On Wed, Apr 24, 2019 at 06:21:03PM +0800, Weikang shi wrote:
> From: swkhack <swkh...@gmail.com>
>
> The function lkdtm_WRITE_AFTER_FREE calls kfree(base) to free the memory
> of base. However, following kfree(base), it writes the memory which base
> points to via base[offset] = 0x0abcdef0. This may result in a
> use-after-free bug. This patch moves kfree(base) after the write.
As with lkdtm_READ_AFTER_FREE, this is deliberate, and we should not make this change.

Thanks,
Mark.

> > Signed-off-by: swkhack <swkh...@gmail.com> > --- > drivers/misc/lkdtm/heap.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c > index 65026d7de..0b9141525 100644 > --- a/drivers/misc/lkdtm/heap.c > +++ b/drivers/misc/lkdtm/heap.c > @@ -40,8 +40,8 @@ void lkdtm_WRITE_AFTER_FREE(void) > pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]); > pr_info("Attempting bad write to freed memory at %p\n", > &base[offset]); > - kfree(base); > base[offset] = 0x0abcdef0; > + kfree(base); > /* Attempt to notice the overwrite. */ > again = kmalloc(len, GFP_KERNEL); > kfree(again); > -- > 2.17.1 >
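Review bot: Moving `kfree(base)` after `base[offset] = 0x0abcdef0;` in this hunk removes the fault that lkdtm_WRITE_AFTER_FREE exists to inject. lkdtm is the kernel's crash-test module, and the unchanged context lines in the same hunk describe a write that is meant to land on freed memory: the `pr_info("Attempting bad write to freed memory at %p\n", ...)` message just above the change and the `/* Attempt to notice the overwrite. */` comment before the follow-up `kmalloc`/`kfree` pair. With the reordering, the message and comment no longer match the code, and the test can no longer exercise use-after-free detection (for example by a sanitizer or by noticing the overwrite on reallocation). The ordering is deliberate, as the reply notes for lkdtm_READ_AFTER_FREE, so the patch should be dropped rather than applied.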