1# $NetBSD: t_asan_heap_overflow.sh,v 1.2 2018/07/16 07:27:26 kamil Exp $ 2# 3# Copyright (c) 2018 The NetBSD Foundation, Inc. 4# All rights reserved. 5# 6# This code is derived from software contributed to The NetBSD Foundation 7# by Siddharth Muralee. 8# 9# Redistribution and use in source and binary forms, with or without 10# modification, are permitted provided that the following conditions 11# are met: 12# 1. Redistributions of source code must retain the above copyright 13# notice, this list of conditions and the following disclaimer. 14# 2. Redistributions in binary form must reproduce the above copyright 15# notice, this list of conditions and the following disclaimer in the 16# documentation and/or other materials provided with the distribution. 17# 18# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28# POSSIBILITY OF SUCH DAMAGE. 29# 30 31SUPPORT='n' 32test_target() { 33 if uname -m | grep -q "amd64"; then 34 SUPPORT='y' 35 fi 36 37 if uname -m | grep -q "i386"; then 38 SUPPORT='y' 39 fi 40} 41 42atf_test_case heap_overflow 43heap_overflow_head() { 44 atf_set "descr" "compile and run \"Heap Overflow example\"" 45 atf_set "require.progs" "c++ paxctl" 46} 47 48atf_test_case heap_overflow_profile 49heap_overflow_profile_head() { 50 atf_set "descr" "compile and run \"Heap Overflow example\" with profiling option" 51 atf_set "require.progs" "c++ paxctl" 52} 53 54atf_test_case heap_overflow_pic 55heap_overflow_pic_head() { 56 atf_set "descr" "compile and run PIC \"Heap Overflow example\"" 57 atf_set "require.progs" "c++ paxctl" 58} 59 60atf_test_case heap_overflow_pie 61heap_overflow_pie_head() { 62 atf_set "descr" "compile and run position independent (PIE) \"Heap Overflow example\"" 63 atf_set "require.progs" "c++ paxctl" 64} 65 66atf_test_case heap_overflow32 67heap_overflow32_head() { 68 atf_set "descr" "compile and run \"Heap Overflow example\" for/in netbsd32 emulation" 69 atf_set "require.progs" "c++ paxctl file diff cat" 70} 71 72atf_test_case target_not_supported 73target_not_supported_head() 74{ 75 atf_set "descr" "Test forced skip" 76} 77 78heap_overflow_body() { 79 cat > test.cpp << EOF 80#include <stdio.h> 81#include <stdlib.h> 82#include <string.h> 83int foo(int index) { int *x = (int *)malloc(20); int res = x[index * 4]; free(x); return res;} 84int main(int argc, char **argv) {foo(argc + 19); printf("CHECK\n"); exit(0);} 85EOF 86 c++ -fsanitize=address -o test test.cpp 87 paxctl -a test 88 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-buffer-overflow" ./test 89} 90 91heap_overflow_profile_body() { 92 cat > test.cpp << EOF 93#include <stdio.h> 94#include <stdlib.h> 95#include <string.h> 96int foo(int index) { int *x = (int *)malloc(20); int res = x[index * 4]; free(x); return res;} 97int main(int argc, char **argv) {foo(argc + 19); printf("CHECK\n"); exit(0);} 98EOF 99 c++ -fsanitize=address -o test -pg test.cpp 100 paxctl +a test 101 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-buffer-overflow" ./test 102} 103 104heap_overflow_pic_body() { 105 cat > test.cpp << EOF 106#include <stdio.h> 107#include <stdlib.h> 108#include <string.h> 109int foo(int); 110int main(int argc, char **argv) {foo(argc + 19); printf("CHECK\n"); exit(0);} 111EOF 112 cat > pic.cpp << EOF 113#include <stdio.h> 114#include <stdlib.h> 115#include <string.h> 116int foo(int index) { int *x = (int *)malloc(20); int res = x[index * 4]; free(x); return res;} 117EOF 118 119 c++ -fPIC -fsanitize=address -shared -o libtest.so pic.cpp 120 c++ -o test test.cpp -fsanitize=address -L. -ltest 121 paxctl +a test 122 123 export LD_LIBRARY_PATH=. 124 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-buffer-overflow" ./test 125} 126 127heap_overflow_pie_body() { 128 # check whether this arch supports -pice 129 if ! c++ -pie -dM -E - < /dev/null 2>/dev/null >/dev/null; then 130 atf_set_skip "c++ -pie not supported on this architecture" 131 fi 132 cat > test.cpp << EOF 133#include <stdio.h> 134#include <stdlib.h> 135#include <string.h> 136int foo(int index) { int *x = (int *)malloc(20); int res = x[index * 4]; free(x); return res;} 137int main(int argc, char **argv) {foo(argc + 19); printf("CHECK\n"); exit(0);} 138EOF 139 c++ -fsanitize=address -fpie -pie -o test test.cpp 140 paxctl +a test 141 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-buffer-overflow" ./test 142} 143 144heap_overflow32_body() { 145 # check whether this arch is 64bit 146 if ! c++ -dM -E - < /dev/null | fgrep -q _LP64; then 147 atf_skip "this is not a 64 bit architecture" 148 fi 149 if ! c++ -m32 -dM -E - < /dev/null 2>/dev/null > ./def32; then 150 atf_skip "c++ -m32 not supported on this architecture" 151 else 152 if fgrep -q _LP64 ./def32; then 153 atf_fail "c++ -m32 does not generate netbsd32 binaries" 154 fi 155fi 156 157 cat > test.cpp << EOF 158#include <stdio.h> 159#include <stdlib.h> 160#include <string.h> 161int foo(int index) { int *x = (int *)malloc(20); int res = x[index * 4]; free(x); return res;} 162int main(int argc, char **argv) {foo(argc + 19); printf("CHECK\n"); exit(0);} 163EOF 164 c++ -fsanitize=address -o ho32 -m32 test.cpp 165 c++ -fsanitize=address -o ho64 test.cpp 166 file -b ./ho32 > ./ftype32 167 file -b ./ho64 > ./ftype64 168 if diff ./ftype32 ./ftype64 >/dev/null; then 169 atf_fail "generated binaries do not differ" 170 fi 171 echo "32bit binaries on this platform are:" 172 cat ./ftype32 173 echo "While native (64bit) binaries are:" 174 cat ./ftype64 175 paxctl +a ho32 176 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-buffer-overflow" ./ho32 177 178# and another test with profile 32bit binaries 179 cat > test.cpp << EOF 180#include <stdio.h> 181#include <stdlib.h> 182#include <string.h> 183int foo(int index) { int *x = (int *)malloc(20); int res = x[index * 4]; free(x); return res;} 184int main(int argc, char **argv) {foo(argc + 19); printf("CHECK\n"); exit(0);} 185EOF 186 c++ -o test -m32 -fsanitize=address -pg test.cpp 187 paxctl +a test 188 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-buffer-overflow" ./test 189} 190 191target_not_supported_body() 192{ 193 atf_skip "Target is not supported" 194} 195 196atf_init_test_cases() 197{ 198 test_target 199 test $SUPPORT = 'n' && { 200 atf_add_test_case target_not_supported 201 return 0 202 } 203 204 atf_add_test_case heap_overflow 205# atf_add_test_case heap_overflow_profile 206 atf_add_test_case heap_overflow_pic 207 atf_add_test_case heap_overflow_pie 208# atf_add_test_case heap_overflow32 209 # static option not supported 210 # -static and -fsanitize=address can't be used together for compilation 211 # (gcc version 5.4.0 and clang 7.1) tested on April 2nd 2018. 212} 213