In a similar manner to WRITE_AFTER_FREE, add a READ_AFTER_FREE test to test free poisoning features. Sample output when no poison is present:
[ 20.222501] lkdtm: Performing direct entry READ_AFTER_FREE
[ 20.226163] lkdtm: Freed val: 12345678
with poison:
[ 24.203748] lkdtm: Performing direct entry READ_AFTER_FREE
[ 24.207261] general protection fault: 0000 [#1] SMP
[ 24.208193] Modules linked in:
[ 24.208193] CPU: 0 PID: 866 Comm: sh Not tainted 4.4.0-rc5-work+ #108
Cc: Arnd Bergmann <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Laura Abbott <[email protected]>
---
 drivers/misc/lkdtm.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 11fdadc..c641fb7 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -92,6 +92,7 @@ enum ctype {
 CT_UNALIGNED_LOAD_STORE_WRITE,
 CT_OVERWRITE_ALLOCATION,
 CT_WRITE_AFTER_FREE,
+ CT_READ_AFTER_FREE,
 CT_SOFTLOCKUP,
 CT_HARDLOCKUP,
 CT_SPINLOCKUP,
@@ -129,6 +130,7 @@ static char* cp_type[] = {
 "UNALIGNED_LOAD_STORE_WRITE",
 "OVERWRITE_ALLOCATION",
 "WRITE_AFTER_FREE",
+ "READ_AFTER_FREE",
 "SOFTLOCKUP",
 "HARDLOCKUP",
 "SPINLOCKUP",
@@ -417,6 +419,33 @@ static void lkdtm_do_action(enum ctype which)
 memset(data, 0x78, len);
 break;
 }
+ case CT_READ_AFTER_FREE: {
+ int **base;
+ int *val, *tmp;
+
+ base = kmalloc(1024, GFP_KERNEL);
+ if (!base)
+ return;
+
+ val = kmalloc(1024, GFP_KERNEL);
+ if (!val)
+ return;
+
+ *val = 0x12345678;
+
+ /*
+ * Don't just use the first entry since that's where the
+ * freelist goes for the slab allocator
+ */
+ base[1] = val;
+ kfree(base);
+
+ tmp = base[1];
+ pr_info("Freed val: %x\n", *tmp);
+
+ kfree(val);
+ break;
+ }
 case CT_SOFTLOCKUP:
 preempt_disable();
 for (;;)
--
2.5.0
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
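Review bot: In the new CT_READ_AFTER_FREE case, the `if (!val) return;` path leaks `base`, which has already been allocated by then; release it first, e.g. `if (!val) { kfree(base); return; }`. The read `tmp = base[1];` after `kfree(base)` is the deliberate use-after-free under test, so a short comment there such as `/* intentional read of freed memory; with poisoning the dereference below is expected to fault */` would keep a later reader or a static analyser from "fixing" it. On a kernel without poisoning the test also dereferences whatever now occupies that slot, so the printed value is only meaningful if nothing reused the object in between, which may be worth stating in the same comment. lkdtm_do_action starts and ends outside this hunk.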

