tests/test-explicit_bzero.c

   1 /* Test of explicit_bzero() function.
   2    Copyright (C) 2020-2024 Free Software Foundation, Inc.
   3
   4    This program is free software: you can redistribute it and/or modify
   5    it under the terms of the GNU General Public License as published by
   6    the Free Software Foundation, either version 3 of the License, or
   7    (at your option) any later version.
   8
   9    This program is distributed in the hope that it will be useful,
  10    but WITHOUT ANY WARRANTY; without even the implied warranty of
  11    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12    GNU General Public License for more details.
  13
  14    You should have received a copy of the GNU General Public License
  15    along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
  16
  17 /* Written by Bruno Haible <bruno@clisp.org>, 2020.  */
  18
  19 #include <config.h>
  20
  21 /* Specification.  */
  22 #include <string.h>
  23
  24 #include "signature.h"
  25 SIGNATURE_CHECK (explicit_bzero, void, (void *, size_t));
  26
  27 #include <stdio.h>
  28 #include <stdint.h>
  29 #include <stdlib.h>
  30
  31 #include "vma-iter.h"
  32 #include "macros.h"
  33
  34 #define SECRET "xyzzy1729"
  35 #define SECRET_SIZE 9
  36
  37 static char zero[SECRET_SIZE] = { 0 };
  38
  39 /* Enable this to verify that the test is effective.  */
  40 #if 0
  41 # define explicit_bzero(a, n)  memset (a, '\0', n)
  42 #endif
  43
  44 /* Suppress GCC 13.2.1 false alarm, as this test needs a dangling pointer.  */
  45 #if 12 <= __GNUC__
  46 # pragma GCC diagnostic ignored "-Wdangling-pointer"
  47 #endif
  48
  49 /* =================== Verify operation on static memory =================== */
  50
  51 static char stbuf[SECRET_SIZE];
  52
  53 static void
  54 test_static (void)
  55 {
  56   memcpy (stbuf, SECRET, SECRET_SIZE);
  57   explicit_bzero (stbuf, SECRET_SIZE);
  58   ASSERT (memcmp (zero, stbuf, SECRET_SIZE) == 0);
  59 }
  60
  61 /* =============== Verify operation on heap-allocated memory =============== */
  62
  63 /* Skip this part when an address sanitizer is in use, because it would report
  64    a "heap use after free".  */
  65 #ifndef __has_feature
  66 # define __has_feature(a) 0
  67 #endif
  68 #if defined __SANITIZE_ADDRESS__ || __has_feature (address_sanitizer)
  69
  70 static void
  71 test_heap (void)
  72 {
  73 }
  74
  75 #else
  76
  77 /* Test whether an address range is mapped in memory.  */
  78 # if VMA_ITERATE_SUPPORTED
  79
  80 struct locals
  81 {
  82   uintptr_t range_start;
  83   uintptr_t range_end;
  84 };
  85
  86 static int
  87 vma_iterate_callback (void *data, uintptr_t start, uintptr_t end,
  88                       unsigned int flags)
  89 {
  90   struct locals *lp = (struct locals *) data;
  91
  92   /* Remove from [range_start, range_end) the part at the beginning or at the
  93      end that is covered by [start, end).  */
  94   if (start <= lp->range_start && end > lp->range_start)
  95     lp->range_start = (end < lp->range_end ? end : lp->range_end);
  96   if (start < lp->range_end && end >= lp->range_end)
  97     lp->range_end = (start > lp->range_start ? start : lp->range_start);
  98
  99   return 0;
 100 }
 101
 102 static bool
 103 is_range_mapped (uintptr_t range_start, uintptr_t range_end)
 104 {
 105   struct locals l;
 106
 107   l.range_start = range_start;
 108   l.range_end = range_end;
 109   vma_iterate (vma_iterate_callback, &l);
 110   return l.range_start == l.range_end;
 111 }
 112
 113 # else
 114
 115 static bool
 116 is_range_mapped (uintptr_t range_start, uintptr_t range_end)
 117 {
 118   return true;
 119 }
 120
 121 # endif
 122
 123 static void
 124 test_heap (void)
 125 {
 126   char *heapbuf = (char *) malloc (SECRET_SIZE);
 127   ASSERT (heapbuf);
 128   uintptr_t volatile addr = (uintptr_t) heapbuf;
 129   memcpy (heapbuf, SECRET, SECRET_SIZE);
 130   explicit_bzero (heapbuf, SECRET_SIZE);
 131   free (heapbuf);
 132   heapbuf = (char *) addr;
 133   if (is_range_mapped (addr, addr + SECRET_SIZE))
 134     {
 135       /* some implementation could override freed memory by canaries so
 136          compare against secret */
 137       ASSERT (memcmp (heapbuf, SECRET, SECRET_SIZE) != 0);
 138       printf ("test_heap: address range is still mapped after free().\n");
 139     }
 140   else
 141     printf ("test_heap: address range is unmapped after free().\n");
 142 }
 143
 144 #endif /* ! address sanitizer enabled */
 145
 146 /* =============== Verify operation on stack-allocated memory =============== */
 147
 148 /* Skip this part when an address sanitizer is in use, because it would report
 149    a "stack use after return".  */
 150 #ifndef __has_feature
 151 # define __has_feature(a) 0
 152 #endif
 153 #if defined __SANITIZE_ADDRESS__ || __has_feature (address_sanitizer)
 154
 155 static void
 156 test_stack (void)
 157 {
 158 }
 159
 160 #else
 161
 162 /* There are two passes:
 163      1. Put a secret in memory and invoke explicit_bzero on it.
 164      2. Verify that the memory has been erased.
 165    Implement them in the same function, so that they access the same memory
 166    range on the stack.  Declare the local scalars to be volatile so they
 167    are not optimized away.  That way, the test verifies that the compiler
 168    does not eliminate a call to explicit_bzero, even if data flow analysis
 169    reveals that the stack area is dead at the end of the function.  */
 170 static bool _GL_ATTRIBUTE_NOINLINE
 171 # if __GNUC__ + (__GNUC_MINOR__ >= 5) > 4
 172 __attribute__ ((__noclone__))
 173 # endif
 174 # if __GNUC__ >= 8
 175 __attribute__ ((__noipa__))
 176 # endif
 177 do_secret_stuff (int volatile pass, char *volatile *volatile last_stackbuf)
 178 {
 179   char stackbuf[SECRET_SIZE];
 180   if (pass == 1)
 181     {
 182       memcpy (stackbuf, SECRET, SECRET_SIZE);
 183       explicit_bzero (stackbuf, SECRET_SIZE);
 184       *last_stackbuf = stackbuf;
 185       return false;
 186     }
 187   else /* pass == 2 */
 188     {
 189       /* Use *last_stackbuf here, because stackbuf may be allocated at a
 190          different address than *last_stackbuf.  This can happen
 191          when the compiler splits this function into different functions,
 192          one for pass == 1 and one for pass != 1.  */
 193       return memcmp (zero, *last_stackbuf, SECRET_SIZE) != 0;
 194     }
 195 }
 196
 197 static void
 198 test_stack (void)
 199 {
 200   int count = 0;
 201   int repeat;
 202   char *volatile last_stackbuf;
 203
 204   for (repeat = 2 * 1000; repeat > 0; repeat--)
 205     {
 206       /* This odd way of writing two consecutive statements
 207            do_secret_stuff (1, &last_stackbuf);
 208            count += do_secret_stuff (2, &last_stackbuf);
 209          ensures that the two do_secret_stuff calls are performed with the same
 210          stack pointer value, on m68k.  */
 211       if ((repeat % 2) == 0)
 212         do_secret_stuff (1, &last_stackbuf);
 213       else
 214         count += do_secret_stuff (2, &last_stackbuf);
 215     }
 216   /* If explicit_bzero works, count is near 0.  (It may be > 0 if there were
 217      some asynchronous signal invocations between the two calls of
 218      do_secret_stuff.)
 219      If explicit_bzero is optimized away by the compiler, count comes out as
 220      approximately 1000.  */
 221   printf ("test_stack: count = %d\n", count);
 222   ASSERT (count < 50);
 223 }
 224
 225 #endif /* ! address sanitizer enabled */
 226
 227 /* ========================================================================== */
 228
 229 int
 230 main ()
 231 {
 232   test_static ();
 233   test_heap ();
 234   test_stack ();
 235
 236   return test_exit_status;
 237 }