Use a longer string in the CRC4 buffer overflow example.

On some newer compiler versions, compiler optimizations and loop unrolling change the memory layout so that 64 bytes are not enough to overwrite the return address reliably. PiperOrigin-RevId: 240343358 Change-Id: Ifb1a1dc1cb482793b7387887f0fd68a237879227
2024-03-22 13:11:30 +08:00 · 2019-03-26 07:27:53 -07:00 · 2019-03-26 07:27:53 -07:00 · 33206c5d3f
commit 33206c5d3f
parent 137426c9dd
2 changed files with 5 additions and 6 deletions
--- a/sandboxed_api/sandbox2/examples/crc4/crc4bin.cc
+++ b/sandboxed_api/sandbox2/examples/crc4/crc4bin.cc
@ -17,6 +17,7 @@

 #include <syscall.h>

+#include <cstdint>
 #include <cstring>

 #include <glog/logging.h>
@ -66,7 +67,8 @@ int main(int argc, char** argv) {

  // Make sure we don't inline the function. See the comment in
  // ComputeCRC4Impl() for more details.
-  std::function<uint32_t(const uint8_t*, uint64_t)> ComputeCRC4 = ComputeCRC4Impl;
+  std::function<uint32_t(const uint8_t*, uint64_t)> ComputeCRC4 =
+      ComputeCRC4Impl;

  uint32_t crc4 = ComputeCRC4(buffer.data(), buffer.size());

--- a/sandboxed_api/sandbox2/examples/crc4/crc4sandbox_test.cc
+++ b/sandboxed_api/sandbox2/examples/crc4/crc4sandbox_test.cc
@ -61,11 +61,8 @@ TEST_F(CRC4Test, TestExploitAttempt) {

  std::string output;
  SAPI_ASSERT_OK_AND_ASSIGN(
-      int exit_code,
-      util::Communicate(
-          {path_, "-input",
-           "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
-          env_, &output));
+      int exit_code, util::Communicate({path_, "-input", std::string(128, 'A')},
+                                       env_, &output));

  LOG(INFO) << "Output: " << output;
  EXPECT_THAT(exit_code, Eq(3));