Blame - base/security_unittest.cc - platform/external/libchrome

blob: 8515179be389c7f76887141efc74524a6ec36cff [file] [log] [blame]

jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	1	// Copyright (c) 2013 The Chromium Authors. All rights reserved.
				2	// Use of this source code is governed by a BSD-style license that can be
				3	// found in the LICENSE file.
				4
jln@chromium.org	c71a4da	2013-01-31 11:23:43 +0900	[diff] [blame]	5	#include <fcntl.h>
avi	a6a6a68	2015-12-27 07:15:14 +0900	[diff] [blame]	6	#include <stddef.h>
jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	7	#include <stdio.h>
				8	#include <stdlib.h>
				9	#include <string.h>
jln@chromium.org	c71a4da	2013-01-31 11:23:43 +0900	[diff] [blame]	10	#include <sys/stat.h>
				11	#include <sys/types.h>
jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	12
				13	#include <algorithm>
				14	#include <limits>
dcheng	cc8e4d8	2016-04-05 06:25:51 +0900	[diff] [blame]	15	#include <memory>
jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	16
Scott Violet	04992cc	2018-02-22 11:08:08 +0900	[diff] [blame]	17	#include "base/allocator/buildflags.h"
brettw@chromium.org	01f3da4	2014-08-14 05:22:14 +0900	[diff] [blame]	18	#include "base/files/file_util.h"
jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	19	#include "base/logging.h"
dcheng	a521e15	2016-03-26 09:16:27 +0900	[diff] [blame]	20	#include "base/memory/free_deleter.h"
jln@chromium.org	a55baa6	2013-02-05 08:39:48 +0900	[diff] [blame]	21	#include "build/build_config.h"
jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	22	#include "testing/gtest/include/gtest/gtest.h"
				23
jln@chromium.org	a55baa6	2013-02-05 08:39:48 +0900	[diff] [blame]	24	#if defined(OS_POSIX)
				25	#include <sys/mman.h>
				26	#include <unistd.h>
				27	#endif
				28
jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	29	using std::nothrow;
jln@chromium.org	d06052c	2013-01-26 13:41:15 +0900	[diff] [blame]	30	using std::numeric_limits;
jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	31
				32	namespace {
				33
jln@chromium.org	c6d4422	2013-02-06 12:23:49 +0900	[diff] [blame]	34	// This function acts as a compiler optimization barrier. We use it to
				35	// prevent the compiler from making an expression a compile-time constant.
				36	// We also use it so that the compiler doesn't discard certain return values
				37	// as something we don't need (see the comment with calloc below).
				38	template <typename Type>
thakis	497632e	2015-04-23 11:58:29 +0900	[diff] [blame]	39	NOINLINE Type HideValueFromCompiler(volatile Type value) {
jln@chromium.org	5975586	2013-04-04 21:02:35 +0900	[diff] [blame]	40	#if defined(__GNUC__)
				41	// In a GCC compatible compiler (GCC or Clang), make this compiler barrier
				42	// more robust than merely using "volatile".
				43	__asm__ volatile ("" : "+r" (value));
				44	#endif // __GNUC__
jln@chromium.org	c6d4422	2013-02-06 12:23:49 +0900	[diff] [blame]	45	return value;
				46	}
				47
primiano	0d396ed	2017-05-27 00:48:32 +0900	[diff] [blame]	48	// TCmalloc, currently supported only by Linux/CrOS, supports malloc limits.
dmikurube@chromium.org	1df3651	2014-03-06 05:07:26 +0900	[diff] [blame]	49	// - NO_TCMALLOC (should be defined if compiled with use_allocator!="tcmalloc")
primiano	0d396ed	2017-05-27 00:48:32 +0900	[diff] [blame]	50	// - ADDRESS_SANITIZER it has its own memory allocator
				51	#if defined(OS_LINUX) && !defined(NO_TCMALLOC) && !defined(ADDRESS_SANITIZER)
wfh	f2a57fa	2015-01-13 12:11:40 +0900	[diff] [blame]	52	#define MALLOC_OVERFLOW_TEST(function) function
jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	53	#else
wfh	f2a57fa	2015-01-13 12:11:40 +0900	[diff] [blame]	54	#define MALLOC_OVERFLOW_TEST(function) DISABLED_##function
jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	55	#endif
				56
jln@chromium.org	d06052c	2013-01-26 13:41:15 +0900	[diff] [blame]	57	// There are platforms where these tests are known to fail. We would like to
				58	// be able to easily check the status on the bots, but marking tests as
				59	// FAILS_ is too clunky.
				60	void OverflowTestsSoftExpectTrue(bool overflow_detected) {
				61	if (!overflow_detected) {
				62	#if defined(OS_LINUX) \|\| defined(OS_ANDROID) \|\| defined(OS_MACOSX)
				63	// Sadly, on Linux, Android, and OSX we don't have a good story yet. Don't
				64	// fail the test, but report.
				65	printf("Platform has overflow: %s\n",
				66	!overflow_detected ? "yes." : "no.");
				67	#else
				68	// Otherwise, fail the test. (Note: EXPECT are ok in subfunctions, ASSERT
				69	// aren't).
				70	EXPECT_TRUE(overflow_detected);
				71	#endif
				72	}
				73	}
				74
thakis	3f3f37c	2017-03-01 22:05:35 +0900	[diff] [blame]	75	#if defined(OS_IOS) \|\| defined(ADDRESS_SANITIZER) \|\| \
				76	defined(THREAD_SANITIZER) \|\| defined(MEMORY_SANITIZER)
John Abd-El-Malek	ccd3dd3	2014-10-03 07:55:15 +0900	[diff] [blame]	77	#define MAYBE_NewOverflow DISABLED_NewOverflow
				78	#else
				79	#define MAYBE_NewOverflow NewOverflow
				80	#endif
jln@chromium.org	d06052c	2013-01-26 13:41:15 +0900	[diff] [blame]	81	// Test array[TooBig][X] and array[X][TooBig] allocations for int overflows.
				82	// IOS doesn't honor nothrow, so disable the test there.
thakis	4c9e69f	2017-02-22 02:20:41 +0900	[diff] [blame]	83	// Disabled under XSan because asan aborts when new returns nullptr,
thakis	27301ae	2017-02-15 01:21:35 +0900	[diff] [blame]	84	// https://bugs.chromium.org/p/chromium/issues/detail?id=690271#c15
John Abd-El-Malek	ccd3dd3	2014-10-03 07:55:15 +0900	[diff] [blame]	85	TEST(SecurityTest, MAYBE_NewOverflow) {
jln@chromium.org	d06052c	2013-01-26 13:41:15 +0900	[diff] [blame]	86	const size_t kArraySize = 4096;
				87	// We want something "dynamic" here, so that the compiler doesn't
				88	// immediately reject crazy arrays.
				89	const size_t kDynamicArraySize = HideValueFromCompiler(kArraySize);
thakis	27301ae	2017-02-15 01:21:35 +0900	[diff] [blame]	90	const size_t kMaxSizeT = std::numeric_limits<size_t>::max();
jln@chromium.org	d06052c	2013-01-26 13:41:15 +0900	[diff] [blame]	91	const size_t kArraySize2 = kMaxSizeT / kArraySize + 10;
				92	const size_t kDynamicArraySize2 = HideValueFromCompiler(kArraySize2);
				93	{
dcheng	cc8e4d8	2016-04-05 06:25:51 +0900	[diff] [blame]	94	std::unique_ptr<char[][kArraySize]> array_pointer(
				95	new (nothrow) char[kDynamicArraySize2][kArraySize]);
thakis	27301ae	2017-02-15 01:21:35 +0900	[diff] [blame]	96	// Prevent clang from optimizing away the whole test.
				97	char* volatile p = reinterpret_cast<char*>(array_pointer.get());
				98	OverflowTestsSoftExpectTrue(!p);
jln@chromium.org	d06052c	2013-01-26 13:41:15 +0900	[diff] [blame]	99	}
jln@chromium.org	5975586	2013-04-04 21:02:35 +0900	[diff] [blame]	100	// On windows, the compiler prevents static array sizes of more than
				101	// 0x7fffffff (error C2148).
Peter Kasting	618317c	2014-11-21 08:14:08 +0900	[diff] [blame]	102	#if defined(OS_WIN) && defined(ARCH_CPU_64_BITS)
				103	ALLOW_UNUSED_LOCAL(kDynamicArraySize);
				104	#else
jln@chromium.org	d06052c	2013-01-26 13:41:15 +0900	[diff] [blame]	105	{
dcheng	cc8e4d8	2016-04-05 06:25:51 +0900	[diff] [blame]	106	std::unique_ptr<char[][kArraySize2]> array_pointer(
				107	new (nothrow) char[kDynamicArraySize][kArraySize2]);
thakis	27301ae	2017-02-15 01:21:35 +0900	[diff] [blame]	108	// Prevent clang from optimizing away the whole test.
				109	char* volatile p = reinterpret_cast<char*>(array_pointer.get());
				110	OverflowTestsSoftExpectTrue(!p);
jln@chromium.org	d06052c	2013-01-26 13:41:15 +0900	[diff] [blame]	111	}
jln@chromium.org	5975586	2013-04-04 21:02:35 +0900	[diff] [blame]	112	#endif // !defined(OS_WIN) \|\| !defined(ARCH_CPU_64_BITS)
jln@chromium.org	d06052c	2013-01-26 13:41:15 +0900	[diff] [blame]	113	}
				114
estade@chromium.org	d841d6d	2014-04-16 05:58:09 +0900	[diff] [blame]	115	#if defined(OS_LINUX) && defined(__x86_64__)
jln@chromium.org	a55baa6	2013-02-05 08:39:48 +0900	[diff] [blame]	116	// Check if ptr1 and ptr2 are separated by less than size chars.
				117	bool ArePointersToSameArea(void* ptr1, void* ptr2, size_t size) {
				118	ptrdiff_t ptr_diff = reinterpret_cast<char*>(std::max(ptr1, ptr2)) -
				119	reinterpret_cast<char*>(std::min(ptr1, ptr2));
				120	return static_cast<size_t>(ptr_diff) <= size;
				121	}
				122
jln@chromium.org	c71a4da	2013-01-31 11:23:43 +0900	[diff] [blame]	123	// Check if TCMalloc uses an underlying random memory allocator.
wfh	f2a57fa	2015-01-13 12:11:40 +0900	[diff] [blame]	124	TEST(SecurityTest, MALLOC_OVERFLOW_TEST(RandomMemoryAllocations)) {
jln@chromium.org	a55baa6	2013-02-05 08:39:48 +0900	[diff] [blame]	125	size_t kPageSize = 4096; // We support x86_64 only.
				126	// Check that malloc() returns an address that is neither the kernel's
				127	// un-hinted mmap area, nor the current brk() area. The first malloc() may
				128	// not be at a random address because TCMalloc will first exhaust any memory
				129	// that it has allocated early on, before starting the sophisticated
				130	// allocators.
				131	void* default_mmap_heap_address =
Ivan Kotenkov	e88f346	2017-11-08 21:37:33 +0900	[diff] [blame]	132	mmap(nullptr, kPageSize, PROT_READ \| PROT_WRITE,
				133	MAP_PRIVATE \| MAP_ANONYMOUS, -1, 0);
jln@chromium.org	a55baa6	2013-02-05 08:39:48 +0900	[diff] [blame]	134	ASSERT_NE(default_mmap_heap_address,
				135	static_cast<void*>(MAP_FAILED));
				136	ASSERT_EQ(munmap(default_mmap_heap_address, kPageSize), 0);
				137	void* brk_heap_address = sbrk(0);
				138	ASSERT_NE(brk_heap_address, reinterpret_cast<void*>(-1));
Ivan Kotenkov	e88f346	2017-11-08 21:37:33 +0900	[diff] [blame]	139	ASSERT_TRUE(brk_heap_address != nullptr);
jln@chromium.org	a55baa6	2013-02-05 08:39:48 +0900	[diff] [blame]	140	// 1 MB should get us past what TCMalloc pre-allocated before initializing
				141	// the sophisticated allocators.
				142	size_t kAllocSize = 1<<20;
dcheng	cc8e4d8	2016-04-05 06:25:51 +0900	[diff] [blame]	143	std::unique_ptr<char, base::FreeDeleter> ptr(
jln@chromium.org	a55baa6	2013-02-05 08:39:48 +0900	[diff] [blame]	144	static_cast<char*>(malloc(kAllocSize)));
Ivan Kotenkov	e88f346	2017-11-08 21:37:33 +0900	[diff] [blame]	145	ASSERT_TRUE(ptr != nullptr);
jln@chromium.org	a55baa6	2013-02-05 08:39:48 +0900	[diff] [blame]	146	// If two pointers are separated by less than 512MB, they are considered
				147	// to be in the same area.
				148	// Our random pointer could be anywhere within 0x3fffffffffff (46bits),
				149	// and we are checking that it's not withing 1GB (30 bits) from two
				150	// addresses (brk and mmap heap). We have roughly one chance out of
				151	// 2^15 to flake.
				152	const size_t kAreaRadius = 1<<29;
				153	bool in_default_mmap_heap = ArePointersToSameArea(
				154	ptr.get(), default_mmap_heap_address, kAreaRadius);
				155	EXPECT_FALSE(in_default_mmap_heap);
				156
				157	bool in_default_brk_heap = ArePointersToSameArea(
				158	ptr.get(), brk_heap_address, kAreaRadius);
				159	EXPECT_FALSE(in_default_brk_heap);
				160
				161	// In the implementation, we always mask our random addresses with
				162	// kRandomMask, so we use it as an additional detection mechanism.
				163	const uintptr_t kRandomMask = 0x3fffffffffffULL;
				164	bool impossible_random_address =
				165	reinterpret_cast<uintptr_t>(ptr.get()) & ~kRandomMask;
				166	EXPECT_FALSE(impossible_random_address);
jln@chromium.org	c71a4da	2013-01-31 11:23:43 +0900	[diff] [blame]	167	}
				168
estade@chromium.org	d841d6d	2014-04-16 05:58:09 +0900	[diff] [blame]	169	#endif // defined(OS_LINUX) && defined(__x86_64__)
jln@chromium.org	c71a4da	2013-01-31 11:23:43 +0900	[diff] [blame]	170
jln@chromium.org	4faaf21	2013-01-16 05:16:33 +0900	[diff] [blame]	171	} // namespace