This ensures that any attempts to access memory directly after the input buffer or delta buffer in a delta test will cause a segmentation fault.
Inspired by vsftpd. Signed-off-by: Jann Horn <[email protected]> --- t/helper/test-delta.c | 78 +++++++++++++++++++++++++++++-------------- 1 file changed, 53 insertions(+), 25 deletions(-) diff --git a/t/helper/test-delta.c b/t/helper/test-delta.c index 34c725924..64d0ec902 100644 --- a/t/helper/test-delta.c +++ b/t/helper/test-delta.c @@ -16,45 +16,73 @@ static const char usage_str[] = "test-tool delta (-d|-p) <from_file> <data_file> <out_file>"; -int cmd__delta(int argc, const char **argv) +/* + * We want to detect OOB reads behind the resulting buffer, even in non-ASAN + * builds. This helper reads some data into memory, aligns the *end* of the + * buffer on a page boundary, and reserves the next virtual page. This ensures + * that a single-byte OOB access segfaults. + */ +static void *map_with_adjacent_trailing_guard(const char *path, + unsigned long *sizep) { int fd; struct stat st; - void *from_buf, *data_buf, *out_buf; - unsigned long from_size, data_size, out_size; + unsigned long page_size = getpagesize(); + unsigned long padded_size, padding; - if (argc != 5 || (strcmp(argv[1], "-d") && strcmp(argv[1], "-p"))) { - fprintf(stderr, "usage: %s\n", usage_str); - return 1; + fd = open(path, O_RDONLY); + if (fd < 0) { + perror(path); + return NULL; } + if (fstat(fd, &st)) { + perror(path); + close(fd); + return NULL; + } + *sizep = st.st_size; - fd = open(argv[2], O_RDONLY); - if (fd < 0 || fstat(fd, &st)) { - perror(argv[2]); - return 1; + /* pad in front for alignment and add trailing page */ + padded_size = ((page_size-1) + st.st_size + page_size) & ~(page_size-1); + padding = padded_size - (st.st_size + page_size); + + char *mapping = mmap(NULL, padded_size, PROT_READ|PROT_WRITE, + MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + if (mapping == MAP_FAILED || + mprotect(mapping + padded_size - page_size, page_size, PROT_NONE)) { + perror("mmap"); + close(fd); + return NULL; } - from_size = st.st_size; - from_buf = mmap(NULL, from_size, PROT_READ, MAP_PRIVATE, fd, 0); - if (from_buf == MAP_FAILED) { - perror(argv[2]); + if (read_in_full(fd, mapping + padding, st.st_size) != st.st_size) { + perror("read_in_full"); + munmap(mapping, padded_size); close(fd); - return 1; + return NULL; } + mprotect(mapping, padded_size - page_size, PROT_READ); close(fd); + return mapping + padding; +} - fd = open(argv[3], O_RDONLY); - if (fd < 0 || fstat(fd, &st)) { - perror(argv[3]); +int cmd__delta(int argc, const char **argv) +{ + int fd; + void *from_buf, *data_buf, *out_buf; + unsigned long from_size, data_size, out_size; + + if (argc != 5 || (strcmp(argv[1], "-d") && strcmp(argv[1], "-p"))) { + fprintf(stderr, "usage: %s\n", usage_str); return 1; } - data_size = st.st_size; - data_buf = mmap(NULL, data_size, PROT_READ, MAP_PRIVATE, fd, 0); - if (data_buf == MAP_FAILED) { - perror(argv[3]); - close(fd); + + from_buf = map_with_adjacent_trailing_guard(argv[2], &from_size); + if (from_buf == NULL) + return 1; + + data_buf = map_with_adjacent_trailing_guard(argv[3], &data_size); + if (data_buf == NULL) return 1; - } - close(fd); if (argv[1][1] == 'd') out_buf = diff_delta(from_buf, from_size, -- 2.19.0.rc0.228.g281dcd1b4d0-goog
