Update V8 to version 4.6.61.
[chromium-blink-merge.git] / ipc / ipc_fuzzing_tests.cc
blob5dfddbac2be3d335dc205e474c82105dc235d08c
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include <stdio.h>
6 #include <string>
7 #include <sstream>
9 #include "base/message_loop/message_loop.h"
10 #include "base/strings/string16.h"
11 #include "base/strings/utf_string_conversions.h"
12 #include "base/threading/platform_thread.h"
13 #include "ipc/ipc_test_base.h"
14 #include "testing/gtest/include/gtest/gtest.h"
16 // IPC messages for testing ----------------------------------------------------
18 #define IPC_MESSAGE_IMPL
19 #include "ipc/ipc_message_macros.h"
21 #define IPC_MESSAGE_START TestMsgStart
23 // Generic message class that is an int followed by a string16.
24 IPC_MESSAGE_CONTROL2(MsgClassIS, int, base::string16)
26 // Generic message class that is a string16 followed by an int.
27 IPC_MESSAGE_CONTROL2(MsgClassSI, base::string16, int)
29 // Message to create a mutex in the IPC server, using the received name.
30 IPC_MESSAGE_CONTROL2(MsgDoMutex, base::string16, int)
32 // Used to generate an ID for a message that should not exist.
33 IPC_MESSAGE_CONTROL0(MsgUnhandled)
35 // -----------------------------------------------------------------------------
37 namespace {
39 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
40 // This was BUG 984408.
41 uint32 v1 = kuint32max - 1;
42 int v2 = 666;
43 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
44 EXPECT_TRUE(m.WriteInt(v1));
45 EXPECT_TRUE(m.WriteInt(v2));
47 base::PickleIterator iter(m);
48 std::string vs;
49 EXPECT_FALSE(iter.ReadString(&vs));
52 TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
53 // This was BUG 984408.
54 uint32 v1 = kuint32max - 1;
55 int v2 = 777;
56 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
57 EXPECT_TRUE(m.WriteInt(v1));
58 EXPECT_TRUE(m.WriteInt(v2));
60 base::PickleIterator iter(m);
61 base::string16 vs;
62 EXPECT_FALSE(iter.ReadString16(&vs));
65 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
66 // This was BUG 1035467.
67 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
68 EXPECT_TRUE(m.WriteInt(1));
69 EXPECT_TRUE(m.WriteInt(2));
71 base::PickleIterator iter(m);
72 const char* data = NULL;
73 EXPECT_TRUE(iter.ReadBytes(&data, sizeof(int)));
76 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
77 // A slight variation of BUG 984408. Note that the pickling of vector<char>
78 // has a specialized template which is not vulnerable to this bug. So here
79 // try to hit the non-specialized case vector<P>.
80 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
81 EXPECT_TRUE(m.WriteInt(-1)); // This is the count of elements.
82 EXPECT_TRUE(m.WriteInt(1));
83 EXPECT_TRUE(m.WriteInt(2));
84 EXPECT_TRUE(m.WriteInt(3));
86 std::vector<double> vec;
87 base::PickleIterator iter(m);
88 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
91 #if defined(OS_ANDROID)
92 #define MAYBE_ReadVectorTooLarge1 DISABLED_ReadVectorTooLarge1
93 #else
94 #define MAYBE_ReadVectorTooLarge1 ReadVectorTooLarge1
95 #endif
96 TEST(IPCMessageIntegrity, MAYBE_ReadVectorTooLarge1) {
97 // This was BUG 1006367. This is the large but positive length case. Again
98 // we try to hit the non-specialized case vector<P>.
99 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
100 EXPECT_TRUE(m.WriteInt(0x21000003)); // This is the count of elements.
101 EXPECT_TRUE(m.WriteInt64(1));
102 EXPECT_TRUE(m.WriteInt64(2));
104 std::vector<int64> vec;
105 base::PickleIterator iter(m);
106 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
109 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
110 // This was BUG 1006367. This is the large but positive with an additional
111 // integer overflow when computing the actual byte size. Again we try to hit
112 // the non-specialized case vector<P>.
113 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
114 EXPECT_TRUE(m.WriteInt(0x71000000)); // This is the count of elements.
115 EXPECT_TRUE(m.WriteInt64(1));
116 EXPECT_TRUE(m.WriteInt64(2));
118 std::vector<int64> vec;
119 base::PickleIterator iter(m);
120 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
123 class SimpleListener : public IPC::Listener {
124 public:
125 SimpleListener() : other_(NULL) {
127 void Init(IPC::Sender* s) {
128 other_ = s;
130 protected:
131 IPC::Sender* other_;
134 enum {
135 FUZZER_ROUTING_ID = 5
138 // The fuzzer server class. It runs in a child process and expects
139 // only two IPC calls; after that it exits the message loop which
140 // terminates the child process.
141 class FuzzerServerListener : public SimpleListener {
142 public:
143 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
145 bool OnMessageReceived(const IPC::Message& msg) override {
146 if (msg.routing_id() == MSG_ROUTING_CONTROL) {
147 ++pending_messages_;
148 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
149 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
150 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
151 IPC_END_MESSAGE_MAP()
152 if (pending_messages_) {
153 // Probably a problem de-serializing the message.
154 ReplyMsgNotHandled(msg.type());
157 return true;
160 private:
161 void OnMsgClassISMessage(int value, const base::string16& text) {
162 UseData(MsgClassIS::ID, value, text);
163 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
164 Cleanup();
167 void OnMsgClassSIMessage(const base::string16& text, int value) {
168 UseData(MsgClassSI::ID, value, text);
169 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
170 Cleanup();
173 bool RoundtripAckReply(int routing, uint32 type_id, int reply) {
174 IPC::Message* message = new IPC::Message(routing, type_id,
175 IPC::Message::PRIORITY_NORMAL);
176 message->WriteInt(reply + 1);
177 message->WriteInt(reply);
178 return other_->Send(message);
181 void Cleanup() {
182 --message_count_;
183 --pending_messages_;
184 if (0 == message_count_)
185 base::MessageLoop::current()->Quit();
188 void ReplyMsgNotHandled(uint32 type_id) {
189 RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
190 Cleanup();
193 void UseData(int caller, int value, const base::string16& text) {
194 std::ostringstream os;
195 os << "IPC fuzzer:" << caller << " [" << value << " "
196 << base::UTF16ToUTF8(text) << "]\n";
197 std::string output = os.str();
198 LOG(WARNING) << output;
201 int message_count_;
202 int pending_messages_;
205 class FuzzerClientListener : public SimpleListener {
206 public:
207 FuzzerClientListener() : last_msg_(NULL) {
210 bool OnMessageReceived(const IPC::Message& msg) override {
211 last_msg_ = new IPC::Message(msg);
212 base::MessageLoop::current()->Quit();
213 return true;
216 bool ExpectMessage(int value, uint32 type_id) {
217 if (!MsgHandlerInternal(type_id))
218 return false;
219 int msg_value1 = 0;
220 int msg_value2 = 0;
221 base::PickleIterator iter(*last_msg_);
222 if (!iter.ReadInt(&msg_value1))
223 return false;
224 if (!iter.ReadInt(&msg_value2))
225 return false;
226 if ((msg_value2 + 1) != msg_value1)
227 return false;
228 if (msg_value2 != value)
229 return false;
231 delete last_msg_;
232 last_msg_ = NULL;
233 return true;
236 bool ExpectMsgNotHandled(uint32 type_id) {
237 return ExpectMessage(type_id, MsgUnhandled::ID);
240 private:
241 bool MsgHandlerInternal(uint32 type_id) {
242 base::MessageLoop::current()->Run();
243 if (NULL == last_msg_)
244 return false;
245 if (FUZZER_ROUTING_ID != last_msg_->routing_id())
246 return false;
247 return (type_id == last_msg_->type());
250 IPC::Message* last_msg_;
253 // Runs the fuzzing server child mode. Returns when the preset number of
254 // messages have been received.
255 MULTIPROCESS_IPC_TEST_CLIENT_MAIN(FuzzServerClient) {
256 base::MessageLoopForIO main_message_loop;
257 FuzzerServerListener listener;
258 scoped_ptr<IPC::Channel> channel(IPC::Channel::CreateClient(
259 IPCTestBase::GetChannelName("FuzzServerClient"), &listener, nullptr));
260 CHECK(channel->Connect());
261 listener.Init(channel.get());
262 base::MessageLoop::current()->Run();
263 return 0;
266 class IPCFuzzingTest : public IPCTestBase {
269 #if defined(OS_ANDROID)
270 #define MAYBE_SanityTest DISABLED_SanityTest
271 #else
272 #define MAYBE_SanityTest SanityTest
273 #endif
274 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
275 // are working properly by generating two well formed IPC calls.
276 TEST_F(IPCFuzzingTest, MAYBE_SanityTest) {
277 Init("FuzzServerClient");
279 FuzzerClientListener listener;
280 CreateChannel(&listener);
281 listener.Init(channel());
282 ASSERT_TRUE(ConnectChannel());
283 ASSERT_TRUE(StartClient());
285 IPC::Message* msg = NULL;
286 int value = 43;
287 msg = new MsgClassIS(value, base::ASCIIToUTF16("expect 43"));
288 sender()->Send(msg);
289 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));
291 msg = new MsgClassSI(base::ASCIIToUTF16("expect 44"), ++value);
292 sender()->Send(msg);
293 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
295 EXPECT_TRUE(WaitForClientShutdown());
296 DestroyChannel();
299 #if defined(OS_ANDROID)
300 #define MAYBE_MsgBadPayloadShort DISABLED_MsgBadPayloadShort
301 #else
302 #define MAYBE_MsgBadPayloadShort MsgBadPayloadShort
303 #endif
304 // This test uses a payload that is smaller than expected. This generates an
305 // error while unpacking the IPC buffer which in debug trigger an assertion and
306 // in release is ignored (!). Right after we generate another valid IPC to make
307 // sure framing is working properly.
308 #if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
309 TEST_F(IPCFuzzingTest, MAYBE_MsgBadPayloadShort) {
310 Init("FuzzServerClient");
312 FuzzerClientListener listener;
313 CreateChannel(&listener);
314 listener.Init(channel());
315 ASSERT_TRUE(ConnectChannel());
316 ASSERT_TRUE(StartClient());
318 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
319 IPC::Message::PRIORITY_NORMAL);
320 msg->WriteInt(666);
321 sender()->Send(msg);
322 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
324 msg = new MsgClassSI(base::ASCIIToUTF16("expect one"), 1);
325 sender()->Send(msg);
326 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
328 EXPECT_TRUE(WaitForClientShutdown());
329 DestroyChannel();
331 #endif
333 #if defined(OS_ANDROID)
334 #define MAYBE_MsgBadPayloadArgs DISABLED_MsgBadPayloadArgs
335 #else
336 #define MAYBE_MsgBadPayloadArgs MsgBadPayloadArgs
337 #endif
338 // This test uses a payload that has too many arguments, but so the payload size
339 // is big enough so the unpacking routine does not generate an error as in the
340 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
341 // as by design we don't carry type information on the IPC message.
342 TEST_F(IPCFuzzingTest, MAYBE_MsgBadPayloadArgs) {
343 Init("FuzzServerClient");
345 FuzzerClientListener listener;
346 CreateChannel(&listener);
347 listener.Init(channel());
348 ASSERT_TRUE(ConnectChannel());
349 ASSERT_TRUE(StartClient());
351 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
352 IPC::Message::PRIORITY_NORMAL);
353 msg->WriteString16(base::ASCIIToUTF16("d"));
354 msg->WriteInt(0);
355 msg->WriteInt(0x65); // Extra argument.
357 sender()->Send(msg);
358 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
360 // Now send a well formed message to make sure the receiver wasn't
361 // thrown out of sync by the extra argument.
362 msg = new MsgClassIS(3, base::ASCIIToUTF16("expect three"));
363 sender()->Send(msg);
364 EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
366 EXPECT_TRUE(WaitForClientShutdown());
367 DestroyChannel();
370 } // namespace