diff options
author | Laura Abbott <labbott@fedoraproject.org> | 2016-02-26 03:36:42 +0300 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2016-03-02 01:29:13 +0300 |
commit | bc0b8cc6cb26a209fa1679d5c063b47bc0afe964 (patch) | |
tree | 6edbd0fa562a4505d21906d1db3feae7fea16841 | |
parent | ea861d73a9aa97a5e0c7cef6a26ce01786e0c58d (diff) | |
download | linux-bc0b8cc6cb26a209fa1679d5c063b47bc0afe964.tar.xz |
lkdtm: Add READ_AFTER_FREE test
In a similar manner to WRITE_AFTER_FREE, add a READ_AFTER_FREE
test to test free poisoning features. Sample output when
no sanitization is present:
# echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[ 17.542473] lkdtm: Performing direct entry READ_AFTER_FREE
[ 17.543866] lkdtm: Value in memory before free: 12345678
[ 17.545212] lkdtm: Attempting bad read from freed memory
[ 17.546542] lkdtm: Memory was not poisoned
with slub_debug=P:
# echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[ 22.415531] lkdtm: Performing direct entry READ_AFTER_FREE
[ 22.416366] lkdtm: Value in memory before free: 12345678
[ 22.417137] lkdtm: Attempting bad read from freed memory
[ 22.417897] lkdtm: Memory correctly poisoned, calling BUG
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
-rw-r--r-- | drivers/misc/lkdtm.c | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c index 11fdadc68e53..8de47462638a 100644 --- a/drivers/misc/lkdtm.c +++ b/drivers/misc/lkdtm.c @@ -92,6 +92,7 @@ enum ctype { CT_UNALIGNED_LOAD_STORE_WRITE, CT_OVERWRITE_ALLOCATION, CT_WRITE_AFTER_FREE, + CT_READ_AFTER_FREE, CT_SOFTLOCKUP, CT_HARDLOCKUP, CT_SPINLOCKUP, @@ -129,6 +130,7 @@ static char* cp_type[] = { "UNALIGNED_LOAD_STORE_WRITE", "OVERWRITE_ALLOCATION", "WRITE_AFTER_FREE", + "READ_AFTER_FREE", "SOFTLOCKUP", "HARDLOCKUP", "SPINLOCKUP", @@ -417,6 +419,42 @@ static void lkdtm_do_action(enum ctype which) memset(data, 0x78, len); break; } + case CT_READ_AFTER_FREE: { + int *base, *val, saw; + size_t len = 1024; + /* + * The slub allocator uses the first word to store the free + * pointer in some configurations. Use the middle of the + * allocation to avoid running into the freelist + */ + size_t offset = (len / sizeof(*base)) / 2; + + base = kmalloc(len, GFP_KERNEL); + if (!base) + break; + + val = kmalloc(len, GFP_KERNEL); + if (!val) + break; + + *val = 0x12345678; + base[offset] = *val; + pr_info("Value in memory before free: %x\n", base[offset]); + + kfree(base); + + pr_info("Attempting bad read from freed memory\n"); + saw = base[offset]; + if (saw != *val) { + /* Good! Poisoning happened, so declare a win. */ + pr_info("Memory correctly poisoned, calling BUG\n"); + BUG(); + } + pr_info("Memory was not poisoned\n"); + + kfree(val); + break; + } case CT_SOFTLOCKUP: preempt_disable(); for (;;) |