| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Apr 2019 18:21:03 +0800
From: Weikang shi <swkhack@...il.com>
To: keescook@...omium.org
Cc: arnd@...db.de, gregkh@...uxfoundation.org,
linux-kernel@...r.kernel.org, swkhack <swkhack@...il.com>
Subject: [PATCH] lkdtm: fix potential use after free
From: swkhack <swkhack@...il.com>
The function lkdtm_WRITE_AFTER_FREE calls kfree(base) to free the memory
of base. However, following kfree(base),
it write the memory which base point to via base[offset] = 0x0abcdef0. This may result in a
use-after-free bug. This patch moves kfree(base) after the write.
Signed-off-by: swkhack <swkhack@...il.com>
---
drivers/misc/lkdtm/heap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c
index 65026d7de..0b9141525 100644
--- a/drivers/misc/lkdtm/heap.c
+++ b/drivers/misc/lkdtm/heap.c
@@ -40,8 +40,8 @@ void lkdtm_WRITE_AFTER_FREE(void)
pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
pr_info("Attempting bad write to freed memory at %p\n",
&base[offset]);
- kfree(base);
base[offset] = 0x0abcdef0;
+ kfree(base);
/* Attempt to notice the overwrite. */
again = kmalloc(len, GFP_KERNEL);
kfree(again);
--
2.17.1
Powered by blists - more mailing lists