Merge pull request #92 from struct/update_uaf_test

update the use after free test for when UAF_PTR_PAGE

Author: struct

Makefile

@@ -259,7 +259,7 @@ tests: clean library_debug_unit_tests
 	@echo "make library_debug_unit_tests"
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) tests/tagged_ptr_test.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/tagged_ptr_test $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) tests/tests.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/tests $(LDFLAGS)
-	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) tests/uaf.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/uaf
+	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) tests/uaf.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/uaf $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) tests/interfaces_test.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/interfaces_test $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) tests/thread_tests.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/thread_tests $(LDFLAGS)
 	$(CC) $(CFLAGS) $(EXE_CFLAGS) $(DEBUG_LOG_FLAGS) $(GDB_FLAGS) $(UNIT_TESTING) tests/big_canary_test.c $(ISO_ALLOC_PRINTF_SRC) -o $(BUILD_DIR)/big_canary_test $(LDFLAGS)

src/iso_alloc_search.c

@@ -7,32 +7,29 @@
  * value and return it or overwrite the first potentially
  * dangling pointer with the address of an unmapped page */
 INTERNAL_HIDDEN void *_iso_alloc_ptr_search(void *n, bool poison) {
-    uint8_t *h = NULL;
+    uint8_t *search = NULL;
+    uint8_t *end = NULL;
 
     for(int32_t i = 0; i < _root->zones_used; i++) {
         iso_alloc_zone_t *zone = &_root->zones[i];
 
-        UNMASK_ZONE_PTRS(zone);
-        h = zone->user_pages_start;
+        search = UNMASK_USER_PTR(zone);
+        end = search + ZONE_USER_SIZE;
 
-        while(h <= (uint8_t *) (zone->user_pages_start + ZONE_USER_SIZE - sizeof(uint64_t))) {
-            if(LIKELY((uint64_t) * (uint64_t *) h != (uint64_t) n)) {
-                h++;
+        while(search <= (uint8_t *) (end - sizeof(uint64_t))) {
+            if(LIKELY((uint64_t) * (uint64_t *) search != (uint64_t) n)) {
+                search++;
             } else {
                 if(poison == false) {
-                    MASK_ZONE_PTRS(zone);
-                    return h;
+                    return search;
                 } else {
 #if UAF_PTR_PAGE
-                    *(uint64_t *) h = UAF_PTR_PAGE_ADDR;
-                    MASK_ZONE_PTRS(zone);
-                    return h;
+                    *(uint64_t *) search = UAF_PTR_PAGE_ADDR;
+                    return search;
 #endif
                 }
             }
         }
-
-        MASK_ZONE_PTRS(zone);
     }
 
     return NULL;

tests/uaf.c

@@ -4,9 +4,10 @@
 #include "iso_alloc.h"
 #include "iso_alloc_internal.h"
 
-#if defined(UAF_PTR_PAGE) && !defined(ALLOC_SANITY)
-/* This test should be run manually. You need to enable UAF_PTR_PAGE
- * and then disable the sampling logic in iso_alloc. */
+#if UAF_PTR_PAGE && !ALLOC_SANITY
+/* This test should be run manually after enabling UAF_PTR_PAGE
+ * and disabling the sampling mechanism before the call to
+ * _iso_alloc_ptr_search in _iso_free_internal_unlocked */
 typedef struct test {
     char *str;
 } test_t;
@@ -15,14 +16,19 @@ int main(int argc, char *argv[]) {
     void *str = iso_alloc(32);
     test_t *test = (test_t *) iso_alloc(1024);
     test->str = str;
-    memcpy(str, "a string!", 9);
-    iso_free(str);
+
+    const char *s = "a string!";
+    memcpy(str, s, strlen(s));
+
+    /* We free the chunk permanently because
+     * it bypasses the quarantine */
+    iso_free_permanently(str);
 
     /* Dereference a pointer that should have been
      * detected and overwritten with UAF_PTR_PAGE */
-    LOG("Attempting to dereference test->str.\nWe should fault on %x", UAF_PTR_PAGE_ADDR);
-    LOG("%s", test->str);
-    iso_free(test);
+    fprintf(stdout, "Dereferencing test->str @ %p. Fault address will be %lx\n", test->str, UAF_PTR_PAGE_ADDR);
+    fprintf(stdout, "[%s]\n", test->str);
+    iso_free_permanently(test);
 
     return OK;
 }