1 /*
2 * Copyright (c) Huawei Technologies Co., Ltd. 2024-2025. All rights reserved.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <securec.h>
17 #include <string>
18 #include <unistd.h>
19 #include "napi/native_api.h"
20
constexpr int MAX_BUFFER_SIZE = 128;  // capacity of the log-path buffer built in GetBuffer
constexpr const char *ASAN_LOG_FILE_PATH = "/data/storage/el2/log/asanXtsLog.appspawn";  // GetBuffer appends ".<pid>"
constexpr int NUMFIVE = 5;            // value stored by StackUseAfterScope; pointer offset used by WildFree
constexpr int NUMTEN = 10;            // element or byte count of every buffer the test cases allocate
constexpr int NUMELEVEN = 11;         // out-of-range index used by StackBufferOverflow
constexpr int NUMTWELVE = 12;         // out-of-range offset used by HeapBufferOverflow
constexpr int NUMNEGATIVEONE = -1;    // index just before the start of a buffer (underflow cases)
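// Returns the text of the sanitizer log for process `pid` (ASAN_LOG_FILE_PATH + "." + pid).
// The result is empty when the path cannot be built or the file is missing, empty or
// unreadable. Once opened, the file is truncated before returning, so the next call only
// sees output written after this one.
// NOTE: keep this function at exactly 41 lines. Checks further down match absolute source
// line numbers printed in the report (for example "'a' (line 84)"), so changing the length
// of anything above those declarations makes them fail.
static std::string GetBuffer(int pid)
{
    std::string buffer;
    char file[MAX_BUFFER_SIZE];
    int filePathRes = snprintf_s(file, sizeof(file), sizeof(file) - 1, "%s.%d", ASAN_LOG_FILE_PATH, pid);
    if (filePathRes < 0) {
        return buffer;
    }
    // "r+" rather than "r": the same handle is truncated below.
    FILE *fp = fopen(file, "r+");
    if (!fp) {
        return buffer;
    }
    // ftell() returns long; -1 stands for "seek or tell failed".
    long size = -1;
    if (fseek(fp, 0, SEEK_END) == 0) {
        size = ftell(fp);
    }
    if (size > 0 && fseek(fp, 0, SEEK_SET) == 0) {
        buffer.resize(size);
        // Keep only the bytes actually read, so a short read leaves no NUL padding behind.
        buffer.resize(fread(&buffer[0], 1, buffer.size(), fp));
    }
    // Single exit for every path that opened the file. The earlier version returned without
    // fclose() when the first fseek() failed, leaking the handle; it also returned a buffer
    // of NUL bytes when the second fseek() failed.
    // Presumably the log is cleared so one case's report cannot satisfy the next case's
    // markers (several, such as "thread T0", are shared between cases) - confirm.
    // ftruncate() is best effort: its result was never checked and still is not.
    ftruncate(fileno(fp), 0);
    rewind(fp);
    fclose(fp);
    return buffer;
}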
69
// Reports whether the captured log text `buffer` contains the marker `errType`.
// An empty log never matches, so a missing or unreadable report counts as "not found".
// This block keeps its original 11-line length: checks further down compare against
// absolute source line numbers printed in the sanitizer report.
static bool CheckAsanLog(const std::string& errType, const std::string& buffer)
{
    if (!buffer.empty()) {
        return buffer.find(errType.c_str()) != std::string::npos;
    }
    return false;
}
81
__attribute__((optnone)) static napi_value StackBufferOverflow(napi_env env, napi_callback_info info)
{ // Test case: writes past the end of a stack array on purpose; returns 1 if the sanitizer log shows it, else 0.
    int a[NUMTEN]; // must stay on source line 84: the check below expects "'a' (line 84)"
    a[NUMELEVEN] = 1; // intentional out-of-bounds write (index 11 of 10 ints); this is the fault under test
    std::string bufferLog = GetBuffer(getpid()); // NOTE(review): reached only if the sanitizer continues after reporting - confirm
    bool findAsanLog = CheckAsanLog("AddressSanitizer: stack-buffer-overflow", bufferLog) &&
        CheckAsanLog("WRITE of size 4", bufferLog) &&
        CheckAsanLog("thread T0", bufferLog) &&
        CheckAsanLog("'a' (line 84)", bufferLog) && // variable name and declaration line as printed in the report
        CheckAsanLog("[f2]", bufferLog); // f2: "stack mid redzone" shadow byte; depends on this frame's layout
    int checkRes = findAsanLog ? 1 : 0;
    napi_value result = nullptr;
    napi_create_int32(env, checkRes, &result); // returned status is not checked
    return result;
}
97
__attribute__((optnone)) static napi_value StackBufferUnderflow(napi_env env, napi_callback_info info)
{ // Test case: writes just before a stack array on purpose; returns 1 if the sanitizer log shows it, else 0.
    int a[NUMTEN]; // must stay on source line 100: the check below expects "'a' (line 100)"
    a[NUMNEGATIVEONE] = 1; // intentional out-of-bounds write (index -1); this is the fault under test
    std::string bufferLog = GetBuffer(getpid()); // NOTE(review): reached only if the sanitizer continues after reporting - confirm
    bool findAsanLog = CheckAsanLog("AddressSanitizer: stack-buffer-underflow", bufferLog) &&
        CheckAsanLog("WRITE of size 4", bufferLog) &&
        CheckAsanLog("thread T0", bufferLog) &&
        CheckAsanLog("'a' (line 100)", bufferLog) && // variable name and declaration line as printed in the report
        CheckAsanLog("[f1]", bufferLog); // f1: "stack left redzone" shadow byte; depends on this frame's layout
    int checkRes = findAsanLog ? 1 : 0; // NOTE(review): unused; the bool passed below converts to the same 0/1
    napi_value result = nullptr;
    napi_create_int32(env, findAsanLog, &result); // returned status is not checked
    return result;
}
113
// Test case: stores one byte at offset 12 of a 10-byte heap block on purpose, then returns 1
// when the sanitizer log contains every marker expected for that report, otherwise 0.
__attribute__((optnone)) static napi_value HeapBufferOverflow(napi_env env, napi_callback_info info)
{
    char *block = static_cast<char *>(malloc(NUMTEN));
    if (block != nullptr) {
        block[NUMTWELVE] = 'n'; // intentional out-of-bounds store; this is the fault under test
    }
    free(block);
    const std::string report = GetBuffer(getpid());
    bool matched = CheckAsanLog("AddressSanitizer: heap-buffer-overflow", report) &&
        CheckAsanLog("WRITE of size 1", report) && CheckAsanLog("thread T0", report) &&
        CheckAsanLog("[02]", report); // 02: shadow byte of a granule with only 2 addressable bytes
    napi_value result = nullptr;
    napi_create_int32(env, matched ? 1 : 0, &result);
    return result;
}
131
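// Test case: reads the byte just before a heap block on purpose; returns 1 if the log shows that report, else 0.
__attribute__((optnone)) static napi_value HeapBufferUnderflow(napi_env env, napi_callback_info info)
{
    char *x = static_cast<char *>(malloc(NUMTEN * sizeof(char)));
    if (x != nullptr) { // as in HeapBufferOverflow: a null block would fault on a null pointer instead
        memset_s(x, NUMTEN * sizeof(char), 0, NUMTEN * sizeof(char));
        int res = x[NUMNEGATIVEONE]; // intentional out-of-bounds read; this is the fault under test
        free(x);
    }
    std::string report = GetBuffer(getpid());
    bool findAsanLog = CheckAsanLog("AddressSanitizer: heap-buffer-overflow", report) &&
        CheckAsanLog("READ of size 1", report) && CheckAsanLog("thread T0", report) && CheckAsanLog("[fa]", report);
    napi_value result = nullptr;
    napi_create_int32(env, findAsanLog ? 1 : 0, &result); // explicit 0/1; returned status is not checked
    return result;
}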
148
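// Test case: reads a heap block after freeing it on purpose; returns 1 if the log shows that report, else 0.
__attribute__((optnone)) static napi_value HeapUseAfterFree(napi_env env, napi_callback_info info)
{
    char *x = static_cast<char *>(malloc(NUMTEN * sizeof(char)));
    if (x != nullptr) { // as in HeapBufferOverflow: a null block would fault on a null pointer instead
        free(x);
        char tmp = x[5]; // intentional read of freed memory; this is the fault under test
    }
    std::string report = GetBuffer(getpid());
    bool findAsanLog = CheckAsanLog("AddressSanitizer: heap-use-after-free", report) &&
        CheckAsanLog("READ of size 1", report) && CheckAsanLog("thread T0", report) && CheckAsanLog("[fd]", report);
    napi_value result = nullptr;
    napi_create_int32(env, findAsanLog ? 1 : 0, &result); // explicit 0/1; returned status is not checked
    return result;
}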
164
volatile int *g_p = nullptr; // holds the escaped stack address in StackUseAfterScope and StackUseAfterReturn
__attribute__((optnone)) static napi_value StackUseAfterScope(napi_env env, napi_callback_info info)
{ // Test case: writes to a local after its scope has ended, on purpose; returns 1 if the log shows it, else 0.
    {
        int x = 0; // must stay on source line 169: the check below expects "'x' (line 169)"
        g_p = &x; // the address leaves the inner scope through the global
    }
    *g_p = NUMFIVE; // intentional write to `x` after its scope ended; this is the fault under test
    std::string bufferLog = GetBuffer(getpid()); // NOTE(review): reached only if the sanitizer continues after reporting - confirm
    bool findAsanLog = CheckAsanLog("AddressSanitizer: stack-use-after-scope", bufferLog) &&
        CheckAsanLog("WRITE of size 4", bufferLog) &&
        CheckAsanLog("thread T0", bufferLog) &&
        CheckAsanLog("'x' (line 169)", bufferLog) && // variable name and declaration line as printed in the report
        CheckAsanLog("[f8]", bufferLog); // f8: "stack use after scope" shadow byte
    int checkRes = findAsanLog ? 1 : 0; // NOTE(review): unused; the bool passed below converts to the same 0/1
    napi_value result = nullptr;
    napi_create_int32(env, findAsanLog, &result); // returned status is not checked
    return result;
}
184
__attribute__((optnone)) int* Fun() // helper for StackUseAfterReturn: hands back the address of its own local
{
    int a = 3; // must stay on source line 187: StackUseAfterReturn expects "'a' (line 187)"
    return &a; // intentionally dangling once Fun returns
}
190
// Test case: reads a local of Fun() after Fun() has returned, on purpose, then returns 1
// when the sanitizer log contains every marker expected for that report, otherwise 0.
__attribute__((optnone)) static napi_value StackUseAfterReturn(napi_env env, napi_callback_info info)
{
    g_p = Fun();
    int c = *g_p; // intentional read through the dangling pointer; this is the fault under test
    // NOTE(review): this line is reached only if the sanitizer continues after reporting, and the
    // report itself presumably needs stack-use-after-return detection enabled - confirm both.
    std::string bufferLog = GetBuffer(getpid());
    bool findAsanLog = CheckAsanLog("AddressSanitizer: stack-use-after-return", bufferLog) &&
        CheckAsanLog("READ of size 4", bufferLog) &&
        CheckAsanLog("thread T0", bufferLog) &&
        // Name and declaration line of Fun()'s local; tied to `int a` sitting on source line 187.
        CheckAsanLog("'a' (line 187)", bufferLog) &&
        CheckAsanLog("[f5]", bufferLog); // f5: "stack after return" shadow byte
    int checkRes = findAsanLog ? 1 : 0; // NOTE(review): unused; the bool passed below converts to the same 0/1
    napi_value result = nullptr;
    napi_create_int32(env, findAsanLog, &result); // returned status is not checked
    return result;
}
206
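// Test case: frees the same heap block twice on purpose, then returns 1 when the sanitizer
// log contains both markers expected for the double-free report, otherwise 0.
__attribute__((optnone)) static napi_value DoubleFree(napi_env env, napi_callback_info info)
{
    char *x = static_cast<char *>(malloc(NUMTEN * sizeof(char)));
    // Guarded like HeapBufferOverflow: with a null block the read below would fault on a null
    // pointer and both frees would be no-ops, so the case would not exercise a double free.
    if (x != nullptr) {
        memset_s(x, NUMTEN * sizeof(char), 0, NUMTEN * sizeof(char));
        int res = x[1]; // in-bounds read; not part of the fault
        free(x);
        free(x); // intentional second free; this is the fault under test
    }
    std::string bufferLog = GetBuffer(getpid());
    bool findAsanLog = CheckAsanLog("AddressSanitizer: attempting double-free", bufferLog) &&
        CheckAsanLog("in thread T0", bufferLog);
    napi_value result = nullptr;
    // Pass an explicit 0/1 instead of computing it into a local that was never used.
    napi_create_int32(env, findAsanLog ? 1 : 0, &result); // returned status is not checked
    return result;
}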
222
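// Test case: passes an interior pointer of a heap block to free() on purpose, then returns 1
// when the sanitizer log contains both markers expected for that report, otherwise 0.
__attribute__((optnone)) static napi_value WildFree(napi_env env, napi_callback_info info)
{
    char *x = static_cast<char *>(malloc(NUMTEN * sizeof(char)));
    // Guarded like HeapBufferOverflow: with a null block the lines below would fault on a
    // near-null address rather than exercise a free() of a non-malloc()ed pointer.
    if (x != nullptr) {
        memset_s(x, NUMTEN * sizeof(char), 0, NUMTEN * sizeof(char));
        // NOTE(review): index NUMTEN is one past the end of the 10-byte block, so this read is
        // itself out of bounds and may add a second report to the log. DoubleFree reads x[1]
        // at the same point; confirm whether the extra fault here is intended.
        int res = x[NUMTEN];
        free(x + NUMFIVE); // intentional free of an interior pointer; this is the fault under test
        // The block is deliberately not freed afterwards; the original did not free it either.
    }
    std::string bufferLog = GetBuffer(getpid());
    bool findAsanLog = CheckAsanLog("AddressSanitizer: attempting free on address which was not malloc()", bufferLog) &&
        CheckAsanLog("allocated by thread T0", bufferLog);
    napi_value result = nullptr;
    // Pass an explicit 0/1 instead of computing it into a local that was never used.
    napi_create_int32(env, findAsanLog ? 1 : 0, &result); // returned status is not checked
    return result;
}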
237
238 EXTERN_C_START
// Module initializer: attaches every native test case to `exports` under its script-visible
// name and hands `exports` back. Each case returns an int32 of 1 (report found) or 0.
static napi_value Init(napi_env env, napi_value exports)
{
    const napi_property_descriptor properties[] = {
        // Stack cases.
        { "stackBufferOverflow", nullptr, StackBufferOverflow, nullptr, nullptr, nullptr, napi_default, nullptr },
        { "stackBufferUnderflow", nullptr, StackBufferUnderflow, nullptr, nullptr, nullptr, napi_default, nullptr },
        // Heap cases.
        { "heapBufferOverflow", nullptr, HeapBufferOverflow, nullptr, nullptr, nullptr, napi_default, nullptr },
        { "heapBufferUnderflow", nullptr, HeapBufferUnderflow, nullptr, nullptr, nullptr, napi_default, nullptr },
        { "heapUseAfterFree", nullptr, HeapUseAfterFree, nullptr, nullptr, nullptr, napi_default, nullptr },
        // Lifetime cases.
        { "stackUseAfterScope", nullptr, StackUseAfterScope, nullptr, nullptr, nullptr, napi_default, nullptr },
        { "stackUseAfterReturn", nullptr, StackUseAfterReturn, nullptr, nullptr, nullptr, napi_default, nullptr },
        // Invalid free() cases.
        { "doubleFree", nullptr, DoubleFree, nullptr, nullptr, nullptr, napi_default, nullptr },
        { "wildFree", nullptr, WildFree, nullptr, nullptr, nullptr, napi_default, nullptr }
    };
    const size_t propertyCount = sizeof(properties) / sizeof(properties[0]);
    napi_define_properties(env, exports, propertyCount, properties); // returned status is not checked
    return exports;
}
255 EXTERN_C_END
256
// Registration record handed to napi_module_register(): names the module "entry" and stores
// Init as its register function.
static napi_module demoModule = {
    .nm_version = 1,
    .nm_flags = 0,
    .nm_filename = nullptr,
    .nm_register_func = Init,
    .nm_modname = "entry",
    .nm_priv = nullptr,
    .reserved = { 0 },
};
266
// Runs as a constructor when the shared library is loaded and registers demoModule, so the
// module is known before any script asks for it.
extern "C" __attribute__((constructor)) void RegisterEntryModule()
{
    napi_module_register(&demoModule);
}
271