Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Date:   Wed, 24 Apr 2019 13:24:51 +0100
From:   Mark Rutland <mark.rutland@arm.com>
To:     Weikang shi <swkhack@gmail.com>
Cc:     keescook@chromium.org, arnd@arndb.de, gregkh@linuxfoundation.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] lkdtm: fix potential use after free
Message-ID: <20190424122451.GC24502@lakrids.cambridge.arm.com>
References: <20190424102103.11816-1-swkhack@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190424102103.11816-1-swkhack@gmail.com>
User-Agent: Mutt/1.11.1+11 (2f07cb52) (2018-12-01)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Wed, Apr 24, 2019 at 06:21:03PM +0800, Weikang shi wrote:
> From: swkhack <swkhack@gmail.com>
> 
> The function lkdtm_WRITE_AFTER_FREE calls kfree(base) to free the memory
> of base. However, following kfree(base),
> it write the memory which base point to via base[offset] = 0x0abcdef0. This may result in a
> use-after-free bug. This patch moves kfree(base) after the write.

As with lkdtm_READ_AFTER_FREE, this is deliberate, and we should not
make this change.

Thanks,
Mark.

> 
> Signed-off-by: swkhack <swkhack@gmail.com>
> ---
>  drivers/misc/lkdtm/heap.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c
> index 65026d7de..0b9141525 100644
> --- a/drivers/misc/lkdtm/heap.c
> +++ b/drivers/misc/lkdtm/heap.c
> @@ -40,8 +40,8 @@ void lkdtm_WRITE_AFTER_FREE(void)
>  	pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
>  	pr_info("Attempting bad write to freed memory at %p\n",
>  		&base[offset]);
> -	kfree(base);
>  	base[offset] = 0x0abcdef0;
> +	kfree(base);
>  	/* Attempt to notice the overwrite. */
>  	again = kmalloc(len, GFP_KERNEL);
>  	kfree(again);
> -- 
> 2.17.1
>