAlignedPtr(
buf+FENCEPOST_LENGTH, g_single_aligns[i][0], g_single_aligns[i][1]));
SetFencepost(&buf_align[-FENCEPOST_LENGTH]);
SetFencepost(&buf_align[len]);
test_func(buf_align, len);
VerifyFencepost(&buf_align[-FENCEPOST_LENGTH]);
VerifyFencepost(&buf_align[len]);
}
}
delete[] buf;
}
void RunSrcDstBufferAlignTest(
size_t max_test_size, void (*test_func)(uint8_t*, uint8_t*, size_t),
size_t (*set_incr)(size_t)) {
if (!set_incr) {
set_incr = SetIncrement;
}
// Allocate two large buffers for all of the testing.
uint8_t* src = new uint8_t[3*max_test_size];
uint8_t* dst = new uint8_t[3*max_test_size];
uint8_t* src_align;
uint8_t* dst_align;
for (size_t i = 0; i < g_double_aligns_len; i++) {
size_t incr = 1;
for (size_t len = 0; len <= max_test_size; len += incr) {
incr = set_incr(len);
src_align =
reinterpret_cast<uint8_t*>(GetAlignedPtr(
src+FENCEPOST_LENGTH, g_double_aligns[i][0], g_double_aligns[i][1]));
dst_align =
reinterpret_cast<uint8_t*>(GetAlignedPtr(
dst+FENCEPOST_LENGTH, g_double_aligns[i][2], g_double_aligns[i][3]));
SetFencepost(&dst_align[-FENCEPOST_LENGTH]);
SetFencepost(&dst_align[len]);
test_func(src_align, dst_align, len);
VerifyFencepost(&dst_align[-FENCEPOST_LENGTH]);
VerifyFencepost(&dst_align[len]);
}
}
delete[] src;
delete[] dst;
}
void RunCmpBufferAlignTest(
size_t max_test_size, void (*test_cmp_func)(uint8_t*, uint8_t*, size_t),
void (*test_miscmp_func)(uint8_t*, uint8_t*, size_t, size_t),
size_t (*set_incr)(size_t)) {
if (!set_incr) {
set_incr = SetIncrement;
}
// Allocate two large buffers for all of the testing.
uint8_t* buf1 = new uint8_t[3*max_test_size];
uint8_t* buf2 = new uint8_t[3*max_test_size];
uint8_t* buf1_align;
uint8_t* buf2_align;
for (size_t i = 0; i < g_double_aligns_len; i++) {
size_t incr = 1;
for (size_t len = 0; len <= max_test_size; len += incr) {
incr = set_incr(len);
buf1_align =
reinterpret_cast<uint8_t*>(GetAlignedPtr(
buf1, g_double_aligns[i][0], g_double_aligns[i][1]));
buf2_align =
reinterpret_cast<uint8_t*>(GetAlignedPtr(
buf2, g_double_aligns[i][2], g_double_aligns[i][3]));
// Check by putting all zeroes after both buffers.
memset(buf1_align+len, 0, 32);
memset(buf2_align+len, 0, 32);
test_cmp_func(buf1_align, buf2_align, len);
// Check by putting different values after both buffers.
for (size_t j = 0; j < 32; j++) {
buf1_align[len+j] = j;
buf2_align[len+j] = j+1;
}
test_cmp_func(buf1_align, buf2_align, len);
if (len > 0) {
// Change the lengths of the buffers and verify that there are
// miscompares.
for (size_t len2 = len+1; len2 < len+32; len2++) {
test_miscmp_func(buf1_align, buf2_align, len, len2);
test_miscmp_func(buf1_align, buf2_align, len2, len);
}
}
}
}
delete[] buf1;
delete[] buf2;
}
void RunSingleBufferOverreadTest(void (*test_func)(uint8_t*, size_t)) {
// In order to verify that functions are not reading past the end of the
// src, create data that ends exactly at an unreadable memory boundary.
size_t pagesize = static_cast<size_t>(sysconf(_SC_PAGE_SIZE));
uint8_t* memory;
ASSERT_TRUE(posix_memalign(reinterpret_cast<void**>(&memory), pagesize,
2*pagesize) == 0);
memset(memory, 0x23, 2*pagesize);
// Make the second page unreadable and unwritable.
ASSERT_TRUE(mprotect(&memory[pagesize], pagesize, PROT_NONE) == 0);
for (size_t i = 0; i < pagesize; i++) {
uint8_t* buf = &memory[pagesize-i];
test_func(buf, i);
}
ASSERT_TRUE(mprotect(&memory[pagesize], pagesize, PROT_READ | PROT_WRITE) == 0);
free(memory);
}
void RunSrcDstBufferOverreadTest(void (*test_func)(uint8_t*, uint8_t*, size_t)) {
// In order to verify that functions are not reading past the end of the
// src, create data that ends exactly at an unreadable memory boundary.
size_t pagesize = static_cast<size_t>(sysconf(_SC_PAGE_SIZE));
uint8_t* memory;
ASSERT_TRUE(posix_memalign(reinterpret_cast<void**>(&memory), pagesize,
2*pagesize) == 0);
memset(memory, 0x23, 2*pagesize);
// Make the second page unreadable and unwritable.
ASSERT_TRUE(mprotect(&memory[pagesize], pagesize, PROT_NONE) == 0);
uint8_t* dst_buffer = new uint8_t[2*pagesize];
// Change the dst alignment as we change the source.
for (size_t i = 0; i < 16; i++) {
uint8_t* dst = &dst_buffer[i];
for (size_t j = 0; j < pagesize; j++) {
uint8_t* src = &memory[pagesize-j];
test_func(src, dst, j);
}
}
ASSERT_TRUE(mprotect(&memory[pagesize], pagesize, PROT_READ | PROT_WRITE) == 0);
free(memory);
delete[] dst_buffer;
}
void RunCmpBufferOverreadTest(
void (*test_cmp_func)(uint8_t*, uint8_t*, size_t),
void (*test_miscmp_func)(uint8_t*, uint8_t*, size_t, size_t)) {
// In order to verify that functions are not reading past the end of either
// of the bufs, create both buffers that end exactly at an unreadable memory
// boundary.
size_t pagesize = static_cast<size_t>(sysconf(_SC_PAGE_SIZE));
uint8_t* memory1;
ASSERT_TRUE(posix_memalign(reinterpret_cast<void**>(&memory1), pagesize,
2*pagesize) == 0);
memset(memory1, 0x23, 2*pagesize);
// Make the second page unreadable and unwritable.
ASSERT_TRUE(mprotect(&memory1[pagesize], pagesize, PROT_NONE) == 0);
uint8_t* memory2;
ASSERT_TRUE(posix_memalign(reinterpret_cast<void**>(&memory2), pagesize,
2*pagesize) == 0);
memset(memory2, 0x23, 2*pagesize);
// Make the second page unreadable and unwritable.
ASSERT_TRUE(mprotect(&memory2[pagesize], pagesize, PROT_NONE) == 0);
for (size_t i = 0; i < pagesize; i++) {
uint8_t* buf1 = &memory1[pagesize-i];
uint8_t* buf2 = &memory2[pagesize-i];
test_cmp_func(buf1, buf2, i);
}
// Don't cycle through pagesize, MISCMP_MAX_LENGTH bytes should be good.
size_t miscmp_len;
if (pagesize > MISCMP_MAX_LENGTH) {
miscmp_len = MISCMP_MAX_LENGTH;
} else {
miscmp_len = pagesize;
}
for (size_t i = 1; i < miscmp_len; i++) {
uint8_t* buf1 = &memory1[pagesize-i];
for (size_t j = 1; j < miscmp_len; j++) {
if (j == i)
continue;
uint8_t* buf2 = &memory2[pagesize-j];
test_miscmp_func(buf1, buf2, i, j);
}
}
ASSERT_TRUE(mprotect(&memory1[pagesize], pagesize, PROT_READ | PROT_WRITE) == 0);
ASSERT_TRUE(mprotect(&memory2[pagesize], pagesize, PROT_READ | PROT_WRITE) == 0);
free(memory1);
free(memory2);
}