1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stdint.h>
6 #include <stdio.h>
7
8 #include <limits>
9 #include <memory>
10 #include <sstream>
11 #include <string>
12
13 #include "base/memory/raw_ptr.h"
14 #include "base/run_loop.h"
15 #include "base/strings/utf_string_conversions.h"
16 #include "base/threading/platform_thread.h"
17 #include "build/build_config.h"
18 #include "ipc/ipc_test_base.h"
19 #include "testing/gtest/include/gtest/gtest.h"
20
21 // IPC messages for testing ----------------------------------------------------
22
23 #define IPC_MESSAGE_IMPL
24 #include "ipc/ipc_message_macros.h"
25 #include "ipc/ipc_message_start.h"
26
27 #define IPC_MESSAGE_START TestMsgStart
28
29 // Generic message class that is an int followed by a string16.
30 IPC_MESSAGE_CONTROL2(MsgClassIS, int, std::u16string)
31
32 // Generic message class that is a string16 followed by an int.
33 IPC_MESSAGE_CONTROL2(MsgClassSI, std::u16string, int)
34
35 // Message to create a mutex in the IPC server, using the received name.
36 IPC_MESSAGE_CONTROL2(MsgDoMutex, std::u16string, int)
37
38 // Used to generate an ID for a message that should not exist.
39 IPC_MESSAGE_CONTROL0(MsgUnhandled)
40
41 // -----------------------------------------------------------------------------
42
43 namespace {
44
TEST(IPCMessageIntegrity,ReadBeyondBufferStr)45 TEST(IPCMessageIntegrity, ReadBeyondBufferStr) {
46 // This was BUG 984408.
47 uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
48 int v2 = 666;
49 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
50 m.WriteInt(v1);
51 m.WriteInt(v2);
52
53 base::PickleIterator iter(m);
54 std::string vs;
55 EXPECT_FALSE(iter.ReadString(&vs));
56 }
57
TEST(IPCMessageIntegrity,ReadBeyondBufferStr16)58 TEST(IPCMessageIntegrity, ReadBeyondBufferStr16) {
59 // This was BUG 984408.
60 uint32_t v1 = std::numeric_limits<uint32_t>::max() - 1;
61 int v2 = 777;
62 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
63 m.WriteInt(v1);
64 m.WriteInt(v2);
65
66 base::PickleIterator iter(m);
67 std::u16string vs;
68 EXPECT_FALSE(iter.ReadString16(&vs));
69 }
70
TEST(IPCMessageIntegrity,ReadBytesBadIterator)71 TEST(IPCMessageIntegrity, ReadBytesBadIterator) {
72 // This was BUG 1035467.
73 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
74 m.WriteInt(1);
75 m.WriteInt(2);
76
77 base::PickleIterator iter(m);
78 const char* data = nullptr;
79 EXPECT_TRUE(iter.ReadBytes(&data, sizeof(int)));
80 }
81
TEST(IPCMessageIntegrity,ReadVectorNegativeSize)82 TEST(IPCMessageIntegrity, ReadVectorNegativeSize) {
83 // A slight variation of BUG 984408. Note that the pickling of vector<char>
84 // has a specialized template which is not vulnerable to this bug. So here
85 // try to hit the non-specialized case vector<P>.
86 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
87 m.WriteInt(-1); // This is the count of elements.
88 m.WriteInt(1);
89 m.WriteInt(2);
90 m.WriteInt(3);
91
92 std::vector<double> vec;
93 base::PickleIterator iter(m);
94 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
95 }
96
97 #if BUILDFLAG(IS_ANDROID)
98 #define MAYBE_ReadVectorTooLarge1 DISABLED_ReadVectorTooLarge1
99 #else
100 #define MAYBE_ReadVectorTooLarge1 ReadVectorTooLarge1
101 #endif
TEST(IPCMessageIntegrity,MAYBE_ReadVectorTooLarge1)102 TEST(IPCMessageIntegrity, MAYBE_ReadVectorTooLarge1) {
103 // This was BUG 1006367. This is the large but positive length case. Again
104 // we try to hit the non-specialized case vector<P>.
105 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
106 m.WriteInt(0x21000003); // This is the count of elements.
107 m.WriteInt64(1);
108 m.WriteInt64(2);
109
110 std::vector<int64_t> vec;
111 base::PickleIterator iter(m);
112 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
113 }
114
TEST(IPCMessageIntegrity,ReadVectorTooLarge2)115 TEST(IPCMessageIntegrity, ReadVectorTooLarge2) {
116 // This was BUG 1006367. This is the large but positive with an additional
117 // integer overflow when computing the actual byte size. Again we try to hit
118 // the non-specialized case vector<P>.
119 IPC::Message m(0, 1, IPC::Message::PRIORITY_NORMAL);
120 m.WriteInt(0x71000000); // This is the count of elements.
121 m.WriteInt64(1);
122 m.WriteInt64(2);
123
124 std::vector<int64_t> vec;
125 base::PickleIterator iter(m);
126 EXPECT_FALSE(ReadParam(&m, &iter, &vec));
127 }
128
129 // This test needs ~20 seconds in Debug mode, or ~4 seconds in Release mode.
130 // See http://crbug.com/741866 for details.
TEST(IPCMessageIntegrity,DISABLED_ReadVectorTooLarge3)131 TEST(IPCMessageIntegrity, DISABLED_ReadVectorTooLarge3) {
132 base::Pickle pickle;
133 IPC::WriteParam(&pickle, 256 * 1024 * 1024);
134 IPC::WriteParam(&pickle, 0);
135 IPC::WriteParam(&pickle, 1);
136 IPC::WriteParam(&pickle, 2);
137
138 base::PickleIterator iter(pickle);
139 std::vector<int> vec;
140 EXPECT_FALSE(IPC::ReadParam(&pickle, &iter, &vec));
141 }
142
143 class SimpleListener : public IPC::Listener {
144 public:
145 SimpleListener() = default;
Init(IPC::Sender * s)146 void Init(IPC::Sender* s) { other_ = s; }
set_run_loop(base::RunLoop * loop)147 void set_run_loop(base::RunLoop* loop) { loop_ = loop; }
Reset()148 void Reset() {
149 other_ = nullptr;
150 loop_ = nullptr;
151 }
152
153 protected:
154 raw_ptr<base::RunLoop> loop_ = nullptr;
155 raw_ptr<IPC::Sender> other_ = nullptr;
156 };
157
158 enum {
159 FUZZER_ROUTING_ID = 5
160 };
161
162 // The fuzzer server class. It runs in a child process and expects
163 // only two IPC calls; after that it exits the message loop which
164 // terminates the child process.
165 class FuzzerServerListener : public SimpleListener {
166 public:
FuzzerServerListener()167 FuzzerServerListener() : message_count_(2), pending_messages_(0) {
168 }
OnMessageReceived(const IPC::Message & msg)169 bool OnMessageReceived(const IPC::Message& msg) override {
170 if (msg.routing_id() == MSG_ROUTING_CONTROL) {
171 ++pending_messages_;
172 IPC_BEGIN_MESSAGE_MAP(FuzzerServerListener, msg)
173 IPC_MESSAGE_HANDLER(MsgClassIS, OnMsgClassISMessage)
174 IPC_MESSAGE_HANDLER(MsgClassSI, OnMsgClassSIMessage)
175 IPC_END_MESSAGE_MAP()
176 if (pending_messages_) {
177 // Probably a problem de-serializing the message.
178 ReplyMsgNotHandled(msg.type());
179 }
180 }
181 return true;
182 }
183
184 private:
OnMsgClassISMessage(int value,const std::u16string & text)185 void OnMsgClassISMessage(int value, const std::u16string& text) {
186 UseData(MsgClassIS::ID, value, text);
187 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassIS::ID, value);
188 Cleanup();
189 }
190
OnMsgClassSIMessage(const std::u16string & text,int value)191 void OnMsgClassSIMessage(const std::u16string& text, int value) {
192 UseData(MsgClassSI::ID, value, text);
193 RoundtripAckReply(FUZZER_ROUTING_ID, MsgClassSI::ID, value);
194 Cleanup();
195 }
196
RoundtripAckReply(int routing,uint32_t type_id,int reply)197 bool RoundtripAckReply(int routing, uint32_t type_id, int reply) {
198 IPC::Message* message = new IPC::Message(routing, type_id,
199 IPC::Message::PRIORITY_NORMAL);
200 message->WriteInt(reply + 1);
201 message->WriteInt(reply);
202 return other_->Send(message);
203 }
204
Cleanup()205 void Cleanup() {
206 --message_count_;
207 --pending_messages_;
208 if (0 == message_count_)
209 loop_->QuitWhenIdle();
210 }
211
ReplyMsgNotHandled(uint32_t type_id)212 void ReplyMsgNotHandled(uint32_t type_id) {
213 RoundtripAckReply(FUZZER_ROUTING_ID, MsgUnhandled::ID, type_id);
214 Cleanup();
215 }
216
UseData(int caller,int value,const std::u16string & text)217 void UseData(int caller, int value, const std::u16string& text) {
218 std::ostringstream os;
219 os << "IPC fuzzer:" << caller << " [" << value << " "
220 << base::UTF16ToUTF8(text) << "]\n";
221 std::string output = os.str();
222 LOG(WARNING) << output;
223 }
224
225 int message_count_;
226 int pending_messages_;
227 };
228
229 class FuzzerClientListener : public SimpleListener {
230 public:
231 FuzzerClientListener() = default;
232
OnMessageReceived(const IPC::Message & msg)233 bool OnMessageReceived(const IPC::Message& msg) override {
234 last_msg_ = std::make_unique<IPC::Message>(msg);
235 loop_->QuitWhenIdle();
236 return true;
237 }
238
ExpectMessage(int value,uint32_t type_id)239 bool ExpectMessage(int value, uint32_t type_id) {
240 if (!MsgHandlerInternal(type_id))
241 return false;
242 int msg_value1 = 0;
243 int msg_value2 = 0;
244 base::PickleIterator iter(*last_msg_);
245 if (!iter.ReadInt(&msg_value1))
246 return false;
247 if (!iter.ReadInt(&msg_value2))
248 return false;
249 if ((msg_value2 + 1) != msg_value1)
250 return false;
251 if (msg_value2 != value)
252 return false;
253 last_msg_.reset();
254 return true;
255 }
256
ExpectMsgNotHandled(uint32_t type_id)257 bool ExpectMsgNotHandled(uint32_t type_id) {
258 return ExpectMessage(type_id, MsgUnhandled::ID);
259 }
260
261 private:
MsgHandlerInternal(uint32_t type_id)262 bool MsgHandlerInternal(uint32_t type_id) {
263 loop_->Run();
264 if (!last_msg_)
265 return false;
266 if (FUZZER_ROUTING_ID != last_msg_->routing_id())
267 return false;
268 return (type_id == last_msg_->type());
269 }
270
271 std::unique_ptr<IPC::Message> last_msg_;
272 };
273
274 // Runs the fuzzing server child mode. Returns when the preset number of
275 // messages have been received.
DEFINE_IPC_CHANNEL_MOJO_TEST_CLIENT(FuzzServerClient)276 DEFINE_IPC_CHANNEL_MOJO_TEST_CLIENT(FuzzServerClient) {
277 FuzzerServerListener listener;
278 base::RunLoop loop;
279 Connect(&listener);
280 listener.Init(channel());
281 listener.set_run_loop(&loop);
282 loop.Run();
283 Close();
284 }
285
286 using IPCFuzzingTest = IPCChannelMojoTestBase;
287
288 // This test makes sure that the FuzzerClientListener and FuzzerServerListener
289 // are working properly by generating two well formed IPC calls.
TEST_F(IPCFuzzingTest,SanityTest)290 TEST_F(IPCFuzzingTest, SanityTest) {
291 Init("FuzzServerClient");
292 base::RunLoop loop1;
293 base::RunLoop loop2;
294 FuzzerClientListener listener;
295 CreateChannel(&listener);
296 listener.Init(channel());
297 listener.set_run_loop(&loop1);
298 ASSERT_TRUE(ConnectChannel());
299
300 IPC::Message* msg = nullptr;
301 int value = 43;
302 msg = new MsgClassIS(value, u"expect 43");
303 sender()->Send(msg);
304 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassIS::ID));
305
306 listener.set_run_loop(&loop2);
307 msg = new MsgClassSI(u"expect 44", ++value);
308 sender()->Send(msg);
309 EXPECT_TRUE(listener.ExpectMessage(value, MsgClassSI::ID));
310
311 listener.Reset();
312 EXPECT_TRUE(WaitForClientShutdown());
313 DestroyChannel();
314 }
315
316 // This test uses a payload that is smaller than expected. This generates an
317 // error while unpacking the IPC buffer. Right after we generate another valid
318 // IPC to make sure framing is working properly.
TEST_F(IPCFuzzingTest,MsgBadPayloadShort)319 TEST_F(IPCFuzzingTest, MsgBadPayloadShort) {
320 Init("FuzzServerClient");
321 base::RunLoop loop1;
322 base::RunLoop loop2;
323 FuzzerClientListener listener;
324 CreateChannel(&listener);
325 listener.Init(channel());
326 listener.set_run_loop(&loop1);
327 ASSERT_TRUE(ConnectChannel());
328
329 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassIS::ID,
330 IPC::Message::PRIORITY_NORMAL);
331 msg->WriteInt(666);
332 sender()->Send(msg);
333 EXPECT_TRUE(listener.ExpectMsgNotHandled(MsgClassIS::ID));
334
335 listener.set_run_loop(&loop2);
336 msg = new MsgClassSI(u"expect one", 1);
337 sender()->Send(msg);
338 EXPECT_TRUE(listener.ExpectMessage(1, MsgClassSI::ID));
339
340 listener.Reset();
341 EXPECT_TRUE(WaitForClientShutdown());
342 DestroyChannel();
343 }
344
345 // This test uses a payload that has too many arguments, but so the payload size
346 // is big enough so the unpacking routine does not generate an error as in the
347 // case of MsgBadPayloadShort test. This test does not pinpoint a flaw (per se)
348 // as by design we don't carry type information on the IPC message.
TEST_F(IPCFuzzingTest,MsgBadPayloadArgs)349 TEST_F(IPCFuzzingTest, MsgBadPayloadArgs) {
350 Init("FuzzServerClient");
351 base::RunLoop loop1;
352 base::RunLoop loop2;
353 FuzzerClientListener listener;
354 CreateChannel(&listener);
355 listener.Init(channel());
356 listener.set_run_loop(&loop1);
357 ASSERT_TRUE(ConnectChannel());
358
359 IPC::Message* msg = new IPC::Message(MSG_ROUTING_CONTROL, MsgClassSI::ID,
360 IPC::Message::PRIORITY_NORMAL);
361 msg->WriteString16(u"d");
362 msg->WriteInt(0);
363 msg->WriteInt(0x65); // Extra argument.
364
365 sender()->Send(msg);
366 EXPECT_TRUE(listener.ExpectMessage(0, MsgClassSI::ID));
367
368 listener.set_run_loop(&loop2);
369 // Now send a well formed message to make sure the receiver wasn't
370 // thrown out of sync by the extra argument.
371 msg = new MsgClassIS(3, u"expect three");
372 sender()->Send(msg);
373 EXPECT_TRUE(listener.ExpectMessage(3, MsgClassIS::ID));
374
375 listener.Reset();
376 EXPECT_TRUE(WaitForClientShutdown());
377 DestroyChannel();
378 }
379
380 } // namespace
381