From 825f99f16e8a437f9c6da117aacf8da787d7c739 Mon Sep 17 00:00:00 2001
From: Guillaume Souchere
Date: Wed, 27 Sep 2023 15:04:26 +0200
Subject: [PATCH] fix(heap): Fixed integrity check on used blocks by the tlsf component

This commit updates the tlsf submodule to include the modification made in the component aiming to perform integrity check on all blocks (not only the free ones). Added test to test the fix in test_apps/heap_tests. Fixes https://github.com/espressif/esp-idf/issues/12231
---
components/heap/test/test_corruption_check.c | 52 +++++++++++++++++++-
components/heap/tlsf | 2 +-
2 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/components/heap/test/test_corruption_check.c b/components/heap/test/test_corruption_check.c
index 9c4dd47eb2..3bd5575a0d 100644
--- a/components/heap/test/test_corruption_check.c
+++ b/components/heap/test/test_corruption_check.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
@@ -66,3 +66,53 @@ TEST_CASE("multi_heap poisoning detection", "[heap]")
 TEST_ASSERT_TRUE(is_heap_ok);
 }
 }
+
+#if !defined(CONFIG_HEAP_TLSF_USE_ROM_IMPL)
+
+#ifdef CONFIG_HEAP_TASK_TRACKING
+#define HEAD_CANARY_OFFSET 3 // head canary | task tracking | allocated size
+#else
+#define HEAD_CANARY_OFFSET 2 // head canary | allocated size
+#endif // CONFIG_HEAP_TASK_TRACKING
+
+#define TAIL_CANARY_OFFSET 1
+
+/* This test will corrupt the canary of a allocated memory block and call the
+ * heap_caps_check_integrity() function to check that the corruption is detected.
+ */
+TEST_CASE("canary corruption in light or comprehensive poisoning mode", "[heap]")
+{
+ const uint8_t allocation_size = 1 * sizeof(uint32_t);
+ /* malloc some memory to get a pointer */
+ uint32_t *ptr = heap_caps_malloc(allocation_size, MALLOC_CAP_DEFAULT);
+ TEST_ASSERT_NOT_NULL(ptr);
+
+ /* corrupt the head canary */
+ uint32_t canary = ptr[-HEAD_CANARY_OFFSET];
+ ptr[-HEAD_CANARY_OFFSET] = 0xdeadbeef;
+
+ /* call the integrity check function and verify that it returns 0 (corruption detected) */
+ bool is_corrupted = !heap_caps_check_integrity(MALLOC_CAP_DEFAULT, false);
+ TEST_ASSERT_TRUE(is_corrupted);
+
+ /* fix the head canary */
+ ptr[-HEAD_CANARY_OFFSET] = canary;
+
+ /* re run the corruption check to make sure the function returns no corruption */
+ is_corrupted = !heap_caps_check_integrity(MALLOC_CAP_DEFAULT, false);
+ TEST_ASSERT_FALSE(is_corrupted);
+
+ /* corrupt tail canary */
+ canary = ptr[TAIL_CANARY_OFFSET];
+ ptr[TAIL_CANARY_OFFSET] = 0xdeadbeef;
+
+ /* call the integrity check function and verify that it returns 0 (corruption detected) */
+ is_corrupted = !heap_caps_check_integrity(MALLOC_CAP_DEFAULT, false);
+ TEST_ASSERT_TRUE(is_corrupted);
+
+ /* clear the corruption and free the pointer before returning */
+ ptr[TAIL_CANARY_OFFSET] = canary;
+ heap_caps_free(ptr);
+}
+
+#endif // !CONFIG_HEAP_TLSF_USE_ROM_IMPL
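Review bot: The added test case is compiled whenever `CONFIG_HEAP_TLSF_USE_ROM_IMPL` is unset, but the words it overwrites at `ptr[-HEAD_CANARY_OFFSET]` and `ptr[TAIL_CANARY_OFFSET]` are canaries only when heap poisoning is enabled. Unless a guard outside this hunk already covers it, a build with poisoning disabled would write outside the 4-byte allocation and the test would damage the heap instead of exercising the check. I would make the precondition explicit with `#if !defined(CONFIG_HEAP_TLSF_USE_ROM_IMPL) && (defined(CONFIG_HEAP_POISONING_LIGHT) || defined(CONFIG_HEAP_POISONING_COMPREHENSIVE))`. Separately, both `TEST_ASSERT_TRUE(is_corrupted);` calls run while the canary still holds `0xdeadbeef`; assuming a failed Unity assertion aborts the test body, a regression in the check would leave the default heap corrupted and `ptr` unfreed for later tests, so restore first (`ptr[-HEAD_CANARY_OFFSET] = canary;` before the assert, likewise for the tail). `TAIL_CANARY_OFFSET 1` is correct only for a one-word allocation and deserves a comment such as `// valid only while allocation_size == sizeof(uint32_t)`.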
diff --git a/components/heap/tlsf b/components/heap/tlsf
index 8c9cd0517a..d2e28f8724 160000
--- a/components/heap/tlsf
+++ b/components/heap/tlsf
@@ -1 +1 @@
-Subproject commit 8c9cd0517adf99e363812e9a295dfe3898fdd345
+Subproject commit d2e28f872472ffc6a704faae65ddee1f24e2dfba