diff options
author | Yabin Cui <yabinc@google.com> | 2014-12-11 17:46:33 -0800 |
---|---|---|
committer | Yabin Cui <yabinc@google.com> | 2014-12-11 17:49:12 -0800 |
commit | 2331b95609e3eb94494aebc9a59cab44d73df234 (patch) | |
tree | 510b10d8e19d80b11a232639af4026fbe9ea7ba6 /debuggerd/crasher.c | |
parent | de180fc2834a3e42b6383027cf47b561e861108e (diff) | |
download | system_core-2331b95609e3eb94494aebc9a59cab44d73df234.zip system_core-2331b95609e3eb94494aebc9a59cab44d73df234.tar.gz system_core-2331b95609e3eb94494aebc9a59cab44d73df234.tar.bz2 |
Make crasher smash-stack work.
Bug: 18721888
Change-Id: Id0280df7cb2c29832256d3d395e6399fcef9aa2b
Diffstat (limited to 'debuggerd/crasher.c')
-rw-r--r-- | debuggerd/crasher.c | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/debuggerd/crasher.c b/debuggerd/crasher.c index d0c3912..af86fe9 100644 --- a/debuggerd/crasher.c +++ b/debuggerd/crasher.c @@ -32,16 +32,23 @@ static void maybe_abort() { } } -static int smash_stack(int i __unused) { +static char* smash_stack_dummy_buf; +__attribute__ ((noinline)) static void smash_stack_dummy_function(volatile int* plen) { + smash_stack_dummy_buf[*plen] = 0; +} + +// This must be marked with "__attribute__ ((noinline))", to ensure the +// compiler generates the proper stack guards around this function. +// Assign local array address to global variable to force stack guards. +// Use another noinline function to corrupt the stack. +__attribute__ ((noinline)) static int smash_stack(volatile int* plen) { printf("crasher: deliberately corrupting stack...\n"); - // Unless there's a "big enough" buffer on the stack, gcc - // doesn't bother inserting checks. - char buf[8]; - // If we don't write something relatively unpredictable - // into the buffer and then do something with it, gcc - // optimizes everything away and just returns a constant. - *(int*)(&buf[7]) = (uintptr_t) &buf[0]; - return *(int*)(&buf[0]); + + char buf[128]; + smash_stack_dummy_buf = buf; + // This should corrupt stack guards and make process abort. + smash_stack_dummy_function(plen); + return 0; } static void* global = 0; // So GCC doesn't optimize the tail recursion out of overflow_stack. @@ -125,7 +132,8 @@ static int do_action(const char* arg) } else if (!strcmp(arg, "SIGSEGV-non-null")) { sigsegv_non_null(); } else if (!strcmp(arg, "smash-stack")) { - return smash_stack(42); + volatile int len = 128; + return smash_stack(&len); } else if (!strcmp(arg, "stack-overflow")) { overflow_stack(NULL); } else if (!strcmp(arg, "nostack")) { |