|
|
@@ -117,8 +117,6 @@ int main(int argc, char** argv)
|
|
|
bool do_invalid_stack_pointer_on_syscall = false;
|
|
|
bool do_invalid_stack_pointer_on_page_fault = false;
|
|
|
bool do_syscall_from_writeable_memory = false;
|
|
|
- bool do_write_to_freed_memory_still_cached_by_malloc = false;
|
|
|
- bool do_read_from_freed_memory_still_cached_by_malloc = false;
|
|
|
bool do_execute_non_executable_memory = false;
|
|
|
bool do_trigger_user_mode_instruction_prevention = false;
|
|
|
bool do_use_io_instruction = false;
|
|
|
@@ -141,8 +139,6 @@ int main(int argc, char** argv)
|
|
|
args_parser.add_option(do_invalid_stack_pointer_on_syscall, "Make a syscall while using an invalid stack pointer", nullptr, 'T');
|
|
|
args_parser.add_option(do_invalid_stack_pointer_on_page_fault, "Trigger a page fault while using an invalid stack pointer", nullptr, 't');
|
|
|
args_parser.add_option(do_syscall_from_writeable_memory, "Make a syscall from writeable memory", nullptr, 'S');
|
|
|
- args_parser.add_option(do_write_to_freed_memory_still_cached_by_malloc, "Read from recently freed memory (tests an opportunistic malloc guard)", nullptr, 'x');
|
|
|
- args_parser.add_option(do_read_from_freed_memory_still_cached_by_malloc, "Write to recently free memory (tests an opportunistic malloc guard)", nullptr, 'y');
|
|
|
args_parser.add_option(do_execute_non_executable_memory, "Attempt to execute non-executable memory (not mapped with PROT_EXEC)", nullptr, 'X');
|
|
|
args_parser.add_option(do_trigger_user_mode_instruction_prevention, "Attempt to trigger an x86 User Mode Instruction Prevention fault", nullptr, 'U');
|
|
|
args_parser.add_option(do_use_io_instruction, "Use an x86 I/O instruction in userspace", nullptr, 'I');
|
|
|
@@ -294,31 +290,6 @@ int main(int argc, char** argv)
|
|
|
}).run(run_type);
|
|
|
}
|
|
|
|
|
|
- if (do_read_from_freed_memory_still_cached_by_malloc || do_all_crash_types) {
|
|
|
- Crash("Read from memory still cached by malloc", []() {
|
|
|
- auto* ptr = (u8*)malloc(1024);
|
|
|
- if (!ptr)
|
|
|
- return Crash::Failure::UnexpectedError;
|
|
|
-
|
|
|
- free(ptr);
|
|
|
- dbgprintf("ptr = %p\n", ptr);
|
|
|
- [[maybe_unused]] volatile auto foo = *ptr;
|
|
|
- return Crash::Failure::DidNotCrash;
|
|
|
- }).run(run_type);
|
|
|
- }
|
|
|
-
|
|
|
- if (do_write_to_freed_memory_still_cached_by_malloc || do_all_crash_types) {
|
|
|
- Crash("Write to freed memory still cached by malloc", []() {
|
|
|
- auto* ptr = (u8*)malloc(1024);
|
|
|
- if (!ptr)
|
|
|
- return Crash::Failure::UnexpectedError;
|
|
|
- free(ptr);
|
|
|
- dbgprintf("ptr = %p\n", ptr);
|
|
|
- *ptr = 'x';
|
|
|
- return Crash::Failure::DidNotCrash;
|
|
|
- }).run(run_type);
|
|
|
- }
|
|
|
-
|
|
|
if (do_execute_non_executable_memory || do_all_crash_types) {
|
|
|
Crash("Execute non executable memory", []() {
|
|
|
auto* ptr = (u8*)mmap(nullptr, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
|
Linus Groh