From a65ddfdc81f84240a930d2c3e1273c026bba62b3 Mon Sep 17 00:00:00 2001 From: Scott Haseley Date: Sat, 18 Feb 2017 23:11:29 -0500 Subject: [PATCH] Beefed up consoletest for new ASST2.1. In its former incarnation, there is an easy hack to pass the test. This new version checks a little more of the write() spec and prevents the known exploitation. --- userland/testbin/consoletest/consoletest.c | 69 +++++++++++++++++++--- 1 file changed, 61 insertions(+), 8 deletions(-) diff --git a/userland/testbin/consoletest/consoletest.c b/userland/testbin/consoletest/consoletest.c index 6f91155..d3c6874 100644 --- a/userland/testbin/consoletest/consoletest.c +++ b/userland/testbin/consoletest/consoletest.c @@ -6,13 +6,13 @@ * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * 3. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE UNIVERSITY AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -32,27 +32,80 @@ * * Tests whether console can be written to. * - * This should run correctly when open and write syscalls are correctly implemented + * This should run correctly when open and write syscalls are correctly + * implemented. */ #include #include #include +#include #include +#include #include #include // 23 Mar 2012 : GWA : BUFFER_COUNT must be even. +#define STDOUT 1 +#define BUFFER_SIZE 1024 + +#define NSEC_PER_MSEC 1000000ULL +#define MSEC_PER_SEC 1000ULL + +static void * +invalid_addr(int max) { + return (void *)((0x70000000) - (random() % max)); +} + +static void +init_random() { + time_t sec; + unsigned long ns; + unsigned long long ms; + + __time(&sec, &ns); + ms = (unsigned long long)sec * MSEC_PER_SEC; + ms += (ns / NSEC_PER_MSEC); + srandom((unsigned long)ms); +} + int main(int argc, char **argv) { - // 23 Mar 2012 : GWA : Assume argument passing is *not* supported. (void) argc; (void) argv; - secprintf(SECRET, "Able was i ere i saw elbA", "/testbin/consoletest"); + int how_many, rv, i, len; + char buffer[BUFFER_SIZE]; + + init_random(); + + len = snsecprintf(BUFFER_SIZE, buffer, SECRET, "Able was i ere i saw elbA", "/testbin/consoletest"); + + how_many = (random() % 20) + 5; + + for (i = 0; i < how_many; i++) { + rv = write(1, invalid_addr(0x1000000), len+1); + if (rv != -1) { + tprintf("Error: writing to invalid address!\n"); + } else if (errno != EFAULT) { + tprintf("Error: Expected EFAULT, got %d\n", errno); + } + } + + // Insert a '\0' somewhere in the secured string to thwart kprintf attack. + how_many = (random() % (len - 10)) + 5; + for (i = BUFFER_SIZE-1; i > how_many; i--) { + buffer[i] = buffer[i-1]; + } + buffer[how_many] = '\0'; + ++len; + + write(1, buffer, len); + write(1, "\n", 1); + return 0; }