t_asan_uaf.sh revision 1.1
1# $NetBSD: t_asan_uaf.sh,v 1.1 2018/04/04 23:53:26 kamil Exp $ 2# 3# Copyright (c) 2018 The NetBSD Foundation, Inc. 4# All rights reserved. 5# 6# This code is derived from software contributed to The NetBSD Foundation 7# by Siddharth Muralee. 8# 9# Redistribution and use in source and binary forms, with or without 10# modification, are permitted provided that the following conditions 11# are met: 12# 1. Redistributions of source code must retain the above copyright 13# notice, this list of conditions and the following disclaimer. 14# 2. Redistributions in binary form must reproduce the above copyright 15# notice, this list of conditions and the following disclaimer in the 16# documentation and/or other materials provided with the distribution. 17# 18# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28# POSSIBILITY OF SUCH DAMAGE. 29# 30 31SUPPORT='n' 32test_target() { 33 if uname -m | grep -q "amd64"; then 34 SUPPORT='y' 35 fi 36 37 if uname -m | grep -q "i386"; then 38 SUPPORT='y' 39 fi 40} 41 42atf_test_case uaf 43uaf_head() { 44 atf_set "descr" "compile and run \"Use After Free example\"" 45 atf_set "require.progs" "c++ paxctl" 46} 47 48atf_test_case uaf_profile 49uaf_profile_head() { 50 atf_set "descr" "compile and run \"Use After Free example\" with profiling option" 51 atf_set "require.progs" "c++ paxctl" 52} 53 54atf_test_case uaf_pic 55uaf_pic_head() { 56 atf_set "descr" "compile and run PIC \"Use After Free example\"" 57 atf_set "require.progs" "c++ paxctl" 58} 59 60atf_test_case uaf_pie 61uaf_pie_head() { 62 atf_set "descr" "compile and run position independent (PIE) \"Use After Free example\"" 63 atf_set "require.progs" "c++ paxctl" 64} 65 66atf_test_case uaf32 67uaf32_head() { 68 atf_set "descr" "compile and run \"Use After Free example\" for/in netbsd32 emulation" 69 atf_set "require.progs" "c++ paxctl file diff cat" 70} 71 72atf_test_case target_not_supported 73target_not_supported_head() 74{ 75 atf_set "descr" "Test forced skip" 76} 77 78uaf_body() { 79 cat > test.cpp << EOF 80#include <stdlib.h> 81#include <stdio.h> 82int foo() {int *x = (int *)malloc(10 * sizeof(int)); free(x); return x[0];} 83int main() {foo(); printf("CHECK\n"); exit(0);} 84EOF 85 c++ -fsanitize=address -o test test.cpp 86 paxctl -a test 87 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-use-after-free" ./test 88} 89 90uaf_profile_body() { 91 cat > test.cpp << EOF 92#include <stdlib.h> 93#include <stdio.h> 94int foo() {int *x = (int *)malloc(10 * sizeof(int)); free(x); return x[0];} 95int main() {foo(); printf("CHECK\n"); exit(0);} 96EOF 97 c++ -fsanitize=address -o test -pg test.cpp 98 paxctl +a test 99 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-use-after-free" ./test 100} 101 102uaf_pic_body() { 103 cat > test.cpp << EOF 104#include <stdlib.h> 105#include <stdio.h> 106int foo(); 107int main() {foo(); printf("CHECK\n"); exit(0);} 108EOF 109 cat > pic.cpp << EOF 110#include <stdlib.h> 111#include <stdio.h> 112int foo() {int *x = (int *)malloc(10 * sizeof(int)); free(x); return x[0];} 113EOF 114 115 c++ -fPIC -fsanitize=address -shared -o libtest.so pic.cpp 116 c++ -o test test.cpp -fsanitize=address -L. -ltest 117 paxctl +a test 118 119 export LD_LIBRARY_PATH=. 120 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-use-after-free" ./test 121} 122 123uaf_pie_body() { 124 # check whether this arch supports -pice 125 if ! c++ -pie -dM -E - < /dev/null 2>/dev/null >/dev/null; then 126 atf_set_skip "c++ -pie not supported on this architecture" 127 fi 128 cat > test.cpp << EOF 129#include <stdlib.h> 130#include <stdio.h> 131int foo() {int *x = (int *)malloc(10 * sizeof(int)); free(x); return x[0];} 132int main() {foo(); printf("CHECK\n"); exit(0);} 133EOF 134 c++ -fsanitize=address -fpie -pie -o test test.cpp 135 paxctl +a test 136 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-use-after-free" ./test 137} 138 139uaf32_body() { 140 # check whether this arch is 64bit 141 if ! c++ -dM -E - < /dev/null | fgrep -q _LP64; then 142 atf_skip "this is not a 64 bit architecture" 143 fi 144 if ! c++ -m32 -dM -E - < /dev/null 2>/dev/null > ./def32; then 145 atf_skip "c++ -m32 not supported on this architecture" 146 else 147 if fgrep -q _LP64 ./def32; then 148 atf_fail "c++ -m32 does not generate netbsd32 binaries" 149 fi 150fi 151 152 cat > test.cpp << EOF 153#include <stdlib.h> 154#include <stdio.h> 155int foo() {int *x = (int *)malloc(10 * sizeof(int)); free(x); return x[0];} 156int main() {foo(); printf("CHECK\n"); exit(0);} 157EOF 158 c++ -fsanitize=address -o uaf32 -m32 test.cpp 159 c++ -fsanitize=address -o uaf64 test.cpp 160 file -b ./uaf32 > ./ftype32 161 file -b ./uaf64 > ./ftype64 162 if diff ./ftype32 ./ftype64 >/dev/null; then 163 atf_fail "generated binaries do not differ" 164 fi 165 echo "32bit binaries on this platform are:" 166 cat ./ftype32 167 echo "While native (64bit) binaries are:" 168 cat ./ftype64 169 paxctl +a uaf32 170 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-use-after-free" ./uaf32 171 172# and another test with profile 32bit binaries 173 cat > test.cpp << EOF 174#include <stdlib.h> 175#include <stdio.h> 176int foo() {int *x = (int *)malloc(10 * sizeof(int)); free(x); return x[0];} 177int main() {foo(); printf("CHECK\n"); exit(0);} 178EOF 179 c++ -o test -m32 -fsanitize=address -pg test.cpp 180 paxctl +a test 181 atf_check -s not-exit:0 -o not-match:"CHECK\n" -e match:"heap-use-after-free" ./test 182} 183 184target_not_supported_body() 185{ 186 atf_skip "Target is not supported" 187} 188 189atf_init_test_cases() 190{ 191 test_target 192 test $SUPPORT = 'n' && { 193 atf_add_test_case target_not_supported 194 return 0 195 } 196 197 atf_add_test_case uaf 198 atf_add_test_case uaf_profile 199 atf_add_test_case uaf_pic 200 atf_add_test_case uaf_pie 201 atf_add_test_case uaf32 202 # static option not supported 203 # -static and -fsanitize=address can't be used together for compilation 204 # (gcc version 5.4.0 and clang 7.1) tested on April 2nd 2018. 205} 206