2021-10-22 01:33:50

by David Yang

Subject: [PATCH lkdtm] lkdtm: Fix reference preceded by free

From: Yang Guang <[email protected]>

The coccinelle check report:
./drivers/misc/lkdtm/heap.c:115:7-11:
ERROR: reference preceded by free on line 112
Moving the "kfree(base)" after using place to fix it.

Reported-by: Zeal Robot <[email protected]>
Signed-off-by: Yang Guang <[email protected]>
---
drivers/misc/lkdtm/heap.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c
index 8a92f5a800fa..4c6341e7bdca 100644
--- a/drivers/misc/lkdtm/heap.c
+++ b/drivers/misc/lkdtm/heap.c
@@ -109,8 +109,6 @@ void lkdtm_READ_AFTER_FREE(void)
base[offset] = *val;
pr_info("Value in memory before free: %x\n", base[offset]);

- kfree(base);
-
pr_info("Attempting bad read from freed memory\n");
saw = base[offset];
if (saw != *val) {
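Review bot: removing kfree(base) ahead of `saw = base[offset]` turns the read announced by "Attempting bad read from freed memory" into a read of a live allocation, so lkdtm_READ_AFTER_FREE no longer performs the read after free that its name and its own log message promise. The Coccinelle report is accurate, but it describes behaviour this function exists to trigger; the free should stay where it is and the change be dropped.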
@@ -121,6 +119,7 @@ void lkdtm_READ_AFTER_FREE(void)
pr_expected_config_param(CONFIG_INIT_ON_FREE_DEFAULT_ON, "init_on_free");
}

+ kfree(base);
kfree(val);
}
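Review bot: with kfree(base) placed here, just before kfree(val), nothing frees base between the write `base[offset] = *val` and the read into saw, so the `saw != *val` comparison should always come out the same way. The test can then no longer tell whether freed memory was cleared, which is what the init_on_free hint in pr_expected_config_param(CONFIG_INIT_ON_FREE_DEFAULT_ON, "init_on_free") refers to. Keep the free ahead of the read.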

--
2.30.2


2021-10-22 03:41:46

by Kees Cook

Subject: Re: [PATCH lkdtm] lkdtm: Fix reference preceded by free

On Fri, Oct 22, 2021 at 09:38:59AM +0800, David Yang wrote:
> > From: Yang Guang <[email protected]>
> >
> > The coccinelle check report:
> > ./drivers/misc/lkdtm/heap.c:115:7-11:
> > ERROR: reference preceded by free on line 112
> > Moving the "kfree(base)" after using place to fix it.
> >
> > Reported-by: Zeal Robot <[email protected]>
> > Signed-off-by: Yang Guang <[email protected]>
>
> Please ignore this patch. Thanks.

Heh, no worries. It's nice to know that the Coccinelle checks are
finding broken things, though! :) (It's just that LKDTM is intentionally
broken.) ;)

--
Kees Cook

2021-10-22 03:41:57

by He Ying

Subject: Re: [PATCH lkdtm] lkdtm: Fix reference preceded by free


On 2021/10/22 9:28, [email protected] wrote:
> From: Yang Guang <[email protected]>
>
> The coccinelle check report:
> ./drivers/misc/lkdtm/heap.c:115:7-11:
> ERROR: reference preceded by free on line 112
> Moving the "kfree(base)" after using place to fix it.

Look at the name of the function "lkdtm_READ_AFTER_FREE". It's meant to
use after free to test something.

>
> Reported-by: Zeal Robot <[email protected]>
> Signed-off-by: Yang Guang <[email protected]>
> ---
> drivers/misc/lkdtm/heap.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c
> index 8a92f5a800fa..4c6341e7bdca 100644
> --- a/drivers/misc/lkdtm/heap.c
> +++ b/drivers/misc/lkdtm/heap.c
> @@ -109,8 +109,6 @@ void lkdtm_READ_AFTER_FREE(void)
> base[offset] = *val;
> pr_info("Value in memory before free: %x\n", base[offset]);
>
> - kfree(base);
> -
> pr_info("Attempting bad read from freed memory\n");
> saw = base[offset];
> if (saw != *val) {
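Review bot: the lines around the removed kfree(base) carry no comment saying that the following read of base[offset] is deliberate, which is how a "reference preceded by free" report ends up as a patch. Rather than moving the free, a one-line comment above it stating that the use after free is the point of the test would save the next reader of the checker output the same round trip.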
> @@ -121,6 +119,7 @@ void lkdtm_READ_AFTER_FREE(void)
> pr_expected_config_param(CONFIG_INIT_ON_FREE_DEFAULT_ON, "init_on_free");
> }
>
> + kfree(base);
> kfree(val);
> }
>