LadybirdBrowser/ladybird
1
1
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2024-11-11 09:18:05 +03:00
Code Issues Packages Projects Releases Wiki Activity

crash: Remove -x and -y which do not crash (write to / read from freed memory)

Browse Source 
These do not crash the process anymore.
Fixes #4685.
This commit is contained in:
Linus Groh 2021-01-04 21:18:20 +01:00 committed by Andreas Kling
parent ce2894c95b
commit 7b9322dbc5
Notes: sideshowbarker 2024-07-19 00:07:05 +09:00 
Author: https://github.com/linusg
Commit: https://github.com/SerenityOS/serenity/commit/7b9322dbc50
Pull-request: https://github.com/SerenityOS/serenity/pull/4799
Issue: https://github.com/SerenityOS/serenity/issues/4685
1 changed files with 0 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
Userland/crash.cpp
View File

@ -117,8 +117,6 @@ int main(int argc, char** argv)
bool do_invalid_stack_pointer_on_syscall = false;
bool do_invalid_stack_pointer_on_page_fault = false;
bool do_syscall_from_writeable_memory = false;
bool do_write_to_freed_memory_still_cached_by_malloc = false;
bool do_read_from_freed_memory_still_cached_by_malloc = false;
bool do_execute_non_executable_memory = false;
bool do_trigger_user_mode_instruction_prevention = false;
bool do_use_io_instruction = false;
@ -141,8 +139,6 @@ int main(int argc, char** argv)
args_parser.add_option(do_invalid_stack_pointer_on_syscall, "Make a syscall while using an invalid stack pointer", nullptr, 'T');
args_parser.add_option(do_invalid_stack_pointer_on_page_fault, "Trigger a page fault while using an invalid stack pointer", nullptr, 't');
args_parser.add_option(do_syscall_from_writeable_memory, "Make a syscall from writeable memory", nullptr, 'S');
args_parser.add_option(do_write_to_freed_memory_still_cached_by_malloc, "Read from recently freed memory (tests an opportunistic malloc guard)", nullptr, 'x');
args_parser.add_option(do_read_from_freed_memory_still_cached_by_malloc, "Write to recently free memory (tests an opportunistic malloc guard)", nullptr, 'y');
args_parser.add_option(do_execute_non_executable_memory, "Attempt to execute non-executable memory (not mapped with PROT_EXEC)", nullptr, 'X');
args_parser.add_option(do_trigger_user_mode_instruction_prevention, "Attempt to trigger an x86 User Mode Instruction Prevention fault", nullptr, 'U');
args_parser.add_option(do_use_io_instruction, "Use an x86 I/O instruction in userspace", nullptr, 'I');
@ -294,31 +290,6 @@ int main(int argc, char** argv)
}).run(run_type);
}
if (do_read_from_freed_memory_still_cached_by_malloc || do_all_crash_types) {
Crash("Read from memory still cached by malloc", []() {
auto* ptr = (u8*)malloc(1024);
if (!ptr)
return Crash::Failure::UnexpectedError;
free(ptr);
dbgprintf("ptr = %p\n", ptr);
[[maybe_unused]] volatile auto foo = *ptr;
return Crash::Failure::DidNotCrash;
}).run(run_type);
}
if (do_write_to_freed_memory_still_cached_by_malloc || do_all_crash_types) {
Crash("Write to freed memory still cached by malloc", []() {
auto* ptr = (u8*)malloc(1024);
if (!ptr)
return Crash::Failure::UnexpectedError;
free(ptr);
dbgprintf("ptr = %p\n", ptr);
*ptr = 'x';
return Crash::Failure::DidNotCrash;
}).run(run_type);
}
if (do_execute_non_executable_memory || do_all_crash_types) {
Crash("Execute non executable memory", []() {
auto* ptr = (u8*)mmap(nullptr, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);