forked from andreafioraldi/asan-giovese
-
Notifications
You must be signed in to change notification settings - Fork 0
/
test.c
128 lines (90 loc) · 2.79 KB
/
test.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
// Required definitions
#include <stdint.h>
typedef uintptr_t target_ulong;
#define h2g(x) (x)
#define g2h(x) (x)
// Include the impl
#include "asan-giovese-inl.h"
// Test-only headers
#include "pmparser.h"
#include <stdio.h>
target_ulong get_pc() {
return (target_ulong)__builtin_return_address(0);
}
void asan_giovese_populate_context(struct call_context* ctx, target_ulong pc) {
ctx->addresses = calloc(sizeof(void*), 16);
int i;
ctx->size = 1;
ctx->tid = 0;
ctx->addresses[0] = pc;
for (i = 1; i < 16; ++i) {
switch (i - 1) {
\
#define _RA_CASE(x) \
case x: ctx->addresses[i] = (target_ulong)__builtin_return_address(x); break;
_RA_CASE(0)
_RA_CASE(1)
_RA_CASE(2)
_RA_CASE(3)
_RA_CASE(4)
_RA_CASE(5)
_RA_CASE(6)
_RA_CASE(7)
_RA_CASE(8)
_RA_CASE(9)
_RA_CASE(10)
_RA_CASE(11)
_RA_CASE(12)
_RA_CASE(13)
_RA_CASE(14)
}
if (ctx->addresses[i] && (uintptr_t)ctx->addresses[i] < 0x7fffffffffff)
++ctx->size;
else
break;
}
}
char* asan_giovese_printaddr(target_ulong guest_addr) {
procmaps_iterator* maps = pmparser_parse(-1);
procmaps_struct* maps_tmp = NULL;
uintptr_t a = (uintptr_t)guest_addr;
while ((maps_tmp = pmparser_next(maps)) != NULL) {
if (a >= (uintptr_t)maps_tmp->addr_start &&
a < (uintptr_t)maps_tmp->addr_end) {
size_t l = strlen(maps_tmp->pathname) + 32;
char* s = malloc(l);
snprintf(s, l, " (%s+0x%lx)", maps_tmp->pathname,
a - (uintptr_t)maps_tmp->addr_start);
pmparser_free(maps);
return s;
}
}
pmparser_free(maps);
return NULL;
}
char data[1000];
int main() {
asan_giovese_init();
asan_giovese_poison_region((target_ulong)data, 16, ASAN_HEAP_LEFT_RZ);
asan_giovese_poison_region((target_ulong)&data[16 + 10], 16 + 6,
ASAN_HEAP_RIGHT_RZ);
struct call_context* ctx = calloc(sizeof(struct call_context), 1);
asan_giovese_populate_context(ctx, get_pc());
asan_giovese_alloc_insert((target_ulong)&data[16],
(target_ulong)&data[16 + 10], ctx);
asan_giovese_poison_region((target_ulong)&data[16], 16, ASAN_HEAP_FREED);
struct chunk_info* ckinfo =
asan_giovese_alloc_search((target_ulong)&data[16]);
if (ckinfo) {
ckinfo->free_ctx = calloc(sizeof(struct call_context), 1);
asan_giovese_populate_context(ckinfo->free_ctx, get_pc());
}
target_ulong pc = get_pc();
register target_ulong sp asm("rsp");
register target_ulong bp asm("rbp");
const int IDX = 18;
printf("<test> accessing %p\n", &data[IDX]);
if (asan_giovese_loadN((target_ulong)&data[IDX], 11))
asan_giovese_report_and_crash(ACCESS_TYPE_LOAD, (target_ulong)&data[IDX],
11, pc, bp, sp);
}