diff options
author | Kees Cook <keescook@chromium.org> | 2016-06-26 21:45:23 -0700 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2016-07-07 11:09:22 -0700 |
commit | ffc514f3fcac4aa76735ada55228c814153943e6 (patch) | |
tree | 15dd5a13d7a068dca8671751170768e603e9d633 /drivers/misc/lkdtm_core.c | |
parent | 0d9eb29b13f0e326c4e19b85d3a4ac46e335e6d2 (diff) | |
download | linux-ffc514f3fcac4aa76735ada55228c814153943e6.tar.bz2 |
lkdtm: split heap corruption tests to separate file
This splits the *_AFTER_FREE and related tests into the new lkdtm_heap.c
file to help separate things better for readability.
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'drivers/misc/lkdtm_core.c')
-rw-r--r-- | drivers/misc/lkdtm_core.c | 124 |
1 files changed, 10 insertions, 114 deletions
diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index 0b3e3770068a..1c5056c286c5 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c @@ -384,125 +384,21 @@ static void lkdtm_do_action(enum ctype which) *p = val; break; } - case CT_OVERWRITE_ALLOCATION: { - size_t len = 1020; - u32 *data = kmalloc(len, GFP_KERNEL); - - data[1024 / sizeof(u32)] = 0x12345678; - kfree(data); + case CT_OVERWRITE_ALLOCATION: + lkdtm_OVERWRITE_ALLOCATION(); break; - } - case CT_WRITE_AFTER_FREE: { - int *base, *again; - size_t len = 1024; - /* - * The slub allocator uses the first word to store the free - * pointer in some configurations. Use the middle of the - * allocation to avoid running into the freelist - */ - size_t offset = (len / sizeof(*base)) / 2; - - base = kmalloc(len, GFP_KERNEL); - pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]); - pr_info("Attempting bad write to freed memory at %p\n", - &base[offset]); - kfree(base); - base[offset] = 0x0abcdef0; - /* Attempt to notice the overwrite. */ - again = kmalloc(len, GFP_KERNEL); - kfree(again); - if (again != base) - pr_info("Hmm, didn't get the same memory range.\n"); - + case CT_WRITE_AFTER_FREE: + lkdtm_WRITE_AFTER_FREE(); break; - } - case CT_READ_AFTER_FREE: { - int *base, *val, saw; - size_t len = 1024; - /* - * The slub allocator uses the first word to store the free - * pointer in some configurations. Use the middle of the - * allocation to avoid running into the freelist - */ - size_t offset = (len / sizeof(*base)) / 2; - - base = kmalloc(len, GFP_KERNEL); - if (!base) - break; - - val = kmalloc(len, GFP_KERNEL); - if (!val) { - kfree(base); - break; - } - - *val = 0x12345678; - base[offset] = *val; - pr_info("Value in memory before free: %x\n", base[offset]); - - kfree(base); - - pr_info("Attempting bad read from freed memory\n"); - saw = base[offset]; - if (saw != *val) { - /* Good! Poisoning happened, so declare a win. */ - pr_info("Memory correctly poisoned (%x)\n", saw); - BUG(); - } - pr_info("Memory was not poisoned\n"); - - kfree(val); + case CT_READ_AFTER_FREE: + lkdtm_READ_AFTER_FREE(); break; - } - case CT_WRITE_BUDDY_AFTER_FREE: { - unsigned long p = __get_free_page(GFP_KERNEL); - if (!p) - break; - pr_info("Writing to the buddy page before free\n"); - memset((void *)p, 0x3, PAGE_SIZE); - free_page(p); - schedule(); - pr_info("Attempting bad write to the buddy page after free\n"); - memset((void *)p, 0x78, PAGE_SIZE); - /* Attempt to notice the overwrite. */ - p = __get_free_page(GFP_KERNEL); - free_page(p); - schedule(); - + case CT_WRITE_BUDDY_AFTER_FREE: + lkdtm_WRITE_BUDDY_AFTER_FREE(); break; - } - case CT_READ_BUDDY_AFTER_FREE: { - unsigned long p = __get_free_page(GFP_KERNEL); - int saw, *val; - int *base; - - if (!p) - break; - - val = kmalloc(1024, GFP_KERNEL); - if (!val) { - free_page(p); - break; - } - - base = (int *)p; - - *val = 0x12345678; - base[0] = *val; - pr_info("Value in memory before free: %x\n", base[0]); - free_page(p); - pr_info("Attempting to read from freed memory\n"); - saw = base[0]; - if (saw != *val) { - /* Good! Poisoning happened, so declare a win. */ - pr_info("Memory correctly poisoned (%x)\n", saw); - BUG(); - } - pr_info("Buddy page was not poisoned\n"); - - kfree(val); + case CT_READ_BUDDY_AFTER_FREE: + lkdtm_READ_BUDDY_AFTER_FREE(); break; - } case CT_SOFTLOCKUP: preempt_disable(); for (;;) |