We use cookies to ensure you get the best experience on our website
Home Explore Help
Register Sign In
0ct0pu5
/
ladybird
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d56240759f
Branches Tags
ladybird
/
Userland
/
Tests
/
UserspaceEmulator
/
write-oob.cpp

write-oob.cpp 3.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100 
  1. /*
    2. 

  2.  * Copyright (c) 2021, Ben Wiederhake <BenWiederhake.GitHub@gmx.de>
    3. 

  3.  * All rights reserved.
    4. 

  4.  *
    5. 

  5.  * Redistribution and use in source and binary forms, with or without
    6. 

  6.  * modification, are permitted provided that the following conditions are met:
    7. 

  7.  *
    8. 

  8.  * 1. Redistributions of source code must retain the above copyright notice, this
    9. 

  9.  *    list of conditions and the following disclaimer.
    10. 

  10.  *
    11. 

  11.  * 2. Redistributions in binary form must reproduce the above copyright notice,
    12. 

  12.  *    this list of conditions and the following disclaimer in the documentation
    13. 

  13.  *    and/or other materials provided with the distribution.
    14. 

  14.  *
    15. 

  15.  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
    16. 

  16.  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    17. 

  17.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
    18. 

  18.  * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
    19. 

  19.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    20. 

  20.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
    21. 

  21.  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
    22. 

  22.  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
    23. 

  23.  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
    24. 

  24.  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    25. 

  25.  */
    26. 

  26. 

  27. #include <AK/Assertions.h>
    28. 

  28. #include <LibCore/ArgsParser.h>
    29. 

  29. #include <mman.h>
    30. 

  30. #include <stdint.h>
    31. 

  31. #include <stdio.h>
    32. 

  32. #include <stdlib.h>
    33. 

  33. 

  34. static void write8(void* ptr) { *(volatile uint8_t*)ptr = 1; }
    35. 

  35. static void write16(void* ptr) { *(volatile uint16_t*)ptr = 1; }
    36. 

  36. static void write32(void* ptr) { *(volatile uint32_t*)ptr = 1; }
    37. 

  37. static void write64(void* ptr) { *(volatile double*)ptr = 1.0; }
    38. 

  38. // A u64 write might be translated by the compiler as a 32-then-32-bit write:
    39. 

  39. // static void write64_bad(void* ptr) { *(volatile uint64_t*)ptr = 1.0; }
    40. 

  40. // Let's hope this won't be translated like that.
    41. 

  41. // Godbolt says yes: https://godbolt.org/z/1b9WGo
    42. 

  42. 

  43. static void run_test(void* region, ssize_t offset, size_t bits)
    44. 

  44. {
    45. 

  45.     void* ptr = (char*)region + offset;
    46. 

  46.     printf("Writing to %p\n", ptr);
    47. 

  47.     switch (bits) {
    48. 

  48.     case 8:
    49. 

  49.         write8(ptr);
    50. 

  50.         break;
    51. 

  51.     case 16:
    52. 

  52.         write16(ptr);
    53. 

  53.         break;
    54. 

  54.     case 32:
    55. 

  55.         write32(ptr);
    56. 

  56.         break;
    57. 

  57.     case 64:
    58. 

  58.         write64(ptr);
    59. 

  59.         break;
    60. 

  60.     default:
    61. 

  61.         ASSERT_NOT_REACHED();
    62. 

  62.     }
    63. 

  63. }
    64. 

  64. 

  65. int main(int argc, char** argv)
    66. 

  66. {
    67. 

  67.     bool do_static = false;
    68. 

  68.     int size = 10 * PAGE_SIZE;
    69. 

  69.     int offset = 10 * PAGE_SIZE - 1;
    70. 

  70.     int bits = 16;
    71. 

  71. 

  72.     auto args_parser = Core::ArgsParser();
    73. 

  73.     args_parser.set_general_help(
    74. 

  74.         "Access out of bounds memory; a great testcase for UserEmulator.");
    75. 

  75.     args_parser.add_option(do_static, "Use a static region instead of an mmap'ed region. Fixes 'size' to 10*PAGESIZE = 40960. (Default: false)", "static", 'S');
    76. 

  76.     args_parser.add_option(size, "The size of the region to allocate. (Default: 10*PAGESIZE = 40960)", "size", 's', "size");
    77. 

  77.     args_parser.add_option(offset, "The signed offset at which to start writing. (Default: 10*PAGESIZE-1 = 40959)", "offset", 'o', "offset");
    78. 

  78.     args_parser.add_option(bits, "Amount of bits to write in a single instruction. (Default: 16)", "bits", 'b', "bits");
    79. 

  79.     args_parser.parse(argc, argv);
    80. 

  80. 

  81.     if (do_static)
    82. 

  82.         size = 10 * PAGE_SIZE;
    83. 

  83. 

  84.     printf("Writing %d bits to %s region of size %d at offset %d.\n",
    85. 

  85.         bits, do_static ? "static" : "MMAP", size, offset);
    86. 

  86. 

  87.     if (do_static) {
    88. 

  88.         // Let's just hope the linker puts nothing after it!
    89. 

  89.         static unsigned char region[PAGE_SIZE * 10] = { 0 };
    90. 

  90. 

  91.         run_test(region, offset, 64);
    92. 

  92.     } else {
    93. 

  93.         void* region = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    94. 

  94.         ASSERT(region);
    95. 

  95.         run_test(region, offset, bits);
    96. 

  96.     }
    97. 

  97. 

  98.     printf("FAIL (should have caused SIGSEGV)\n");
    99. 

  99.     return 1;
    100. 

  100. }
    101.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5