From be7a5468d4f694ee8d052b537141f51af43ca7f2 Mon Sep 17 00:00:00 2001 From: Adhemerval Zanella Date: Tue, 3 Oct 2023 15:09:36 -0300 Subject: [PATCH] debug: Add regression tests for BZ 30932 Checked on x86_64-linux-gnu. Reviewed-by: Siddhesh Poyarekar --- debug/Makefile | 2 + debug/tst-sprintf-fortify-rdonly.c | 82 ++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 debug/tst-sprintf-fortify-rdonly.c diff --git a/debug/Makefile b/debug/Makefile index 434e52f780..c49e5d86ec 100644 --- a/debug/Makefile +++ b/debug/Makefile @@ -178,6 +178,7 @@ CFLAGS-tst-longjmp_chk3.c += -fexceptions -fasynchronous-unwind-tables CPPFLAGS-tst-longjmp_chk3.c += $(no-fortify-source),-D_FORTIFY_SOURCE=1 CPPFLAGS-tst-realpath-chk.c += $(no-fortify-source),-D_FORTIFY_SOURCE=2 CPPFLAGS-tst-chk-cancel.c += $(no-fortify-source),-D_FORTIFY_SOURCE=2 +CFLAGS-tst-sprintf-fortify-rdonly.c += $(no-fortify-source),-D_FORTIFY_SOURCE=2 # _FORTIFY_SOURCE tests. # Auto-generate tests for _FORTIFY_SOURCE for different levels, compilers and @@ -284,6 +285,7 @@ tests = \ tst-longjmp_chk \ tst-longjmp_chk2 \ tst-realpath-chk \ + tst-sprintf-fortify-rdonly \ tst-sprintf-fortify-unchecked \ # tests diff --git a/debug/tst-sprintf-fortify-rdonly.c b/debug/tst-sprintf-fortify-rdonly.c new file mode 100644 index 0000000000..78dece9102 --- /dev/null +++ b/debug/tst-sprintf-fortify-rdonly.c @@ -0,0 +1,82 @@ +/* Testcase for BZ 30932. + Copyright (C) 2023 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +jmp_buf chk_fail_buf; +bool chk_fail_ok; + +const char *str2 = "F"; +char buf2[10] = "%s"; + +static int +do_test (void) +{ + struct rlimit rl; + int max_fd = 24; + + if (getrlimit (RLIMIT_NOFILE, &rl) == -1) + FAIL_EXIT1 ("getrlimit (RLIMIT_NOFILE): %m"); + + max_fd = (rl.rlim_cur < max_fd ? rl.rlim_cur : max_fd); + rl.rlim_cur = max_fd; + + if (setrlimit (RLIMIT_NOFILE, &rl) == 1) + FAIL_EXIT1 ("setrlimit (RLIMIT_NOFILE): %m"); + + /* Exhaust the file descriptor limit with temporary files. */ + int nfiles = 0; + for (; nfiles < max_fd; nfiles++) + { + int fd = create_temp_file ("tst-sprintf-fortify-rdonly-.", NULL); + if (fd == -1) + { + if (errno != EMFILE) + FAIL_EXIT1 ("create_temp_file: %m"); + break; + } + } + TEST_VERIFY_EXIT (nfiles != 0); + + /* When the format string is writable and contains %n, + with -D_FORTIFY_SOURCE=2 it causes __chk_fail. However, if libc can not + open procfs to check if the input format string in within a writable + memory segment, the fortify version can not perform the check. */ + char buf[128]; + int n1; + int n2; + + strcpy (buf2 + 2, "%n%s%n"); + if (sprintf (buf, buf2, str2, &n1, str2, &n2) != 2 + || n1 != 1 || n2 != 2) + FAIL_EXIT1 ("sprintf failed: %s %d %d", buf, n1, n2); + + return 0; +} + +#include