1 /*
2 * Copyright (C) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <stdlib.h>
17 #include <unistd.h>
18 #include <sys/wait.h>
19 #include <signal.h>
20 #include <errno.h>
21 #include <string.h>
22 #include "test.h"
23
handler(int s)24 static void handler(int s)
25 {
26 }
27
28 volatile uintptr_t *p0;
29 volatile uintptr_t *p1;
30 volatile void *tmp[512];
31
child(void)32 static int child(void)
33 {
34 p0 = (uintptr_t *)malloc(10 * sizeof(uintptr_t));
35 if (!p0) {
36 t_error("Malloc failed:%s\n", strerror(errno));
37 return -1;
38 }
39 /* Malloc a dividing chunk to avoid combination of neighbouring freed chunk */
40 tmp[0] = malloc(10 * sizeof(uintptr_t));
41 /* Malloc another chunk to get a key */
42 p1 = (uintptr_t *)malloc(10 * sizeof(uintptr_t));
43 if (!p1) {
44 t_error("Malloc failed:%s\n", strerror(errno));
45 return -1;
46 }
47 /* Malloc a dividing chunk to avoid combination of neighbouring freed chunk */
48 tmp[0] = malloc(10 * sizeof(uintptr_t));
49
50 free((void *)p0);
51 free((void *)p1);
52
53 uintptr_t *fake_ptr = (uintptr_t *)((uintptr_t)((char *)p1 - sizeof(size_t) * 2) ^ (uintptr_t)p0[0]);
54 p0[0] = (uintptr_t)fake_ptr;
55 p1[0] = (uintptr_t)fake_ptr;
56
57 /*
58 * The init procedure makes the freelist unpredictable. To make sure to trigger the ivalid ptr
59 * acess, here we create as many chunks as possible to make sure there are enough chunks in
60 * bin[j] of size "10 * sizeof(uintptr_t)". Basically this is heap spray.
61 */
62 for (int i = 0; i < 512; ++i) {
63 tmp[i] = malloc(10 *sizeof(uintptr_t));
64 }
65
66 /*
67 * When freelist quarantine is on, the modifiy-pointer chunk maybe in quarantine. So here we
68 * need free the pointer.
69 */
70 for (int i = 0; i < 512; ++i) {
71 free((void *)tmp[i]);
72 }
73 return 0;
74 }
75
start_child(void)76 static pid_t start_child(void)
77 {
78 pid_t pid;
79 int ret;
80 pid = fork();
81 if (pid == 0) {
82 ret = child();
83 t_error("child process normally out with %d\n", ret);
84 return ret;
85 }
86 return pid;
87 }
88
main(int argc,char * argv[])89 int main(int argc, char *argv[])
90 {
91 sigset_t set;
92 int status;
93 pid_t pid;
94 int flag = 0;
95
96 sigemptyset(&set);
97 sigaddset(&set, SIGCHLD);
98 sigprocmask(SIG_BLOCK, &set, 0);
99 signal(SIGCHLD, handler);
100
101 pid = start_child();
102 if (pid == -1) {
103 t_error("%s fork failed: %s\n", argv[0], strerror(errno));
104 return -1;
105 }
106 if (sigtimedwait(&set, 0, &(struct timespec){5, 0}) == -1) { /* Wait for 5 seconds */
107 if (errno == EAGAIN)
108 flag = 1;
109 else
110 t_error("%s sigtimedwait failed: %s\n", argv[0], strerror(errno));
111 if (kill(pid, SIGKILL) == -1)
112 t_error("%s kill failed: %s\n", argv[0], strerror(errno));
113 }
114
115 if (waitpid(pid, &status, 0) != pid) {
116 t_error("%s waitpid failed: %s\n", argv[0], strerror(errno));
117 return -1;
118 }
119
120 if (flag) {
121 t_error("Child process time out\n");
122 }
123
124 if (WIFSIGNALED(status)) {
125 if (WTERMSIG(status) != SIGSEGV && WTERMSIG(status) != SIGILL) {
126 t_error("%s child process out with %s\n", argv[0], strsignal(WTERMSIG(status)));
127 return -1;
128 }
129 } else {
130 t_error("%s child process finished normally\n", argv[0]);
131 }
132 return 0;
133 }
134