Subject: Re: [PATCHv2] lkdtm: Add READ_AFTER_FREE test
From: Kees Cook
To: Laura Abbott
Cc: Greg Kroah-Hartman, Arnd Bergmann, "kernel-hardening@lists.openwall.com", LKML
Date: Fri, 19 Feb 2016 11:12:42 -0800
In-Reply-To: <1455844533-24787-1-git-send-email-labbott@fedoraproject.org>
References: <1455844533-24787-1-git-send-email-labbott@fedoraproject.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 18, 2016 at 5:15 PM, Laura Abbott wrote:
>
> In a similar manner to WRITE_AFTER_FREE, add a READ_AFTER_FREE
> test to test free poisoning features. Sample output when
> no sanitization is present:
>
> [ 22.414170] lkdtm: Performing direct entry READ_AFTER_FREE
> [ 22.415124] lkdtm: Value in memory before free: 12345678
> [ 22.415900] lkdtm: Attempting to read from freed memory
> [ 22.416394] lkdtm: Successfully read value: 12345678
>
> with sanitization:
>
> [ 25.874585] lkdtm: Performing direct entry READ_AFTER_FREE
> [ 25.875527] lkdtm: Value in memory before free: 12345678
> [ 25.876382] lkdtm: Attempting to read from freed memory
> [ 25.876900] general protection fault: 0000 [#1] SMP
> > Signed-off-by: Laura Abbott Excellent! Could you mention in the changelog which CONFIG (or runtime values) will change the lkdtm test? (I thought there was a poisoning style that would result in a zero-read instead of a GP?) -Kees > --- > I split this out from the previous series > (http://article.gmane.org/gmane.linux.kernel.mm/143486) since > that series is going to be going in more incrementally. > Having the test in sooner than later will be helpful I think > > v2: Tweaked the output text to be clearer about what's going on. > Switched to using the middle of an allocated block instead of the beginning. > --- > drivers/misc/lkdtm.c | 34 ++++++++++++++++++++++++++++++++++ > 1 file changed, 34 insertions(+) > > diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c > index 11fdadc..24d0ac7 100644 > --- a/drivers/misc/lkdtm.c > +++ b/drivers/misc/lkdtm.c > @@ -92,6 +92,7 @@ enum ctype { > CT_UNALIGNED_LOAD_STORE_WRITE, > CT_OVERWRITE_ALLOCATION, > CT_WRITE_AFTER_FREE, > + CT_READ_AFTER_FREE, > CT_SOFTLOCKUP, > CT_HARDLOCKUP, > CT_SPINLOCKUP, > @@ -129,6 +130,7 @@ static char* cp_type[] = { > "UNALIGNED_LOAD_STORE_WRITE", > "OVERWRITE_ALLOCATION", > "WRITE_AFTER_FREE", > + "READ_AFTER_FREE", > "SOFTLOCKUP", > "HARDLOCKUP", > "SPINLOCKUP", 
> @@ -417,6 +419,38 @@ static void lkdtm_do_action(enum ctype which) > memset(data, 0x78, len); > break; > } > + case CT_READ_AFTER_FREE: { > + int **base; > + int *val, *tmp; > + size_t len = 1024; > + /* > + * The slub allocator uses the first word to store the free > + * pointer in some configurations. Use the middle of the > + * allocation to avoid running into the freelist > + */ > + size_t offset = (len/sizeof(int *))/2; > + > + base = kmalloc(len, GFP_KERNEL); > + if (!base) > + return; > + > + val = kmalloc(len, GFP_KERNEL); > + if (!val) > + return; > + > + *val = 0x12345678; > + pr_info("Value in memory before free: %x\n", *val); > + > + base[offset] = val; > + kfree(base); > + > + tmp = base[offset]; > + pr_info("Attempting to read from freed memory"); > + pr_info("Successfully read value: %x\n", *tmp); > + > + kfree(val); > + break; > + } > case CT_SOFTLOCKUP: > preempt_disable(); > for (;;) > -- > 2.5.0 > -- Kees Cook Chrome OS & Brillo Security
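Review bot: In the lkdtm_do_action() hunk, the `if (!val) return;` branch leaks `base`, which was just allocated; add `kfree(base);` before that `return;` so a failed second allocation does not leave the first one dangling. Two smaller points in the same hunk: `pr_info("Attempting to read from freed memory");` is the only pr_info() in the block without a trailing "\n", so it should get one to match its neighbours and avoid the message being run together with the next line; and, picking up Kees's question, the changelog should name which free-poisoning CONFIG or runtime option produces each of the two sample outputs, since the test's outcome depends entirely on whether `base[offset]` still holds the pointer to `val` after kfree(base) (a poison pattern gives the general protection fault shown, an intact pointer gives the "Successfully read value" line, and a poison that zeroes the slot would instead make `tmp` NULL before the `*tmp` read).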