about summary refs log tree commit diff
path: root/malloc
diff options
context:
space:
mode:
authorEyal Itkin <eyalit@checkpoint.com>2020-04-02 07:26:35 -0400
committerCarlos O'Donell <carlos@redhat.com>2020-04-03 07:20:56 -0400
commit6310d570bf20348135d09e1f9de84a9ae7d06f83 (patch)
tree62dc48f64b4dc824714690092f7baa4e146ce214 /malloc
parent1c50d23a20f7b964bc5358dcffbb3623170b6773 (diff)
downloadglibc-6310d570bf20348135d09e1f9de84a9ae7d06f83.tar.gz
glibc-6310d570bf20348135d09e1f9de84a9ae7d06f83.tar.xz
glibc-6310d570bf20348135d09e1f9de84a9ae7d06f83.zip
Add tests for Safe-Linking
Adding the test "tst-safe-linking" for testing that Safe-Linking works
as expected. The test checks these 3 main flows:
 * tcache protection
 * fastbin protection
 * malloc_consolidate() correctness

As there is a random chance of 1/16 that of the alignment will remain
correct, the test checks each flow up to 10 times, using different random
values for the pointer corruption. As a result, the chance for a false
failure of a given tested flow is 2**(-40), thus highly unlikely.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Diffstat (limited to 'malloc')
-rw-r--r--malloc/Makefile1
-rw-r--r--malloc/tst-safe-linking.c179
2 files changed, 180 insertions, 0 deletions
diff --git a/malloc/Makefile b/malloc/Makefile
index 984045b5b9..e22cbde22d 100644
--- a/malloc/Makefile
+++ b/malloc/Makefile
@@ -39,6 +39,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \
 	 tst-malloc-too-large \
 	 tst-malloc-stats-cancellation \
 	 tst-tcfree1 tst-tcfree2 tst-tcfree3 \
+	 tst-safe-linking \
 
 tests-static := \
 	 tst-interpose-static-nothread \
diff --git a/malloc/tst-safe-linking.c b/malloc/tst-safe-linking.c
new file mode 100644
index 0000000000..067b6c09cf
--- /dev/null
+++ b/malloc/tst-safe-linking.c
@@ -0,0 +1,179 @@
+/* Test reporting of Safe-Linking caught errors.
+   Copyright (C) 2020 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <signal.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <memory.h>
+#include <string.h>
+#include <time.h>
+#include <stdbool.h>
+#include <support/capture_subprocess.h>
+#include <support/check.h>
+
+/* Run CALLBACK and check that the data on standard error equals
+   EXPECTED.  */
+static void
+check (const char *test, void (*callback) (void *),
+       const char *expected)
+{
+  int i, rand_mask;
+  bool success = false;
+  /* There is a chance of 1/16 that a corrupted pointer will be aligned.
+     Try multiple times so that statistical failure will be improbable.  */
+  for (i = 0; i < 10 && !success; ++i)
+    {
+      rand_mask = rand () & 0xFF;
+      struct support_capture_subprocess result
+	= support_capture_subprocess (callback, &rand_mask);
+      /* Did not crash, could happen.  Try again.  */
+      if (strlen (result.err.buffer) == 0)
+	continue;
+      /* Crashed, must be the expected result.  */
+      if (strcmp (result.err.buffer, expected) != 0)
+	{
+	  support_record_failure ();
+	  printf ("error: test %s unexpected standard error data\n"
+	          "  expected: %s\n"
+	          "  actual:   %s\n",
+	          test, expected, result.err.buffer);
+	}
+      TEST_VERIFY (WIFSIGNALED (result.status));
+      if (WIFSIGNALED (result.status))
+	TEST_VERIFY (WTERMSIG (result.status) == SIGABRT);
+      support_capture_subprocess_free (&result);
+      success = true;
+    }
+  TEST_VERIFY (success);
+}
+
+/* Implementation details must be kept in sync with malloc.  */
+#define TCACHE_FILL_COUNT               7
+#define TCACHE_ALLOC_SIZE               0x20
+#define MALLOC_CONSOLIDATE_SIZE         256*1024
+
+/* Try corrupting the tcache list.  */
+static void
+test_tcache (void *closure)
+{
+  int mask = ((int *)closure)[0];
+  size_t size = TCACHE_ALLOC_SIZE;
+
+  /* Populate the tcache list.  */
+  void * volatile a = malloc (size);
+  void * volatile b = malloc (size);
+  void * volatile c = malloc (size);
+  free (a);
+  free (b);
+  free (c);
+
+  /* Corrupt the pointer with a random value, and avoid optimizations.  */
+  printf ("Before: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
+  memset (c, mask & 0xFF, size);
+  printf ("After: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
+
+  c = malloc (size);
+  /* This line will trigger the Safe-Linking check.  */
+  b = malloc (size);
+  printf ("b=%p\n", b);
+}
+
+/* Try corrupting the fastbin list.  */
+static void
+test_fastbin (void *closure)
+{
+  int i;
+  int mask = ((int *)closure)[0];
+  size_t size = TCACHE_ALLOC_SIZE;
+
+  /* Take the tcache out of the game.  */
+  for (i = 0; i < TCACHE_FILL_COUNT; ++i)
+    {
+      void * volatile p = calloc (1, size);
+      free (p);
+    }
+
+  /* Populate the fastbin list.  */
+  void * volatile a = calloc (1, size);
+  void * volatile b = calloc (1, size);
+  void * volatile c = calloc (1, size);
+  free (a);
+  free (b);
+  free (c);
+
+  /* Corrupt the pointer with a random value, and avoid optimizations.  */
+  printf ("Before: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
+  memset (c, mask & 0xFF, size);
+  printf ("After: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
+
+  c = calloc (1, size);
+  /* This line will trigger the Safe-Linking check.  */
+  b = calloc (1, size);
+  printf ("b=%p\n", b);
+}
+
+/* Try corrupting the fastbin list and trigger a consolidate.  */
+static void
+test_fastbin_consolidate (void *closure)
+{
+  int i;
+  int mask = ((int*)closure)[0];
+  size_t size = TCACHE_ALLOC_SIZE;
+
+  /* Take the tcache out of the game.  */
+  for (i = 0; i < TCACHE_FILL_COUNT; ++i)
+    {
+      void * volatile p = calloc (1, size);
+      free (p);
+    }
+
+  /* Populate the fastbin list.  */
+  void * volatile a = calloc (1, size);
+  void * volatile b = calloc (1, size);
+  void * volatile c = calloc (1, size);
+  free (a);
+  free (b);
+  free (c);
+
+  /* Corrupt the pointer with a random value, and avoid optimizations.  */
+  printf ("Before: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
+  memset (c, mask & 0xFF, size);
+  printf ("After: c=%p, c[0]=%p\n", c, ((void **)c)[0]);
+
+  /* This line will trigger the Safe-Linking check.  */
+  b = malloc (MALLOC_CONSOLIDATE_SIZE);
+  printf ("b=%p\n", b);
+}
+
+static int
+do_test (void)
+{
+  /* Seed the random for the test.  */
+  srand (time (NULL));
+
+  check ("test_tcache", test_tcache,
+         "malloc(): unaligned tcache chunk detected\n");
+  check ("test_fastbin", test_fastbin,
+         "malloc(): unaligned fastbin chunk detected 2\n");
+  check ("test_fastbin_consolidate", test_fastbin_consolidate,
+         "malloc_consolidate(): unaligned fastbin chunk detected\n");
+
+  return 0;
+}
+
+#include <support/test-driver.c>