crasher: heap-buffer-overflow, invalid-free, and use-after-free. (4dd8b953) · Commits · e / os / android_system_core

debuggerd/crasher/crasher.cpp

+25 −6

Original line number	Diff line number	Diff line
		@@ -145,12 +145,24 @@ noinline int crash(int a) {
		#pragma clang diagnostic push
		#pragma clang diagnostic ignored "-Wfree-nonheap-object"

		noinline void abuse_heap() {
		noinline void invalid_free() {
		char buf[16];
		free(buf); // GCC is smart enough to warn about this, but we're doing it deliberately.
		free(buf); // The compiler is smart enough to warn about this, but we're doing it deliberately.
		}
		#pragma clang diagnostic pop

		noinline void heap_buffer_overflow() {
		volatile char* p = reinterpret_cast<volatile char*>(malloc(32));
		p[32] = p[32];
		}

		noinline void use_after_free() {
		void* allocation = malloc(32);
		volatile char* p = reinterpret_cast<volatile char*>(allocation);
		free(allocation);
		p[0] = p[0];
		}

		noinline void leak() {
		while (true) {
		void* mapping =
		@@ -187,7 +199,10 @@ static int usage() {
		fprintf(stderr, " stack-overflow recurse until the stack overflows\n");
		fprintf(stderr, " nostack crash with a NULL stack pointer\n");
		fprintf(stderr, "\n");
		fprintf(stderr, " heap-usage cause a libc abort by abusing a heap function\n");
		fprintf(stderr, " heap-buffer-overflow write past the end of a heap allocation\n");
		fprintf(stderr, " invalid-free pass a non-heap pointer to free()\n");
		fprintf(stderr, " use-after-free write to a buffer after free()\n");
		fprintf(stderr, "\n");
		fprintf(stderr, " call-null cause a crash by calling through a nullptr\n");
		fprintf(stderr, " leak leak memory until we get OOM-killed\n");
		fprintf(stderr, "\n");
		@@ -351,8 +366,12 @@ noinline int do_action(const char* arg) {
		return strlen_null();
		} else if (!strcasecmp(arg, "pthread_join-NULL")) {
		return pthread_join(0, nullptr);
		} else if (!strcasecmp(arg, "heap-usage")) {
		abuse_heap();
		} else if (!strcasecmp(arg, "heap-buffer-overflow")) {
		heap_buffer_overflow();
		} else if (!strcasecmp(arg, "invalid-free")) {
		invalid_free();
		} else if (!strcasecmp(arg, "use-after-free")) {
		use_after_free();
		} else if (!strcasecmp(arg, "leak")) {
		leak();
		} else if (!strcasecmp(arg, "SIGSEGV-unmapped")) {
		@@ -398,7 +417,7 @@ noinline int do_action(const char* arg) {
		return usage();
		}

		fprintf(stderr, "%s: exiting normally!\n", getprogname());
		fprintf(stderr, "%s: exiting normally (which is unexpected)!\n", getprogname());
		return EXIT_SUCCESS;
		}