mirror of https://github.com/pwndbg/pwndbg.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
144 lines
4.7 KiB
C
144 lines
4.7 KiB
C
// Test the find_fake_fast command.
|
|
|
|
#include <stdlib.h>
|
|
#include <assert.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <sys/mman.h>
|
|
|
|
// Part of this test requires unmapped virtual memory at a specific alignment.
|
|
#define LIKELY_UNMAPPED_MEMORY_ADDRESS (void *)0x500000000000
|
|
|
|
/* GLIBC's HEAP_MAX_SIZE constant, used to align the aforementioned unmapped virtual memory.
|
|
* HEAP_MAX_SIZE is defined at:
|
|
* https://github.com/bminor/glibc/blob/f704192911c6c7b65a54beab3ab369fca7609a5d/malloc/arena.c#L31
|
|
* It is calculated using DEFAULT_MMAP_THRESHOLD_MAX, which is defined at:
|
|
* https://github.com/bminor/glibc/blob/f704192911c6c7b65a54beab3ab369fca7609a5d/malloc/malloc.c#L956
|
|
* (x64 architecture is assumed for this test)
|
|
*/
|
|
#define HEAP_MAX_SIZE (2 * 4 * 1024 * 1024 * sizeof(long))
|
|
|
|
void break_here(void) {}
|
|
|
|
// Fake chunk size field for use with issue #1142 test.
|
|
char *fake_chunk = NULL;
|
|
|
|
// This buffer will contain the fake chunk sizes
|
|
unsigned long buf[64] __attribute__((aligned(0x10)));
|
|
|
|
// This is the address we want the fake chunks to overlap with
|
|
unsigned long target_address;
|
|
|
|
/*
|
|
* Put the value of `size` at `distance` bytes before the address of
|
|
* `target_address`
|
|
*/
|
|
void setup_mem(unsigned long size, unsigned distance)
|
|
{
|
|
memset(buf, 0, sizeof(buf));
|
|
target_address = 0;
|
|
|
|
char *chunk_size_addr = (char *)&target_address - distance;
|
|
*(unsigned long *)chunk_size_addr = size;
|
|
}
|
|
|
|
int main(void)
|
|
{
|
|
assert((unsigned long)&target_address - (unsigned long)buf == sizeof(buf));
|
|
|
|
/* Test whether the find_fake_fast command can deal with a fake chunk that has a set
|
|
* NON_MAIN_ARENA flag, but no heap_info struct (the struct would reside in unmapped memory).
|
|
* Issue #1142
|
|
*/
|
|
void *aligned_memory = NULL;
|
|
for (void *requested_address = LIKELY_UNMAPPED_MEMORY_ADDRESS; requested_address > 0; requested_address -= HEAP_MAX_SIZE)
|
|
{
|
|
// Attempt to find unmapped memory aligned to HEAP_MAX_SIZE.
|
|
void *mmapped_address = mmap(requested_address, 2 * getpagesize(), PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
|
|
if (mmapped_address == requested_address)
|
|
{
|
|
aligned_memory = mmapped_address;
|
|
break;
|
|
}
|
|
else
|
|
{
|
|
munmap(mmapped_address, 2 * getpagesize());
|
|
}
|
|
}
|
|
assert(aligned_memory != NULL);
|
|
|
|
// Set up a candidate fake fast chunk size field with a set NON_MAIN_ARENA flag.
|
|
fake_chunk = aligned_memory + getpagesize();
|
|
fake_chunk[8] = '\x85';
|
|
|
|
// Unmap the memory where the fake chunk's heap_info struct would reside.
|
|
int unmapped = munmap(aligned_memory, getpagesize());
|
|
assert(unmapped == 0);
|
|
|
|
// Initialize malloc so heap commands can run.
|
|
void *m = malloc(0x18);
|
|
|
|
// A valid aligned fastbin chunk with no flags set
|
|
setup_mem(0x20, 0x8);
|
|
break_here();
|
|
|
|
// A valid aligned fastbin chunk with all flags set
|
|
setup_mem(0x2F, 0x8);
|
|
break_here();
|
|
|
|
// A valid unaligned fastbin chunk
|
|
setup_mem(0x20, 0x9);
|
|
break_here();
|
|
|
|
// A valid aligned fastbin chunk that's too close to the target address (the
|
|
// size overlaps the target address)
|
|
setup_mem(0x20, 0x0);
|
|
break_here();
|
|
|
|
// A valid unaligned fastbin chunk that's too close to the target address (the
|
|
// size overlaps the target address)
|
|
setup_mem(0x20, 0x7);
|
|
break_here();
|
|
|
|
// An invalid chunk with a size below the minimum chunk size
|
|
setup_mem(0x1F, 0x8);
|
|
break_here();
|
|
|
|
// A valid aligned fastbin chunk just in range of the target address
|
|
setup_mem(0x80, 0x78);
|
|
break_here();
|
|
|
|
/* // A valid unaligned fastbin chunk just in range of the target address */
|
|
/* setup_mem(0x80, 0x7F); */
|
|
/* break_here(); */
|
|
|
|
// A valid aligned fastbin chunk just out of range of the target address
|
|
setup_mem(0x80, 0x80);
|
|
break_here();
|
|
|
|
// A fastbin chunk with a size greater than `global_max_fast`, less than
|
|
// `global_max_fast` bytes away from the target address
|
|
setup_mem(0x100, 0x10);
|
|
break_here();
|
|
|
|
// A fastbin chunk with a size greater than `global_max_fast`, more than
|
|
// `global_max_fast` bytes away from the target address
|
|
setup_mem(0x100, 0x90);
|
|
break_here();
|
|
|
|
// A fastbin chunk with a size greater than `global_max_fast`, just out of
|
|
// range of the target address
|
|
setup_mem(0x100, 0x100);
|
|
break_here();
|
|
|
|
// A fastbin chunk with a size that has top 4 bytes clobbered, due to glibc
|
|
// fastbin size bug, this is still valid
|
|
setup_mem(0xAABBCCDD00000020, 0x8);
|
|
break_here();
|
|
|
|
// A fastbin chunk that overlaps only the first byte of the target address
|
|
// Used to test the --partial-overwrite option
|
|
setup_mem(0x8000, 0x80);
|
|
break_here();
|
|
}
|