1 /* Test memset_explicit.
2 Copyright 2020-2024 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <https://www.gnu.org/licenses/>. */
17 /* Written by Bruno Haible <bruno@clisp.org>, 2020. */
18 /* Adapted for memset_explicit by Paul Eggert <eggert@cs.ucla.edu>, 2022. */
25 #include "signature.h"
26 SIGNATURE_CHECK (memset_explicit
, void *, (void *, int, size_t));
36 #define SECRET "xyzzy1729"
39 static char zero
[SECRET_SIZE
] = { 0 };
41 /* Enable this to verify that the test is effective. */
43 # define memset_explicit(a, c, n) memset (a, c, n)
46 /* Suppress GCC 13.2.1 false alarm, as this test needs a dangling pointer. */
48 # pragma GCC diagnostic ignored "-Wdangling-pointer"
51 /* =================== Verify operation on static memory =================== */
53 static char stbuf
[SECRET_SIZE
];
58 memcpy (stbuf
, SECRET
, SECRET_SIZE
);
59 memset_explicit (stbuf
, 0, SECRET_SIZE
);
60 ASSERT (memcmp (zero
, stbuf
, SECRET_SIZE
) == 0);
61 for (int i
= 1; i
<= UCHAR_MAX
; i
++)
63 char checkbuf
[SECRET_SIZE
];
64 memset (checkbuf
, i
, SECRET_SIZE
);
65 memcpy (stbuf
, SECRET
, SECRET_SIZE
);
66 memset_explicit (stbuf
, i
, SECRET_SIZE
);
67 ASSERT (memcmp (checkbuf
, stbuf
, SECRET_SIZE
) == 0);
71 /* =============== Verify operation on heap-allocated memory =============== */
73 /* Skip this part when an address sanitizer is in use, because it would report
74 a "heap use after free". */
76 # define __has_feature(a) 0
78 #if defined __SANITIZE_ADDRESS__ || __has_feature (address_sanitizer)
87 /* Test whether an address range is mapped in memory. */
88 # if VMA_ITERATE_SUPPORTED
92 uintptr_t range_start
;
97 vma_iterate_callback (void *data
, uintptr_t start
, uintptr_t end
,
100 struct locals
*lp
= (struct locals
*) data
;
102 /* Remove from [range_start, range_end) the part at the beginning or at the
103 end that is covered by [start, end). */
104 if (start
<= lp
->range_start
&& end
> lp
->range_start
)
105 lp
->range_start
= (end
< lp
->range_end
? end
: lp
->range_end
);
106 if (start
< lp
->range_end
&& end
>= lp
->range_end
)
107 lp
->range_end
= (start
> lp
->range_start
? start
: lp
->range_start
);
113 is_range_mapped (uintptr_t range_start
, uintptr_t range_end
)
117 l
.range_start
= range_start
;
118 l
.range_end
= range_end
;
119 vma_iterate (vma_iterate_callback
, &l
);
120 return l
.range_start
== l
.range_end
;
126 is_range_mapped (uintptr_t range_start
, uintptr_t range_end
)
136 char *heapbuf
= (char *) malloc (SECRET_SIZE
);
138 uintptr_t volatile addr
= (uintptr_t) heapbuf
;
139 memcpy (heapbuf
, SECRET
, SECRET_SIZE
);
140 memset_explicit (heapbuf
, 0, SECRET_SIZE
);
142 heapbuf
= (char *) addr
;
143 if (is_range_mapped (addr
, addr
+ SECRET_SIZE
))
145 /* some implementation could override freed memory by canaries so
146 compare against secret */
147 ASSERT (memcmp (heapbuf
, SECRET
, SECRET_SIZE
) != 0);
148 printf ("test_heap: address range is still mapped after free().\n");
151 printf ("test_heap: address range is unmapped after free().\n");
154 #endif /* ! address sanitizer enabled */
156 /* =============== Verify operation on stack-allocated memory =============== */
158 /* Skip this part when an address sanitizer is in use, because it would report
159 a "stack use after return". */
160 #ifndef __has_feature
161 # define __has_feature(a) 0
163 #if defined __SANITIZE_ADDRESS__ || __has_feature (address_sanitizer)
172 /* There are two passes:
173 1. Put a secret in memory and invoke memset_explicit on it.
174 2. Verify that the memory has been erased.
175 Implement them in the same function, so that they access the same memory
176 range on the stack. Declare the local scalars to be volatile so they
177 are not optimized away. That way, the test verifies that the compiler
178 does not eliminate a call to memset_explicit, even if data flow analysis
179 reveals that the stack area is dead at the end of the function. */
180 static bool _GL_ATTRIBUTE_NOINLINE
181 # if __GNUC__ + (__GNUC_MINOR__ >= 5) > 4
182 __attribute__ ((__noclone__
))
185 __attribute__ ((__noipa__
))
187 do_secret_stuff (int volatile pass
, char *volatile *volatile last_stackbuf
)
189 char stackbuf
[SECRET_SIZE
];
192 memcpy (stackbuf
, SECRET
, SECRET_SIZE
);
193 memset_explicit (stackbuf
, 0, SECRET_SIZE
);
194 *last_stackbuf
= stackbuf
;
199 /* Use *last_stackbuf here, because stackbuf may be allocated at a
200 different address than *last_stackbuf. This can happen
201 when the compiler splits this function into different functions,
202 one for pass == 1 and one for pass != 1. */
203 return memcmp (zero
, *last_stackbuf
, SECRET_SIZE
) != 0;
212 char *volatile last_stackbuf
;
214 for (repeat
= 2 * 1000; repeat
> 0; repeat
--)
216 /* This odd way of writing two consecutive statements
217 do_secret_stuff (1, &last_stackbuf);
218 count += do_secret_stuff (2, &last_stackbuf);
219 ensures that the two do_secret_stuff calls are performed with the same
220 stack pointer value, on m68k. */
221 if ((repeat
% 2) == 0)
222 do_secret_stuff (1, &last_stackbuf
);
224 count
+= do_secret_stuff (2, &last_stackbuf
);
226 /* If memset_explicit works, count is near 0. (It may be > 0 if there were
227 some asynchronous signal invocations between the two calls of
229 If memset_explicit is optimized away by the compiler, count comes out as
230 approximately 1000. */
231 printf ("test_stack: count = %d\n", count
);
235 #endif /* ! address sanitizer enabled */
237 /* ========================================================================== */
246 return test_exit_status
;