Skip to content

Commit

Permalink
fix(heap): Fixed integrity check on used blocks by the tlsf component
Browse files Browse the repository at this point in the history
This commit updates the tlsf submodule to include the modification made in the component
aiming to perform integrity check on all blocks (not only the free ones).
Added test to test the fix in test_apps/heap_tests.

Fixes espressif#12231
  • Loading branch information
SoucheSouche authored and movsb committed Dec 1, 2023
1 parent 88c79bf commit f0fe418
Show file tree
Hide file tree
Showing 2 changed files with 53 additions and 4 deletions.
55 changes: 52 additions & 3 deletions components/heap/test_apps/heap_tests/main/test_corruption_check.c
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@

#include "esp_heap_caps.h"

//This test only makes sense with poisoning enabled (light or comprehensive)
#if defined(CONFIG_HEAP_POISONING_COMPREHENSIVE) || defined(CONFIG_HEAP_POISONING_LIGHT)
// these tests only make sense with poisoning enabled (light or comprehensive)
#if defined(CONFIG_HEAP_POISONING_LIGHT) || defined(CONFIG_HEAP_POISONING_COMPREHENSIVE)

/* executing multi_heap_internal_check_block_poisoning()
* takes longer on external RAM and therefore the timeout
Expand Down Expand Up @@ -70,4 +70,53 @@ TEST_CASE("multi_heap poisoning detection", "[heap]")
}
}

#endif
#if !defined(CONFIG_HEAP_TLSF_USE_ROM_IMPL)

#ifdef CONFIG_HEAP_TASK_TRACKING
#define HEAD_CANARY_OFFSET 3 // head canary | task tracking | allocated size
#else
#define HEAD_CANARY_OFFSET 2 // head canary | allocated size
#endif // CONFIG_HEAP_TASK_TRACKING

#define TAIL_CANARY_OFFSET 1

/* This test will corrupt the canary of a allocated memory block and call the
* heap_caps_check_integrity() function to check that the corruption is detected.
*/
TEST_CASE("canary corruption in light or comprehensive poisoning mode", "[heap]")
{
const uint8_t allocation_size = 1 * sizeof(uint32_t);
/* malloc some memory to get a pointer */
uint32_t *ptr = heap_caps_malloc(allocation_size, MALLOC_CAP_DEFAULT);
TEST_ASSERT_NOT_NULL(ptr);

/* corrupt the head canary */
uint32_t canary = ptr[-HEAD_CANARY_OFFSET];
ptr[-HEAD_CANARY_OFFSET] = 0xdeadbeef;

/* call the integrity check function and verify that it returns 0 (corruption detected) */
bool is_corrupted = !heap_caps_check_integrity(MALLOC_CAP_DEFAULT, false);
TEST_ASSERT_TRUE(is_corrupted);

/* fix the head canary */
ptr[-HEAD_CANARY_OFFSET] = canary;

/* re run the corruption check to make sure the function returns no corruption */
is_corrupted = !heap_caps_check_integrity(MALLOC_CAP_DEFAULT, false);
TEST_ASSERT_FALSE(is_corrupted);

/* corrupt tail canary */
canary = ptr[TAIL_CANARY_OFFSET];
ptr[TAIL_CANARY_OFFSET] = 0xdeadbeef;

/* call the integrity check function and verify that it returns 0 (corruption detected) */
is_corrupted = !heap_caps_check_integrity(MALLOC_CAP_DEFAULT, false);
TEST_ASSERT_TRUE(is_corrupted);

/* clear the corruption and free the pointer before returning */
ptr[TAIL_CANARY_OFFSET] = canary;
heap_caps_free(ptr);
}

#endif // !CONFIG_HEAP_TLSF_USE_ROM_IMPL
#endif // CONFIG_HEAP_POISONING_LIGHT && CONFIG_HEAP_LIGHT_POISONING
2 changes: 1 addition & 1 deletion components/heap/tlsf
Submodule tlsf updated 1 files
+19 −18 tlsf.c

0 comments on commit f0fe418

Please sign in to comment.