heap.c source code [linux/drivers/misc/lkdtm/heap.c]

1	// SPDX-License-Identifier: GPL-2.0
2	/*
3	* This is for all the tests relating directly to heap memory, including
4	* page allocation and slab allocations.
5	*/
6	#include "lkdtm.h"
7	#include <linux/kfence.h>
8	#include <linux/slab.h>
9	#include <linux/vmalloc.h>
10	#include <linux/sched.h>
11
12	static struct kmem_cache *double_free_cache;
13	static struct kmem_cache *a_cache;
14	static struct kmem_cache *b_cache;
15
16	/*
17	* Using volatile here means the compiler cannot ever make assumptions
18	* about this value. This means compile-time length checks involving
19	* this variable cannot be performed; only run-time checks.
20	*/
21	static volatile int __offset = `1`;
22
23	/*
24	* If there aren't guard pages, it's likely that a consecutive allocation will
25	* let us overflow into the second allocation without overwriting something real.
26	*
27	* This should always be caught because there is an unconditional unmapped
28	* page after vmap allocations.
29	*/
30	static void lkdtm_VMALLOC_LINEAR_OVERFLOW(void)
31	{
32	char one, two;
33
34	one = vzalloc(PAGE_SIZE);
35	OPTIMIZER_HIDE_VAR(one);
36	two = vzalloc(PAGE_SIZE);
37
38	pr_info("Attempting vmalloc linear overflow ...\n");
39	memset(one, `0xAA`, PAGE_SIZE + __offset);
40
41	vfree(addr: two);
42	vfree(addr: one);
43	}
44
45	/*
46	* This tries to stay within the next largest power-of-2 kmalloc cache
47	* to avoid actually overwriting anything important if it's not detected
48	* correctly.
49	*
50	* This should get caught by either memory tagging, KASan, or by using
51	* CONFIG_SLUB_DEBUG=y and slab_debug=ZF (or CONFIG_SLUB_DEBUG_ON=y).
52	*/
53	static void lkdtm_SLAB_LINEAR_OVERFLOW(void)
54	{
55	size_t len = `1020`;
56	u32 *data = kmalloc(size: len, GFP_KERNEL);
57	if (!data)
58	return;
59
60	pr_info("Attempting slab linear overflow ...\n");
61	OPTIMIZER_HIDE_VAR(data);
62	data[`1024` / sizeof(u32)] = `0x12345678`;
63	kfree(objp: data);
64	}
65
66	static void lkdtm_WRITE_AFTER_FREE(void)
67	{
68	int base, again;
69	size_t len = `1024`;
70	/*
71	* The slub allocator uses the first word to store the free
72	* pointer in some configurations. Use the middle of the
73	* allocation to avoid running into the freelist
74	*/
75	size_t offset = (len / sizeof(*base)) / `2`;
76
77	base = kmalloc(size: len, GFP_KERNEL);
78	if (!base)
79	return;
80	pr_info("Allocated memory %p-%p\n", base, &base[offset * `2`]);
81	pr_info("Attempting bad write to freed memory at %p\n",
82	&base[offset]);
83	kfree(objp: base);
84	base[offset] = `0x0abcdef0`;
85	/ Attempt to notice the overwrite. /
86	again = kmalloc(size: len, GFP_KERNEL);
87	kfree(objp: again);
88	if (again != base)
89	pr_info("Hmm, didn't get the same memory range.\n");
90	}
91
92	static void lkdtm_READ_AFTER_FREE(void)
93	{
94	int base, val, saw;
95	size_t len = `1024`;
96	/*
97	* The slub allocator will use the either the first word or
98	* the middle of the allocation to store the free pointer,
99	* depending on configurations. Store in the second word to
100	* avoid running into the freelist.
101	*/
102	size_t offset = sizeof(*base);
103
104	base = kmalloc(size: len, GFP_KERNEL);
105	if (!base) {
106	pr_info("Unable to allocate base memory.\n");
107	return;
108	}
109
110	val = kmalloc(size: len, GFP_KERNEL);
111	if (!val) {
112	pr_info("Unable to allocate val memory.\n");
113	kfree(objp: base);
114	return;
115	}
116
117	*val = `0x12345678`;
118	base[offset] = *val;
119	pr_info("Value in memory before free: %x\n", base[offset]);
120
121	kfree(objp: base);
122
123	pr_info("Attempting bad read from freed memory\n");
124	saw = base[offset];
125	if (saw != *val) {
126	/ Good! Poisoning happened, so declare a win. /
127	pr_info("Memory correctly poisoned (%x)\n", saw);
128	} else {
129	pr_err("FAIL: Memory was not poisoned!\n");
130	pr_expected_config_param(CONFIG_INIT_ON_FREE_DEFAULT_ON, "init_on_free");
131	}
132
133	kfree(objp: val);
134	}
135
136	static void lkdtm_KFENCE_READ_AFTER_FREE(void)
137	{
138	int *base, val, saw;
139	unsigned long timeout, resched_after;
140	size_t len = `1024`;
141	/*
142	* The slub allocator will use the either the first word or
143	* the middle of the allocation to store the free pointer,
144	* depending on configurations. Store in the second word to
145	* avoid running into the freelist.
146	*/
147	size_t offset = sizeof(*base);
148
149	/*
150	* 100x the sample interval should be more than enough to ensure we get
151	* a KFENCE allocation eventually.
152	*/
153	timeout = jiffies + msecs_to_jiffies(m: `100` * kfence_sample_interval);
154	/*
155	* Especially for non-preemption kernels, ensure the allocation-gate
156	* timer can catch up: after @resched_after, every failed allocation
157	* attempt yields, to ensure the allocation-gate timer is scheduled.
158	*/
159	resched_after = jiffies + msecs_to_jiffies(m: kfence_sample_interval);
160	do {
161	base = kmalloc(size: len, GFP_KERNEL);
162	if (!base) {
163	pr_err("FAIL: Unable to allocate kfence memory!\n");
164	return;
165	}
166
167	if (is_kfence_address(addr: base)) {
168	val = `0x12345678`;
169	base[offset] = val;
170	pr_info("Value in memory before free: %x\n", base[offset]);
171
172	kfree(objp: base);
173
174	pr_info("Attempting bad read from freed memory\n");
175	saw = base[offset];
176	if (saw != val) {
177	/ Good! Poisoning happened, so declare a win. /
178	pr_info("Memory correctly poisoned (%x)\n", saw);
179	} else {
180	pr_err("FAIL: Memory was not poisoned!\n");
181	pr_expected_config_param(CONFIG_INIT_ON_FREE_DEFAULT_ON, "init_on_free");
182	}
183	return;
184	}
185
186	kfree(objp: base);
187	if (time_after(jiffies, resched_after))
188	cond_resched();
189	} while (time_before(jiffies, timeout));
190
191	pr_err("FAIL: kfence memory never allocated!\n");
192	}
193
194	static void lkdtm_WRITE_BUDDY_AFTER_FREE(void)
195	{
196	unsigned long p = __get_free_page(GFP_KERNEL);
197	if (!p) {
198	pr_info("Unable to allocate free page\n");
199	return;
200	}
201
202	pr_info("Writing to the buddy page before free\n");
203	memset((void *)p, `0x3`, PAGE_SIZE);
204	free_page(p);
205	schedule();
206	pr_info("Attempting bad write to the buddy page after free\n");
207	memset((void *)p, `0x78`, PAGE_SIZE);
208	/ Attempt to notice the overwrite. /
209	p = __get_free_page(GFP_KERNEL);
210	free_page(p);
211	schedule();
212	}
213
214	static void lkdtm_READ_BUDDY_AFTER_FREE(void)
215	{
216	unsigned long p = __get_free_page(GFP_KERNEL);
217	int saw, *val;
218	int *base;
219
220	if (!p) {
221	pr_info("Unable to allocate free page\n");
222	return;
223	}
224
225	val = kmalloc(size: `1024`, GFP_KERNEL);
226	if (!val) {
227	pr_info("Unable to allocate val memory.\n");
228	free_page(p);
229	return;
230	}
231
232	base = (int *)p;
233
234	*val = `0x12345678`;
235	base[`0`] = *val;
236	pr_info("Value in memory before free: %x\n", base[`0`]);
237	free_page(p);
238	pr_info("Attempting to read from freed memory\n");
239	saw = base[`0`];
240	if (saw != *val) {
241	/ Good! Poisoning happened, so declare a win. /
242	pr_info("Memory correctly poisoned (%x)\n", saw);
243	} else {
244	pr_err("FAIL: Buddy page was not poisoned!\n");
245	pr_expected_config_param(CONFIG_INIT_ON_FREE_DEFAULT_ON, "init_on_free");
246	}
247
248	kfree(objp: val);
249	}
250
251	static void lkdtm_SLAB_INIT_ON_ALLOC(void)
252	{
253	u8 *first;
254	u8 *val;
255
256	first = kmalloc(size: `512`, GFP_KERNEL);
257	if (!first) {
258	pr_info("Unable to allocate 512 bytes the first time.\n");
259	return;
260	}
261
262	memset(first, `0xAB`, `512`);
263	kfree(objp: first);
264
265	val = kmalloc(size: `512`, GFP_KERNEL);
266	if (!val) {
267	pr_info("Unable to allocate 512 bytes the second time.\n");
268	return;
269	}
270	if (val != first) {
271	pr_warn("Reallocation missed clobbered memory.\n");
272	}
273
274	if (memchr(p: val, c: `0xAB`, size: `512`) == NULL) {
275	pr_info("Memory appears initialized (%x, no earlier values)\n", *val);
276	} else {
277	pr_err("FAIL: Slab was not initialized\n");
278	pr_expected_config_param(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, "init_on_alloc");
279	}
280	kfree(objp: val);
281	}
282
283	static void lkdtm_BUDDY_INIT_ON_ALLOC(void)
284	{
285	u8 *first;
286	u8 *val;
287
288	first = (u8 *)__get_free_page(GFP_KERNEL);
289	if (!first) {
290	pr_info("Unable to allocate first free page\n");
291	return;
292	}
293
294	memset(first, `0xAB`, PAGE_SIZE);
295	free_page((unsigned long)first);
296
297	val = (u8 *)__get_free_page(GFP_KERNEL);
298	if (!val) {
299	pr_info("Unable to allocate second free page\n");
300	return;
301	}
302
303	if (val != first) {
304	pr_warn("Reallocation missed clobbered memory.\n");
305	}
306
307	if (memchr(p: val, c: `0xAB`, PAGE_SIZE) == NULL) {
308	pr_info("Memory appears initialized (%x, no earlier values)\n", *val);
309	} else {
310	pr_err("FAIL: Slab was not initialized\n");
311	pr_expected_config_param(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, "init_on_alloc");
312	}
313	free_page((unsigned long)val);
314	}
315
316	static void lkdtm_SLAB_FREE_DOUBLE(void)
317	{
318	int *val;
319
320	val = kmem_cache_alloc(cachep: double_free_cache, GFP_KERNEL);
321	if (!val) {
322	pr_info("Unable to allocate double_free_cache memory.\n");
323	return;
324	}
325
326	/ Just make sure we got real memory. /
327	*val = `0x12345678`;
328	pr_info("Attempting double slab free ...\n");
329	kmem_cache_free(s: double_free_cache, objp: val);
330	kmem_cache_free(s: double_free_cache, objp: val);
331	}
332
333	static void lkdtm_SLAB_FREE_CROSS(void)
334	{
335	int *val;
336
337	val = kmem_cache_alloc(cachep: a_cache, GFP_KERNEL);
338	if (!val) {
339	pr_info("Unable to allocate a_cache memory.\n");
340	return;
341	}
342
343	/ Just make sure we got real memory. /
344	*val = `0x12345679`;
345	pr_info("Attempting cross-cache slab free ...\n");
346	kmem_cache_free(s: b_cache, objp: val);
347	}
348
349	static void lkdtm_SLAB_FREE_PAGE(void)
350	{
351	unsigned long p = __get_free_page(GFP_KERNEL);
352
353	pr_info("Attempting non-Slab slab free ...\n");
354	kmem_cache_free(NULL, objp: (void *)p);
355	free_page(p);
356	}
357
358	/*
359	* We have constructors to keep the caches distinctly separated without
360	* needing to boot with "slab_nomerge".
361	*/
362	static void ctor_double_free(void *region)
363	{ }
364	static void ctor_a(void *region)
365	{ }
366	static void ctor_b(void *region)
367	{ }
368
369	void __init lkdtm_heap_init(void)
370	{
371	double_free_cache = kmem_cache_create(name: "lkdtm-heap-double_free",
372	size: `64`, align: `0`, flags: `0`, ctor: ctor_double_free);
373	a_cache = kmem_cache_create(name: "lkdtm-heap-a", size: `64`, align: `0`, flags: `0`, ctor: ctor_a);
374	b_cache = kmem_cache_create(name: "lkdtm-heap-b", size: `64`, align: `0`, flags: `0`, ctor: ctor_b);
375	}
376
377	void __exit lkdtm_heap_exit(void)
378	{
379	kmem_cache_destroy(s: double_free_cache);
380	kmem_cache_destroy(s: a_cache);
381	kmem_cache_destroy(s: b_cache);
382	}
383
384	static struct crashtype crashtypes[] = {
385	CRASHTYPE(SLAB_LINEAR_OVERFLOW),
386	CRASHTYPE(VMALLOC_LINEAR_OVERFLOW),
387	CRASHTYPE(WRITE_AFTER_FREE),
388	CRASHTYPE(READ_AFTER_FREE),
389	CRASHTYPE(KFENCE_READ_AFTER_FREE),
390	CRASHTYPE(WRITE_BUDDY_AFTER_FREE),
391	CRASHTYPE(READ_BUDDY_AFTER_FREE),
392	CRASHTYPE(SLAB_INIT_ON_ALLOC),
393	CRASHTYPE(BUDDY_INIT_ON_ALLOC),
394	CRASHTYPE(SLAB_FREE_DOUBLE),
395	CRASHTYPE(SLAB_FREE_CROSS),
396	CRASHTYPE(SLAB_FREE_PAGE),
397	};
398
399	struct crashtype_category heap_crashtypes = {
400	.crashtypes = crashtypes,
401	.len = ARRAY_SIZE(crashtypes),
402	};
403

source code of linux/drivers/misc/lkdtm/heap.c