Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dc47634e authored by Peter Collingbourne's avatar Peter Collingbourne
Browse files

Test that out-of-bounds UAF is not detected with MTE. 

This type of error is unlikely and attempting to detect it with MTE
is likely to produce false positive reports. Make sure that this type
of error is not detected by the allocator.

Change-Id: I90676d1a031411d6b725890311317802bc24b459
parent afe3212a

debuggerd/debuggerd_test.cpp

+32 −0
Original line number Original line Diff line number Diff line
@@ -512,6 +512,38 @@ TEST_P(SizeParamCrasherTest, mte_uaf) { 
#endif

#endif

}

}





TEST_P(SizeParamCrasherTest, mte_oob_uaf) {

#if defined(__aarch64__)

  if (!mte_supported()) {

    GTEST_SKIP() << "Requires MTE";

  }



  int intercept_result;

  unique_fd output_fd;

  StartProcess([&]() {

    SetTagCheckingLevelSync();

    volatile int* p = (volatile int*)malloc(GetParam());

    free((void *)p);

    p[-1] = 42;

  });



  StartIntercept(&output_fd);

  FinishCrasher();

  AssertDeath(SIGSEGV);

  FinishIntercept(&intercept_result);



  ASSERT_EQ(1, intercept_result) << "tombstoned reported failure";



  std::string result;

  ConsumeFd(std::move(output_fd), &result);



  ASSERT_MATCH(result, R"(signal 11 \(SIGSEGV\))");

  ASSERT_NOT_MATCH(result, R"(Cause: \[MTE\]: Use After Free, 4 bytes left)");

#else

  GTEST_SKIP() << "Requires aarch64";

#endif

}



TEST_P(SizeParamCrasherTest, mte_overflow) {

TEST_P(SizeParamCrasherTest, mte_overflow) {

#if defined(__aarch64__)

#if defined(__aarch64__)

  if (!mte_supported()) {

  if (!mte_supported()) {