#include <stdlib.h>
#include <stdio.h>
#include <assert.h>
#include <string.h>
#include <stdint.h>
#include <mimalloc.h>
#include <mimalloc-override.h> // redefines malloc etc.
// Forward declarations of the fault scenarios driven from main().  Each one
// deliberately performs an invalid heap operation (double free, overflow past
// the requested size, write after free, free of a non-heap pointer) so the
// allocator's own checks can be exercised; see the call sites in main().
static void double_free1();
static void double_free2();
static void corrupt_free();
static void block_overflow1();
static void block_overflow2();
static void dangling_ptr_write();
static void invalid_free();
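// Driver: configures the default heap with extra padding, runs one of the
// fault scenarios declared above (the others are left commented out so a
// single failure mode is exercised per run), then performs a few well-formed
// allocations through both the overridden malloc/free names and the mi_*
// API, runs the leak check and prints allocator statistics.
// Returns 0; a detected heap fault is reported by mimalloc itself.
int main() {
  mi_version();
  // 200 extra bytes per block; presumably padding after the requested size so
  // that small overflows (see block_overflow1) can be detected — confirm against
  // the mimalloc documentation for mi_heap_set_extra_padding.
  mi_heap_set_extra_padding(mi_heap_get_default(), 200);
  // detect double frees and heap corruption
  // double_free1();
  // double_free2();
  // corrupt_free();
  // block_overflow1();
  // block_overflow2();
  // dangling_ptr_write();
  invalid_free();

  // mi_malloc taken by address: exercises it as an addressable function rather
  // than a direct (possibly macro-rewritten) call.
  void* (*fun_mimalloc)(size_t) = &mi_malloc;

  void* p1 = malloc(78);          // overridden name -> mimalloc
  void* p2 = fun_mimalloc(24);
  free(p1);
  p1 = mi_malloc(8);
  //char* s = strdup("hello\n");
  free(p2);
  p2 = malloc(16);
  // Keep the old pointer until realloc has succeeded: assigning the result
  // straight to p1 would leak the original block if realloc returned NULL.
  // On failure p1 still owns the old block, which is freed below.
  void* p1new = realloc(p1, 32);
  if (p1new != NULL) {
    p1 = p1new;
  }
  mi_heap_check_leak(NULL,NULL,NULL);
  free(p1);
  free(p2);
  //free(s);
  //mi_collect(true);

  /* now test if override worked by allocating/freeing across the APIs */
  //p1 = mi_malloc(32);
  //free(p1);
  //p2 = malloc(32);
  //mi_free(p2);

  mi_stats_print(NULL);
  return 0;
}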
// Fault scenario: free and realloc a pointer that never came from the
// allocator, to exercise mimalloc's handling of foreign/invalid pointers.
// Both calls are undefined behavior by construction — that is the test.
static void invalid_free() {
  free((void*)0xBADBEEF);         // not a heap pointer
  realloc((void*)0xBADBEEF,10);   // same bogus pointer, through realloc
}
// Fault scenario: a single out-of-bounds write past the end of a 17-byte
// block (valid indices are 0..16; index 18 is two bytes past the end), then
// free the block.  With the extra padding configured in main() the write
// presumably lands in the padding area, where the allocator can notice it on
// free — confirm against mimalloc's padding checks.
static void block_overflow1() {
  uint8_t* p = (uint8_t*)mi_malloc(17);
  p[18] = 0;   // heap overflow by construction
  free(p);
}
// Fault scenario: allocate 100 blocks of 17 bytes, then overflow three of
// them with memset (90 bytes into p[10] and p[40], 70 bytes into p[79] — far
// beyond the 17 requested), and finally free all blocks from the top down in
// pairs so the allocator sees the damaged blocks in a specific order.
static void block_overflow2() {
  void* p[100];
  for (int i = 0; i < 100; i++) {
    p[i] = mi_malloc(17);
  }
  memset(p[10], 0, 90);   // 73 bytes past the end of a 17-byte block
  memset(p[40], 0, 90);   // 73 bytes past the end
  memset(p[79], 0, 70);   // 53 bytes past the end
  // i runs 99, 97, ..., 1, so each iteration frees the pair (i-1, i) and the
  // i > 0 guard never fails for this loop; kept as written.
  for (int i = 99; i >= 0; i-=2) {
    if (i > 0) free(p[i - 1]);
    free(p[i]);
  }
}
// Fault scenario: 1000 times allocate a 16-byte block, free it, and then
// write through the dangling pointer (use-after-free write into the first
// byte of the freed block, which the allocator may be using for its own
// bookkeeping).
static void dangling_ptr_write() {
  for (int i = 0; i < 1000; i++) {
    uint8_t* p = (uint8_t*)mi_malloc(16);
    free(p);
    p[0] = 0;   // write after free by construction
  }
}
// The double free samples come from ArcHeap [1] by Insu Yun (issue #161)
// [1]: https://arxiv.org/pdf/1903.00503.pdf
// Fault scenario (ArcHeap sample, see the note above): allocate three large
// blocks through the mi_* API, free p[2] twice, then allocate p[3] and print
// the address ranges of p[3] and p[1] so an overlap between a live block and
// the double-freed one can be read off the output.
static void double_free1() {
  void* p[256];
  //uintptr_t buf[256];

  p[0] = mi_malloc(622616);
  p[1] = mi_malloc(655362);
  p[2] = mi_malloc(786432);
  mi_free(p[2]);
  // [VULN] Double free
  mi_free(p[2]);
  p[3] = mi_malloc(786456);
  // [BUG] Found overlap
  // p[3]=0x429b2ea2000 (size=917504), p[1]=0x429b2e42000 (size=786432)
  // (the addresses and sizes in the line above are presumably from the
  //  original report and do not match the sizes requested here; the ranges
  //  printed below use the requested sizes 786456 and 655362)
  fprintf(stderr, "p3: %p-%p, p1: %p-%p, p2: %p\n", p[3], (uint8_t*)(p[3]) + 786456, p[1], (uint8_t*)(p[1]) + 655362, p[2]);
}
// Fault scenario (ArcHeap sample, see the note above): same idea as
// double_free1 but through the overridden malloc/free names — free p[0]
// twice, allocate three more blocks, and print the ranges of p[4] and p[1]
// so an overlap can be read off the output.
static void double_free2() {
  void* p[256];
  //uintptr_t buf[256];
  // [INFO] Command buffer: 0x327b2000
  // [INFO] Input size: 182
  p[0] = malloc(712352);
  p[1] = malloc(786432);
  free(p[0]);
  // [VULN] Double free
  free(p[0]);
  p[2] = malloc(786440);
  p[3] = malloc(917504);
  p[4] = malloc(786440);
  // [BUG] Found overlap
  // p[4]=0x433f1402000 (size=917504), p[1]=0x433f14c2000 (size=786432)
  // (addresses above are presumably from the original report; note the
  //  printed label "p1:" below refers to p[4] and "p2:" to p[1])
  fprintf(stderr, "p1: %p-%p, p2: %p-%p\n", p[4], (uint8_t*)(p[4]) + 917504, p[1], (uint8_t*)(p[1]) + 786432);
}
// Try to corrupt the heap through buffer overflow
// Parameters for corrupt_free(): number of blocks allocated and the size
// requested for each; the overflow there writes SZ+32 bytes into SZ-byte blocks.
#define N 1024
#define SZ 40
// Fault scenario: allocate N blocks of SZ bytes, free every (N/10)-th one,
// then overflow every remaining block by 32 bytes so the writes spill past
// each block — presumably into neighbouring blocks, some of which are now on
// the free list.  A burst of further allocations then tries to make the
// allocator hand out a block from a corrupted free-list entry.  Nothing
// allocated here is freed afterwards (leaked by the test).
static void corrupt_free() {
  void* p[N];
  // allocate
  for (int i = 0; i < N; i++) {
    p[i] = malloc(SZ);
  }
  // free some
  for (int i = 0; i < N; i += (N/10)) {
    free(p[i]);
    p[i] = NULL;   // marks the slot so the overflow loop skips freed blocks
  }
  // try to corrupt the free list
  for (int i = 0; i < N; i++) {
    if (p[i] != NULL) {
      memset(p[i], 0, SZ+32);   // 32 bytes past the end of an SZ-byte block
    }
  }
  // allocate more.. trying to trigger an allocation from a corrupted entry
  // this may need many allocations to get there (if at all)
  for (int i = 0; i < 4*4096; i++) {
    malloc(SZ);   // result deliberately discarded
  }
}