This ensures that any attempts to access memory directly after the input
buffer or delta buffer in a delta test will cause a segmentation fault.
Inspired by vsftpd.
Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
---
t/helper/test-delta.c | 78 +++++++++++++++++++++++++++++--------------
1 file changed, 53 insertions(+), 25 deletions(-)
diff --git a/t/helper/test-delta.c b/t/helper/test-delta.c
index 34c725924..64d0ec902 100644
--- a/t/helper/test-delta.c
+++ b/t/helper/test-delta.c
@@ -16,45 +16,73 @@
static const char usage_str[] =
"test-tool delta (-d|-p) <from_file> <data_file> <out_file>";
-int cmd__delta(int argc, const char **argv)
+/*
+ * We want to detect OOB reads behind the resulting buffer, even in non-ASAN
+ * builds. This helper reads some data into memory, aligns the *end* of the
+ * buffer on a page boundary, and reserves the next virtual page. This ensures
+ * that a single-byte OOB access segfaults.
+ */
+static void *map_with_adjacent_trailing_guard(const char *path,
+ unsigned long *sizep)
{
int fd;
struct stat st;
- void *from_buf, *data_buf, *out_buf;
- unsigned long from_size, data_size, out_size;
+ unsigned long page_size = getpagesize();
+ unsigned long padded_size, padding;
- if (argc != 5 || (strcmp(argv[1], "-d") && strcmp(argv[1], "-p"))) {
- fprintf(stderr, "usage: %s\n", usage_str);
- return 1;
+ fd = open(path, O_RDONLY);
+ if (fd < 0) {
+ perror(path);
+ return NULL;
}
+ if (fstat(fd, &st)) {
+ perror(path);
+ close(fd);
+ return NULL;
+ }
+ *sizep = st.st_size;
- fd = open(argv[2], O_RDONLY);
- if (fd < 0 || fstat(fd, &st)) {
- perror(argv[2]);
- return 1;
+ /* pad in front for alignment and add trailing page */
+ padded_size = ((page_size-1) + st.st_size + page_size) & ~(page_size-1);
+ padding = padded_size - (st.st_size + page_size);
+
+ char *mapping = mmap(NULL, padded_size, PROT_READ|PROT_WRITE,
+ MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+ if (mapping == MAP_FAILED ||
+ mprotect(mapping + padded_size - page_size, page_size, PROT_NONE)) {
+ perror("mmap");
+ close(fd);
+ return NULL;
}
- from_size = st.st_size;
- from_buf = mmap(NULL, from_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (from_buf == MAP_FAILED) {
- perror(argv[2]);
+ if (read_in_full(fd, mapping + padding, st.st_size) != st.st_size) {
+ perror("read_in_full");
+ munmap(mapping, padded_size);
close(fd);
- return 1;
+ return NULL;
}
+ mprotect(mapping, padded_size - page_size, PROT_READ);
close(fd);
+ return mapping + padding;
+}
- fd = open(argv[3], O_RDONLY);
- if (fd < 0 || fstat(fd, &st)) {
- perror(argv[3]);
+int cmd__delta(int argc, const char **argv)
+{
+ int fd;
+ void *from_buf, *data_buf, *out_buf;
+ unsigned long from_size, data_size, out_size;
+
+ if (argc != 5 || (strcmp(argv[1], "-d") && strcmp(argv[1], "-p"))) {
+ fprintf(stderr, "usage: %s\n", usage_str);
return 1;
}
- data_size = st.st_size;
- data_buf = mmap(NULL, data_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (data_buf == MAP_FAILED) {
- perror(argv[3]);
- close(fd);
+
+ from_buf = map_with_adjacent_trailing_guard(argv[2], &from_size);
+ if (from_buf == NULL)
+ return 1;
+
+ data_buf = map_with_adjacent_trailing_guard(argv[3], &data_size);
+ if (data_buf == NULL)
return 1;
- }
- close(fd);
if (argv[1][1] == 'd')
out_buf = diff_delta(from_buf, from_size,
--
2.19.0.rc0.228.g281dcd1b4d0-goog
