diff options
author | Eyal Itkin <eyalit@checkpoint.com> | 2020-04-02 07:26:35 -0400 |
---|---|---|
committer | Carlos O'Donell <carlos@redhat.com> | 2020-04-03 07:20:56 -0400 |
commit | 6310d570bf20348135d09e1f9de84a9ae7d06f83 (patch) | |
tree | 62dc48f64b4dc824714690092f7baa4e146ce214 /malloc | |
parent | 1c50d23a20f7b964bc5358dcffbb3623170b6773 (diff) | |
download | glibc-6310d570bf20348135d09e1f9de84a9ae7d06f83.tar.gz glibc-6310d570bf20348135d09e1f9de84a9ae7d06f83.tar.xz glibc-6310d570bf20348135d09e1f9de84a9ae7d06f83.zip |
Add tests for Safe-Linking
Adding the test "tst-safe-linking" for testing that Safe-Linking works as expected. The test checks these 3 main flows: * tcache protection * fastbin protection * malloc_consolidate() correctness As there is a random chance of 1/16 that of the alignment will remain correct, the test checks each flow up to 10 times, using different random values for the pointer corruption. As a result, the chance for a false failure of a given tested flow is 2**(-40), thus highly unlikely. Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Diffstat (limited to 'malloc')
-rw-r--r-- | malloc/Makefile | 1 | ||||
-rw-r--r-- | malloc/tst-safe-linking.c | 179 |
2 files changed, 180 insertions, 0 deletions
diff --git a/malloc/Makefile b/malloc/Makefile index 984045b5b9..e22cbde22d 100644 --- a/malloc/Makefile +++ b/malloc/Makefile @@ -39,6 +39,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \ tst-malloc-too-large \ tst-malloc-stats-cancellation \ tst-tcfree1 tst-tcfree2 tst-tcfree3 \ + tst-safe-linking \ tests-static := \ tst-interpose-static-nothread \ diff --git a/malloc/tst-safe-linking.c b/malloc/tst-safe-linking.c new file mode 100644 index 0000000000..067b6c09cf --- /dev/null +++ b/malloc/tst-safe-linking.c @@ -0,0 +1,179 @@ +/* Test reporting of Safe-Linking caught errors. + Copyright (C) 2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +#include <signal.h> +#include <stdint.h> +#include <stdlib.h> +#include <memory.h> +#include <string.h> +#include <time.h> +#include <stdbool.h> +#include <support/capture_subprocess.h> +#include <support/check.h> + +/* Run CALLBACK and check that the data on standard error equals + EXPECTED. */ +static void +check (const char *test, void (*callback) (void *), + const char *expected) +{ + int i, rand_mask; + bool success = false; + /* There is a chance of 1/16 that a corrupted pointer will be aligned. + Try multiple times so that statistical failure will be improbable. */ + for (i = 0; i < 10 && !success; ++i) + { + rand_mask = rand () & 0xFF; + struct support_capture_subprocess result + = support_capture_subprocess (callback, &rand_mask); + /* Did not crash, could happen. Try again. */ + if (strlen (result.err.buffer) == 0) + continue; + /* Crashed, must be the expected result. */ + if (strcmp (result.err.buffer, expected) != 0) + { + support_record_failure (); + printf ("error: test %s unexpected standard error data\n" + " expected: %s\n" + " actual: %s\n", + test, expected, result.err.buffer); + } + TEST_VERIFY (WIFSIGNALED (result.status)); + if (WIFSIGNALED (result.status)) + TEST_VERIFY (WTERMSIG (result.status) == SIGABRT); + support_capture_subprocess_free (&result); + success = true; + } + TEST_VERIFY (success); +} + +/* Implementation details must be kept in sync with malloc. */ +#define TCACHE_FILL_COUNT 7 +#define TCACHE_ALLOC_SIZE 0x20 +#define MALLOC_CONSOLIDATE_SIZE 256*1024 + +/* Try corrupting the tcache list. */ +static void +test_tcache (void *closure) +{ + int mask = ((int *)closure)[0]; + size_t size = TCACHE_ALLOC_SIZE; + + /* Populate the tcache list. */ + void * volatile a = malloc (size); + void * volatile b = malloc (size); + void * volatile c = malloc (size); + free (a); + free (b); + free (c); + + /* Corrupt the pointer with a random value, and avoid optimizations. */ + printf ("Before: c=%p, c[0]=%p\n", c, ((void **)c)[0]); + memset (c, mask & 0xFF, size); + printf ("After: c=%p, c[0]=%p\n", c, ((void **)c)[0]); + + c = malloc (size); + /* This line will trigger the Safe-Linking check. */ + b = malloc (size); + printf ("b=%p\n", b); +} + +/* Try corrupting the fastbin list. */ +static void +test_fastbin (void *closure) +{ + int i; + int mask = ((int *)closure)[0]; + size_t size = TCACHE_ALLOC_SIZE; + + /* Take the tcache out of the game. */ + for (i = 0; i < TCACHE_FILL_COUNT; ++i) + { + void * volatile p = calloc (1, size); + free (p); + } + + /* Populate the fastbin list. */ + void * volatile a = calloc (1, size); + void * volatile b = calloc (1, size); + void * volatile c = calloc (1, size); + free (a); + free (b); + free (c); + + /* Corrupt the pointer with a random value, and avoid optimizations. */ + printf ("Before: c=%p, c[0]=%p\n", c, ((void **)c)[0]); + memset (c, mask & 0xFF, size); + printf ("After: c=%p, c[0]=%p\n", c, ((void **)c)[0]); + + c = calloc (1, size); + /* This line will trigger the Safe-Linking check. */ + b = calloc (1, size); + printf ("b=%p\n", b); +} + +/* Try corrupting the fastbin list and trigger a consolidate. */ +static void +test_fastbin_consolidate (void *closure) +{ + int i; + int mask = ((int*)closure)[0]; + size_t size = TCACHE_ALLOC_SIZE; + + /* Take the tcache out of the game. */ + for (i = 0; i < TCACHE_FILL_COUNT; ++i) + { + void * volatile p = calloc (1, size); + free (p); + } + + /* Populate the fastbin list. */ + void * volatile a = calloc (1, size); + void * volatile b = calloc (1, size); + void * volatile c = calloc (1, size); + free (a); + free (b); + free (c); + + /* Corrupt the pointer with a random value, and avoid optimizations. */ + printf ("Before: c=%p, c[0]=%p\n", c, ((void **)c)[0]); + memset (c, mask & 0xFF, size); + printf ("After: c=%p, c[0]=%p\n", c, ((void **)c)[0]); + + /* This line will trigger the Safe-Linking check. */ + b = malloc (MALLOC_CONSOLIDATE_SIZE); + printf ("b=%p\n", b); +} + +static int +do_test (void) +{ + /* Seed the random for the test. */ + srand (time (NULL)); + + check ("test_tcache", test_tcache, + "malloc(): unaligned tcache chunk detected\n"); + check ("test_fastbin", test_fastbin, + "malloc(): unaligned fastbin chunk detected 2\n"); + check ("test_fastbin_consolidate", test_fastbin_consolidate, + "malloc_consolidate(): unaligned fastbin chunk detected\n"); + + return 0; +} + +#include <support/test-driver.c> |