On Wed, Apr 24, 2019 at 06:21:03PM +0800, Weikang shi wrote:
> From: swkhack <swkh...@gmail.com>
>
> The function lkdtm_WRITE_AFTER_FREE calls kfree(base) to free the memory
> of base. However, following kfree(base),
> it write the memory which base point to via base[offset] = 0x0abcdef0. This
> may result in a
> use-after-free bug. This patch moves kfree(base) after the write.
As with lkdtm_READ_AFTER_FREE, this is deliberate, and we should not
make this change.
Thanks,
Mark.
>
> Signed-off-by: swkhack <swkh...@gmail.com>
> ---
> drivers/misc/lkdtm/heap.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c
> index 65026d7de..0b9141525 100644
> --- a/drivers/misc/lkdtm/heap.c
> +++ b/drivers/misc/lkdtm/heap.c
> @@ -40,8 +40,8 @@ void lkdtm_WRITE_AFTER_FREE(void)
> pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
> pr_info("Attempting bad write to freed memory at %p\n",
> &base[offset]);
> - kfree(base);
> base[offset] = 0x0abcdef0;
> + kfree(base);
> /* Attempt to notice the overwrite. */
> again = kmalloc(len, GFP_KERNEL);
> kfree(again);
> --
> 2.17.1
>
