Merge "Test that out-of-bounds UAF is not detected with MTE." am: fc7852b741 am: 4e122e057c

Original change: https://android-review.googlesource.com/c/platform/system/core/+/1705657 Change-Id: I90ff2584a0ced92170730c9173c31472dd87f66d
2021-05-13 03:29:30 +00:00 · 2021-05-13 03:29:30 +00:00 · 8958c32319
commit 8958c32319
parent d46c4a6c21 4e122e057c
1 changed files with 32 additions and 0 deletions
--- a/debuggerd/debuggerd_test.cpp
+++ b/debuggerd/debuggerd_test.cpp
@ -514,6 +514,38 @@ TEST_P(SizeParamCrasherTest, mte_uaf) {
 #endif
 }

+TEST_P(SizeParamCrasherTest, mte_oob_uaf) {
+#if defined(__aarch64__)
+  if (!mte_supported()) {
+    GTEST_SKIP() << "Requires MTE";
+  }
+
+  int intercept_result;
+  unique_fd output_fd;
+  StartProcess([&]() {
+    SetTagCheckingLevelSync();
+    volatile int* p = (volatile int*)malloc(GetParam());
+    free((void *)p);
+    p[-1] = 42;
+  });
+
+  StartIntercept(&output_fd);
+  FinishCrasher();
+  AssertDeath(SIGSEGV);
+  FinishIntercept(&intercept_result);
+
+  ASSERT_EQ(1, intercept_result) << "tombstoned reported failure";
+
+  std::string result;
+  ConsumeFd(std::move(output_fd), &result);
+
+  ASSERT_MATCH(result, R"(signal 11 \(SIGSEGV\))");
+  ASSERT_NOT_MATCH(result, R"(Cause: \[MTE\]: Use After Free, 4 bytes left)");
+#else
+  GTEST_SKIP() << "Requires aarch64";
+#endif
+}
+
 TEST_P(SizeParamCrasherTest, mte_overflow) {
 #if defined(__aarch64__)
  if (!mte_supported()) {