TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / OP-TEE / optee_test / 50339ef2fe5b7f6c5a33fdb159f6ea205b38b1b5^! / . / ta / os_test / os_test.c
commit50339ef2fe5b7f6c5a33fdb159f6ea205b38b1b5[log] [tgz]
authorJens Wiklander <jens.wiklander@linaro.org>Tue Apr 12 20:47:27 2022 +0200
committerJérôme Forissier <jerome@forissier.org>Mon May 02 09:57:53 2022 +0200
treef730816da6d00f8704975d688788c6ba8c5e832c
parent88fe494ce3289d1152930e878e483f4f6b634b82 [diff] [blame]
regression: add test 1038 to test MTE

Adds regression test case 1038 to test MTE (Memory Tagging Extension).
Four tests are performed:
- use-after-free
- invalid tag
- double free
- buffer overrun

The tests are skipped if MTE isn't supported.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

diff --git a/ta/os_test/os_test.c b/ta/os_test/os_test.c
index 04128d3..0e68cc6 100644
--- a/ta/os_test/os_test.c
+++ b/ta/os_test/os_test.c

@@ -2,10 +2,12 @@
 /*
  * Copyright (c) 2014, STMicroelectronics International N.V.
  * All rights reserved.
+ * Copyright (c) 2022, Linaro Limited.
  */
 #include <compiler.h>
 #include <dlfcn.h>
 #include <link.h>
+#include <memtag.h>
 #include <setjmp.h>
 #include <stdint.h>
 #include <string.h>
@@ -1460,3 +1462,71 @@
 
 	return res;
 }
+
+TEE_Result ta_entry_memtag_use_after_free(void)
+{
+	uint32_t *p = NULL;
+
+	if (!memtag_is_enabled())
+		return TEE_ERROR_NOT_SUPPORTED;
+
+	p = TEE_Malloc(sizeof(*p), TEE_MALLOC_FILL_ZERO);
+	*p = 43;
+	TEE_Free(p);
+	(*p) += 2;
+	return TEE_ERROR_GENERIC;
+}
+
+TEE_Result ta_entry_memtag_invalid_tag(void)
+{
+	uint32_t *p = NULL;
+	uint32_t *p2 = NULL;
+
+	if (!memtag_is_enabled())
+		return TEE_ERROR_NOT_SUPPORTED;
+
+	p = TEE_Malloc(sizeof(*p), TEE_MALLOC_FILL_ZERO);
+
+	if (!memtag_get_tag(p)) {
+		EMSG("missing tag in %p", (void *)p);
+		goto err;
+	}
+	*p = 32;
+
+	p2 = memtag_insert_tag(p, (memtag_get_tag(p) + 1) & 0xf);
+	*p2 = 42;
+	EMSG("Expected to crash when writing to %p which was allocated as %p",
+	     (void *)p2, (void *)p);
+err:
+	TEE_Free(p);
+	return TEE_ERROR_GENERIC;
+}
+
+TEE_Result ta_entry_memtag_double_free(void)
+{
+	uint32_t *p = NULL;
+
+	if (!memtag_is_enabled())
+		return TEE_ERROR_NOT_SUPPORTED;
+
+	p = TEE_Malloc(sizeof(*p), TEE_MALLOC_FILL_ZERO);
+	*p = 43;
+	TEE_Free(p);
+	TEE_Free(p);
+	return TEE_ERROR_GENERIC;
+}
+
+TEE_Result ta_entry_memtag_buffer_overrun(void)
+{
+	uint64_t *p = NULL;
+
+	if (!memtag_is_enabled())
+		return TEE_ERROR_NOT_SUPPORTED;
+
+	p = TEE_Malloc(sizeof(*p) * 2, TEE_MALLOC_FILL_ZERO);
+	p[2] += 44;
+	TEE_Free(p);
+	return TEE_ERROR_GENERIC;
+}
+
+