author | Laura Abbott <labbott@fedoraproject.org> | 2016-02-25 16:36:43 -0800 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2016-03-01 14:29:13 -0800 |
commit | 250a8988ef4071d8b7cdbb27388f09f33402293a (patch) | |
tree | 44943637efcbf5405da8308fd5effe77a4e740de | |
parent | bc0b8cc6cb26a209fa1679d5c063b47bc0afe964 (diff) | |
download | op-kernel-dev-250a8988ef4071d8b7cdbb27388f09f33402293a.zip op-kernel-dev-250a8988ef4071d8b7cdbb27388f09f33402293a.tar.gz |
lkdtm: Update WRITE_AFTER_FREE test
The SLUB allocator may use the first word of a freed block to store the
freelist information. This may make it harder to test poisoning
features. Change the WRITE_AFTER_FREE test to better match what
the READ_AFTER_FREE test does and also print out a bit more information.
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
-rw-r--r-- | drivers/misc/lkdtm.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 8de4746..a00a2b1 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -411,12 +411,21 @@ static void lkdtm_do_action(enum ctype which)
 		break;
 	}
 	case CT_WRITE_AFTER_FREE: {
+		int *base;
 		size_t len = 1024;
-		u32 *data = kmalloc(len, GFP_KERNEL);
+		/*
+		 * The slub allocator uses the first word to store the free
+		 * pointer in some configurations. Use the middle of the
+		 * allocation to avoid running into the freelist
+		 */
+		size_t offset = (len / sizeof(*base)) / 2;
 
-		kfree(data);
-		schedule();
-		memset(data, 0x78, len);
+		base = kmalloc(len, GFP_KERNEL);
+		pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
+		kfree(base);
+		pr_info("Attempting bad write to freed memory at %p\n",
+			&base[offset]);
+		base[offset] = 0x0abcdef0;
 		break;
 	}
 	case CT_READ_AFTER_FREE: {
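Review bot: The kmalloc() result is used unchecked in the new CT_WRITE_AFTER_FREE body: if `base` is NULL, `base[offset] = 0x0abcdef0;` faults on a NULL-page address and the test reports a different failure than the use-after-free it is meant to provoke, which makes a passing or failing run ambiguous. A guard right after the allocation, `if (!base) { pr_err("kmalloc failed\n"); break; }`, keeps the outcome meaningful (kfree(NULL) would be harmless, but the write would not be the intended freed-memory access). The two `pr_info` lines record raw heap addresses with `%p`; a one-line comment noting that exposing them is acceptable only because this is a fault-injection test module would help a later reader, presumably in line with how the rest of the file logs. lkdtm_do_action begins and ends outside this hunk.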