Beefed up consoletest for new ASST2.1. In its former incarnation, there
is an easy hack to pass the test. This new version checks a little more of the write() spec and prevents the known exploitation.
This commit is contained in:
Scott Haseley
parent
dbb57b2826
commit
a65ddfdc81
@ -32,27 +32,80 @@
|
||||
*
|
||||
* Tests whether console can be written to.
|
||||
*
|
||||
* This should run correctly when open and write syscalls are correctly implemented
|
||||
* This should run correctly when open and write syscalls are correctly
|
||||
* implemented.
|
||||
*/
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#include <err.h>
|
||||
#include <test161/test161.h>
|
||||
|
||||
// 23 Mar 2012 : GWA : BUFFER_COUNT must be even.
|
||||
|
||||
#define STDOUT 1
|
||||
#define BUFFER_SIZE 1024
|
||||
|
||||
#define NSEC_PER_MSEC 1000000ULL
|
||||
#define MSEC_PER_SEC 1000ULL
|
||||
|
||||
static void *
|
||||
invalid_addr(int max) {
|
||||
return (void *)((0x70000000) - (random() % max));
|
||||
}
|
||||
|
||||
static void
|
||||
init_random() {
|
||||
time_t sec;
|
||||
unsigned long ns;
|
||||
unsigned long long ms;
|
||||
|
||||
__time(&sec, &ns);
|
||||
ms = (unsigned long long)sec * MSEC_PER_SEC;
|
||||
ms += (ns / NSEC_PER_MSEC);
|
||||
srandom((unsigned long)ms);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
|
||||
// 23 Mar 2012 : GWA : Assume argument passing is *not* supported.
|
||||
|
||||
(void) argc;
|
||||
(void) argv;
|
||||
|
||||
secprintf(SECRET, "Able was i ere i saw elbA", "/testbin/consoletest");
|
||||
int how_many, rv, i, len;
|
||||
char buffer[BUFFER_SIZE];
|
||||
|
||||
init_random();
|
||||
|
||||
len = snsecprintf(BUFFER_SIZE, buffer, SECRET, "Able was i ere i saw elbA", "/testbin/consoletest");
|
||||
|
||||
how_many = (random() % 20) + 5;
|
||||
|
||||
for (i = 0; i < how_many; i++) {
|
||||
rv = write(1, invalid_addr(0x1000000), len+1);
|
||||
if (rv != -1) {
|
||||
tprintf("Error: writing to invalid address!\n");
|
||||
} else if (errno != EFAULT) {
|
||||
tprintf("Error: Expected EFAULT, got %d\n", errno);
|
||||
}
|
||||
}
|
||||
|
||||
// Insert a '\0' somewhere in the secured string to thwart kprintf attack.
|
||||
how_many = (random() % (len - 10)) + 5;
|
||||
for (i = BUFFER_SIZE-1; i > how_many; i--) {
|
||||
buffer[i] = buffer[i-1];
|
||||
}
|
||||
buffer[how_many] = '\0';
|
||||
++len;
|
||||
|
||||
write(1, buffer, len);
|
||||
write(1, "\n", 1);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user