Use a longer string in the CRC4 buffer overflow example.
On some newer compiler versions, compiler optimizations and loop unrolling change the memory layout so that 64 bytes are not enough to overwrite the return address reliably. PiperOrigin-RevId: 240343358 Change-Id: Ifb1a1dc1cb482793b7387887f0fd68a237879227
This commit is contained in:
parent
137426c9dd
commit
33206c5d3f
@ -17,6 +17,7 @@
#include <syscall.h>
#include <syscall.h>
#include <cstdint>
#include <cstring>
#include <cstring>
#include <glog/logging.h>
#include <glog/logging.h>
@ -66,7 +67,8 @@ int main(int argc, char** argv) {
// Make sure we don't inline the function. See the comment in
// Make sure we don't inline the function. See the comment in
// ComputeCRC4Impl() for more details.
// ComputeCRC4Impl() for more details.
std::function<uint32_t(const uint8_t*, uint64_t)> ComputeCRC4 = ComputeCRC4Impl;
std::function<uint32_t(const uint8_t*, uint64_t)> ComputeCRC4 =
ComputeCRC4Impl;
uint32_t crc4 = ComputeCRC4(buffer.data(), buffer.size());
uint32_t crc4 = ComputeCRC4(buffer.data(), buffer.size());
@ -61,10 +61,7 @@ TEST_F(CRC4Test, TestExploitAttempt) {
std::string output;
std::string output;
SAPI_ASSERT_OK_AND_ASSIGN(
SAPI_ASSERT_OK_AND_ASSIGN(
int exit_code,
int exit_code, util::Communicate({path_, "-input", std::string(128, 'A')},
util::Communicate(
{path_, "-input",
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
env_, &output));
env_, &output));
LOG(INFO) << "Output: " << output;
LOG(INFO) << "Output: " << output;
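Review bot: The new `std::string(128, 'A')` on the `int exit_code, util::Communicate(...)` line swaps a visible literal for a bare magic number, and nothing in the test records why 128 rather than the previous 64. The commit description holds the reasoning (on newer compilers 64 bytes no longer reach the return address reliably), but a reader of the test alone will not see it; a one-line comment above the SAPI_ASSERT_OK_AND_ASSIGN, `// 128 rather than 64: newer compilers change the stack layout, so 64 bytes no longer trigger the overflow reliably.`, or a named constant such as `constexpr size_t kOverflowInputLength = 128;` used in both places, would keep that context next to the value. If this length must stay in step with the buffer size in the example binary, which is outside this hunk, the comment should say so. TestExploitAttempt's body begins before this hunk.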