-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtest_mte_stackNew.cpp
161 lines (136 loc) · 5.64 KB
/
test_mte_stackNew.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <cstdlib>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/types.h>
/*
* From arch/arm64/include/uapi/asm/hwcap.h
*/
#define HWCAP2_MTE (1 << 18)
/*
* From arch/arm64/include/uapi/asm/mman.h
*/
#define PROT_MTE 0x20
/*
* From include/uapi/linux/prctl.h
*/
#define PR_SET_TAGGED_ADDR_CTRL 55
#define PR_GET_TAGGED_ADDR_CTRL 56
# define PR_TAGGED_ADDR_ENABLE (1UL << 0)
# define PR_MTE_TCF_SHIFT 1
# define PR_MTE_TCF_NONE (0UL << PR_MTE_TCF_SHIFT)
# define PR_MTE_TCF_SYNC (1UL << PR_MTE_TCF_SHIFT)
# define PR_MTE_TCF_ASYNC (2UL << PR_MTE_TCF_SHIFT)
# define PR_MTE_TCF_MASK (3UL << PR_MTE_TCF_SHIFT)
# define PR_MTE_TAG_SHIFT 3
# define PR_MTE_TAG_MASK (0xffffUL << PR_MTE_TAG_SHIFT)
#define INT_TAG_SUBTRACT_ONE 0x0040000000000000 // to subtract 1 from tag of an int*
__attribute__((constructor)) void prep_main_stack(int argc, char **argv) {
printf("####### EXECUTING prep_main_stack function!!!! \n");
prctl(PR_SET_TAGGED_ADDR_CTRL,
PR_TAGGED_ADDR_ENABLE | PR_MTE_TCF_SYNC |
(0xfffe << PR_MTE_TAG_SHIFT),
0, 0, 0);
mprotect((void *)(((unsigned long)argv) & ~0xFFF), 4096,
PROT_READ | PROT_WRITE | PROT_MTE | PROT_GROWSDOWN); // page
}
// ATTACK as per in paper [Listing 9]:
void src_code(int ind,long delta,int val)
{
printf("IN src_code!!! Inputs: %i, %li, %i \n", ind, delta, val);
int arr1[12] = {0};
int arr2[8];
int* a = arr2 - delta;
if (reinterpret_cast<long>(a) <= 0xffffffffffffff )
a += 15*delta;
printf("arr1: %p, arr2: %p, a: %p , about to access a[%i] \n", arr1, arr2, a, ind);
// arr2 -= delta;
a[ind] = val; // this does NOT throw any seg fault.
// printing just to check that the overwrite worked.
for (int i = 0; i < 12; i++)
printf("arr1[%i] : %i , ", i, arr1[i]);
}
void test_code(long delta, int val)
{
int arr1[12] = {0};
int arr2[8];
int* a1_0 = arr1;
// change a1's tag to 0, try reading beyond a1[11]:
while ((( reinterpret_cast<long>(a1_0) >> 56 ) % 16) > 0)
a1_0 -= delta;
int* a1_dec = arr1 - delta; // Issue: Tag 1 ->
// TODO:if tag was 0, decrement makes it 0, need to change it to ffff:
if ( reinterpret_cast<long>(a1_dec) <= 0xffffffffffffff )
a1_dec += 15*delta;
// a1_dec's tag could be anything in 1-f
int* a1_dec2 = a1_dec - delta;
if ( reinterpret_cast<long>(a1_dec2) <= 0xffffffffffffff )
a1_dec2 += 15*delta;
int* a2_0 = arr2;
while ((( reinterpret_cast<long>(a2_0) >> 56 ) % 16) > 0)
a2_0 -= delta;
int* a2_inc = arr2 + delta;
// if tag was 0xF, the increment will have overflown: change it to 0,then 1 [LLVM excludes tag value 0]
if ( (reinterpret_cast<long>(a2_inc) >> 56) > 0xf)
{
a2_inc -= 16*delta;
a2_inc += delta;
}
printf("In test_code: arr1: %p, arr2: %p, a2_0: %p, a2_inc: %p, a1_0: %p, a1_dec: %p , a1_dec2: %p, addr of input delta: %p, val: %p \n", arr1, arr2, a2_0, a2_inc, a1_0, a1_dec, a1_dec2, &delta, &val);
// 0-tagged:
for (int i = 0; i < 12; i++)
printf("arr1[%i] : %i , \n", i, arr1[i]);
for (int i = 12; i < 16; i++) // overflow into argument:
{
printf("PRINTING a1[%i] : %i (with decremented tag) \n", i, a1_dec[i]); // worked! : this is input variable val
// printf("PRINTING arr1[%i] : %i \n", i, arr1[i]); // threw segfault for i=12
// printf("PRINTING a1_0[%i] : %i \n", i, a1_0[i]); // threw segfault for i=12.
}
for (int i = 16; i < 20; i++)
printf("PRINTING a1_Dec2 [%i] : %i \n", i, a1_dec2[i]); // worked! this is input variable delta
// can overwrite stuff above the func_args: return address/EBP.
for (int i = 20; i < 40; i++)
{
printf("PRINTING a1_0 [%i] : %i \n ", i, a1_0[i]); // worked for i: 20-35,
// if (i < 24)
// {
// printf("OVER writing a1[%i] to -1 \n", i);
// a1_0[i] = -1; // this over-writes a granule that contains ret addr / frame pointer : CAUSES a seg fault when exiting this function!!!!!
// }
}
// accessing memory below a2:
for (int i = -1; i >= -4; i--)
{
printf("ACCESSING a2_inc[%i] : %i \n", i, a2_inc[i]); // worked for -1 to -4! [tag of uninitialized = tag of sp, which is probably icnremented from arr2's tag]
// printf("ACCESSING a2_0[%i] : %i \n", i, a2_0[i]); // seg fault.
}
printf("EXITING Function! \n");
}
int main(int argc, char const *argv[])
{
printf("####### EXECUTING main function!! \n");
unsigned long hwcap2 = getauxval(AT_HWCAP2);
/* check if MTE is present */
if (!(hwcap2 & HWCAP2_MTE))
return EXIT_FAILURE;
/*
* Enable the tagged address ABI [for this thread], synchronous or asynchronous MTE
* tag check faults (based on per-CPU preference) and allow all
* non-zero tags in the randomly generated set.
*/
if (prctl(PR_SET_TAGGED_ADDR_CTRL,
PR_TAGGED_ADDR_ENABLE | PR_MTE_TCF_SYNC | PR_MTE_TCF_ASYNC |
(0xfffe << PR_MTE_TAG_SHIFT),
0, 0, 0)) {
perror("prctl() failed");
return EXIT_FAILURE;
}
printf("SIZE OF int: %lu, long: %lu \n", sizeof(int), sizeof(long));
src_code(atoi(argv[1]), atol(argv[2]), atoi(argv[3]));
test_code(atol(argv[2]), atoi(argv[3]));
printf("BACK in main!! NOW exiting program! \n");
}