search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert 161499 - Add systemInfo.cpu.onUpdated event implementation.
[chromium-blink-merge.git] / ipc / ipc_fuzzing_tests.cc
blob4c3e9c9673f072c584ff1738c0a417cea3022157
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stdio.h>
6 #include <string>
7 #include <sstream>
8
9 #include "base/message_loop.h"
10 #include "base/process_util.h"
11 #include "base/threading/platform_thread.h"
12 #include "ipc/ipc_channel.h"
13 #include "ipc/ipc_channel_proxy.h"
14 #include "ipc/ipc_multiprocess_test.h"
15 #include "ipc/ipc_tests.h"
16 #include "testing/gtest/include/gtest/gtest.h"
17 #include "testing/multiprocess_func_list.h"
18
19 // IPC messages for testing ---------------------------------------------------
20
21 #define IPC_MESSAGE_IMPL
22 #include "ipc/ipc_message_macros.h"
23
24 #define IPC_MESSAGE_START TestMsgStart
25
26 // Generic message class that is an int followed by a wstring.
27 IPC_MESSAGE_CONTROL2(MsgClassIS, int, std::wstring)
28
29 // Generic message class that is a wstring followed by an int.
30 IPC_MESSAGE_CONTROL2(MsgClassSI, std::wstring, int)
31
32 // Message to create a mutex in the IPC server, using the received name.
33 IPC_MESSAGE_CONTROL2(MsgDoMutex, std::wstring, int)
34
35 // Used to generate an ID for a message that should not exist.
36 IPC_MESSAGE_CONTROL0(MsgUnhandled)
37
38 // ----------------------------------------------------------------------------
39
40 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
41 //This was BUG 984408.
42 uint32 v1 = kuint32max - 1;
43 int v2 = 666;
44 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
45 EXPECT_TRUE(m.WriteInt(v1));
46 EXPECT_TRUE(m.WriteInt(v2));
47
48 PickleIterator iter(m);
49 std::string vs;
50 EXPECT_FALSE(m.ReadString(&iter, &vs));
51 }
52
53 TEST(IPCMessageIntegrity, ReadBeyondBufferWStr) {
54 //This was BUG 984408.
55 uint32 v1 = kuint32max - 1;
56 int v2 = 777;
57 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
58 EXPECT_TRUE(m.WriteInt(v1));
59 EXPECT_TRUE(m.WriteInt(v2));
60
61 PickleIterator iter(m);
62 std::wstring vs;
63 EXPECT_FALSE(m.ReadWString(&iter, &vs));
64 }
65
66 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
67 // This was BUG 1035467.
68 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
69 EXPECT_TRUE(m.WriteInt(1));
70 EXPECT_TRUE(m.WriteInt(2));
71
72 PickleIterator iter(m);
73 const char* data = NULL;
74 EXPECT_TRUE(m.ReadBytes(&iter, &data, sizeof(int)));
75 }
76
77 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
78 // A slight variation of BUG 984408. Note that the pickling of vector<char>
79 // has a specialized template which is not vulnerable to this bug. So here
80 // try to hit the non-specialized case vector<P>.
81 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
82 EXPECT_TRUE(m.WriteInt(-1)); // This is the count of elements.
83 EXPECT_TRUE(m.WriteInt(1));
84 EXPECT_TRUE(m.WriteInt(2));
85 EXPECT_TRUE(m.WriteInt(3));
86
87 std::vector<double> vec;
88 PickleIterator iter(m);
89 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
90 }
91
92 TEST(IPCMessageIntegrity, ReadVectorTooLarge1) {
93 // This was BUG 1006367. This is the large but positive length case. Again
94 // we try to hit the non-specialized case vector<P>.
95 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
96 EXPECT_TRUE(m.WriteInt(0x21000003)); // This is the count of elements.
97 EXPECT_TRUE(m.WriteInt64(1));
98 EXPECT_TRUE(m.WriteInt64(2));
99
100 std::vector<int64> vec;
101 PickleIterator iter(m);
102 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
103 }
104
105 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
106 // This was BUG 1006367. This is the large but positive with an additional
107 // integer overflow when computing the actual byte size. Again we try to hit
108 // the non-specialized case vector<P>.
109 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
110 EXPECT_TRUE(m.WriteInt(0x71000000)); // This is the count of elements.
111 EXPECT_TRUE(m.WriteInt64(1));
112 EXPECT_TRUE(m.WriteInt64(2));
113
114 std::vector<int64> vec;
115 PickleIterator iter(m);
116 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
117 }
118
119 class SimpleListener : public IPC::Listener {
120 public:
121 SimpleListener() : other_(NULL) {
122 }
123 void Init(IPC::Sender* s) {
124 other_ = s;
125 }
126 protected:
127 IPC::Sender* other_;
128 };
129
130 enum {
131 FUZZER_ROUTING_ID = 5
132 };
133
134 // The fuzzer server class. It runs in a child process and expects
135 // only two IPC calls; after that it exits the message loop which
136 // terminates the child process.
137 class FuzzerServerListener : public SimpleListener {
138 public:
139 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
140 }
141 virtual bool OnMessageReceived(const IPC::Message& msg) {
142 if (msg.routing_id() == MSG_ROUTING_CONTROL) {
143 ++pending_messages_;
144 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
145 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
146 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
147 IPC_END_MESSAGE_MAP()
148 if (pending_messages_) {
149 // Probably a problem de-serializing the message.
150 ReplyMsgNotHandled(msg.type());
151 }
152 }
153 return true;
154 }
155
156 private:
157 void OnMsgClassISMessage(int value, const std::wstring& text) {
158 UseData(MsgClassIS::ID, value, text);
159 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
160 Cleanup();
161 }
162
163 void OnMsgClassSIMessage(const std::wstring& text, int value) {
164 UseData(MsgClassSI::ID, value, text);
165 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
166 Cleanup();
167 }
168
169 bool RoundtripAckReply(int routing, uint32 type_id, int reply) {
170 IPC::Message* message = new IPC::Message(routing, type_id,
171 IPC::Message::PRIORITY_NORMAL);
172 message->WriteInt(reply + 1);
173 message->WriteInt(reply);
174 return other_->Send(message);
175 }
176
177 void Cleanup() {
178 --message_count_;
179 --pending_messages_;
180 if (0 == message_count_)
181 MessageLoop::current()->Quit();
182 }
183
184 void ReplyMsgNotHandled(uint32 type_id) {
185 RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
186 Cleanup();
187 }
188
189 void UseData(int caller, int value, const std::wstring& text) {
190 std::wostringstream wos;
191 wos << L"IPC fuzzer:" << caller << " [" << value << L" " << text << L"]\n";
192 std::wstring output = wos.str();
193 LOG(WARNING) << output.c_str();
194 };
195
196 int message_count_;
197 int pending_messages_;
198 };
199
200 class FuzzerClientListener : public SimpleListener {
201 public:
202 FuzzerClientListener() : last_msg_(NULL) {
203 }
204
205 virtual bool OnMessageReceived(const IPC::Message& msg) {
206 last_msg_ = new IPC::Message(msg);
207 MessageLoop::current()->Quit();
208 return true;
209 }
210
211 bool ExpectMessage(int value, uint32 type_id) {
212 if (!MsgHandlerInternal(type_id))
213 return false;
214 int msg_value1 = 0;
215 int msg_value2 = 0;
216 PickleIterator iter(*last_msg_);
217 if (!last_msg_->ReadInt(&iter, &msg_value1))
218 return false;
219 if (!last_msg_->ReadInt(&iter, &msg_value2))
220 return false;
221 if ((msg_value2 + 1) != msg_value1)
222 return false;
223 if (msg_value2 != value)
224 return false;
225
226 delete last_msg_;
227 last_msg_ = NULL;
228 return true;
229 }
230
231 bool ExpectMsgNotHandled(uint32 type_id) {
232 return ExpectMessage(type_id, MsgUnhandled::ID);
233 }
234
235 private:
236 bool MsgHandlerInternal(uint32 type_id) {
237 MessageLoop::current()->Run();
238 if (NULL == last_msg_)
239 return false;
240 if (FUZZER_ROUTING_ID != last_msg_->routing_id())
241 return false;
242 return (type_id == last_msg_->type());
243 };
244
245 IPC::Message* last_msg_;
246 };
247
248 // Runs the fuzzing server child mode. Returns when the preset number
249 // of messages have been received.
250 MULTIPROCESS_IPC_TEST_MAIN(RunFuzzServer) {
251 MessageLoopForIO main_message_loop;
252 FuzzerServerListener listener;
253 IPC::Channel chan(kFuzzerChannel, IPC::Channel::MODE_CLIENT, &listener);
254 CHECK(chan.Connect());
255 listener.Init(&chan);
256 MessageLoop::current()->Run();
257 return 0;
258 }
259
260 class IPCFuzzingTest : public IPCChannelTest {
261 };
262
263 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
264 // are working properly by generating two well formed IPC calls.
265 TEST_F(IPCFuzzingTest, SanityTest) {
266 FuzzerClientListener listener;
267 IPC::Channel chan(kFuzzerChannel, IPC::Channel::MODE_SERVER,
268 &listener);
269 base::ProcessHandle server_process = SpawnChild(FUZZER_SERVER, &chan);
270 ASSERT_TRUE(server_process);
271 base::PlatformThread::Sleep(base::TimeDelta::FromSeconds(1));
272 ASSERT_TRUE(chan.Connect());
273 listener.Init(&chan);
274
275 IPC::Message* msg = NULL;
276 int value = 43;
277 msg = new MsgClassIS(value, L"expect 43");
278 chan.Send(msg);
279 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));
280
281 msg = new MsgClassSI(L"expect 44", ++value);
282 chan.Send(msg);
283 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
284
285 EXPECT_TRUE(base::WaitForSingleProcess(
286 server_process, base::TimeDelta::FromSeconds(5)));
287 base::CloseProcessHandle(server_process);
288 }
289
290 // This test uses a payload that is smaller than expected.
291 // This generates an error while unpacking the IPC buffer which in
292 // In debug this triggers an assertion and in release it is ignored(!!). Right
293 // after we generate another valid IPC to make sure framing is working
294 // properly.
295 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
296 TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
297 FuzzerClientListener listener;
298 IPC::Channel chan(kFuzzerChannel, IPC::Channel::MODE_SERVER,
299 &listener);
300 base::ProcessHandle server_process = SpawnChild(FUZZER_SERVER, &chan);
301 ASSERT_TRUE(server_process);
302 base::PlatformThread::Sleep(base::TimeDelta::FromSeconds(1));
303 ASSERT_TRUE(chan.Connect());
304 listener.Init(&chan);
305
306 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
307 IPC::Message::PRIORITY_NORMAL);
308 msg->WriteInt(666);
309 chan.Send(msg);
310 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
311
312 msg = new MsgClassSI(L"expect one", 1);
313 chan.Send(msg);
314 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
315
316 EXPECT_TRUE(base::WaitForSingleProcess(
317 server_process, base::TimeDelta::FromSeconds(5)));
318 base::CloseProcessHandle(server_process);
319 }
320 #endif
321
322 // This test uses a payload that has too many arguments, but so the payload
323 // size is big enough so the unpacking routine does not generate an error as
324 // in the case of MsgBadPayloadShort test.
325 // This test does not pinpoint a flaw (per se) as by design we don't carry
326 // type information on the IPC message.
327 TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
328 FuzzerClientListener listener;
329 IPC::Channel chan(kFuzzerChannel, IPC::Channel::MODE_SERVER,
330 &listener);
331 base::ProcessHandle server_process = SpawnChild(FUZZER_SERVER, &chan);
332 ASSERT_TRUE(server_process);
333 base::PlatformThread::Sleep(base::TimeDelta::FromSeconds(1));
334 ASSERT_TRUE(chan.Connect());
335 listener.Init(&chan);
336
337 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
338 IPC::Message::PRIORITY_NORMAL);
339 msg->WriteWString(L"d");
340 msg->WriteInt(0);
341 msg->WriteInt(0x65); // Extra argument.
342
343 chan.Send(msg);
344 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
345
346 // Now send a well formed message to make sure the receiver wasn't
347 // thrown out of sync by the extra argument.
348 msg = new MsgClassIS(3, L"expect three");
349 chan.Send(msg);
350 EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
351
352 EXPECT_TRUE(base::WaitForSingleProcess(
353 server_process, base::TimeDelta::FromSeconds(5)));
354 base::CloseProcessHandle(server_process);
355 }
356
357 // This class is for testing the IPC_BEGIN_MESSAGE_MAP_EX macros.
358 class ServerMacroExTest {
359 public:
360 ServerMacroExTest() : unhandled_msgs_(0) {
361 }
362
363 virtual ~ServerMacroExTest() {
364 }
365
366 virtual bool OnMessageReceived(const IPC::Message& msg) {
367 bool msg_is_ok = false;
368 IPC_BEGIN_MESSAGE_MAP_EX(ServerMacroExTest, msg, msg_is_ok)
369 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
370 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
371 IPC_MESSAGE_UNHANDLED(++unhandled_msgs_)
372 IPC_END_MESSAGE_MAP_EX()
373 return msg_is_ok;
374 }
375
376 int unhandled_msgs() const {
377 return unhandled_msgs_;
378 }
379
380 private:
381 void OnMsgClassISMessage(int value, const std::wstring& text) {
382 }
383 void OnMsgClassSIMessage(const std::wstring& text, int value) {
384 }
385
386 int unhandled_msgs_;
387
388 DISALLOW_COPY_AND_ASSIGN(ServerMacroExTest);
389 };
390
391 TEST_F(IPCFuzzingTest, MsgMapExMacro) {
392 IPC::Message* msg = NULL;
393 ServerMacroExTest server;
394
395 // Test the regular messages.
396 msg = new MsgClassIS(3, L"text3");
397 EXPECT_TRUE(server.OnMessageReceived(*msg));
398 delete msg;
399 msg = new MsgClassSI(L"text2", 2);
400 EXPECT_TRUE(server.OnMessageReceived(*msg));
401 delete msg;
402
403 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
404 // Test a bad message.
405 msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
406 IPC::Message::PRIORITY_NORMAL);
407 msg->WriteInt(2);
408 EXPECT_FALSE(server.OnMessageReceived(*msg));
409 delete msg;
410
411 msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
412 IPC::Message::PRIORITY_NORMAL);
413 msg->WriteInt(0x64);
414 msg->WriteInt(0x32);
415 EXPECT_FALSE(server.OnMessageReceived(*msg));
416 delete msg;
417
418 EXPECT_EQ(0, server.unhandled_msgs());
419 #endif
420 }