From nobody Sat Jul 13 05:23:08 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WLcLP0clLz5Pvd0; Sat, 13 Jul 2024 05:23:09 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WLcLN64lfz4nxq; Sat, 13 Jul 2024 05:23:08 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1720848188; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kWaiyBKUhcZhd6dfNydtUePc4MhuQXNKjtuzOMzTHn8=; b=OkmNF5Lmae2RIMm0i64NXfXb+IF1q0Df3vA8+prARjqS41Z4Yehz9M2gS4PO6W1gN9+Pak IF3d7u84Kov6qtUj4/nr6+/vtJNO96VYgdQlvVzjOcGBowWFrYu7ZtlB/L+aVa4WIWCRP0 1x+cJOBH3/eiGUgucbAxNk59Xs/JZ/rrEio+8nDHG+WAom5uHXz7Bv6LwTE1yIEnHKwLl8 OXkqATx6HyK55/Y1XfucH76ZNiynS9QKbwb9Hw/MS/4OWXRip0m6Osj4rBXnIZSr0RU59s bu0UoRV43KhZ9claKzYRn5b+YnYp19gfdSHaXVTyuk36fJTsesMZDXayStkFAA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1720848188; a=rsa-sha256; cv=none; b=JI+DaBM5p0Rs9+g7F2DsnF6PXPC8VTEcAGEK22l4v7hNRREG0jjtzMAHOPRf22QCfZ9run 7yCuh3PsfJOlNiMdVMrsHrt7SruwrnjO0LWxC52j5skddFY5N94rBTj9S8BMg4NNg9AxaY 78/XWwHe11vTeBWZZ7qOFrr2938yF87s5aJUmKTv0Wk5+Uc0pa27MaAyY2MniBZ/EHGwf+ mrfp8lFTnEQ5LFOFOH9/Cxb0FGNRs6WM2pvmAuWHStHpI+OE3Icf33WGZ1qqrY5d3Iw/RM v1YgoTGKKJf0Jhc9eHj6q2ZNyY6POOci+imqN5uAwP3z3PguZLw3IiZjEWQRWw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1720848188; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kWaiyBKUhcZhd6dfNydtUePc4MhuQXNKjtuzOMzTHn8=; b=xMbIDW4PNl8E37SFLxXNdtHkawtjmO+DK1td2/GJ2m5RkgLxEP+slG8WNulq9u55WtekUH V+w0cqY6qLOVpPtil9UpUL4Hd1YWg7/xB+j0XojLzG9ipDIXNVgUJ5J9pDzCk2uZrdOoG8 U/4OP6BWcqDE7wCxWoDfS9bhop90uAB7ALukhUd70b01Bqvju2snIEira5oue1cMnJaqjb 2UpoaLDd9RzYyUO7Ktdi8bZyMUNl5FMwbM9e4AY5S/jCHG1orNiIuRBwlE4jWkqvjVfxoK MqAdN07pHvwu3WhGIz3qyLQfOcwqqu6k/JqET48uUmMTozaY1s2LhTkI/AFv/w== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4WLcLN5hVwzDn4; Sat, 13 Jul 2024 05:23:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 46D5N8ms032825; Sat, 13 Jul 2024 05:23:08 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 46D5N8ix032822; Sat, 13 Jul 2024 05:23:08 GMT (envelope-from git) Date: Sat, 13 Jul 2024 05:23:08 GMT Message-Id: <202407130523.46D5N8ix032822@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kyle Evans Subject: git: 1f155d48f878 - main - include: ssp: fortify List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 1f155d48f878495d31592c59cab82f975c210ad8 Auto-Submitted: auto-generated The branch main has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=1f155d48f878495d31592c59cab82f975c210ad8 commit 1f155d48f878495d31592c59cab82f975c210ad8 Author: Kyle Evans AuthorDate: 2024-07-13 05:16:12 +0000 Commit: Kyle Evans CommitDate: 2024-07-13 05:16:26 +0000 include: ssp: fortify The entire recv*() implementation set is ripe for opportunities to validate, so do what we can with what we have. Reviewed by: markj Sponsored by: Klara, Inc. Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D45686 --- include/ssp/Makefile | 4 +- include/ssp/socket.h | 119 ++ lib/libc/sys/recv.c | 3 +- lib/libc/sys/recvfrom.c | 3 +- lib/libc/sys/recvmsg.c | 3 +- lib/libc/tests/secure/Makefile | 1 + lib/libc/tests/secure/fortify_poll_test.c | 45 + lib/libc/tests/secure/fortify_random_test.c | 45 + lib/libc/tests/secure/fortify_select_test.c | 45 + lib/libc/tests/secure/fortify_socket_test.c | 1817 ++++++++++++++++++++++ lib/libc/tests/secure/fortify_stdio_test.c | 45 + lib/libc/tests/secure/fortify_stdlib_test.c | 45 + lib/libc/tests/secure/fortify_string_test.c | 45 + lib/libc/tests/secure/fortify_strings_test.c | 45 + lib/libc/tests/secure/fortify_uio_test.c | 45 + lib/libc/tests/secure/fortify_unistd_test.c | 45 + lib/libc/tests/secure/fortify_wchar_test.c | 45 + lib/libc/tests/secure/generate-fortify-tests.lua | 239 +++ lib/libsys/recvmmsg.c | 5 +- sys/sys/socket.h | 4 + 20 files changed, 2641 insertions(+), 7 deletions(-) diff --git a/include/ssp/Makefile b/include/ssp/Makefile index e6c5a1e6c15e..ff622aeecfe9 100644 --- a/include/ssp/Makefile +++ b/include/ssp/Makefile @@ -1,5 +1,5 @@ -INCS= poll.h random.h ssp.h stdio.h stdlib.h string.h strings.h uio.h unistd.h -INCS+= wchar.h +INCS= poll.h random.h socket.h ssp.h stdio.h stdlib.h string.h strings.h +INCS+= uio.h unistd.h wchar.h INCSDIR= ${INCLUDEDIR}/ssp .include diff --git a/include/ssp/socket.h b/include/ssp/socket.h new file mode 100644 index 000000000000..6c0051ad72dc --- /dev/null +++ b/include/ssp/socket.h @@ -0,0 +1,119 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2024, Klara, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ +#ifndef _SSP_SOCKET_H_ +#define _SSP_SOCKET_H_ + +#include + +#if __SSP_FORTIFY_LEVEL > 0 + +#include + +__BEGIN_DECLS + +__ssp_inline void +__ssp_check_msghdr(struct msghdr *hdr) +{ + if (__ssp_bos(hdr->msg_name) < hdr->msg_namelen) + __chk_fail(); + + __ssp_check_iovec(hdr->msg_iov, hdr->msg_iovlen); + + if (__ssp_bos(hdr->msg_control) < hdr->msg_controllen) + __chk_fail(); +} + +__ssp_redirect_raw_impl(int, getpeername, getpeername, + (int fdes, struct sockaddr *__restrict name, socklen_t *__restrict namelen)) +{ + size_t namesz = __ssp_bos(name); + + if (namesz != (size_t)-1 && namesz < *namelen) + __chk_fail(); + + return (__ssp_real(getpeername)(fdes, name, namelen)); +} + +__ssp_redirect_raw_impl(int, getsockname, getsockname, + (int fdes, struct sockaddr *__restrict name, + socklen_t *__restrict namelen)) +{ + size_t namesz = __ssp_bos(name); + + if (namesz != (size_t)-1 && namesz < *namelen) + __chk_fail(); + + return (__ssp_real(getsockname)(fdes, name, namelen)); +} + +__ssp_redirect(ssize_t, recv, (int __sock, void *__buf, size_t __len, + int __flags), (__sock, __buf, __len, __flags)); + +__ssp_redirect_raw_impl(ssize_t, recvfrom, recvfrom, + (int s, void *buf, size_t len, int flags, + struct sockaddr *__restrict from, + socklen_t *__restrict fromlen)) +{ + if (__ssp_bos(buf) < len) + __chk_fail(); + if (from != NULL && __ssp_bos(from) < *fromlen) + __chk_fail(); + + return (__ssp_real(recvfrom)(s, buf, len, flags, from, fromlen)); +} + +__ssp_redirect_raw_impl(ssize_t, recvmsg, recvmsg, + (int s, struct msghdr *hdr, int flags)) +{ + __ssp_check_msghdr(hdr); + return (__ssp_real(recvmsg)(s, hdr, flags)); +} + +#if __BSD_VISIBLE +struct timespec; + +__ssp_redirect_raw_impl(ssize_t, recvmmsg, recvmmsg, + (int s, struct mmsghdr *__restrict hdrvec, size_t vlen, int flags, + const struct timespec *__restrict timeout)) +{ + const size_t vecsz = __ssp_bos(hdrvec); + + if (vecsz != (size_t)-1 && vecsz / sizeof(*hdrvec) < vlen) + __chk_fail(); + + for (size_t i = 0; i < vlen; i++) { + __ssp_check_msghdr(&hdrvec[i].msg_hdr); + } + + return (__ssp_real(recvmmsg)(s, hdrvec, vlen, flags, timeout)); +} +#endif + +__END_DECLS + +#endif /* __SSP_FORTIFY_LEVEL > 0 */ +#endif /* _SSP_SOCKET_H_ */ diff --git a/lib/libc/sys/recv.c b/lib/libc/sys/recv.c index 9afb1dee0654..2bccfbee4eed 100644 --- a/lib/libc/sys/recv.c +++ b/lib/libc/sys/recv.c @@ -31,12 +31,13 @@ #include #include +#include #include "libc_private.h" #include ssize_t -recv(int s, void *buf, size_t len, int flags) +__ssp_real(recv)(int s, void *buf, size_t len, int flags) { /* * POSIX says recv() shall be a cancellation point, so call the diff --git a/lib/libc/sys/recvfrom.c b/lib/libc/sys/recvfrom.c index 04738d06a71c..6247b315d078 100644 --- a/lib/libc/sys/recvfrom.c +++ b/lib/libc/sys/recvfrom.c @@ -32,13 +32,14 @@ #include #include #include +#include #include "libc_private.h" __weak_reference(__sys_recvfrom, __recvfrom); #pragma weak recvfrom ssize_t -recvfrom(int s, void *buf, size_t len, int flags, +__ssp_real(recvfrom)(int s, void *buf, size_t len, int flags, struct sockaddr * __restrict from, socklen_t * __restrict fromlen) { return (INTERPOS_SYS(recvfrom, s, buf, len, flags, from, fromlen)); diff --git a/lib/libc/sys/recvmsg.c b/lib/libc/sys/recvmsg.c index c7e34b9beeb4..334049d6cfad 100644 --- a/lib/libc/sys/recvmsg.c +++ b/lib/libc/sys/recvmsg.c @@ -32,13 +32,14 @@ #include #include #include +#include #include "libc_private.h" __weak_reference(__sys_recvmsg, __recvmsg); #pragma weak recvmsg ssize_t -recvmsg(int s, struct msghdr *msg, int flags) +__ssp_real(recvmsg)(int s, struct msghdr *msg, int flags) { return (INTERPOS_SYS(recvmsg, s, msg, flags)); } diff --git a/lib/libc/tests/secure/Makefile b/lib/libc/tests/secure/Makefile index 996536beac91..ccf89afb1ad5 100644 --- a/lib/libc/tests/secure/Makefile +++ b/lib/libc/tests/secure/Makefile @@ -5,6 +5,7 @@ TESTSDIR:= ${TESTSBASE}/${RELDIR:C/libc\/tests/libc/} # sys/ headers FORTIFY_TCATS+= random FORTIFY_TCATS+= select +FORTIFY_TCATS+= socket FORTIFY_TCATS+= uio # non-sys/ headers diff --git a/lib/libc/tests/secure/fortify_poll_test.c b/lib/libc/tests/secure/fortify_poll_test.c index 47648fe54b47..dce0b0bb65ea 100644 --- a/lib/libc/tests/secure/fortify_poll_test.c +++ b/lib/libc/tests/secure/fortify_poll_test.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include #include @@ -66,6 +67,50 @@ new_symlink(size_t __len) return (linkname); } +/* + * For our purposes, first descriptor will be the reader; we'll send both + * raw data and a control message over it so that the result can be used for + * any of our recv*() tests. + */ +static void __unused +new_socket(int sock[2]) +{ + unsigned char ctrl[CMSG_SPACE(sizeof(int))] = { 0 }; + static char sockbuf[256]; + ssize_t rv; + size_t total = 0; + struct msghdr hdr = { 0 }; + struct cmsghdr *cmsg; + int error, fd; + + error = socketpair(AF_UNIX, SOCK_STREAM, 0, sock); + ATF_REQUIRE(error == 0); + + while (total != sizeof(sockbuf)) { + rv = send(sock[1], &sockbuf[total], sizeof(sockbuf) - total, 0); + + ATF_REQUIRE_MSG(rv > 0, + "expected bytes sent, got %zd with %zu left (size %zu, total %zu)", + rv, sizeof(sockbuf) - total, sizeof(sockbuf), total); + ATF_REQUIRE_MSG(total + (size_t)rv <= sizeof(sockbuf), + "%zd exceeds total %zu", rv, sizeof(sockbuf)); + total += rv; + } + + hdr.msg_control = ctrl; + hdr.msg_controllen = sizeof(ctrl); + + cmsg = CMSG_FIRSTHDR(&hdr); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; + cmsg->cmsg_len = CMSG_LEN(sizeof(fd)); + fd = STDIN_FILENO; + memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd)); + + error = sendmsg(sock[1], &hdr, 0); + ATF_REQUIRE(error != -1); +} + /* * Constructs a tmpfile that we can use for testing read(2) and friends. */ diff --git a/lib/libc/tests/secure/fortify_random_test.c b/lib/libc/tests/secure/fortify_random_test.c index 64c32c6c6a8f..7763607dd2ed 100644 --- a/lib/libc/tests/secure/fortify_random_test.c +++ b/lib/libc/tests/secure/fortify_random_test.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include #include @@ -66,6 +67,50 @@ new_symlink(size_t __len) return (linkname); } +/* + * For our purposes, first descriptor will be the reader; we'll send both + * raw data and a control message over it so that the result can be used for + * any of our recv*() tests. + */ +static void __unused +new_socket(int sock[2]) +{ + unsigned char ctrl[CMSG_SPACE(sizeof(int))] = { 0 }; + static char sockbuf[256]; + ssize_t rv; + size_t total = 0; + struct msghdr hdr = { 0 }; + struct cmsghdr *cmsg; + int error, fd; + + error = socketpair(AF_UNIX, SOCK_STREAM, 0, sock); + ATF_REQUIRE(error == 0); + + while (total != sizeof(sockbuf)) { + rv = send(sock[1], &sockbuf[total], sizeof(sockbuf) - total, 0); + + ATF_REQUIRE_MSG(rv > 0, + "expected bytes sent, got %zd with %zu left (size %zu, total %zu)", + rv, sizeof(sockbuf) - total, sizeof(sockbuf), total); + ATF_REQUIRE_MSG(total + (size_t)rv <= sizeof(sockbuf), + "%zd exceeds total %zu", rv, sizeof(sockbuf)); + total += rv; + } + + hdr.msg_control = ctrl; + hdr.msg_controllen = sizeof(ctrl); + + cmsg = CMSG_FIRSTHDR(&hdr); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; + cmsg->cmsg_len = CMSG_LEN(sizeof(fd)); + fd = STDIN_FILENO; + memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd)); + + error = sendmsg(sock[1], &hdr, 0); + ATF_REQUIRE(error != -1); +} + /* * Constructs a tmpfile that we can use for testing read(2) and friends. */ diff --git a/lib/libc/tests/secure/fortify_select_test.c b/lib/libc/tests/secure/fortify_select_test.c index ccd3f97004fc..dfafac7e4d6d 100644 --- a/lib/libc/tests/secure/fortify_select_test.c +++ b/lib/libc/tests/secure/fortify_select_test.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include #include @@ -66,6 +67,50 @@ new_symlink(size_t __len) return (linkname); } +/* + * For our purposes, first descriptor will be the reader; we'll send both + * raw data and a control message over it so that the result can be used for + * any of our recv*() tests. + */ +static void __unused +new_socket(int sock[2]) +{ + unsigned char ctrl[CMSG_SPACE(sizeof(int))] = { 0 }; + static char sockbuf[256]; + ssize_t rv; + size_t total = 0; + struct msghdr hdr = { 0 }; + struct cmsghdr *cmsg; + int error, fd; + + error = socketpair(AF_UNIX, SOCK_STREAM, 0, sock); + ATF_REQUIRE(error == 0); + + while (total != sizeof(sockbuf)) { + rv = send(sock[1], &sockbuf[total], sizeof(sockbuf) - total, 0); + + ATF_REQUIRE_MSG(rv > 0, + "expected bytes sent, got %zd with %zu left (size %zu, total %zu)", + rv, sizeof(sockbuf) - total, sizeof(sockbuf), total); + ATF_REQUIRE_MSG(total + (size_t)rv <= sizeof(sockbuf), + "%zd exceeds total %zu", rv, sizeof(sockbuf)); + total += rv; + } + + hdr.msg_control = ctrl; + hdr.msg_controllen = sizeof(ctrl); + + cmsg = CMSG_FIRSTHDR(&hdr); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; + cmsg->cmsg_len = CMSG_LEN(sizeof(fd)); + fd = STDIN_FILENO; + memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd)); + + error = sendmsg(sock[1], &hdr, 0); + ATF_REQUIRE(error != -1); +} + /* * Constructs a tmpfile that we can use for testing read(2) and friends. */ diff --git a/lib/libc/tests/secure/fortify_socket_test.c b/lib/libc/tests/secure/fortify_socket_test.c new file mode 100644 index 000000000000..a2125d60fc2d --- /dev/null +++ b/lib/libc/tests/secure/fortify_socket_test.c @@ -0,0 +1,1817 @@ +/* @generated by `generate-fortify-tests.lua "socket"` */ + +#define _FORTIFY_SOURCE 2 +#define TMPFILE_SIZE (1024 * 32) + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static FILE * __unused +new_fp(size_t __len) +{ + static char fpbuf[LINE_MAX]; + FILE *fp; + + ATF_REQUIRE(__len <= sizeof(fpbuf)); + + memset(fpbuf, 'A', sizeof(fpbuf) - 1); + fpbuf[sizeof(fpbuf) - 1] = '\0'; + + fp = fmemopen(fpbuf, sizeof(fpbuf), "rb"); + ATF_REQUIRE(fp != NULL); + + return (fp); +} + +/* + * Create a new symlink to use for readlink(2) style tests, we'll just use a + * random target name to have something interesting to look at. + */ +static const char * __unused +new_symlink(size_t __len) +{ + static const char linkname[] = "link"; + char target[MAXNAMLEN]; + int error; + + ATF_REQUIRE(__len <= sizeof(target)); + + arc4random_buf(target, sizeof(target)); + + error = unlink(linkname); + ATF_REQUIRE(error == 0 || errno == ENOENT); + + error = symlink(target, linkname); + ATF_REQUIRE(error == 0); + + return (linkname); +} + +/* + * For our purposes, first descriptor will be the reader; we'll send both + * raw data and a control message over it so that the result can be used for + * any of our recv*() tests. + */ +static void __unused +new_socket(int sock[2]) +{ + unsigned char ctrl[CMSG_SPACE(sizeof(int))] = { 0 }; + static char sockbuf[256]; + ssize_t rv; + size_t total = 0; + struct msghdr hdr = { 0 }; + struct cmsghdr *cmsg; + int error, fd; + + error = socketpair(AF_UNIX, SOCK_STREAM, 0, sock); + ATF_REQUIRE(error == 0); + + while (total != sizeof(sockbuf)) { + rv = send(sock[1], &sockbuf[total], sizeof(sockbuf) - total, 0); + + ATF_REQUIRE_MSG(rv > 0, + "expected bytes sent, got %zd with %zu left (size %zu, total %zu)", + rv, sizeof(sockbuf) - total, sizeof(sockbuf), total); + ATF_REQUIRE_MSG(total + (size_t)rv <= sizeof(sockbuf), + "%zd exceeds total %zu", rv, sizeof(sockbuf)); + total += rv; + } + + hdr.msg_control = ctrl; + hdr.msg_controllen = sizeof(ctrl); + + cmsg = CMSG_FIRSTHDR(&hdr); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; + cmsg->cmsg_len = CMSG_LEN(sizeof(fd)); + fd = STDIN_FILENO; + memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd)); + + error = sendmsg(sock[1], &hdr, 0); + ATF_REQUIRE(error != -1); +} + +/* + * Constructs a tmpfile that we can use for testing read(2) and friends. + */ +static int __unused +new_tmpfile(void) +{ + char buf[1024]; + ssize_t rv; + size_t written; + int fd; + + fd = open("tmpfile", O_RDWR | O_CREAT | O_TRUNC, 0644); + ATF_REQUIRE(fd >= 0); + + written = 0; + while (written < TMPFILE_SIZE) { + rv = write(fd, buf, sizeof(buf)); + ATF_REQUIRE(rv > 0); + + written += rv; + } + + ATF_REQUIRE_EQ(0, lseek(fd, 0, SEEK_SET)); + return (fd); +} + +static void +disable_coredumps(void) +{ + struct rlimit rl = { 0 }; + + if (setrlimit(RLIMIT_CORE, &rl) == -1) + _exit(EX_OSERR); +} + +/* + * Replaces stdin with a file that we can actually read from, for tests where + * we want a FILE * or fd that we can get data from. + */ +static void __unused +replace_stdin(void) +{ + int fd; + + fd = new_tmpfile(); + + (void)dup2(fd, STDIN_FILENO); + if (fd != STDIN_FILENO) + close(fd); +} + +ATF_TC_WITHOUT_HEAD(getpeername_before_end); +ATF_TC_BODY(getpeername_before_end, tc) +{ +#define BUF &__stack.__buf + struct { + uint8_t padding_l; + struct sockaddr __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(__stack.__buf); + const size_t __len = sizeof(struct sockaddr) - 1; + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + socklen_t socklen; + new_socket(sock); + socklen = __len; + + getpeername(sock[0], &__stack.__buf, &socklen); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(getpeername_end); +ATF_TC_BODY(getpeername_end, tc) +{ +#define BUF &__stack.__buf + struct { + uint8_t padding_l; + struct sockaddr __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(__stack.__buf); + const size_t __len = sizeof(struct sockaddr); + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + socklen_t socklen; + new_socket(sock); + socklen = __len; + + getpeername(sock[0], &__stack.__buf, &socklen); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(getpeername_heap_before_end); +ATF_TC_BODY(getpeername_heap_before_end, tc) +{ +#define BUF __stack.__buf + struct { + uint8_t padding_l; + struct sockaddr * __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); + const size_t __len = sizeof(struct sockaddr) - 1; + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + socklen_t socklen; + __stack.__buf = malloc(__bufsz); + new_socket(sock); + socklen = __len; + + getpeername(sock[0], __stack.__buf, &socklen); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(getpeername_heap_end); +ATF_TC_BODY(getpeername_heap_end, tc) +{ +#define BUF __stack.__buf + struct { + uint8_t padding_l; + struct sockaddr * __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); + const size_t __len = sizeof(struct sockaddr); + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + socklen_t socklen; + __stack.__buf = malloc(__bufsz); + new_socket(sock); + socklen = __len; + + getpeername(sock[0], __stack.__buf, &socklen); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(getpeername_heap_after_end); +ATF_TC_BODY(getpeername_heap_after_end, tc) +{ +#define BUF __stack.__buf + struct { + uint8_t padding_l; + struct sockaddr * __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); + const size_t __len = sizeof(struct sockaddr) + 1; + const size_t __idx __unused = __len - 1; + pid_t __child; + int __status; + int sock[2] = { -1, -1 }; + socklen_t socklen; + __child = fork(); + ATF_REQUIRE(__child >= 0); + if (__child > 0) + goto monitor; + + /* Child */ + disable_coredumps(); + __stack.__buf = malloc(__bufsz); + new_socket(sock); + socklen = __len; + + getpeername(sock[0], __stack.__buf, &socklen); + _exit(EX_SOFTWARE); /* Should have aborted. */ + +monitor: + while (waitpid(__child, &__status, 0) != __child) { + ATF_REQUIRE_EQ(EINTR, errno); + } + + if (!WIFSIGNALED(__status)) { + switch (WEXITSTATUS(__status)) { + case EX_SOFTWARE: + atf_tc_fail("FORTIFY_SOURCE failed to abort"); + break; + case EX_OSERR: + atf_tc_fail("setrlimit(2) failed"); + break; + default: + atf_tc_fail("child exited with status %d", + WEXITSTATUS(__status)); + } + } else { + ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); + } +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(getsockname_before_end); +ATF_TC_BODY(getsockname_before_end, tc) +{ +#define BUF &__stack.__buf + struct { + uint8_t padding_l; + struct sockaddr __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(__stack.__buf); + const size_t __len = sizeof(struct sockaddr) - 1; + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + socklen_t socklen; + new_socket(sock); + socklen = __len; + + getsockname(sock[0], &__stack.__buf, &socklen); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(getsockname_end); +ATF_TC_BODY(getsockname_end, tc) +{ +#define BUF &__stack.__buf + struct { + uint8_t padding_l; + struct sockaddr __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(__stack.__buf); + const size_t __len = sizeof(struct sockaddr); + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + socklen_t socklen; + new_socket(sock); + socklen = __len; + + getsockname(sock[0], &__stack.__buf, &socklen); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(getsockname_heap_before_end); +ATF_TC_BODY(getsockname_heap_before_end, tc) +{ +#define BUF __stack.__buf + struct { + uint8_t padding_l; + struct sockaddr * __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); + const size_t __len = sizeof(struct sockaddr) - 1; + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + socklen_t socklen; + __stack.__buf = malloc(__bufsz); + new_socket(sock); + socklen = __len; + + getsockname(sock[0], __stack.__buf, &socklen); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(getsockname_heap_end); +ATF_TC_BODY(getsockname_heap_end, tc) +{ +#define BUF __stack.__buf + struct { + uint8_t padding_l; + struct sockaddr * __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); + const size_t __len = sizeof(struct sockaddr); + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + socklen_t socklen; + __stack.__buf = malloc(__bufsz); + new_socket(sock); + socklen = __len; + + getsockname(sock[0], __stack.__buf, &socklen); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(getsockname_heap_after_end); +ATF_TC_BODY(getsockname_heap_after_end, tc) +{ +#define BUF __stack.__buf + struct { + uint8_t padding_l; + struct sockaddr * __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(*__stack.__buf) * (1); + const size_t __len = sizeof(struct sockaddr) + 1; + const size_t __idx __unused = __len - 1; + pid_t __child; + int __status; + int sock[2] = { -1, -1 }; + socklen_t socklen; + __child = fork(); + ATF_REQUIRE(__child >= 0); + if (__child > 0) + goto monitor; + + /* Child */ + disable_coredumps(); + __stack.__buf = malloc(__bufsz); + new_socket(sock); + socklen = __len; + + getsockname(sock[0], __stack.__buf, &socklen); + _exit(EX_SOFTWARE); /* Should have aborted. */ + +monitor: + while (waitpid(__child, &__status, 0) != __child) { + ATF_REQUIRE_EQ(EINTR, errno); + } + + if (!WIFSIGNALED(__status)) { + switch (WEXITSTATUS(__status)) { + case EX_SOFTWARE: + atf_tc_fail("FORTIFY_SOURCE failed to abort"); + break; + case EX_OSERR: + atf_tc_fail("setrlimit(2) failed"); + break; + default: + atf_tc_fail("child exited with status %d", + WEXITSTATUS(__status)); + } + } else { + ATF_REQUIRE_EQ(SIGABRT, WTERMSIG(__status)); + } +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(recv_before_end); +ATF_TC_BODY(recv_before_end, tc) +{ +#define BUF &__stack.__buf + struct { + uint8_t padding_l; + unsigned char __buf[42]; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(__stack.__buf); + const size_t __len = 42 - 1; + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + + new_socket(sock); + + recv(sock[0], __stack.__buf, __len, 0); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(recv_end); +ATF_TC_BODY(recv_end, tc) +{ +#define BUF &__stack.__buf + struct { + uint8_t padding_l; + unsigned char __buf[42]; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(__stack.__buf); + const size_t __len = 42; + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + + new_socket(sock); + + recv(sock[0], __stack.__buf, __len, 0); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(recv_heap_before_end); +ATF_TC_BODY(recv_heap_before_end, tc) +{ +#define BUF __stack.__buf + struct { + uint8_t padding_l; + unsigned char * __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); + const size_t __len = 42 - 1; + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + + __stack.__buf = malloc(__bufsz); + new_socket(sock); + + recv(sock[0], __stack.__buf, __len, 0); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(recv_heap_end); +ATF_TC_BODY(recv_heap_end, tc) +{ +#define BUF __stack.__buf + struct { + uint8_t padding_l; + unsigned char * __buf; + uint8_t padding_r; + } __stack; + const size_t __bufsz __unused = sizeof(*__stack.__buf) * (42); + const size_t __len = 42; + const size_t __idx __unused = __len - 1; + int sock[2] = { -1, -1 }; + + __stack.__buf = malloc(__bufsz); + new_socket(sock); + + recv(sock[0], __stack.__buf, __len, 0); +#undef BUF + +} + +ATF_TC_WITHOUT_HEAD(recv_heap_after_end); +ATF_TC_BODY(recv_heap_after_end, tc) +{ +#define BUF __stack.__buf *** 2021 LINES SKIPPED ***