From patchwork Wed Jan 14 18:31:08 2015
X-Patchwork-Submitter: Mahesh J Salgaonkar
X-Patchwork-Id: 429059
From: Mahesh J Salgaonkar
To: Stewart Smith, skiboot list, Benjamin Herrenschmidt
Cc: Vaidyanathan Srinivasan
Date: Thu, 15 Jan 2015 00:01:08 +0530
Message-ID: <20150114183044.30998.83312.stgit@mars>
Subject: [Skiboot] [PATCH v2 1/2] opal: Add unit test for buffer overrun in prlog/printf
List-Id: Mailing list for skiboot development

From: Mahesh Salgaonkar

Add unit test for buffer overrun in prlog/printf.

Signed-off-by: Mahesh Salgaonkar
Acked-by: Ananth N Mavinakayanahalli
--- core/test/Makefile.check | 1 core/test/run-console-log-buf-overrun.c | 113 +++++++++++++++++++++++++++++++ 2 files changed, 114 insertions(+) create mode 100644 core/test/run-console-log-buf-overrun.c diff --git a/core/test/Makefile.check b/core/test/Makefile.check index 03a6a8d..457b61c 100644 --- a/core/test/Makefile.check 
+++ b/core/test/Makefile.check @@ -2,6 +2,7 @@ CORE_TEST := core/test/run-device core/test/run-mem_region core/test/run-malloc core/test/run-malloc-speed core/test/run-mem_region_init core/test/run-mem_region_release_unused core/test/run-mem_region_release_unused_noalloc core/test/run-trace core/test/run-msg core/test/run-pel core/test/run-pool core/test/run-timer CORE_TEST_NOSTUB := core/test/run-console-log +CORE_TEST_NOSTUB += core/test/run-console-log-buf-overrun LCOV_EXCLUDE += $(CORE_TEST:%=%.c) core/test/stubs.c LCOV_EXCLUDE += $(CORE_TEST_NOSTUB:%=%.c) /usr/include/* diff --git a/core/test/run-console-log-buf-overrun.c b/core/test/run-console-log-buf-overrun.c new file mode 100644 index 0000000..eda99e2 --- /dev/null +++ b/core/test/run-console-log-buf-overrun.c 
@@ -0,0 +1,113 @@ +/* Copyright 2014-2015 IBM Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include +#include + +#define __TEST__ + +#define CHECK_BUF_ASSERT(buf, str) \ + assert(memcmp(buf, str, strlen(str)) == 0) + +#define CHECK_ASSERT(str) \ + CHECK_BUF_ASSERT(console_buffer, str) + +int huge_tb; + +static inline unsigned long mftb(void) +{ + /* + * return huge value for TB that overrun tmp[16] buffer defined + * in print_itoa(). + */ + if (huge_tb) + return 1223372515963611388; + else + return 42; +} + +#include "../console-log.c" +#include "../../libc/stdio/snprintf.c" +#include "../../libc/stdio/vsnprintf.c" + +char console_buffer[4096]; +struct debug_descriptor debug_descriptor; + +bool flushed_to_drivers; + +ssize_t console_write(bool flush_to_drivers, const void *buf, size_t count) +{ + flushed_to_drivers = flush_to_drivers; + memcpy(console_buffer, buf, count); + return count; +} + +int main(void) +{ + unsigned long value = 0xffffffffffffffff; + char *ptr = console_buffer; + + debug_descriptor.console_log_levels = 0x75; + + /* Test for huge TB value. 
*/ + huge_tb = 1; + + prlog(PR_EMERG, "Hello World"); + CHECK_ASSERT("[1223372515963611388,0] Hello World"); + + memset(console_buffer, 0, sizeof(console_buffer)); + + /* Test for normal TB with huge unsigned long value */ + huge_tb = 0; + + prlog(PR_EMERG, "Hello World %lu", value); + CHECK_ASSERT("[42,0] Hello World 18446744073709551615"); + + printf("Hello World %lu", value); + CHECK_ASSERT("[42,5] Hello World 18446744073709551615"); + + /* + * Test string of size > 320 + * + * core/console-log.c:vprlog() uses buffer[320] to print message + * Try printing more than 320 bytes to test stack corruption. + * You would see Segmentation fault on stack corruption. + */ + prlog(PR_EMERG, "%330s", "Hello World"); + + memset(console_buffer, 0, sizeof(console_buffer)); + + /* + * Test boundary condition. + * + * Print string of exact size 320. We should see string truncated + * with console_buffer[319] == '\0'. + */ + memset(console_buffer, 0, sizeof(console_buffer)); + + prlog(PR_EMERG, "%313s", "Hello World"); + assert(console_buffer[319] == 0); + + /* compare truncated string */ + ptr += 320 - strlen("Hello World"); + CHECK_BUF_ASSERT(ptr, "Hello Worl"); + + return 0; +}
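Review bot: in main() of run-console-log-buf-overrun.c, the `prlog(PR_EMERG, "%330s", "Hello World");` call is followed by no assertion, so the over-320-byte case only fails if the overrun happens to crash the process, and a small overrun of vprlog()'s buffer[320] is not guaranteed to do that. Consider having the console_write() stub record `count` and asserting after this call that it stays below 320 and that `console_buffer[319] == 0`, as the boundary case that follows already does. The 313 in the `"%313s"` boundary test also depends on the "[42,0] " prefix being 7 characters long; a short comment stating that would explain the magic number, and one of the two back-to-back `memset(console_buffer, 0, sizeof(console_buffer));` calls before it can be dropped.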