1 /* Test of explicit_bzero() function.
2 Copyright (C) 2020-2024 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <https://www.gnu.org/licenses/>. */
17 /* Written by Bruno Haible <bruno@clisp.org>, 2020. */
24 #include "signature.h"
25 SIGNATURE_CHECK (explicit_bzero
, void, (void *, size_t));
34 #define SECRET "xyzzy1729"
37 static char zero
[SECRET_SIZE
] = { 0 };
39 /* Enable this to verify that the test is effective. */
41 # define explicit_bzero(a, n) memset (a, '\0', n)
44 /* Suppress GCC 13.2.1 false alarm, as this test needs a dangling pointer. */
46 # pragma GCC diagnostic ignored "-Wdangling-pointer"
49 /* =================== Verify operation on static memory =================== */
51 static char stbuf
[SECRET_SIZE
];
56 memcpy (stbuf
, SECRET
, SECRET_SIZE
);
57 explicit_bzero (stbuf
, SECRET_SIZE
);
58 ASSERT (memcmp (zero
, stbuf
, SECRET_SIZE
) == 0);
61 /* =============== Verify operation on heap-allocated memory =============== */
63 /* Skip this part when an address sanitizer is in use, because it would report
64 a "heap use after free". */
66 # define __has_feature(a) 0
68 #if defined __SANITIZE_ADDRESS__ || __has_feature (address_sanitizer)
77 /* Test whether an address range is mapped in memory. */
78 # if VMA_ITERATE_SUPPORTED
82 uintptr_t range_start
;
87 vma_iterate_callback (void *data
, uintptr_t start
, uintptr_t end
,
90 struct locals
*lp
= (struct locals
*) data
;
92 /* Remove from [range_start, range_end) the part at the beginning or at the
93 end that is covered by [start, end). */
94 if (start
<= lp
->range_start
&& end
> lp
->range_start
)
95 lp
->range_start
= (end
< lp
->range_end
? end
: lp
->range_end
);
96 if (start
< lp
->range_end
&& end
>= lp
->range_end
)
97 lp
->range_end
= (start
> lp
->range_start
? start
: lp
->range_start
);
103 is_range_mapped (uintptr_t range_start
, uintptr_t range_end
)
107 l
.range_start
= range_start
;
108 l
.range_end
= range_end
;
109 vma_iterate (vma_iterate_callback
, &l
);
110 return l
.range_start
== l
.range_end
;
116 is_range_mapped (uintptr_t range_start
, uintptr_t range_end
)
126 char *heapbuf
= (char *) malloc (SECRET_SIZE
);
128 uintptr_t volatile addr
= (uintptr_t) heapbuf
;
129 memcpy (heapbuf
, SECRET
, SECRET_SIZE
);
130 explicit_bzero (heapbuf
, SECRET_SIZE
);
132 heapbuf
= (char *) addr
;
133 if (is_range_mapped (addr
, addr
+ SECRET_SIZE
))
135 /* some implementation could override freed memory by canaries so
136 compare against secret */
137 ASSERT (memcmp (heapbuf
, SECRET
, SECRET_SIZE
) != 0);
138 printf ("test_heap: address range is still mapped after free().\n");
141 printf ("test_heap: address range is unmapped after free().\n");
144 #endif /* ! address sanitizer enabled */
146 /* =============== Verify operation on stack-allocated memory =============== */
148 /* Skip this part when an address sanitizer is in use, because it would report
149 a "stack use after return". */
150 #ifndef __has_feature
151 # define __has_feature(a) 0
153 #if defined __SANITIZE_ADDRESS__ || __has_feature (address_sanitizer)
162 /* There are two passes:
163 1. Put a secret in memory and invoke explicit_bzero on it.
164 2. Verify that the memory has been erased.
165 Implement them in the same function, so that they access the same memory
166 range on the stack. Declare the local scalars to be volatile so they
167 are not optimized away. That way, the test verifies that the compiler
168 does not eliminate a call to explicit_bzero, even if data flow analysis
169 reveals that the stack area is dead at the end of the function. */
170 static bool _GL_ATTRIBUTE_NOINLINE
171 # if __GNUC__ + (__GNUC_MINOR__ >= 5) > 4
172 __attribute__ ((__noclone__
))
175 __attribute__ ((__noipa__
))
177 do_secret_stuff (int volatile pass
, char *volatile *volatile last_stackbuf
)
179 char stackbuf
[SECRET_SIZE
];
182 memcpy (stackbuf
, SECRET
, SECRET_SIZE
);
183 explicit_bzero (stackbuf
, SECRET_SIZE
);
184 *last_stackbuf
= stackbuf
;
189 /* Use *last_stackbuf here, because stackbuf may be allocated at a
190 different address than *last_stackbuf. This can happen
191 when the compiler splits this function into different functions,
192 one for pass == 1 and one for pass != 1. */
193 return memcmp (zero
, *last_stackbuf
, SECRET_SIZE
) != 0;
202 char *volatile last_stackbuf
;
204 for (repeat
= 2 * 1000; repeat
> 0; repeat
--)
206 /* This odd way of writing two consecutive statements
207 do_secret_stuff (1, &last_stackbuf);
208 count += do_secret_stuff (2, &last_stackbuf);
209 ensures that the two do_secret_stuff calls are performed with the same
210 stack pointer value, on m68k. */
211 if ((repeat
% 2) == 0)
212 do_secret_stuff (1, &last_stackbuf
);
214 count
+= do_secret_stuff (2, &last_stackbuf
);
216 /* If explicit_bzero works, count is near 0. (It may be > 0 if there were
217 some asynchronous signal invocations between the two calls of
219 If explicit_bzero is optimized away by the compiler, count comes out as
220 approximately 1000. */
221 printf ("test_stack: count = %d\n", count
);
225 #endif /* ! address sanitizer enabled */
227 /* ========================================================================== */
236 return test_exit_status
;