From da73b28162ca38ef14d563ab3088b4aa4fc9ef9e Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 1 Jan 2022 22:23:09 +0100
Subject: [PATCH] Add a test for slab canaries
---
 test/simple-memory-corruption/Makefile | 3 ++-
 test/simple-memory-corruption/canary_leak.c | 24 +++++++++++++++++++++
 test/simple-memory-corruption/test_smc.py | 5 +++++
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 test/simple-memory-corruption/canary_leak.c
diff --git a/test/simple-memory-corruption/Makefile b/test/simple-memory-corruption/Makefile
index 2135f7e..b912c87 100644
--- a/test/simple-memory-corruption/Makefile
+++ b/test/simple-memory-corruption/Makefile
@@ -46,7 +46,8 @@ EXECUTABLES := \
 malloc_object_size_offset \
 invalid_malloc_object_size_small \
 invalid_malloc_object_size_small_quarantine \
- impossibly_large_malloc
+ impossibly_large_malloc \
+ canary_leak
 all: $(EXECUTABLES)
diff --git a/test/simple-memory-corruption/canary_leak.c b/test/simple-memory-corruption/canary_leak.c
new file mode 100644
index 0000000..7d62444
--- /dev/null
+++ b/test/simple-memory-corruption/canary_leak.c
@@ -0,0 +1,24 @@
+#include
+#include
+
+#include "../test_util.h"
+
+#define CANARY_SIZE 8
+
+// Check that the slab canary can't be leaked with a C-string function.
+OPTNONE int main(void) {
+ char leaked_str_canary[CANARY_SIZE] = {0};
+ char leaked_canary[CANARY_SIZE] = {0};
+ char *p = malloc(8);
+ if (!p) {
+ return 1;
+ }
+ strncpy(leaked_str_canary, p + 8, CANARY_SIZE);
+ memcpy(leaked_canary, p + 8, CANARY_SIZE);
+ if (!memcmp(leaked_canary, leaked_str_canary, CANARY_SIZE)) {
+ free(p);
+ return 1;
+ }
+ free(p);
+ return 0;
+}
diff --git a/test/simple-memory-corruption/test_smc.py b/test/simple-memory-corruption/test_smc.py
index f57690e..361b814 100644
--- a/test/simple-memory-corruption/test_smc.py
+++ b/test/simple-memory-corruption/test_smc.py
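Review bot: The final `memcmp` in `main` of canary_leak.c fails the test only when all CANARY_SIZE bytes copied by `strncpy` equal the `memcpy` copy, so a canary with a non-zero first byte and a NUL further in would leak a prefix and the test would still return 0. If the property under test is that a C-string read stops at the first canary byte, assert that directly before the comparison, e.g. `if (leaked_str_canary[0] != '\0') { free(p); return 1; }`, and keep the `memcmp` as the check that a non-zero canary is actually present at `p + 8`. The read at `p + 8` also assumes the canary sits immediately after the 8 requested bytes and that canaries are enabled in the build under test. A short comment such as `// assumes malloc(8) places the slab canary at p + 8` would make a failure on other configurations easier to diagnose.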
@@ -211,6 +211,11 @@ class TestSimpleMemoryCorruption(unittest.TestCase):
 "impossibly_large_malloc")
 self.assertEqual(returncode, 0)
+ def test_canary_leak(self):
+ _stdout, stderr, returncode = self.run_test(
+ "canary_leak")
+ self.assertEqual(returncode, 0)
+
 if __name__ == '__main__':