# HG changeset patch
# User Tassilo Philipp
# Date 1655715860 -7200
# Node ID a6d00ee46731371ec3afe556bd75482bdf6ba9ff
# Parent 917d5d2138150ebb4f0ae8ac9d3d6bdd8c64eeb1
- dyncallback test: added aggregate arg bounds check
diff -r 917d5d213815 -r a6d00ee46731 test/callback_suite_aggrs/globals.c
--- a/test/callback_suite_aggrs/globals.c Tue May 31 19:59:10 2022 +0200
+++ b/test/callback_suite_aggrs/globals.c Mon Jun 20 11:04:20 2022 +0200
@@ -85,8 +85,8 @@
 K_p[i] = (void*)(long) (((rand_d()-0.5)*2) * (1LL<<(sizeof(void*)*8-1)));
 K_f[i] = (float) (rand_d() * FLT_MAX);
 K_d[i] = (double) (((rand_d()-0.5)*2) * DBL_MAX);
-K_a[i] = malloc(maxaggrsize+AGGR_MISALIGN);
-rand_mem__fp_friendly(K_a[i], maxaggrsize+AGGR_MISALIGN);
+K_a[i] = malloc(maxaggrsize+AGGR_MISALIGN+AGGR_BND_CHECK_PAD);
+rand_mem__fp_friendly(K_a[i], maxaggrsize+AGGR_MISALIGN+AGGR_BND_CHECK_PAD);
 K_a[i] = (char*)K_a[i]+AGGR_MISALIGN;
 }
 }
@@ -103,8 +103,8 @@
 #define X(CH,T) V_##CH[i] = (T) 0;
 DEF_TYPES
 #undef X
-V_a[i] = malloc(maxaggrsize+AGGR_MISALIGN);
-memset(V_a[i], 0, maxaggrsize+AGGR_MISALIGN);
+V_a[i] = malloc(maxaggrsize+AGGR_MISALIGN+AGGR_BND_CHECK_PAD);
+memset(V_a[i], 0, maxaggrsize+AGGR_MISALIGN+AGGR_BND_CHECK_PAD);
 V_a[i] = (char*)V_a[i]+AGGR_MISALIGN;
 }
 aggr_init = 1;
diff -r 917d5d213815 -r a6d00ee46731 test/callback_suite_aggrs/globals.h
--- a/test/callback_suite_aggrs/globals.h Tue May 31 19:59:10 2022 +0200
+++ b/test/callback_suite_aggrs/globals.h Mon Jun 20 11:04:20 2022 +0200
@@ -56,3 +56,7 @@
 void clear_V();
 int get_max_aggr_size();
+
+/* guaranteed post-aggr space to use for bounds checking */
+#define AGGR_BND_CHECK_PAD 4
+
diff -r 917d5d213815 -r a6d00ee46731 test/callback_suite_aggrs/main.c
--- a/test/callback_suite_aggrs/main.c Tue May 31 19:59:10 2022 +0200
+++ b/test/callback_suite_aggrs/main.c Mon Jun 20 11:04:20 2022 +0200
@@ -68,10 +68,11 @@
 const char* sig = signature;
 int pos = 0;
 int s = 0;
+int do_bndck = 1;
 while ( (atype = *sig) != '\0') {
 switch(atype) {
-case '_': sig += 2; /* skip cconv prefix */ continue;
-case ')': ++sig; /* skip ret type separator */ continue;
+case '_': sig += 2; /* skip cconv prefix */ continue;
+case ')': ++sig; /* skip ret type separator */ do_bndck = 0; /* no bounds check on retval */ continue;
 case 'v': s = (sig > signature) && sig[-1] == ')'; /* assure this was the return type */ break; /*TODO:check that no return-arg was touched.*/
 case 'B': s = ( V_B[pos] == K_B[pos] ); if (!s) printf("'%c':%d: %d != %d ; ", atype, pos, V_B[pos], K_B[pos]); break;
 case 'c': s = ( V_c[pos] == K_c[pos] ); if (!s) printf("'%c':%d: %d != %d ; ", atype, pos, V_c[pos], K_c[pos]); break;
@@ -91,11 +92,20 @@
 case '{': /* struct */
 {
 /* no check: guaranteed to exist, or invoke func would've exited when passing args, above */
-int len;
+int len, bndck_i;
 int i = find_agg_idx(&len, sig);
 s = ((int(*)(const void*,const void*))G_agg_cmpfuncs[i])(V_a[pos], K_a[pos]);
 if (!s) printf("'%c':%d: *%p != *%p ; ", atype, pos, V_a[pos], K_a[pos]);
 sig += len-1; /* advance to next arg char; -1 to compensate for ++sig, below */
+
+/* bounds check */
+for(bndck_i = 0; do_bndck && bndck_i < AGGR_BND_CHECK_PAD; ++bndck_i) {
+if(((unsigned char*)V_a[pos] + G_agg_sizes[i])[bndck_i] != 0xab) {
+printf("'%c':%d: buffer overflow retrieving aggr arg, target buffer of size %d too small; ", atype, pos, G_agg_sizes[i]);
+s = 0;
+}
+}
+
 break;
 }
 default: printf("unknown atype '%c' ; ", atype); return 0;
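Review bot: The bounds-check loop in the `case '{'` block prints the overflow diagnostic once for every mismatching pad byte, so one overrun can emit the same line up to AGGR_BND_CHECK_PAD times; adding `break;` directly after `s = 0;` reports it once per argument. The fill byte `0xab` is also a bare literal both in this comparison and in the `memset` added in the main.c hunk at -137,7, so a single shared definition such as `#define AGGR_BND_CHECK_FILL 0xab` next to AGGR_BND_CHECK_PAD in globals.h would keep the initializer and the checker from drifting apart. Because only the AGGR_BND_CHECK_PAD bytes right after G_agg_sizes[i] are inspected, an overrun that happens to leave those bytes equal to the fill value is not detected; that is a reasonable trade-off for a test, but a short comment above the loop stating it would help the next reader. The enclosing function starts and ends outside this hunk.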
@@ -137,7 +147,12 @@
 case DC_SIGCHAR_DOUBLE: V_d[pos] = dcbArgDouble (input); break;
 case DC_SIGCHAR_STRING:
 case DC_SIGCHAR_POINTER: V_p[pos] = dcbArgPointer (input); break;
-case DC_SIGCHAR_AGGREGATE: dcbArgAggr (input, V_a[pos]); break;
+case DC_SIGCHAR_AGGREGATE:
+/* bounds check init */
+memset(V_a[pos], 0xab, get_max_aggr_size() + AGGR_BND_CHECK_PAD);
+dcbArgAggr(input, V_a[pos]);
+break;
+
 case DC_SIGCHAR_CC_PREFIX: ++signature; /* skip cconv prefix */ continue;
 default: assert(0);
 }
@@ -213,7 +228,7 @@
 printf("unknown aggr sig at '%s' ;", signature);
 return 0;
 }
-dc_sig[len_sig++] = 'A';
+dc_sig[len_sig++] = DC_SIGCHAR_AGGREGATE;
 dc_aggrs[n_aggrs++] = ((DCaggr*(*)())G_agg_touchAfuncs[i])();
 signature += len; /* advance to next arg char */
 break;
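Review bot: The `memset` length `get_max_aggr_size() + AGGR_BND_CHECK_PAD` in the DC_SIGCHAR_AGGREGATE case is only in bounds because globals.c allocates `maxaggrsize+AGGR_MISALIGN+AGGR_BND_CHECK_PAD` and then advances V_a[i] by exactly AGGR_MISALIGN; that coupling lives in another file and is not stated here. A comment replacing `/* bounds check init */` along the lines of `/* fill aggr slot plus AGGR_BND_CHECK_PAD with a sentinel; V_a[pos] has max_aggr_size+PAD bytes past its misalignment offset (see init in globals.c) */` would make the invariant visible where it is relied upon. The enclosing switch and function continue outside this hunk.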