Adding buffer overflow mitigation example for cheriot
- buffer overflow when strlen is used for copying a larger string to a smaller buffer results in an exception
Bypass-Presubmit-Reason: Quick submit for CES
Change-Id: I61145df383bc5c08a849c6f685a119b1fd6b5d33
diff --git a/sw/device/cheriot/buffer_overflow/buffer_overflow.cc b/sw/device/cheriot/buffer_overflow/buffer_overflow.cc
new file mode 100644
index 0000000..70a0b8e
--- /dev/null
+++ b/sw/device/cheriot/buffer_overflow/buffer_overflow.cc
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <compartment.h>
+#include <fail-simulator-on-error.h>
+
+#include <debug.hh>
+
+using Debug = ConditionalDebug<true, "Buffer overflow compartment">;
+
+void local_function(const char* inp) {
+ char b1[5] = "AAAA";
+ char b2[5] = "BBBB";
+ Debug::log(b1);
+ Debug::log(b2);
+ for (int i = 0; inp[i] != '\0' /*&& i < sizeof(b1)*/; i++) {
+ b1[i] = inp[i];
+ }
+ Debug::log(b1);
+ Debug::log(b2);
+}
+
+void __cheri_compartment("buffer_overflow") entry() {
+ local_function("PPPPQQQQR");
+}
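Review bot: Nothing in `local_function` marks the write past `b1` as deliberate or says what a passing run looks like, so the demo reads like an ordinary bug. A comment above the loop would state the intent, for example `// Deliberate: inp is longer than b1; on CHERIoT the store to b1[5] is expected to trap, so the two logs after the loop should not run.` The trap behaviour is taken from the commit description, and the handler pulled in by `fail-simulator-on-error.h` presumably reports it. The commented-out `i < sizeof(b1)` is also not a safe variant to leave as a hint: it lets the loop overwrite the terminator in `b1[4]`, after which `Debug::log(b1)` reads an unterminated buffer, whereas `i < (int)sizeof(b1) - 1` keeps the terminator. The description mentions `strlen`, while the loop in this hunk scans for the NUL byte itself.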
diff --git a/sw/device/cheriot/buffer_overflow/xmake.lua b/sw/device/cheriot/buffer_overflow/xmake.lua
new file mode 100644
index 0000000..bd8b6ab
--- /dev/null
+++ b/sw/device/cheriot/buffer_overflow/xmake.lua
@@ -0,0 +1,56 @@
+--
+-- Copyright 2023 Google LLC
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+set_project("CHERIoT buffer overflow avoidance demo")
+
+local shodan_dir = os.getenv("ROOTDIR")
+if shodan_dir == nil or shodan_dir == '' then
+ raise("ROOTDIR not set")
+end
+
+local sdkdir = path.join(shodan_dir, "sw/cheriot-rtos/sdk")
+includes(sdkdir)
+set_toolchains("cheriot-clang")
+
+option("board")
+ set_default("sail")
+
+-- Support libraries
+includes(path.join(sdkdir, "lib"))
+includes(path.join(sdkdir, "lib/freestanding"))
+
+-- Application.
+compartment("buffer_overflow")
+ add_files("buffer_overflow.cc")
+ add_deps("debug")
+ add_defines("CHERIOT_NO_AMBIENT_MALLOC")
+
+-- Firmware image.
+firmware("buffer_overflow-firmware")
+ add_deps("buffer_overflow")
+ add_deps("freestanding")
+ on_load(function(target)
+ target:values_set("board", "$(board)")
+ local threads = {
+ {
+ compartment = "buffer_overflow",
+ priority = 1,
+ entry_point = "entry",
+ stack_size = 0x1000, -- 4KB
+ trusted_stack_frames = 1
+ },
+ }
+ target:values_set("threads", threads, {expand = false})
+ end)
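Review bot: The `ROOTDIR` check near the top of the file only rejects an unset or empty value, yet `includes(sdkdir)` then loads build scripts from whatever tree that variable points at. A stale or mistyped `ROOTDIR` either fails later with an unrelated error or silently builds against a different SDK checkout. Verifying the derived path before including it would make this explicit, e.g. `if not os.isdir(sdkdir) then raise("CHERIoT SDK not found at " .. sdkdir) end`. A short comment saying that `ROOTDIR` must be the root of the trusted source checkout would also help.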