opal: Add unit test for buffer overrun in prlog/printf

Add unit test for buffer overrun in prlog/printf.

Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Acked-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
[stewart@linux.vnet.ibm.com: rebased to stable branch]
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>

3 files changed, 127 insertions, 2 deletions

diff --git a/core/test/Makefile.check b/core/test/Makefile.check
index 37dac46..d576fc1 100644
--- a/core/test/Makefile.check
+++ b/core/test/Makefile.check
@@ -1,11 +1,16 @@
 # -*-Makefile-*-
 CORE_TEST := core/test/run-device core/test/run-mem_region core/test/run-malloc core/test/run-malloc-speed core/test/run-mem_region_init core/test/run-mem_region_release_unused core/test/run-mem_region_release_unused_noalloc core/test/run-trace core/test/run-msg
 
-check: $(CORE_TEST:%=%-check)
+CORE_TEST_NOSTUB := core/test/run-console-log-buf-overrun
+
+check: $(CORE_TEST:%=%-check) $(CORE_TEST_NOSTUB:%=%-check)
 
 $(CORE_TEST:%=%-check) : %-check: %
 	$(VALGRIND) $<
 
+$(CORE_TEST_NOSTUB:%=%-check) : %-check: %
+	$(VALGRIND) $<
+
 core/test/stubs.o: core/test/stubs.c
 	$(HOSTCC) $(HOSTCFLAGS) -g -c -o $@ $<
 
@@ -14,7 +19,12 @@ $(CORE_TEST) : core/test/stubs.o
 $(CORE_TEST) : % : %.c 
 	$(HOSTCC) $(HOSTCFLAGS) -O0 -g -I include -I . -I libfdt -o $@ $< core/test/stubs.o
 
-$(CORE_TEST): % : %.d
+$(CORE_TEST_NOSTUB): % : %.d
+
+$(CORE_TEST_NOSTUB) : % : %.c 
+	$(HOSTCC) $(HOSTCFLAGS) -O0 -g -I include -I . -I libfdt -o $@ $<
+
+$(CORE_TEST_NOSTUB): % : %.d
 
 core/test/stubs.o: core/test/stubs.d
 
diff --git a/core/test/run-console-log-buf-overrun.c b/core/test/run-console-log-buf-overrun.c
new file mode 100644
index 0000000..eda99e2
--- /dev/null
+++ b/core/test/run-console-log-buf-overrun.c
@@ -0,0 +1,113 @@
+/* Copyright 2014-2015 IBM Corp.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <config.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <stdarg.h>
+#include <compiler.h>
+
+#define __TEST__
+
+#define CHECK_BUF_ASSERT(buf, str)			\
+	assert(memcmp(buf, str, strlen(str)) == 0)
+
+#define CHECK_ASSERT(str)				\
+	CHECK_BUF_ASSERT(console_buffer, str)
+
+int huge_tb;
+
+static inline unsigned long mftb(void)
+{
+	/*
+	 * return huge value for TB that overrun tmp[16] buffer defined
+	 * in print_itoa().
+	 */
+	if (huge_tb)
+		return 1223372515963611388;
+	else
+		return 42;
+}
+
+#include "../console-log.c"
+#include "../../libc/stdio/snprintf.c"
+#include "../../libc/stdio/vsnprintf.c"
+
+char console_buffer[4096];
+struct debug_descriptor debug_descriptor;
+
+bool flushed_to_drivers;
+
+ssize_t console_write(bool flush_to_drivers, const void *buf, size_t count)
+{
+	flushed_to_drivers = flush_to_drivers;
+	memcpy(console_buffer, buf, count);
+	return count;
+}
+
+int main(void)
+{
+	unsigned long value = 0xffffffffffffffff;
+	char *ptr = console_buffer;
+
+	debug_descriptor.console_log_levels = 0x75;
+
+	/* Test for huge TB value. */
+	huge_tb = 1;
+
+	prlog(PR_EMERG, "Hello World");
+	CHECK_ASSERT("[1223372515963611388,0] Hello World");
+
+	memset(console_buffer, 0, sizeof(console_buffer));
+
+	/* Test for normal TB with huge unsigned long value */
+	huge_tb = 0;
+
+	prlog(PR_EMERG, "Hello World %lu", value);
+	CHECK_ASSERT("[42,0] Hello World 18446744073709551615");
+
+	printf("Hello World %lu", value);
+	CHECK_ASSERT("[42,5] Hello World 18446744073709551615");
+
+	/*
+	 * Test string of size > 320
+	 *
+	 * core/console-log.c:vprlog() uses buffer[320] to print message
+	 * Try printing more than 320 bytes to test stack corruption.
+	 * You would see Segmentation fault on stack corruption.
+	 */
+	prlog(PR_EMERG, "%330s", "Hello World");
+
+	memset(console_buffer, 0, sizeof(console_buffer));
+
+	/*
+	 * Test boundary condition.
+	 *
+	 * Print string of exact size 320. We should see string truncated
+	 * with console_buffer[319] == '\0'.
+	 */
+	memset(console_buffer, 0, sizeof(console_buffer));
+
+	prlog(PR_EMERG, "%313s", "Hello World");
+	assert(console_buffer[319] == 0);
+
+	/* compare truncated string */
+	ptr += 320 - strlen("Hello World");
+	CHECK_BUF_ASSERT(ptr, "Hello Worl");
+
+	return 0;
+}
diff --git a/include/timebase.h b/include/timebase.h
index 4537256..156c296 100644
--- a/include/timebase.h
+++ b/include/timebase.h
@@ -24,6 +24,7 @@
 
 #include <time.h>
 
+#ifndef __TEST__
 static inline unsigned long mftb(void)
 {
 	unsigned long tb;
@@ -34,6 +35,7 @@ static inline unsigned long mftb(void)
 	asm volatile("mftb %0" : "=r"(tb) : : "memory");
 	return tb;
 }
+#endif
 
 enum tb_cmpval {
 	TB_ABEFOREB = -1,