xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

lkdtm: improve use-after-free tests

Browse Source 
This improves the order of operations on the use-after-free tests to
try to make sure we've executed any available sanity-checking code,
and to report the poisoning that was found.

Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Kees Cook
2016-02-26 15:27:35 -08:00
parent 5fd9e48084
commit 7c0ae5be82
1 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
drivers/misc/lkdtm.c
View File

@@ -417,7 +417,7 @@ static void lkdtm_do_action(enum ctype which)
break; break;
} }
case CT_WRITE_AFTER_FREE: { case CT_WRITE_AFTER_FREE: {
int *base; int *base, *again;
size_t len = 1024; size_t len = 1024;
/* /*
* The slub allocator uses the first word to store the free * The slub allocator uses the first word to store the free
@@ -428,10 +428,16 @@ static void lkdtm_do_action(enum ctype which)
base = kmalloc(len, GFP_KERNEL); base = kmalloc(len, GFP_KERNEL);
pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]); pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
kfree(base);
pr_info("Attempting bad write to freed memory at %p\n", pr_info("Attempting bad write to freed memory at %p\n",
&base[offset]); &base[offset]);
kfree(base);
base[offset] = 0x0abcdef0; base[offset] = 0x0abcdef0;
/* Attempt to notice the overwrite. */
again = kmalloc(len, GFP_KERNEL);
kfree(again);
if (again != base)
pr_info("Hmm, didn't get the same memory range.\n");
break; break;
} }
case CT_READ_AFTER_FREE: { case CT_READ_AFTER_FREE: {
@@ -462,7 +468,7 @@ static void lkdtm_do_action(enum ctype which)
saw = base[offset]; saw = base[offset];
if (saw != *val) { if (saw != *val) {
/* Good! Poisoning happened, so declare a win. */ /* Good! Poisoning happened, so declare a win. */
pr_info("Memory correctly poisoned, calling BUG\n"); pr_info("Memory correctly poisoned (%x)\n", saw);
BUG(); BUG();
} }
pr_info("Memory was not poisoned\n"); pr_info("Memory was not poisoned\n");
@@ -480,6 +486,11 @@ static void lkdtm_do_action(enum ctype which)
schedule(); schedule();
pr_info("Attempting bad write to the buddy page after free\n"); pr_info("Attempting bad write to the buddy page after free\n");
memset((void *)p, 0x78, PAGE_SIZE); memset((void *)p, 0x78, PAGE_SIZE);
/* Attempt to notice the overwrite. */
p = __get_free_page(GFP_KERNEL);
free_page(p);
schedule();
break; break;
} }
case CT_READ_BUDDY_AFTER_FREE: { case CT_READ_BUDDY_AFTER_FREE: {
@@ -503,7 +514,7 @@ static void lkdtm_do_action(enum ctype which)
saw = base[0]; saw = base[0];
if (saw != *val) { if (saw != *val) {
/* Good! Poisoning happened, so declare a win. */ /* Good! Poisoning happened, so declare a win. */
pr_info("Buddy page correctly poisoned, calling BUG\n"); pr_info("Memory correctly poisoned (%x)\n", saw);
BUG(); BUG();
} }
pr_info("Buddy page was not poisoned\n"); pr_info("Buddy page was not poisoned\n");