We use cookies to ensure you get the best experience on our website
Home Explore Help
Register Sign In
0ct0pu5
/
ladybird
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 87d19dfa28
Branches Tags
ladybird
/
Tests
/
UserspaceEmulator
/
ue-write-oob.cpp

ue-write-oob.cpp 2.6 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 
  1. /*
    2. 

  2.  * Copyright (c) 2021, Ben Wiederhake <BenWiederhake.GitHub@gmx.de>
    3. 

  3.  *
    4. 

  4.  * SPDX-License-Identifier: BSD-2-Clause
    5. 

  5.  */
    6. 

  6. 

  7. #include <AK/Assertions.h>
    8. 

  8. #include <LibCore/ArgsParser.h>
    9. 

  9. #include <stdint.h>
    10. 

  10. #include <stdio.h>
    11. 

  11. #include <stdlib.h>
    12. 

  12. #include <sys/mman.h>
    13. 

  13. 

  14. static void write8(void* ptr) { *(volatile uint8_t*)ptr = 1; }
    15. 

  15. static void write16(void* ptr) { *(volatile uint16_t*)ptr = 1; }
    16. 

  16. static void write32(void* ptr) { *(volatile uint32_t*)ptr = 1; }
    17. 

  17. static void write64(void* ptr) { *(volatile double*)ptr = 1.0; }
    18. 

  18. // A u64 write might be translated by the compiler as a 32-then-32-bit write:
    19. 

  19. // static void write64_bad(void* ptr) { *(volatile uint64_t*)ptr = 1.0; }
    20. 

  20. // Let's hope this won't be translated like that.
    21. 

  21. // Godbolt says yes: https://godbolt.org/z/1b9WGo
    22. 

  22. 

  23. static void run_test(void* region, ssize_t offset, size_t bits)
    24. 

  24. {
    25. 

  25.     void* ptr = (char*)region + offset;
    26. 

  26.     printf("Writing to %p\n", ptr);
    27. 

  27.     switch (bits) {
    28. 

  28.     case 8:
    29. 

  29.         write8(ptr);
    30. 

  30.         break;
    31. 

  31.     case 16:
    32. 

  32.         write16(ptr);
    33. 

  33.         break;
    34. 

  34.     case 32:
    35. 

  35.         write32(ptr);
    36. 

  36.         break;
    37. 

  37.     case 64:
    38. 

  38.         write64(ptr);
    39. 

  39.         break;
    40. 

  40.     default:
    41. 

  41.         VERIFY_NOT_REACHED();
    42. 

  42.     }
    43. 

  43. }
    44. 

  44. 

  45. int main(int argc, char** argv)
    46. 

  46. {
    47. 

  47.     bool do_static = false;
    48. 

  48.     int size = 10 * PAGE_SIZE;
    49. 

  49.     int offset = 10 * PAGE_SIZE - 1;
    50. 

  50.     int bits = 16;
    51. 

  51. 

  52.     auto args_parser = Core::ArgsParser();
    53. 

  53.     args_parser.set_general_help(
    54. 

  54.         "Access out of bounds memory; a great testcase for UserEmulator.");
    55. 

  55.     args_parser.add_option(do_static, "Use a static region instead of an mmap'ed region. Fixes 'size' to 10*PAGESIZE = 40960. (Default: false)", "static", 'S');
    56. 

  56.     args_parser.add_option(size, "The size of the region to allocate. (Default: 10*PAGESIZE = 40960)", "size", 's', "size");
    57. 

  57.     args_parser.add_option(offset, "The signed offset at which to start writing. (Default: 10*PAGESIZE-1 = 40959)", "offset", 'o', "offset");
    58. 

  58.     args_parser.add_option(bits, "Amount of bits to write in a single instruction. (Default: 16)", "bits", 'b', "bits");
    59. 

  59.     args_parser.parse(argc, argv);
    60. 

  60. 

  61.     if (do_static)
    62. 

  62.         size = 10 * PAGE_SIZE;
    63. 

  63. 

  64.     printf("Writing %d bits to %s region of size %d at offset %d.\n",
    65. 

  65.         bits, do_static ? "static" : "MMAP", size, offset);
    66. 

  66. 

  67.     if (do_static) {
    68. 

  68.         // Let's just hope the linker puts nothing after it!
    69. 

  69.         static unsigned char region[PAGE_SIZE * 10] = { 0 };
    70. 

  70. 

  71.         run_test(region, offset, 64);
    72. 

  72.     } else {
    73. 

  73.         void* region = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    74. 

  74.         VERIFY(region);
    75. 

  75.         run_test(region, offset, bits);
    76. 

  76.     }
    77. 

  77. 

  78.     printf("FAIL (should have caused SIGSEGV)\n");
    79. 

  79.     return 1;
    80. 

  80. }
    81.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5