mirror of
https://github.com/yuzu-emu/breakpad.git
synced 2024-11-24 08:35:49 +01:00
exploitability: fix buffer overflow
exploitability_linux assumed a 15 byte buffer to always be passed in as `raw_bytes` for `DisassembleBytes`. This test was passing in a 6 byte buffer. Make `DisassembleBytes` accept a length. Bug: b:235999011 Change-Id: I696c66357faa1c7d762c64009864123897f03488 Reviewed-on: https://chromium-review.googlesource.com/c/breakpad/breakpad/+/3756170 Reviewed-by: Mike Frysinger <vapier@chromium.org>
This commit is contained in:
parent
c161459d7e
commit
4d7cd09800
@ -232,6 +232,7 @@ bool ExploitabilityLinux::EndedOnIllegalWrite(uint64_t instruction_ptr) {
|
||||
char objdump_output_buffer[MAX_OBJDUMP_BUFFER_LEN] = {0};
|
||||
DisassembleBytes(architecture,
|
||||
raw_memory + offset,
|
||||
MAX_INSTRUCTION_LEN,
|
||||
MAX_OBJDUMP_BUFFER_LEN,
|
||||
objdump_output_buffer);
|
||||
|
||||
@ -483,9 +484,11 @@ bool ExploitabilityLinux::TokenizeObjdumpInstruction(const string& line,
|
||||
|
||||
bool ExploitabilityLinux::DisassembleBytes(const string& architecture,
|
||||
const uint8_t* raw_bytes,
|
||||
const unsigned int raw_bytes_len,
|
||||
const unsigned int buffer_len,
|
||||
char* objdump_output_buffer) {
|
||||
if (!raw_bytes || !objdump_output_buffer) {
|
||||
if (!raw_bytes || !objdump_output_buffer ||
|
||||
raw_bytes_len > MAX_INSTRUCTION_LEN) {
|
||||
BPLOG(ERROR) << "Bad input parameters.";
|
||||
return false;
|
||||
}
|
||||
@ -499,8 +502,7 @@ bool ExploitabilityLinux::DisassembleBytes(const string& architecture,
|
||||
unlink(raw_bytes_tmpfile);
|
||||
return false;
|
||||
}
|
||||
if (write(raw_bytes_fd, raw_bytes, MAX_INSTRUCTION_LEN)
|
||||
!= MAX_INSTRUCTION_LEN) {
|
||||
if (write(raw_bytes_fd, raw_bytes, raw_bytes_len) != raw_bytes_len) {
|
||||
BPLOG(ERROR) << "Writing of raw bytes failed.";
|
||||
unlink(raw_bytes_tmpfile);
|
||||
return false;
|
||||
|
@ -83,6 +83,7 @@ class ExploitabilityLinux : public Exploitability {
|
||||
// was a success, and the caller owns all pointers.
|
||||
static bool DisassembleBytes(const string& architecture,
|
||||
const uint8_t* raw_bytes,
|
||||
const unsigned int raw_bytes_len,
|
||||
const unsigned int MAX_OBJDUMP_BUFFER_LEN,
|
||||
char* objdump_output_buffer);
|
||||
|
||||
|
@ -30,6 +30,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <type_traits>
|
||||
#include <string>
|
||||
|
||||
#include "breakpad_googletest_includes.h"
|
||||
@ -187,13 +188,11 @@ TEST(ExploitabilityTest, TestLinuxEngine) {
|
||||
|
||||
#ifndef _WIN32
|
||||
TEST(ExploitabilityLinuxUtilsTest, DisassembleBytesTest) {
|
||||
ASSERT_FALSE(ExploitabilityLinuxTest::DisassembleBytes("", NULL, 5, NULL));
|
||||
ASSERT_FALSE(ExploitabilityLinuxTest::DisassembleBytes("", NULL, 0, 5, NULL));
|
||||
uint8_t bytes[6] = {0xc7, 0x0, 0x5, 0x0, 0x0, 0x0};
|
||||
char buffer[1024] = {0};
|
||||
ASSERT_TRUE(ExploitabilityLinuxTest::DisassembleBytes("i386:x86-64",
|
||||
bytes,
|
||||
1024,
|
||||
buffer));
|
||||
ASSERT_TRUE(ExploitabilityLinuxTest::DisassembleBytes(
|
||||
"i386:x86-64", bytes, std::extent<decltype(bytes)>::value, 1024, buffer));
|
||||
std::stringstream objdump_stream;
|
||||
objdump_stream.str(string(buffer));
|
||||
string line = "";
|
||||
|
Loading…
Reference in New Issue
Block a user