From 33206c5d3f97e408b7e3a81d0bdc3d57a0a53d4f Mon Sep 17 00:00:00 2001
From: Christian Blichmann
Date: Tue, 26 Mar 2019 07:27:53 -0700
Subject: [PATCH] Use a longer string in the CRC4 buffer overflow example.

On some newer compiler versions, compiler optimizations and loop unrolling change the memory layout so that 64 bytes are not enough to overwrite the return address reliably.

PiperOrigin-RevId: 240343358
Change-Id: Ifb1a1dc1cb482793b7387887f0fd68a237879227
---
 sandboxed_api/sandbox2/examples/crc4/crc4bin.cc | 4 +++-
 sandboxed_api/sandbox2/examples/crc4/crc4sandbox_test.cc | 7 ++-----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/sandboxed_api/sandbox2/examples/crc4/crc4bin.cc b/sandboxed_api/sandbox2/examples/crc4/crc4bin.cc
index c0b10a4..8a44bf2 100644
--- a/sandboxed_api/sandbox2/examples/crc4/crc4bin.cc
+++ b/sandboxed_api/sandbox2/examples/crc4/crc4bin.cc
@@ -17,6 +17,7 @@
#include
+#include
#include
#include
@@ -66,7 +67,8 @@ int main(int argc, char** argv) {
// Make sure we don't inline the function. See the comment in
// ComputeCRC4Impl() for more details.
- std::function ComputeCRC4 = ComputeCRC4Impl;
+ std::function ComputeCRC4 =
+ ComputeCRC4Impl;
uint32_t crc4 = ComputeCRC4(buffer.data(), buffer.size());
diff --git a/sandboxed_api/sandbox2/examples/crc4/crc4sandbox_test.cc b/sandboxed_api/sandbox2/examples/crc4/crc4sandbox_test.cc
index edeac4f..3fcae81 100644
--- a/sandboxed_api/sandbox2/examples/crc4/crc4sandbox_test.cc
+++ b/sandboxed_api/sandbox2/examples/crc4/crc4sandbox_test.cc
@@ -61,11 +61,8 @@ TEST_F(CRC4Test, TestExploitAttempt) {
std::string output;
SAPI_ASSERT_OK_AND_ASSIGN(
- int exit_code,
- util::Communicate(
- {path_, "-input",
- "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
- env_, &output));
+ int exit_code, util::Communicate({path_, "-input", std::string(128, 'A')},
+ env_, &output));
LOG(INFO) << "Output: " << output;
EXPECT_THAT(exit_code, Eq(3));
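Review bot: The new call `util::Communicate({path_, "-input", std::string(128, 'A')}, env_, &output)` hard-codes 128 with nothing in the test tying it to the fixed-size buffer in crc4bin.cc, so the next compiler change that makes 128 insufficient will surface as an unexplained test failure rather than a known fragility. I would lift the length into a named constant and carry the rationale from the commit message into the code: `// Must comfortably exceed crc4bin's fixed-size buffer: with optimization and loop unrolling, 64 bytes no longer reliably reached the return address.` followed by `constexpr int kOverflowInputLen = 128;`. The asserted `Eq(3)` exit code is pre-existing context and its meaning is not visible in this hunk; if it encodes the sandbox's policy-violation result, a one-line comment naming that would make the expectation self-explanatory for whoever debugs it next. The enclosing TEST_F body starts and ends outside the hunk.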