search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
[glibc.git] / string / test-strcmp.c
blob3c75076fb84f18eef7b26168010031bda1e6a5cb
1 /* Test and measure strcmp and wcscmp functions.
2 Copyright (C) 1999-2022 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4
5 The GNU C Library is free software; you can redistribute it and/or
6 modify it under the terms of the GNU Lesser General Public
7 License as published by the Free Software Foundation; either
8 version 2.1 of the License, or (at your option) any later version.
9
10 The GNU C Library is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Lesser General Public License for more details.
14
15 You should have received a copy of the GNU Lesser General Public
16 License along with the GNU C Library; if not, see
17 <https://www.gnu.org/licenses/>. */
18
19 #define TEST_MAIN
20 #ifdef WIDE
21 # define TEST_NAME "wcscmp"
22 #else
23 # define TEST_NAME "strcmp"
24 #endif
25 #include "test-string.h"
26 #include <support/test-driver.h>
27
28 #ifdef WIDE
29 # include <wchar.h>
30
31 # define L(str) L##str
32 # define STRCMP wcscmp
33 # define STRCPY wcscpy
34 # define STRLEN wcslen
35 # define MEMCPY wmemcpy
36 # define SIMPLE_STRCMP simple_wcscmp
37 # define STUPID_STRCMP stupid_wcscmp
38 # define CHAR wchar_t
39 # define UCHAR wchar_t
40 # define CHARBYTES 4
41 # define CHARBYTESLOG 2
42 # define CHARALIGN __alignof__ (CHAR)
43 # define MIDCHAR 0x7fffffff
44 # define LARGECHAR 0xfffffffe
45 # define CHAR__MAX WCHAR_MAX
46 # define CHAR__MIN WCHAR_MIN
47
48 /* Wcscmp uses signed semantics for comparison, not unsigned */
49 /* Avoid using substraction since possible overflow */
50
51 int
52 simple_wcscmp (const wchar_t *s1, const wchar_t *s2)
53 {
54 wchar_t c1, c2;
55 do
56 {
57 c1 = *s1++;
58 c2 = *s2++;
59 if (c2 == L'\0')
60 return c1 - c2;
61 }
62 while (c1 == c2);
63
64 return c1 < c2 ? -1 : 1;
65 }
66
67 int
68 stupid_wcscmp (const wchar_t *s1, const wchar_t *s2)
69 {
70 size_t ns1 = wcslen (s1) + 1;
71 size_t ns2 = wcslen (s2) + 1;
72 size_t n = ns1 < ns2 ? ns1 : ns2;
73 int ret = 0;
74
75 wchar_t c1, c2;
76
77 while (n--) {
78 c1 = *s1++;
79 c2 = *s2++;
80 if ((ret = c1 < c2 ? -1 : c1 == c2 ? 0 : 1) != 0)
81 break;
82 }
83 return ret;
84 }
85
86 #else
87 # include <limits.h>
88
89 # define L(str) str
90 # define STRCMP strcmp
91 # define STRCPY strcpy
92 # define STRLEN strlen
93 # define MEMCPY memcpy
94 # define SIMPLE_STRCMP simple_strcmp
95 # define STUPID_STRCMP stupid_strcmp
96 # define CHAR char
97 # define UCHAR unsigned char
98 # define CHARBYTES 1
99 # define CHARBYTESLOG 0
100 # define CHARALIGN 1
101 # define MIDCHAR 0x7f
102 # define LARGECHAR 0xfe
103 # define CHAR__MAX CHAR_MAX
104 # define CHAR__MIN CHAR_MIN
105
106 /* Strcmp uses unsigned semantics for comparison. */
107 int
108 simple_strcmp (const char *s1, const char *s2)
109 {
110 int ret;
111
112 while ((ret = *(unsigned char *) s1 - *(unsigned char*) s2++) == 0 && *s1++);
113 return ret;
114 }
115
116 int
117 stupid_strcmp (const char *s1, const char *s2)
118 {
119 size_t ns1 = strlen (s1) + 1;
120 size_t ns2 = strlen (s2) + 1;
121 size_t n = ns1 < ns2 ? ns1 : ns2;
122 int ret = 0;
123
124 while (n--)
125 if ((ret = *(unsigned char *) s1++ - *(unsigned char *) s2++) != 0)
126 break;
127 return ret;
128 }
129 #endif
130
131 typedef int (*proto_t) (const CHAR *, const CHAR *);
132
133 IMPL (STUPID_STRCMP, 1)
134 IMPL (SIMPLE_STRCMP, 1)
135 IMPL (STRCMP, 1)
136
137 static int
138 check_result (impl_t *impl,
139 const CHAR *s1, const CHAR *s2,
140 int exp_result)
141 {
142 int result = CALL (impl, s1, s2);
143 if ((exp_result == 0 && result != 0)
144 || (exp_result < 0 && result >= 0)
145 || (exp_result > 0 && result <= 0))
146 {
147 error (0, 0, "Wrong result in function %s %d %d", impl->name,
148 result, exp_result);
149 ret = 1;
150 return -1;
151 }
152
153 return 0;
154 }
155
156 static void
157 do_one_test (impl_t *impl,
158 const CHAR *s1, const CHAR *s2,
159 int exp_result)
160 {
161 if (check_result (impl, s1, s2, exp_result) < 0)
162 return;
163 }
164
165 static void
166 do_test (size_t align1, size_t align2, size_t len, int max_char,
167 int exp_result)
168 {
169 size_t i;
170
171 CHAR *s1, *s2;
172
173 if (len == 0)
174 return;
175
176 align1 &= 63;
177 if (align1 + (len + 1) * CHARBYTES >= page_size)
178 return;
179
180 align2 &= 63;
181 if (align2 + (len + 1) * CHARBYTES >= page_size)
182 return;
183
184 /* Put them close to the end of page. */
185 i = align1 + CHARBYTES * (len + 2);
186 s1 = (CHAR *) (buf1 + ((page_size - i) / 16 * 16) + align1);
187 i = align2 + CHARBYTES * (len + 2);
188 s2 = (CHAR *) (buf2 + ((page_size - i) / 16 * 16) + align2);
189
190 for (i = 0; i < len; i++)
191 s1[i] = s2[i] = 1 + (23 << ((CHARBYTES - 1) * 8)) * i % max_char;
192
193 s1[len] = s2[len] = 0;
194 s1[len + 1] = 23;
195 s2[len + 1] = 24 + exp_result;
196 s2[len - 1] -= exp_result;
197
198 FOR_EACH_IMPL (impl, 0)
199 do_one_test (impl, s1, s2, exp_result);
200 }
201
202 static void
203 do_random_tests (void)
204 {
205 UCHAR *p1 = (UCHAR *) (buf1 + page_size - 512 * CHARBYTES);
206 UCHAR *p2 = (UCHAR *) (buf2 + page_size - 512 * CHARBYTES);
207
208 for (size_t n = 0; n < ITERATIONS; n++)
209 {
210 /* for wcscmp case align1 and align2 mean here alignment
211 in wchar_t symbols, it equal 4*k alignment in bytes, we
212 don't check other alignments like for example
213 p1 = (wchar_t *)(buf1 + 1)
214 because it's wrong using of wchar_t type. */
215 size_t align1 = random () & 31;
216 size_t align2;
217 if (random () & 1)
218 align2 = random () & 31;
219 else
220 align2 = align1 + (random () & 24);
221 size_t pos = random () & 511;
222 size_t j = align1 > align2 ? align1 : align2;
223 if (pos + j >= 511)
224 pos = 510 - j - (random () & 7);
225 size_t len1 = random () & 511;
226 if (pos >= len1 && (random () & 1))
227 len1 = pos + (random () & 7);
228 if (len1 + j >= 512)
229 len1 = 511 - j - (random () & 7);
230 size_t len2;
231 if (pos >= len1)
232 len2 = len1;
233 else
234 len2 = len1 + (len1 != 511 - j ? random () % (511 - j - len1) : 0);
235 j = (pos > len2 ? pos : len2) + align1 + 64;
236 if (j > 512)
237 j = 512;
238 for (size_t i = 0; i < j; ++i)
239 {
240 p1[i] = random () & 255;
241 if (i < len1 + align1 && !p1[i])
242 {
243 p1[i] = random () & 255;
244 if (!p1[i])
245 p1[i] = 1 + (random () & 127);
246 }
247 }
248 for (size_t i = 0; i < j; ++i)
249 {
250 p2[i] = random () & 255;
251 if (i < len2 + align2 && !p2[i])
252 {
253 p2[i] = random () & 255;
254 if (!p2[i])
255 p2[i] = 1 + (random () & 127);
256 }
257 }
258
259 int result = 0;
260 MEMCPY (p2 + align2, p1 + align1, pos);
261 if (pos < len1)
262 {
263 if (p2[align2 + pos] == p1[align1 + pos])
264 {
265 p2[align2 + pos] = random () & 255;
266 if (p2[align2 + pos] == p1[align1 + pos])
267 p2[align2 + pos] = p1[align1 + pos] + 3 + (random () & 127);
268 }
269
270 if (p1[align1 + pos] < p2[align2 + pos])
271 result = -1;
272 else
273 result = 1;
274 }
275 p1[len1 + align1] = 0;
276 p2[len2 + align2] = 0;
277
278 FOR_EACH_IMPL (impl, 1)
279 {
280 int r = CALL (impl, (CHAR *) (p1 + align1), (CHAR *) (p2 + align2));
281 /* Test whether on 64-bit architectures where ABI requires
282 callee to promote has the promotion been done. */
283 asm ("" : "=g" (r) : "0" (r));
284 if ((r == 0 && result)
285 || (r < 0 && result >= 0)
286 || (r > 0 && result <= 0))
287 {
288 error (0, 0, "Iteration %zd - wrong result in function %s (align in bytes: %zd, align in bytes: %zd, len1: %zd, len2: %zd, pos: %zd) %d != %d, p1 %p p2 %p",
289 n, impl->name, (size_t) (p1 + align1) & 63, (size_t) (p1 + align2) & 63, len1, len2, pos, r, result, p1, p2);
290 ret = 1;
291 }
292 }
293 }
294 }
295
296 static void
297 check (void)
298 {
299 CHAR *s1 = (CHAR *) (buf1 + 0xb2c);
300 CHAR *s2 = (CHAR *) (buf1 + 0xfd8);
301
302 STRCPY(s1, L("abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrs"));
303 STRCPY(s2, L("abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijkLMNOPQRSTUV"));
304
305 /* Check correct working for negatives values */
306
307 s1[0] = 1;
308 s2[0] = 1;
309 s1[1] = 1;
310 s2[1] = 1;
311 s1[2] = -1;
312 s2[2] = 3;
313 s1[3] = 0;
314 s2[3] = -1;
315
316 /* Check possible overflow bug, actual more for wcscmp */
317
318 s1[7] = CHAR__MIN;
319 s2[7] = CHAR__MAX;
320
321 size_t l1 = STRLEN (s1);
322 size_t l2 = STRLEN (s2);
323
324 for (size_t i1 = 0; i1 < l1; i1++)
325 for (size_t i2 = 0; i2 < l2; i2++)
326 {
327 int exp_result = SIMPLE_STRCMP (s1 + i1, s2 + i2);
328 FOR_EACH_IMPL (impl, 0)
329 check_result (impl, s1 + i1, s2 + i2, exp_result);
330 }
331
332 /* Test cases where there are multiple zero bytes after the first. */
333
334 for (size_t i = 0; i < 16 + 1; i++)
335 {
336 s1[i] = 0x00;
337 s2[i] = 0x00;
338 }
339
340 for (size_t i = 0; i < 16; i++)
341 {
342 int exp_result;
343
344 for (int val = 0x01; val < 0x100; val++)
345 {
346 for (size_t j = 0; j < i; j++)
347 {
348 s1[j] = val;
349 s2[j] = val;
350 }
351
352 s2[i] = val;
353
354 exp_result = SIMPLE_STRCMP (s1, s2);
355 FOR_EACH_IMPL (impl, 0)
356 check_result (impl, s1, s2, exp_result);
357 }
358 }
359 }
360
361 static void
362 check2 (void)
363 {
364 /* To trigger bug 25933, we need a size that is equal to the vector
365 length times 4. In the case of AVX2 for Intel, we need 32 * 4. We
366 make this test generic and run it for all architectures as additional
367 boundary testing for such related algorithms. */
368 size_t size = 32 * 4;
369 CHAR *s1 = (CHAR *) (buf1 + (BUF1PAGES - 1) * page_size);
370 CHAR *s2 = (CHAR *) (buf2 + (BUF1PAGES - 1) * page_size);
371 int exp_result;
372
373 memset (s1, 'a', page_size);
374 memset (s2, 'a', page_size);
375 s1[(page_size / CHARBYTES) - 1] = (CHAR) 0;
376 s2[(page_size / CHARBYTES) - 1] = (CHAR) 0;
377
378 /* Iterate over a size that is just below where we expect the bug to
379 trigger up to the size we expect will trigger the bug e.g. [99-128].
380 Likewise iterate the start of two strings between 30 and 31 bytes
381 away from the boundary to simulate alignment changes. */
382 for (size_t s = 99; s <= size; s++)
383 for (size_t s1a = 30; s1a < 32; s1a++)
384 for (size_t s2a = 30; s2a < 32; s2a++)
385 {
386 CHAR *s1p = s1 + (page_size / CHARBYTES - s) - s1a;
387 CHAR *s2p = s2 + (page_size / CHARBYTES - s) - s2a;
388 exp_result = SIMPLE_STRCMP (s1p, s2p);
389 FOR_EACH_IMPL (impl, 0)
390 check_result (impl, s1p, s2p, exp_result);
391 }
392 }
393
394 static void
395 check3 (void)
396 {
397 size_t size = 0xd000 + 0x4000;
398 CHAR *s1, *s2;
399 CHAR *buffer1 = mmap (NULL, size, PROT_READ | PROT_WRITE,
400 MAP_PRIVATE | MAP_ANON, -1, 0);
401 CHAR *buffer2 = mmap (NULL, size, PROT_READ | PROT_WRITE,
402 MAP_PRIVATE | MAP_ANON, -1, 0);
403 if (buffer1 == MAP_FAILED || buffer1 == MAP_FAILED)
404 error (EXIT_UNSUPPORTED, errno, "mmap failed");
405
406 s1 = (CHAR *) (buffer1 + 0x8f8 / sizeof (CHAR));
407 s2 = (CHAR *) (buffer2 + 0xcff3 / sizeof (CHAR));
408
409 STRCPY(s1, L("/export/redhat/rpms/BUILD/java-1.8.0-openjdk-1.8.0.312.b07-2.fc35.x86_64/openjdk/langtools/src/share/classes/com/sun/tools/doclets/internal/toolkit/util/PathDocFileFactory.java"));
410 STRCPY(s2, L("/export/redhat/rpms/BUILD/java-1.8.0-openjdk-1.8.0.312.b07-2.fc35.x86_64/openjdk/langtools/src/share/classes/com/sun/tools/doclets/internal/toolkit/taglets/ThrowsTaglet.java"));
411
412 int exp_result = SIMPLE_STRCMP (s1, s2);
413 FOR_EACH_IMPL (impl, 0)
414 check_result (impl, s1, s2, exp_result);
415
416 munmap ((void *) buffer1, size);
417 munmap ((void *) buffer2, size);
418 }
419
420 int
421 test_main (void)
422 {
423 size_t i;
424
425 test_init ();
426 check();
427 check2 ();
428 check3 ();
429
430 printf ("%23s", "");
431 FOR_EACH_IMPL (impl, 0)
432 printf ("\t%s", impl->name);
433 putchar ('\n');
434
435 for (i = 1; i < 32; ++i)
436 {
437 do_test (CHARBYTES * i, CHARBYTES * i, i, MIDCHAR, 0);
438 do_test (CHARBYTES * i, CHARBYTES * i, i, MIDCHAR, 1);
439 do_test (CHARBYTES * i, CHARBYTES * i, i, MIDCHAR, -1);
440 }
441
442 for (i = 1; i < 10 + CHARBYTESLOG; ++i)
443 {
444 do_test (0, 0, 2 << i, MIDCHAR, 0);
445 do_test (0, 0, 2 << i, LARGECHAR, 0);
446 do_test (0, 0, 2 << i, MIDCHAR, 1);
447 do_test (0, 0, 2 << i, LARGECHAR, 1);
448 do_test (0, 0, 2 << i, MIDCHAR, -1);
449 do_test (0, 0, 2 << i, LARGECHAR, -1);
450 do_test (0, CHARBYTES * i, 2 << i, MIDCHAR, 1);
451 do_test (CHARBYTES * i, CHARBYTES * (i + 1), 2 << i, LARGECHAR, 1);
452 }
453
454 for (i = 1; i < 8; ++i)
455 {
456 do_test (CHARBYTES * i, 2 * CHARBYTES * i, 8 << i, MIDCHAR, 0);
457 do_test (2 * CHARBYTES * i, CHARBYTES * i, 8 << i, LARGECHAR, 0);
458 do_test (CHARBYTES * i, 2 * CHARBYTES * i, 8 << i, MIDCHAR, 1);
459 do_test (2 * CHARBYTES * i, CHARBYTES * i, 8 << i, LARGECHAR, 1);
460 do_test (CHARBYTES * i, 2 * CHARBYTES * i, 8 << i, MIDCHAR, -1);
461 do_test (2 * CHARBYTES * i, CHARBYTES * i, 8 << i, LARGECHAR, -1);
462 }
463
464 do_random_tests ();
465 return ret;
466 }
467
468 #include <support/test-driver.c>
sources.redhat.com git mirror of glibc CVS