diff options
-rw-r--r-- | drivers/misc/lkdtm.c | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c index a00a2b11b821..8e00e2e992d1 100644 --- a/drivers/misc/lkdtm.c +++ b/drivers/misc/lkdtm.c @@ -93,6 +93,8 @@ enum ctype { CT_OVERWRITE_ALLOCATION, CT_WRITE_AFTER_FREE, CT_READ_AFTER_FREE, + CT_WRITE_BUDDY_AFTER_FREE, + CT_READ_BUDDY_AFTER_FREE, CT_SOFTLOCKUP, CT_HARDLOCKUP, CT_SPINLOCKUP, @@ -131,6 +133,8 @@ static char* cp_type[] = { "OVERWRITE_ALLOCATION", "WRITE_AFTER_FREE", "READ_AFTER_FREE", + "WRITE_BUDDY_AFTER_FREE", + "READ_BUDDY_AFTER_FREE", "SOFTLOCKUP", "HARDLOCKUP", "SPINLOCKUP", @@ -464,6 +468,47 @@ static void lkdtm_do_action(enum ctype which) kfree(val); break; } + case CT_WRITE_BUDDY_AFTER_FREE: { + unsigned long p = __get_free_page(GFP_KERNEL); + if (!p) + break; + pr_info("Writing to the buddy page before free\n"); + memset((void *)p, 0x3, PAGE_SIZE); + free_page(p); + schedule(); + pr_info("Attempting bad write to the buddy page after free\n"); + memset((void *)p, 0x78, PAGE_SIZE); + break; + } + case CT_READ_BUDDY_AFTER_FREE: { + unsigned long p = __get_free_page(GFP_KERNEL); + int saw, *val = kmalloc(1024, GFP_KERNEL); + int *base; + + if (!p) + break; + + if (!val) + break; + + base = (int *)p; + + *val = 0x12345678; + base[0] = *val; + pr_info("Value in memory before free: %x\n", base[0]); + free_page(p); + pr_info("Attempting to read from freed memory\n"); + saw = base[0]; + if (saw != *val) { + /* Good! Poisoning happened, so declare a win. */ + pr_info("Buddy page correctly poisoned, calling BUG\n"); + BUG(); + } + pr_info("Buddy page was not poisoned\n"); + + kfree(val); + break; + } case CT_SOFTLOCKUP: preempt_disable(); for (;;) |