-
Notifications
You must be signed in to change notification settings - Fork 7.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
heap_caps_check_integrity doesn’t find overflows (IDFGH-11050) #12231
Comments
Thanks for the thorough investigation! I agree, |
Please note that the code from the proof-of-concept patch is incompatible with |
@MattiasTF thanks for reporting this problem! I updated the TLSF component to call I will need to document the changes and add some testing. I will let yo know when the changes are merged internally. Also note that it is currently not planed to patch the ROM implementation of the TLSF to incorporate this changes so the fixed version will only be available if |
This commit updates the tlsf submodule to include the modification made in the component aiming to perform integrity check on all blocks (not only the free ones). Added test to test the fix in test_apps/heap_tests. Fixes #12231
This commit updates the tlsf submodule to include the modification made in the component aiming to perform integrity check on all blocks (not only the free ones). Added test to test the fix in test_apps/heap_tests. Fixes #12231
This commit updates the tlsf submodule to include the modification made in the component aiming to perform integrity check on all blocks (not only the free ones). Added test to test the fix in test_apps/heap_tests. Fixes espressif#12231
This commit updates the tlsf submodule to include the modification made in the component aiming to perform integrity check on all blocks (not only the free ones). Added test to test the fix in test_apps/heap_tests. Fixes #12231
This commit updates the tlsf submodule to include the modification made in the component aiming to perform integrity check on all blocks (not only the free ones). Added test to test the fix in test_apps/heap_tests. Fixes espressif#12231
Answers checklist.
IDF version.
v4.4.5-400-gc57d30e1df
Operating System used.
Linux
How did you build your project?
VS Code IDE
If you are using Windows, please specify command line type.
None
Development Kit.
Custom Board
Power Supply used.
USB
What is the expected behavior?
I expected the family of heap_caps_check_integrity functions to detect heap corruption, such as buffer overflows, when CONFIG_HEAP_POISONING_LIGHT=y is set.
What is the actual behavior?
Heap buffer overflows are not detected by any heap_caps_check_integrity function and only a free() will trigger a check that aborts the program.
Steps to reproduce.
My project contains the following code to deliberately cause a buffer overflow on the heap:
This is the output when run:
Printing the memory before and after the buffer shows that the canaries are present and free() detects the corruption, which means that the heap is properly poisoned and the detection works, but heap_caps_check_integrity_all() does not.
Debug Logs.
No response
More Information.
multi_heap_poisoning.c
containsmulti_heap_internal_check_block_poisoning
, which has code to check the poisoning of in-use blocks. Inmulti_heap.c
, this function is used in thetlsf_check_hook
. However, inheap_tslf.c
, this hook is only called while checking the free lists and never for any in-use blocks. Therefore, corruption in in-use blocks is not detected.The
tlsf_check_hook
can be added to theintegrity_walker
to check in-use blocks, similar to how it is called intlsf_check
. The check will fail, however, because the address of the block to check is incorrectly calculated inmulti_heap_internal_check_block_poisoning
.sizeof(poison_head_t)
is added to the start address even though the start address is already positioned after the poison head. This was probably not found because the code never runs. If the start address is directly passed totlsf_check_hook
without the offset, the heap validation works as expected and both the buffer under- and overflow from the test code are detected.My project is incompatible with IDF 5.x, so I cannot check if the issue is still present there, but looking at the relevant files on master shows that
tlsf_check_hook
is also called only during the free list verification and the calculation of the block address also contains the probably incorrect offset, so I expect both issues to be present there as well.Here is a proof-of-concept patch that includes both changes mentioned above.
Edit: The proof-of-concept patch has been updated to print more useful information when a corruption was found.
The text was updated successfully, but these errors were encountered: