lkdtm: Add READ_AFTER_FREE test

author Laura Abbott <labbott@fedoraproject.org>

Fri, 26 Feb 2016 00:36:42 +0000 (16:36 -0800)

committer Kees Cook <keescook@chromium.org>

Tue, 1 Mar 2016 22:29:13 +0000 (14:29 -0800)
author Laura Abbott <labbott@fedoraproject.org>
Fri, 26 Feb 2016 00:36:42 +0000 (16:36 -0800)
committer Kees Cook <keescook@chromium.org>
Tue, 1 Mar 2016 22:29:13 +0000 (14:29 -0800)
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c

index 11fdadc..8de4746 100644 (file)
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -92,6 +92,7 @@ enum ctype {
         CT_UNALIGNED_LOAD_STORE_WRITE,
         CT_OVERWRITE_ALLOCATION,
         CT_WRITE_AFTER_FREE,
+       CT_READ_AFTER_FREE,
         CT_SOFTLOCKUP,
         CT_HARDLOCKUP,
         CT_SPINLOCKUP,
@@ -129,6 +130,7 @@ static char* cp_type[] = {
         "UNALIGNED_LOAD_STORE_WRITE",
         "OVERWRITE_ALLOCATION",
         "WRITE_AFTER_FREE",
+       "READ_AFTER_FREE",
         "SOFTLOCKUP",
         "HARDLOCKUP",
         "SPINLOCKUP",
@@ -417,6 +419,42 @@ static void lkdtm_do_action(enum ctype which)
                 memset(data, 0x78, len);
                 break;
         }
+       case CT_READ_AFTER_FREE: {
+               int *base, *val, saw;
+               size_t len = 1024;
+               /*
+                * The slub allocator uses the first word to store the free
+                * pointer in some configurations. Use the middle of the
+                * allocation to avoid running into the freelist
+                */
+               size_t offset = (len / sizeof(*base)) / 2;
+
+               base = kmalloc(len, GFP_KERNEL);
+               if (!base)
+                       break;
+
+               val = kmalloc(len, GFP_KERNEL);
+               if (!val)
+                       break;
+
+               *val = 0x12345678;
+               base[offset] = *val;
+               pr_info("Value in memory before free: %x\n", base[offset]);
+
+               kfree(base);
+
+               pr_info("Attempting bad read from freed memory\n");
+               saw = base[offset];
+               if (saw != *val) {
+                       /* Good! Poisoning happened, so declare a win. */
+                       pr_info("Memory correctly poisoned, calling BUG\n");
+                       BUG();
+               }
+               pr_info("Memory was not poisoned\n");
+
+               kfree(val);
+               break;
+       }
         case CT_SOFTLOCKUP:
                 preempt_disable();
                 for (;;)
author	Laura Abbott <labbott@fedoraproject.org>
	Fri, 26 Feb 2016 00:36:42 +0000 (16:36 -0800)
committer	Kees Cook <keescook@chromium.org>
	Tue, 1 Mar 2016 22:29:13 +0000 (14:29 -0800)