Adding buffer overflow mitigation example for cheriot - buffer overflow when strlen is used for copying a larger string to a smaller buffer results in an exception Bypass-Presubmit-Reason: Quick submit for CES Change-Id: I61145df383bc5c08a849c6f685a119b1fd6b5d33
diff --git a/sw/device/cheriot/buffer_overflow/buffer_overflow.cc b/sw/device/cheriot/buffer_overflow/buffer_overflow.cc
new file mode 100644
index 0000000..70a0b8e
--- /dev/null
+++ b/sw/device/cheriot/buffer_overflow/buffer_overflow.cc
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <compartment.h>
+#include <fail-simulator-on-error.h>
+
+#include <debug.hh>
+
+using Debug = ConditionalDebug<true, "Buffer overflow compartment">;
+
+void local_function(const char* inp) {
+ char b1[5] = "AAAA";
+ char b2[5] = "BBBB";
+ Debug::log(b1);
+ Debug::log(b2);
+ for (int i = 0; inp[i] != '\0' /*&& i < sizeof(b1)*/; i++) {
+ b1[i] = inp[i];
+ }
+ Debug::log(b1);
+ Debug::log(b2);
+}
+
+void __cheri_compartment("buffer_overflow") entry() {
+ local_function("PPPPQQQQR");
+}
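Review bot: Nothing in `local_function` says the overflow is deliberate, so the commented-out `/*&& i < sizeof(b1)*/` in the `for` condition reads like a leftover rather than the point of the demo. A header comment such as `// Deliberately unbounded copy: the store to b1[5] is expected to raise a CHERI bounds fault instead of reaching b2.` would make the intent explicit, and it should also say that the two `Debug::log` calls after the loop are presumably never reached once the fault fires. If the commented guard is meant to show the safe variant, it is off by one as written: it admits five bytes and leaves `b1` without a terminator, so the bound should be `i < sizeof(b1) - 1` with `b1` NUL-terminated after the loop (and `size_t i` to avoid the signed/unsigned comparison). Separately, `Debug::log` appears to treat its first argument as a format string, so `Debug::log("b1: {}", b1);` would keep copied input out of the format position. The commit message also describes a strlen-based copy while the code uses a manual loop to the terminator, which the comment could reconcile.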
diff --git a/sw/device/cheriot/buffer_overflow/xmake.lua b/sw/device/cheriot/buffer_overflow/xmake.lua
new file mode 100644
index 0000000..bd8b6ab
--- /dev/null
+++ b/sw/device/cheriot/buffer_overflow/xmake.lua
@@ -0,0 +1,56 @@
+--
+-- Copyright 2023 Google LLC
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+set_project("CHERIoT buffer overflow avoidance demo")
+
+local shodan_dir = os.getenv("ROOTDIR")
+if shodan_dir == nil or shodan_dir == '' then
+ raise("ROOTDIR not set")
+end
+
+local sdkdir = path.join(shodan_dir, "sw/cheriot-rtos/sdk")
+includes(sdkdir)
+set_toolchains("cheriot-clang")
+
+option("board")
+ set_default("sail")
+
+-- Support libraries
+includes(path.join(sdkdir, "lib"))
+includes(path.join(sdkdir, "lib/freestanding"))
+
+-- Application.
+compartment("buffer_overflow")
+ add_files("buffer_overflow.cc")
+ add_deps("debug")
+ add_defines("CHERIOT_NO_AMBIENT_MALLOC")
+
+-- Firmware image.
+firmware("buffer_overflow-firmware")
+ add_deps("buffer_overflow")
+ add_deps("freestanding")
+ on_load(function(target)
+ target:values_set("board", "$(board)")
+ local threads = {
+ {
+ compartment = "buffer_overflow",
+ priority = 1,
+ entry_point = "entry",
+ stack_size = 0x1000, -- 4KB
+ trusted_stack_frames = 1
+ },
+ }
+ target:values_set("threads", threads, {expand = false})
+ end)