From: Kees Cook Date: Fri, 26 Feb 2016 23:27:35 +0000 (-0800) Subject: lkdtm: improve use-after-free tests X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=7c0ae5be821c1b6a700c5506de9b62e95f60df3c;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git lkdtm: improve use-after-free tests This improves the order of operations on the use-after-free tests to try to make sure we've executed any available sanity-checking code, and to report the poisoning that was found. Signed-off-by: Kees Cook --- diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c index c333e813ed34..9345999f5673 100644 --- a/drivers/misc/lkdtm.c +++ b/drivers/misc/lkdtm.c @@ -417,7 +417,7 @@ static void lkdtm_do_action(enum ctype which) break; } case CT_WRITE_AFTER_FREE: { - int *base; + int *base, *again; size_t len = 1024; /* * The slub allocator uses the first word to store the free @@ -428,10 +428,16 @@ static void lkdtm_do_action(enum ctype which) base = kmalloc(len, GFP_KERNEL); pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]); - kfree(base); pr_info("Attempting bad write to freed memory at %p\n", &base[offset]); + kfree(base); base[offset] = 0x0abcdef0; + /* Attempt to notice the overwrite. */ + again = kmalloc(len, GFP_KERNEL); + kfree(again); + if (again != base) + pr_info("Hmm, didn't get the same memory range.\n"); + break; } case CT_READ_AFTER_FREE: { @@ -462,7 +468,7 @@ static void lkdtm_do_action(enum ctype which) saw = base[offset]; if (saw != *val) { /* Good! Poisoning happened, so declare a win. */ - pr_info("Memory correctly poisoned, calling BUG\n"); + pr_info("Memory correctly poisoned (%x)\n", saw); BUG(); } pr_info("Memory was not poisoned\n"); @@ -480,6 +486,11 @@ static void lkdtm_do_action(enum ctype which) schedule(); pr_info("Attempting bad write to the buddy page after free\n"); memset((void *)p, 0x78, PAGE_SIZE); + /* Attempt to notice the overwrite. */ + p = __get_free_page(GFP_KERNEL); + free_page(p); + schedule(); + break; } case CT_READ_BUDDY_AFTER_FREE: { @@ -503,7 +514,7 @@ static void lkdtm_do_action(enum ctype which) saw = base[0]; if (saw != *val) { /* Good! Poisoning happened, so declare a win. */ - pr_info("Buddy page correctly poisoned, calling BUG\n"); + pr_info("Memory correctly poisoned (%x)\n", saw); BUG(); } pr_info("Buddy page was not poisoned\n");