mirror of
https://github.com/RGBCube/serenity
synced 2025-07-24 17:47:43 +00:00
UserspaceEmulator: Report heap buffer overflows :^)
This commit is contained in:
parent
030edbd513
commit
80eef2c014
2 changed files with 36 additions and 4 deletions
|
@ -96,6 +96,18 @@ MallocTracer::Mallocation* MallocTracer::find_mallocation(FlatPtr address)
|
||||||
return nullptr;
|
return nullptr;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
MallocTracer::Mallocation* MallocTracer::find_mallocation_before(FlatPtr address)
|
||||||
|
{
|
||||||
|
Mallocation* found_mallocation = nullptr;
|
||||||
|
for (auto& mallocation : m_mallocations) {
|
||||||
|
if (mallocation.address >= address)
|
||||||
|
continue;
|
||||||
|
if (!found_mallocation || (mallocation.address > found_mallocation->address))
|
||||||
|
found_mallocation = &mallocation;
|
||||||
|
}
|
||||||
|
return found_mallocation;
|
||||||
|
}
|
||||||
|
|
||||||
void MallocTracer::audit_read(FlatPtr address, size_t size)
|
void MallocTracer::audit_read(FlatPtr address, size_t size)
|
||||||
{
|
{
|
||||||
if (!m_auditing_enabled)
|
if (!m_auditing_enabled)
|
||||||
|
@ -105,8 +117,18 @@ void MallocTracer::audit_read(FlatPtr address, size_t size)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
auto* mallocation = find_mallocation(address);
|
auto* mallocation = find_mallocation(address);
|
||||||
if (!mallocation)
|
|
||||||
|
if (!mallocation) {
|
||||||
|
report("\n");
|
||||||
|
report("==%d== \033[31;1mHeap buffer overflow\033[0m, invalid %zu-byte read at address %p\n", getpid(), size, address);
|
||||||
|
Emulator::the().dump_backtrace();
|
||||||
|
if ((mallocation = find_mallocation_before(address))) {
|
||||||
|
size_t offset_into_mallocation = address - mallocation->address;
|
||||||
|
report("==%d== Address is %zu byte(s) after block of size %zu, allocated at:\n", getpid(), offset_into_mallocation - mallocation->size, mallocation->size);
|
||||||
|
Emulator::the().dump_backtrace(mallocation->malloc_backtrace);
|
||||||
|
}
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
size_t offset_into_mallocation = address - mallocation->address;
|
size_t offset_into_mallocation = address - mallocation->address;
|
||||||
|
|
||||||
|
@ -114,7 +136,7 @@ void MallocTracer::audit_read(FlatPtr address, size_t size)
|
||||||
report("\n");
|
report("\n");
|
||||||
report("==%d== \033[31;1mUse-after-free\033[0m, invalid %zu-byte read at address %p\n", getpid(), size, address);
|
report("==%d== \033[31;1mUse-after-free\033[0m, invalid %zu-byte read at address %p\n", getpid(), size, address);
|
||||||
Emulator::the().dump_backtrace();
|
Emulator::the().dump_backtrace();
|
||||||
report("==%d== Address is %zu bytes into block of size %zu, allocated at:\n", getpid(), offset_into_mallocation, mallocation->size);
|
report("==%d== Address is %zu byte(s) into block of size %zu, allocated at:\n", getpid(), offset_into_mallocation, mallocation->size);
|
||||||
Emulator::the().dump_backtrace(mallocation->malloc_backtrace);
|
Emulator::the().dump_backtrace(mallocation->malloc_backtrace);
|
||||||
report("==%d== Later freed at:\n", getpid(), offset_into_mallocation, mallocation->size);
|
report("==%d== Later freed at:\n", getpid(), offset_into_mallocation, mallocation->size);
|
||||||
Emulator::the().dump_backtrace(mallocation->free_backtrace);
|
Emulator::the().dump_backtrace(mallocation->free_backtrace);
|
||||||
|
@ -131,8 +153,17 @@ void MallocTracer::audit_write(FlatPtr address, size_t size)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
auto* mallocation = find_mallocation(address);
|
auto* mallocation = find_mallocation(address);
|
||||||
if (!mallocation)
|
if (!mallocation) {
|
||||||
|
report("\n");
|
||||||
|
report("==%d== \033[31;1mHeap buffer overflow\033[0m, invalid %zu-byte write at address %p\n", getpid(), size, address);
|
||||||
|
Emulator::the().dump_backtrace();
|
||||||
|
if ((mallocation = find_mallocation_before(address))) {
|
||||||
|
size_t offset_into_mallocation = address - mallocation->address;
|
||||||
|
report("==%d== Address is %zu byte(s) after block of size %zu, allocated at:\n", getpid(), offset_into_mallocation - mallocation->size, mallocation->size);
|
||||||
|
Emulator::the().dump_backtrace(mallocation->malloc_backtrace);
|
||||||
|
}
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
size_t offset_into_mallocation = address - mallocation->address;
|
size_t offset_into_mallocation = address - mallocation->address;
|
||||||
|
|
||||||
|
@ -140,7 +171,7 @@ void MallocTracer::audit_write(FlatPtr address, size_t size)
|
||||||
report("\n");
|
report("\n");
|
||||||
report("==%d== \033[31;1mUse-after-free\033[0m, invalid %zu-byte write at address %p\n", getpid(), size, address);
|
report("==%d== \033[31;1mUse-after-free\033[0m, invalid %zu-byte write at address %p\n", getpid(), size, address);
|
||||||
Emulator::the().dump_backtrace();
|
Emulator::the().dump_backtrace();
|
||||||
report("==%d== Address is %zu bytes into block of size %zu, allocated at:\n", getpid(), offset_into_mallocation, mallocation->size);
|
report("==%d== Address is %zu byte(s) into block of size %zu, allocated at:\n", getpid(), offset_into_mallocation, mallocation->size);
|
||||||
Emulator::the().dump_backtrace(mallocation->malloc_backtrace);
|
Emulator::the().dump_backtrace(mallocation->malloc_backtrace);
|
||||||
report("==%d== Later freed at:\n", getpid(), offset_into_mallocation, mallocation->size);
|
report("==%d== Later freed at:\n", getpid(), offset_into_mallocation, mallocation->size);
|
||||||
Emulator::the().dump_backtrace(mallocation->free_backtrace);
|
Emulator::the().dump_backtrace(mallocation->free_backtrace);
|
||||||
|
|
|
@ -62,6 +62,7 @@ private:
|
||||||
};
|
};
|
||||||
|
|
||||||
Mallocation* find_mallocation(FlatPtr);
|
Mallocation* find_mallocation(FlatPtr);
|
||||||
|
Mallocation* find_mallocation_before(FlatPtr);
|
||||||
bool is_reachable(const Mallocation&) const;
|
bool is_reachable(const Mallocation&) const;
|
||||||
|
|
||||||
Vector<Mallocation> m_mallocations;
|
Vector<Mallocation> m_mallocations;
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue