Update V8 to version 4.7.57.
[chromium-blink-merge.git] / ipc / ipc_fuzzing_tests.cc
blob9cc92c4582d2bb7d11c23c079d82d1662262f777
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include <stdint.h>
6 #include <stdio.h>
8 #include <limits>
9 #include <sstream>
10 #include <string>
12 #include "base/message_loop/message_loop.h"
13 #include "base/strings/string16.h"
14 #include "base/strings/utf_string_conversions.h"
15 #include "base/threading/platform_thread.h"
16 #include "ipc/ipc_test_base.h"
17 #include "testing/gtest/include/gtest/gtest.h"
19 // IPC messages for testing ----------------------------------------------------
21 #define IPC_MESSAGE_IMPL
22 #include "ipc/ipc_message_macros.h"
24 #define IPC_MESSAGE_START TestMsgStart
26 // Generic message class that is an int followed by a string16.
27 IPC_MESSAGE_CONTROL2(MsgClassIS, int, base::string16)
29 // Generic message class that is a string16 followed by an int.
30 IPC_MESSAGE_CONTROL2(MsgClassSI, base::string16, int)
32 // Message to create a mutex in the IPC server, using the received name.
33 IPC_MESSAGE_CONTROL2(MsgDoMutex, base::string16, int)
35 // Used to generate an ID for a message that should not exist.
36 IPC_MESSAGE_CONTROL0(MsgUnhandled)
38 // -----------------------------------------------------------------------------
40 namespace {
42 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
43 // This was BUG 984408.
44 uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
45 int v2 = 666;
46 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
47 EXPECT_TRUE(m.WriteInt(v1));
48 EXPECT_TRUE(m.WriteInt(v2));
50 base::PickleIterator iter(m);
51 std::string vs;
52 EXPECT_FALSE(iter.ReadString(&vs));
55 TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
56 // This was BUG 984408.
57 uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
58 int v2 = 777;
59 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
60 EXPECT_TRUE(m.WriteInt(v1));
61 EXPECT_TRUE(m.WriteInt(v2));
63 base::PickleIterator iter(m);
64 base::string16 vs;
65 EXPECT_FALSE(iter.ReadString16(&vs));
68 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
69 // This was BUG 1035467.
70 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
71 EXPECT_TRUE(m.WriteInt(1));
72 EXPECT_TRUE(m.WriteInt(2));
74 base::PickleIterator iter(m);
75 const char* data = NULL;
76 EXPECT_TRUE(iter.ReadBytes(&data, sizeof(int)));
79 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
80 // A slight variation of BUG 984408. Note that the pickling of vector<char>
81 // has a specialized template which is not vulnerable to this bug. So here
82 // try to hit the non-specialized case vector<P>.
83 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
84 EXPECT_TRUE(m.WriteInt(-1)); // This is the count of elements.
85 EXPECT_TRUE(m.WriteInt(1));
86 EXPECT_TRUE(m.WriteInt(2));
87 EXPECT_TRUE(m.WriteInt(3));
89 std::vector<double> vec;
90 base::PickleIterator iter(m);
91 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
94 #if defined(OS_ANDROID)
95 #define MAYBE_ReadVectorTooLarge1 DISABLED_ReadVectorTooLarge1
96 #else
97 #define MAYBE_ReadVectorTooLarge1 ReadVectorTooLarge1
98 #endif
99 TEST(IPCMessageIntegrity, MAYBE_ReadVectorTooLarge1) {
100 // This was BUG 1006367. This is the large but positive length case. Again
101 // we try to hit the non-specialized case vector<P>.
102 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
103 EXPECT_TRUE(m.WriteInt(0x21000003)); // This is the count of elements.
104 EXPECT_TRUE(m.WriteInt64(1));
105 EXPECT_TRUE(m.WriteInt64(2));
107 std::vector<int64_t> vec;
108 base::PickleIterator iter(m);
109 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
112 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
113 // This was BUG 1006367. This is the large but positive with an additional
114 // integer overflow when computing the actual byte size. Again we try to hit
115 // the non-specialized case vector<P>.
116 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
117 EXPECT_TRUE(m.WriteInt(0x71000000)); // This is the count of elements.
118 EXPECT_TRUE(m.WriteInt64(1));
119 EXPECT_TRUE(m.WriteInt64(2));
121 std::vector<int64_t> vec;
122 base::PickleIterator iter(m);
123 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
126 class SimpleListener : public IPC::Listener {
127 public:
128 SimpleListener() : other_(NULL) {
130 void Init(IPC::Sender* s) {
131 other_ = s;
133 protected:
134 IPC::Sender* other_;
137 enum {
138 FUZZER_ROUTING_ID = 5
141 // The fuzzer server class. It runs in a child process and expects
142 // only two IPC calls; after that it exits the message loop which
143 // terminates the child process.
144 class FuzzerServerListener : public SimpleListener {
145 public:
146 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
148 bool OnMessageReceived(const IPC::Message& msg) override {
149 if (msg.routing_id() == MSG_ROUTING_CONTROL) {
150 ++pending_messages_;
151 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
152 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
153 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
154 IPC_END_MESSAGE_MAP()
155 if (pending_messages_) {
156 // Probably a problem de-serializing the message.
157 ReplyMsgNotHandled(msg.type());
160 return true;
163 private:
164 void OnMsgClassISMessage(int value, const base::string16& text) {
165 UseData(MsgClassIS::ID, value, text);
166 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
167 Cleanup();
170 void OnMsgClassSIMessage(const base::string16& text, int value) {
171 UseData(MsgClassSI::ID, value, text);
172 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
173 Cleanup();
176 bool RoundtripAckReply(int routing, uint32_t type_id, int reply) {
177 IPC::Message* message = new IPC::Message(routing, type_id,
178 IPC::Message::PRIORITY_NORMAL);
179 message->WriteInt(reply + 1);
180 message->WriteInt(reply);
181 return other_->Send(message);
184 void Cleanup() {
185 --message_count_;
186 --pending_messages_;
187 if (0 == message_count_)
188 base::MessageLoop::current()->Quit();
191 void ReplyMsgNotHandled(uint32_t type_id) {
192 RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
193 Cleanup();
196 void UseData(int caller, int value, const base::string16& text) {
197 std::ostringstream os;
198 os << "IPC fuzzer:" << caller << " [" << value << " "
199 << base::UTF16ToUTF8(text) << "]\n";
200 std::string output = os.str();
201 LOG(WARNING) << output;
204 int message_count_;
205 int pending_messages_;
208 class FuzzerClientListener : public SimpleListener {
209 public:
210 FuzzerClientListener() : last_msg_(NULL) {
213 bool OnMessageReceived(const IPC::Message& msg) override {
214 last_msg_ = new IPC::Message(msg);
215 base::MessageLoop::current()->Quit();
216 return true;
219 bool ExpectMessage(int value, uint32_t type_id) {
220 if (!MsgHandlerInternal(type_id))
221 return false;
222 int msg_value1 = 0;
223 int msg_value2 = 0;
224 base::PickleIterator iter(*last_msg_);
225 if (!iter.ReadInt(&msg_value1))
226 return false;
227 if (!iter.ReadInt(&msg_value2))
228 return false;
229 if ((msg_value2 + 1) != msg_value1)
230 return false;
231 if (msg_value2 != value)
232 return false;
234 delete last_msg_;
235 last_msg_ = NULL;
236 return true;
239 bool ExpectMsgNotHandled(uint32_t type_id) {
240 return ExpectMessage(type_id, MsgUnhandled::ID);
243 private:
244 bool MsgHandlerInternal(uint32_t type_id) {
245 base::MessageLoop::current()->Run();
246 if (NULL == last_msg_)
247 return false;
248 if (FUZZER_ROUTING_ID != last_msg_->routing_id())
249 return false;
250 return (type_id == last_msg_->type());
253 IPC::Message* last_msg_;
256 // Runs the fuzzing server child mode. Returns when the preset number of
257 // messages have been received.
258 MULTIPROCESS_IPC_TEST_CLIENT_MAIN(FuzzServerClient) {
259 base::MessageLoopForIO main_message_loop;
260 FuzzerServerListener listener;
261 scoped_ptr<IPC::Channel> channel(IPC::Channel::CreateClient(
262 IPCTestBase::GetChannelName("FuzzServerClient"), &listener, nullptr));
263 CHECK(channel->Connect());
264 listener.Init(channel.get());
265 base::MessageLoop::current()->Run();
266 return 0;
269 class IPCFuzzingTest : public IPCTestBase {
272 #if defined(OS_ANDROID)
273 #define MAYBE_SanityTest DISABLED_SanityTest
274 #else
275 #define MAYBE_SanityTest SanityTest
276 #endif
277 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
278 // are working properly by generating two well formed IPC calls.
279 TEST_F(IPCFuzzingTest, MAYBE_SanityTest) {
280 Init("FuzzServerClient");
282 FuzzerClientListener listener;
283 CreateChannel(&listener);
284 listener.Init(channel());
285 ASSERT_TRUE(ConnectChannel());
286 ASSERT_TRUE(StartClient());
288 IPC::Message* msg = NULL;
289 int value = 43;
290 msg = new MsgClassIS(value, base::ASCIIToUTF16("expect 43"));
291 sender()->Send(msg);
292 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));
294 msg = new MsgClassSI(base::ASCIIToUTF16("expect 44"), ++value);
295 sender()->Send(msg);
296 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
298 EXPECT_TRUE(WaitForClientShutdown());
299 DestroyChannel();
302 #if defined(OS_ANDROID)
303 #define MAYBE_MsgBadPayloadShort DISABLED_MsgBadPayloadShort
304 #else
305 #define MAYBE_MsgBadPayloadShort MsgBadPayloadShort
306 #endif
307 // This test uses a payload that is smaller than expected. This generates an
308 // error while unpacking the IPC buffer which in debug trigger an assertion and
309 // in release is ignored (!). Right after we generate another valid IPC to make
310 // sure framing is working properly.
311 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
312 TEST_F(IPCFuzzingTest, MAYBE_MsgBadPayloadShort) {
313 Init("FuzzServerClient");
315 FuzzerClientListener listener;
316 CreateChannel(&listener);
317 listener.Init(channel());
318 ASSERT_TRUE(ConnectChannel());
319 ASSERT_TRUE(StartClient());
321 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
322 IPC::Message::PRIORITY_NORMAL);
323 msg->WriteInt(666);
324 sender()->Send(msg);
325 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
327 msg = new MsgClassSI(base::ASCIIToUTF16("expect one"), 1);
328 sender()->Send(msg);
329 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
331 EXPECT_TRUE(WaitForClientShutdown());
332 DestroyChannel();
334 #endif
336 #if defined(OS_ANDROID)
337 #define MAYBE_MsgBadPayloadArgs DISABLED_MsgBadPayloadArgs
338 #else
339 #define MAYBE_MsgBadPayloadArgs MsgBadPayloadArgs
340 #endif
341 // This test uses a payload that has too many arguments, but so the payload size
342 // is big enough so the unpacking routine does not generate an error as in the
343 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
344 // as by design we don't carry type information on the IPC message.
345 TEST_F(IPCFuzzingTest, MAYBE_MsgBadPayloadArgs) {
346 Init("FuzzServerClient");
348 FuzzerClientListener listener;
349 CreateChannel(&listener);
350 listener.Init(channel());
351 ASSERT_TRUE(ConnectChannel());
352 ASSERT_TRUE(StartClient());
354 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
355 IPC::Message::PRIORITY_NORMAL);
356 msg->WriteString16(base::ASCIIToUTF16("d"));
357 msg->WriteInt(0);
358 msg->WriteInt(0x65); // Extra argument.
360 sender()->Send(msg);
361 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
363 // Now send a well formed message to make sure the receiver wasn't
364 // thrown out of sync by the extra argument.
365 msg = new MsgClassIS(3, base::ASCIIToUTF16("expect three"));
366 sender()->Send(msg);
367 EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
369 EXPECT_TRUE(WaitForClientShutdown());
370 DestroyChannel();
373 } // namespace