hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

lkdtm: improve use-after-free tests 

This improves the order of operations on the use-after-free tests to
try to make sure we've executed any available sanity-checking code,
and to report the poisoning that was found.

Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Kees Cook 2016-02-26 15:27:35 -08:00
parent 5fd9e48084
commit 7c0ae5be82
1 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
drivers/misc/lkdtm.c
View File

@ -417,7 +417,7 @@ static void lkdtm_do_action(enum ctype which)
break;
}
case CT_WRITE_AFTER_FREE: {
int *base;
int *base, *again;
size_t len = 1024;
/*
* The slub allocator uses the first word to store the free
@ -428,10 +428,16 @@ static void lkdtm_do_action(enum ctype which)
base = kmalloc(len, GFP_KERNEL);
pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
kfree(base);
pr_info("Attempting bad write to freed memory at %p\n",
&base[offset]);
kfree(base);
base[offset] = 0x0abcdef0;
/* Attempt to notice the overwrite. */
again = kmalloc(len, GFP_KERNEL);
kfree(again);
if (again != base)
pr_info("Hmm, didn't get the same memory range.\n");
break;
}
case CT_READ_AFTER_FREE: {
@ -462,7 +468,7 @@ static void lkdtm_do_action(enum ctype which)
saw = base[offset];
if (saw != *val) {
/* Good! Poisoning happened, so declare a win. */
pr_info("Memory correctly poisoned, calling BUG\n");
pr_info("Memory correctly poisoned (%x)\n", saw);
BUG();
}
pr_info("Memory was not poisoned\n");
@ -480,6 +486,11 @@ static void lkdtm_do_action(enum ctype which)
schedule();
pr_info("Attempting bad write to the buddy page after free\n");
memset((void *)p, 0x78, PAGE_SIZE);
/* Attempt to notice the overwrite. */
p = __get_free_page(GFP_KERNEL);
free_page(p);
schedule();
break;
}
case CT_READ_BUDDY_AFTER_FREE: {
@ -503,7 +514,7 @@ static void lkdtm_do_action(enum ctype which)
saw = base[0];
if (saw != *val) {
/* Good! Poisoning happened, so declare a win. */
pr_info("Buddy page correctly poisoned, calling BUG\n");
pr_info("Memory correctly poisoned (%x)\n", saw);
BUG();
}
pr_info("Buddy page was not poisoned\n");