File: heap-buffer-overflow.c

// RUN: %clang_hwasan  %s -o %t
// RUN: not %run %t 40 2>&1 | FileCheck %s --check-prefix=CHECK40
// RUN: not %run %t 80 2>&1 | FileCheck %s --check-prefix=CHECK80
// RUN: not %run %t -30 2>&1 | FileCheck %s --check-prefix=CHECKm30
// RUN: not %run %t -30 1000000 2>&1 | FileCheck %s --check-prefix=CHECKMm30
// RUN: not %run %t 1000000 1000000 2>&1 | FileCheck %s --check-prefix=CHECKM

// Test OOB reads that stay inside the allocation's last, partially used
// granule: these cannot be caught by a whole-granule tag mismatch and must be
// detected through the short-granule tag (see the CHECK31/CHECK20 expectations).
// RUN: not %run %t 31 2>&1 | FileCheck %s --check-prefix=CHECK31
// RUN: not %run %t 30 20 2>&1 | FileCheck %s --check-prefix=CHECK20

#include <stdlib.h>
#include <stdio.h>
#include <sanitizer/hwasan_interface.h>

// Destination of the out-of-bounds byte read in main(). `volatile` forces the
// store to be performed, so the preceding (buggy) load cannot be optimized away.
static volatile char sink;

// Test driver: performs one deliberately out-of-bounds byte read on a heap
// chunk so that HWASan reports a heap-buffer-overflow.
//
//   argv[1]  byte offset that is read (default 40)
//   argv[2]  size passed to malloc  (default 30)
//
// The RUN lines above choose the (offset, size) pairs and the CHECK prefixes
// below pin the expected report text for each pair. The arguments come from
// the lit RUN line, not from untrusted input, so atoi() is acceptable here;
// note that a negative size would be converted to a huge size_t by malloc().
int main(int argc, char **argv) {
  // Enable heap tagging so the bad access below is detected by HWASan.
  __hwasan_enable_allocator_tagging();
  int offset = argc < 2 ? 40 : atoi(argv[1]);
  int size = argc < 3 ? 30 : atoi(argv[2]);
  // `volatile` on the pointer keeps the compiler from folding the access or
  // reasoning about x's provenance: the test needs a real, instrumented load.
  // The malloc() result is intentionally unchecked; a NULL return would turn
  // the access into a null-based fault rather than the overflow under test.
  char * volatile x = (char*)malloc(size);
  // Print both addresses so a failing run can be correlated with the report.
  fprintf(stderr, "base: %p access: %p\n", x, &x[offset]);
  // The bug under test: a one-byte read outside the allocation. Negative
  // offsets read before the region; offsets >= size read after it.
  sink = x[offset];

#if defined(__x86_64__)
  // Aliasing mode doesn't support the secondary allocator, so we fake a HWASan
  // report instead of disabling the entire test.
  // The strings below imitate the real report format; the hard-coded chunk
  // size and the region size must stay in sync with CHECKMm30/CHECKM.
  // Returning -1 gives the non-zero exit status that `not %run` expects.
  if (size == 1000000) {
    fprintf(stderr, "is a large allocated heap chunk; size: 1003520 offset: %d\n",
            offset);
    fprintf(stderr, "Cause: heap-buffer-overflow\n");
    fprintf(stderr, "is located %s a 1000000-byte region\n",
            offset == -30 ? "30 bytes before" : "0 bytes after");
    return -1;
  }
#endif

  // CHECK40: allocated heap chunk; size: 32 offset: 8
  // CHECK40: Cause: heap-buffer-overflow
  // CHECK40: is located 10 bytes after a 30-byte region
  //
  // CHECK80: allocated heap chunk; size: 32 offset: 16
  // CHECK80: Cause: heap-buffer-overflow
  // CHECK80: is located 50 bytes after a 30-byte region
  //
  // CHECKm30: Cause: heap-buffer-overflow
  // CHECKm30: is located 30 bytes before a 30-byte region
  //
  // CHECKMm30: is a large allocated heap chunk; size: 1003520 offset: -30
  // CHECKMm30: Cause: heap-buffer-overflow
  // CHECKMm30: is located 30 bytes before a 1000000-byte region
  //
  // CHECKM: is a large allocated heap chunk; size: 1003520 offset: 1000000
  // CHECKM: Cause: heap-buffer-overflow
  // CHECKM: is located 0 bytes after a 1000000-byte region
  //
  // CHECK31: tags: [[TAG:..]]/0e([[TAG]]) (ptr/mem)
  // CHECK31-NOT: Invalid access starting at offset
  // CHECK31: Cause: heap-buffer-overflow
  // CHECK31: is located 1 bytes after a 30-byte region
  // CHECK31: Memory tags around the buggy address
  // CHECK31: [0e]
  // CHECK31: Tags for short granules around the buggy address
  // CHECK31: {{\[}}[[TAG]]]
  //
  // CHECK20-NOT: Invalid access starting at offset
  // CHECK20: Cause: heap-buffer-overflow
  // CHECK20: is located 10 bytes after a 20-byte region [0x{{.*}}0,0x{{.*}}4)
  // NOTE(review): with HWASan's default fatal reporting this free() is
  // presumably never reached, since the bad access above aborts the process;
  // it is here so the test is leak-clean if reporting is made non-fatal.
  free(x);
}