| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190424122451.GC24502@lakrids.cambridge.arm.com>
Date: Wed, 24 Apr 2019 13:24:51 +0100
From: Mark Rutland <mark.rutland@....com>
To: Weikang shi <swkhack@...il.com>
Cc: keescook@...omium.org, arnd@...db.de, gregkh@...uxfoundation.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] lkdtm: fix potential use after free
On Wed, Apr 24, 2019 at 06:21:03PM +0800, Weikang shi wrote:
> From: swkhack <swkhack@...il.com>
>
> The function lkdtm_WRITE_AFTER_FREE calls kfree(base) to free the memory
> of base. However, following kfree(base),
> it write the memory which base point to via base[offset] = 0x0abcdef0. This may result in a
> use-after-free bug. This patch moves kfree(base) after the write.
As with lkdtm_READ_AFTER_FREE, this is deliberate, and we should not
make this change.
Thanks,
Mark.
>
> Signed-off-by: swkhack <swkhack@...il.com>
> ---
> drivers/misc/lkdtm/heap.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c
> index 65026d7de..0b9141525 100644
> --- a/drivers/misc/lkdtm/heap.c
> +++ b/drivers/misc/lkdtm/heap.c
> @@ -40,8 +40,8 @@ void lkdtm_WRITE_AFTER_FREE(void)
> pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
> pr_info("Attempting bad write to freed memory at %p\n",
> &base[offset]);
> - kfree(base);
> base[offset] = 0x0abcdef0;
> + kfree(base);
> /* Attempt to notice the overwrite. */
> again = kmalloc(len, GFP_KERNEL);
> kfree(again);
> --
> 2.17.1
>
Powered by blists - more mailing lists