216 lines
6.7 KiB
Diff
216 lines
6.7 KiB
Diff
|
From 6310d570bf20348135d09e1f9de84a9ae7d06f83 Mon Sep 17 00:00:00 2001
|
||
|
From: Eyal Itkin <eyalit@checkpoint.com>
|
||
|
Date: Thu, 2 Apr 2020 07:26:35 -0400
|
||
|
Subject: Add tests for Safe-Linking
|
||
|
|
||
|
Adding the test "tst-safe-linking" for testing that Safe-Linking works
|
||
|
as expected. The test checks these 3 main flows:
|
||
|
* tcache protection
|
||
|
* fastbin protection
|
||
|
* malloc_consolidate() correctness
|
||
|
|
||
|
As there is a random chance of 1/16 that of the alignment will remain
|
||
|
correct, the test checks each flow up to 10 times, using different random
|
||
|
values for the pointer corruption. As a result, the chance for a false
|
||
|
failure of a given tested flow is 2**(-40), thus highly unlikely.
|
||
|
|
||
|
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
|
||
|
|
||
|
diff --git a/malloc/Makefile b/malloc/Makefile
|
||
|
index 984045b5b9..e22cbde22d 100644
|
||
|
--- a/malloc/Makefile
|
||
|
+++ b/malloc/Makefile
|
||
|
@@ -39,6 +39,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \
|
||
|
tst-malloc-too-large \
|
||
|
tst-malloc-stats-cancellation \
|
||
|
tst-tcfree1 tst-tcfree2 tst-tcfree3 \
|
||
|
+ tst-safe-linking \
|
||
|
|
||
|
tests-static := \
|
||
|
tst-interpose-static-nothread \
|
||
|
diff --git a/malloc/tst-safe-linking.c b/malloc/tst-safe-linking.c
|
||
|
new file mode 100644
|
||
|
index 0000000000..067b6c09cf
|
||
|
--- /dev/null
|
||
|
+++ b/malloc/tst-safe-linking.c
|
||
|
@@ -0,0 +1,179 @@
|
||
|
+/* Test reporting of Safe-Linking caught errors.
|
||
|
+ Copyright (C) 2020 Free Software Foundation, Inc.
|
||
|
+ This file is part of the GNU C Library.
|
||
|
+
|
||
|
+ The GNU C Library is free software; you can redistribute it and/or
|
||
|
+ modify it under the terms of the GNU Lesser General Public
|
||
|
+ License as published by the Free Software Foundation; either
|
||
|
+ version 2.1 of the License, or (at your option) any later version.
|
||
|
+
|
||
|
+ The GNU C Library is distributed in the hope that it will be useful,
|
||
|
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||
|
+ Lesser General Public License for more details.
|
||
|
+
|
||
|
+ You should have received a copy of the GNU Lesser General Public
|
||
|
+ License along with the GNU C Library; if not, see
|
||
|
+ <https://www.gnu.org/licenses/>. */
|
||
|
+
|
||
|
+#include <signal.h>
|
||
|
+#include <stdint.h>
|
||
|
+#include <stdlib.h>
|
||
|
+#include <memory.h>
|
||
|
+#include <string.h>
|
||
|
+#include <time.h>
|
||
|
+#include <stdbool.h>
|
||
|
+#include <support/capture_subprocess.h>
|
||
|
+#include <support/check.h>
|
||
|
+
|
||
|
+/* Run CALLBACK and check that the data on standard error equals
|
||
|
+ EXPECTED. */
|
||
|
+static void
|
||
|
+check (const char *test, void (*callback) (void *),
|
||
|
+ const char *expected)
|
||
|
+{
|
||
|
+ int i, rand_mask;
|
||
|
+ bool success = false;
|
||
|
+ /* There is a chance of 1/16 that a corrupted pointer will be aligned.
|
||
|
+ Try multiple times so that statistical failure will be improbable. */
|
||
|
+ for (i = 0; i < 10 && !success; ++i)
|
||
|
+ {
|
||
|
+ rand_mask = rand () & 0xFF;
|
||
|
+ struct support_capture_subprocess result
|
||
|
+ = support_capture_subprocess (callback, &rand_mask);
|
||
|
+ /* Did not crash, could happen. Try again. */
|
||
|
+ if (strlen (result.err.buffer) == 0)
|
||
|
+ continue;
|
||
|
+ /* Crashed, must be the expected result. */
|
||
|
+ if (strcmp (result.err.buffer, expected) != 0)
|
||
|
+ {
|
||
|
+ support_record_failure ();
|
||
|
+ printf ("error: test %s unexpected standard error data\n"
|
||
|
+ " expected: %s\n"
|
||
|
+ " actual: %s\n",
|
||
|
+ test, expected, result.err.buffer);
|
||
|
+ }
|
||
|
+ TEST_VERIFY (WIFSIGNALED (result.status));
|
||
|
+ if (WIFSIGNALED (result.status))
|
||
|
+ TEST_VERIFY (WTERMSIG (result.status) == SIGABRT);
|
||
|
+ support_capture_subprocess_free (&result);
|
||
|
+ success = true;
|
||
|
+ }
|
||
|
+ TEST_VERIFY (success);
|
||
|
+}
|
||
|
+
|
||
|
+/* Implementation details must be kept in sync with malloc. */
|
||
|
+#define TCACHE_FILL_COUNT 7
|
||
|
+#define TCACHE_ALLOC_SIZE 0x20
|
||
|
+#define MALLOC_CONSOLIDATE_SIZE 256*1024
|
||
|
+
|
||
|
+/* Try corrupting the tcache list. */
|
||
|
+static void
|
||
|
+test_tcache (void *closure)
|
||
|
+{
|
||
|
+ int mask = ((int *)closure)[0];
|
||
|
+ size_t size = TCACHE_ALLOC_SIZE;
|
||
|
+
|
||
|
+ /* Populate the tcache list. */
|
||
|
+ void * volatile a = malloc (size);
|
||
|
+ void * volatile b = malloc (size);
|
||
|
+ void * volatile c = malloc (size);
|
||
|
+ free (a);
|
||
|
+ free (b);
|
||
|
+ free (c);
|
||
|
+
|
||
|
+ /* Corrupt the pointer with a random value, and avoid optimizations. */
|
||
|
+ printf ("Before: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
|
||
|
+ memset (c, mask & 0xFF, size);
|
||
|
+ printf ("After: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
|
||
|
+
|
||
|
+ c = malloc (size);
|
||
|
+ /* This line will trigger the Safe-Linking check. */
|
||
|
+ b = malloc (size);
|
||
|
+ printf ("b=%p\n", b);
|
||
|
+}
|
||
|
+
|
||
|
+/* Try corrupting the fastbin list. */
|
||
|
+static void
|
||
|
+test_fastbin (void *closure)
|
||
|
+{
|
||
|
+ int i;
|
||
|
+ int mask = ((int *)closure)[0];
|
||
|
+ size_t size = TCACHE_ALLOC_SIZE;
|
||
|
+
|
||
|
+ /* Take the tcache out of the game. */
|
||
|
+ for (i = 0; i < TCACHE_FILL_COUNT; ++i)
|
||
|
+ {
|
||
|
+ void * volatile p = calloc (1, size);
|
||
|
+ free (p);
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Populate the fastbin list. */
|
||
|
+ void * volatile a = calloc (1, size);
|
||
|
+ void * volatile b = calloc (1, size);
|
||
|
+ void * volatile c = calloc (1, size);
|
||
|
+ free (a);
|
||
|
+ free (b);
|
||
|
+ free (c);
|
||
|
+
|
||
|
+ /* Corrupt the pointer with a random value, and avoid optimizations. */
|
||
|
+ printf ("Before: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
|
||
|
+ memset (c, mask & 0xFF, size);
|
||
|
+ printf ("After: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
|
||
|
+
|
||
|
+ c = calloc (1, size);
|
||
|
+ /* This line will trigger the Safe-Linking check. */
|
||
|
+ b = calloc (1, size);
|
||
|
+ printf ("b=%p\n", b);
|
||
|
+}
|
||
|
+
|
||
|
+/* Try corrupting the fastbin list and trigger a consolidate. */
|
||
|
+static void
|
||
|
+test_fastbin_consolidate (void *closure)
|
||
|
+{
|
||
|
+ int i;
|
||
|
+ int mask = ((int*)closure)[0];
|
||
|
+ size_t size = TCACHE_ALLOC_SIZE;
|
||
|
+
|
||
|
+ /* Take the tcache out of the game. */
|
||
|
+ for (i = 0; i < TCACHE_FILL_COUNT; ++i)
|
||
|
+ {
|
||
|
+ void * volatile p = calloc (1, size);
|
||
|
+ free (p);
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Populate the fastbin list. */
|
||
|
+ void * volatile a = calloc (1, size);
|
||
|
+ void * volatile b = calloc (1, size);
|
||
|
+ void * volatile c = calloc (1, size);
|
||
|
+ free (a);
|
||
|
+ free (b);
|
||
|
+ free (c);
|
||
|
+
|
||
|
+ /* Corrupt the pointer with a random value, and avoid optimizations. */
|
||
|
+ printf ("Before: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
|
||
|
+ memset (c, mask & 0xFF, size);
|
||
|
+ printf ("After: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
|
||
|
+
|
||
|
+ /* This line will trigger the Safe-Linking check. */
|
||
|
+ b = malloc (MALLOC_CONSOLIDATE_SIZE);
|
||
|
+ printf ("b=%p\n", b);
|
||
|
+}
|
||
|
+
|
||
|
+static int
|
||
|
+do_test (void)
|
||
|
+{
|
||
|
+ /* Seed the random for the test. */
|
||
|
+ srand (time (NULL));
|
||
|
+
|
||
|
+ check ("test_tcache", test_tcache,
|
||
|
+ "malloc(): unaligned tcache chunk detected\n");
|
||
|
+ check ("test_fastbin", test_fastbin,
|
||
|
+ "malloc(): unaligned fastbin chunk detected 2\n");
|
||
|
+ check ("test_fastbin_consolidate", test_fastbin_consolidate,
|
||
|
+ "malloc_consolidate(): unaligned fastbin chunk detected\n");
|
||
|
+
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
+#include <support/test-driver.c>
|