xref: /linux/drivers/misc/lkdtm/heap.c (revision 8e07e0e3964ca4e23ce7b68e2096fe660a888942) 
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * This is for all the tests relating directly to heap memory, including
4  * page allocation and slab allocations.
5  */
6 #include "lkdtm.h"
7 #include <linux/slab.h>
8 #include <linux/vmalloc.h>
9 #include <linux/sched.h>
10 
11 static struct kmem_cache *double_free_cache;
12 static struct kmem_cache *a_cache;
13 static struct kmem_cache *b_cache;
14 
15 /*
16  * Using volatile here means the compiler cannot ever make assumptions
17  * about this value. This means compile-time length checks involving
18  * this variable cannot be performed; only run-time checks.
19  */
20 static volatile int __offset = 1;
21 
22 /*
23  * If there aren't guard pages, it's likely that a consecutive allocation will
24  * let us overflow into the second allocation without overwriting something real.
25  *
26  * This should always be caught because there is an unconditional unmapped
27  * page after vmap allocations.
28  */
29 static void lkdtm_VMALLOC_LINEAR_OVERFLOW(void)
30 {
31 	char *one, *two;
32 
33 	one = vzalloc(PAGE_SIZE);
34 	OPTIMIZER_HIDE_VAR(one);
35 	two = vzalloc(PAGE_SIZE);
36 
37 	pr_info("Attempting vmalloc linear overflow ...\n");
38 	memset(one, 0xAA, PAGE_SIZE + __offset);
39 
40 	vfree(two);
41 	vfree(one);
42 }
43 
44 /*
45  * This tries to stay within the next largest power-of-2 kmalloc cache
46  * to avoid actually overwriting anything important if it's not detected
47  * correctly.
48  *
49  * This should get caught by either memory tagging, KASan, or by using
50  * CONFIG_SLUB_DEBUG=y and slub_debug=ZF (or CONFIG_SLUB_DEBUG_ON=y).
51  */
52 static void lkdtm_SLAB_LINEAR_OVERFLOW(void)
53 {
54 	size_t len = 1020;
55 	u32 *data = kmalloc(len, GFP_KERNEL);
56 	if (!data)
57 		return;
58 
59 	pr_info("Attempting slab linear overflow ...\n");
60 	OPTIMIZER_HIDE_VAR(data);
61 	data[1024 / sizeof(u32)] = 0x12345678;
62 	kfree(data);
63 }
64 
65 static void lkdtm_WRITE_AFTER_FREE(void)
66 {
67 	int *base, *again;
68 	size_t len = 1024;
69 	/*
70 	 * The slub allocator uses the first word to store the free
71 	 * pointer in some configurations. Use the middle of the
72 	 * allocation to avoid running into the freelist
73 	 */
74 	size_t offset = (len / sizeof(*base)) / 2;
75 
76 	base = kmalloc(len, GFP_KERNEL);
77 	if (!base)
78 		return;
79 	pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
80 	pr_info("Attempting bad write to freed memory at %p\n",
81 		&base[offset]);
82 	kfree(base);
83 	base[offset] = 0x0abcdef0;
84 	/* Attempt to notice the overwrite. */
85 	again = kmalloc(len, GFP_KERNEL);
86 	kfree(again);
87 	if (again != base)
88 		pr_info("Hmm, didn't get the same memory range.\n");
89 }
90 
91 static void lkdtm_READ_AFTER_FREE(void)
92 {
93 	int *base, *val, saw;
94 	size_t len = 1024;
95 	/*
96 	 * The slub allocator will use the either the first word or
97 	 * the middle of the allocation to store the free pointer,
98 	 * depending on configurations. Store in the second word to
99 	 * avoid running into the freelist.
100 	 */
101 	size_t offset = sizeof(*base);
102 
103 	base = kmalloc(len, GFP_KERNEL);
104 	if (!base) {
105 		pr_info("Unable to allocate base memory.\n");
106 		return;
107 	}
108 
109 	val = kmalloc(len, GFP_KERNEL);
110 	if (!val) {
111 		pr_info("Unable to allocate val memory.\n");
112 		kfree(base);
113 		return;
114 	}
115 
116 	*val = 0x12345678;
117 	base[offset] = *val;
118 	pr_info("Value in memory before free: %x\n", base[offset]);
119 
120 	kfree(base);
121 
122 	pr_info("Attempting bad read from freed memory\n");
123 	saw = base[offset];
124 	if (saw != *val) {
125 		/* Good! Poisoning happened, so declare a win. */
126 		pr_info("Memory correctly poisoned (%x)\n", saw);
127 	} else {
128 		pr_err("FAIL: Memory was not poisoned!\n");
129 		pr_expected_config_param(CONFIG_INIT_ON_FREE_DEFAULT_ON, "init_on_free");
130 	}
131 
132 	kfree(val);
133 }
134 
135 static void lkdtm_WRITE_BUDDY_AFTER_FREE(void)
136 {
137 	unsigned long p = __get_free_page(GFP_KERNEL);
138 	if (!p) {
139 		pr_info("Unable to allocate free page\n");
140 		return;
141 	}
142 
143 	pr_info("Writing to the buddy page before free\n");
144 	memset((void *)p, 0x3, PAGE_SIZE);
145 	free_page(p);
146 	schedule();
147 	pr_info("Attempting bad write to the buddy page after free\n");
148 	memset((void *)p, 0x78, PAGE_SIZE);
149 	/* Attempt to notice the overwrite. */
150 	p = __get_free_page(GFP_KERNEL);
151 	free_page(p);
152 	schedule();
153 }
154 
155 static void lkdtm_READ_BUDDY_AFTER_FREE(void)
156 {
157 	unsigned long p = __get_free_page(GFP_KERNEL);
158 	int saw, *val;
159 	int *base;
160 
161 	if (!p) {
162 		pr_info("Unable to allocate free page\n");
163 		return;
164 	}
165 
166 	val = kmalloc(1024, GFP_KERNEL);
167 	if (!val) {
168 		pr_info("Unable to allocate val memory.\n");
169 		free_page(p);
170 		return;
171 	}
172 
173 	base = (int *)p;
174 
175 	*val = 0x12345678;
176 	base[0] = *val;
177 	pr_info("Value in memory before free: %x\n", base[0]);
178 	free_page(p);
179 	pr_info("Attempting to read from freed memory\n");
180 	saw = base[0];
181 	if (saw != *val) {
182 		/* Good! Poisoning happened, so declare a win. */
183 		pr_info("Memory correctly poisoned (%x)\n", saw);
184 	} else {
185 		pr_err("FAIL: Buddy page was not poisoned!\n");
186 		pr_expected_config_param(CONFIG_INIT_ON_FREE_DEFAULT_ON, "init_on_free");
187 	}
188 
189 	kfree(val);
190 }
191 
192 static void lkdtm_SLAB_INIT_ON_ALLOC(void)
193 {
194 	u8 *first;
195 	u8 *val;
196 
197 	first = kmalloc(512, GFP_KERNEL);
198 	if (!first) {
199 		pr_info("Unable to allocate 512 bytes the first time.\n");
200 		return;
201 	}
202 
203 	memset(first, 0xAB, 512);
204 	kfree(first);
205 
206 	val = kmalloc(512, GFP_KERNEL);
207 	if (!val) {
208 		pr_info("Unable to allocate 512 bytes the second time.\n");
209 		return;
210 	}
211 	if (val != first) {
212 		pr_warn("Reallocation missed clobbered memory.\n");
213 	}
214 
215 	if (memchr(val, 0xAB, 512) == NULL) {
216 		pr_info("Memory appears initialized (%x, no earlier values)\n", *val);
217 	} else {
218 		pr_err("FAIL: Slab was not initialized\n");
219 		pr_expected_config_param(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, "init_on_alloc");
220 	}
221 	kfree(val);
222 }
223 
224 static void lkdtm_BUDDY_INIT_ON_ALLOC(void)
225 {
226 	u8 *first;
227 	u8 *val;
228 
229 	first = (u8 *)__get_free_page(GFP_KERNEL);
230 	if (!first) {
231 		pr_info("Unable to allocate first free page\n");
232 		return;
233 	}
234 
235 	memset(first, 0xAB, PAGE_SIZE);
236 	free_page((unsigned long)first);
237 
238 	val = (u8 *)__get_free_page(GFP_KERNEL);
239 	if (!val) {
240 		pr_info("Unable to allocate second free page\n");
241 		return;
242 	}
243 
244 	if (val != first) {
245 		pr_warn("Reallocation missed clobbered memory.\n");
246 	}
247 
248 	if (memchr(val, 0xAB, PAGE_SIZE) == NULL) {
249 		pr_info("Memory appears initialized (%x, no earlier values)\n", *val);
250 	} else {
251 		pr_err("FAIL: Slab was not initialized\n");
252 		pr_expected_config_param(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, "init_on_alloc");
253 	}
254 	free_page((unsigned long)val);
255 }
256 
257 static void lkdtm_SLAB_FREE_DOUBLE(void)
258 {
259 	int *val;
260 
261 	val = kmem_cache_alloc(double_free_cache, GFP_KERNEL);
262 	if (!val) {
263 		pr_info("Unable to allocate double_free_cache memory.\n");
264 		return;
265 	}
266 
267 	/* Just make sure we got real memory. */
268 	*val = 0x12345678;
269 	pr_info("Attempting double slab free ...\n");
270 	kmem_cache_free(double_free_cache, val);
271 	kmem_cache_free(double_free_cache, val);
272 }
273 
274 static void lkdtm_SLAB_FREE_CROSS(void)
275 {
276 	int *val;
277 
278 	val = kmem_cache_alloc(a_cache, GFP_KERNEL);
279 	if (!val) {
280 		pr_info("Unable to allocate a_cache memory.\n");
281 		return;
282 	}
283 
284 	/* Just make sure we got real memory. */
285 	*val = 0x12345679;
286 	pr_info("Attempting cross-cache slab free ...\n");
287 	kmem_cache_free(b_cache, val);
288 }
289 
290 static void lkdtm_SLAB_FREE_PAGE(void)
291 {
292 	unsigned long p = __get_free_page(GFP_KERNEL);
293 
294 	pr_info("Attempting non-Slab slab free ...\n");
295 	kmem_cache_free(NULL, (void *)p);
296 	free_page(p);
297 }
298 
299 /*
300  * We have constructors to keep the caches distinctly separated without
301  * needing to boot with "slab_nomerge".
302  */
303 static void ctor_double_free(void *region)
304 { }
305 static void ctor_a(void *region)
306 { }
307 static void ctor_b(void *region)
308 { }
309 
310 void __init lkdtm_heap_init(void)
311 {
312 	double_free_cache = kmem_cache_create("lkdtm-heap-double_free",
313 					      64, 0, 0, ctor_double_free);
314 	a_cache = kmem_cache_create("lkdtm-heap-a", 64, 0, 0, ctor_a);
315 	b_cache = kmem_cache_create("lkdtm-heap-b", 64, 0, 0, ctor_b);
316 }
317 
318 void __exit lkdtm_heap_exit(void)
319 {
320 	kmem_cache_destroy(double_free_cache);
321 	kmem_cache_destroy(a_cache);
322 	kmem_cache_destroy(b_cache);
323 }
324 
325 static struct crashtype crashtypes[] = {
326 	CRASHTYPE(SLAB_LINEAR_OVERFLOW),
327 	CRASHTYPE(VMALLOC_LINEAR_OVERFLOW),
328 	CRASHTYPE(WRITE_AFTER_FREE),
329 	CRASHTYPE(READ_AFTER_FREE),
330 	CRASHTYPE(WRITE_BUDDY_AFTER_FREE),
331 	CRASHTYPE(READ_BUDDY_AFTER_FREE),
332 	CRASHTYPE(SLAB_INIT_ON_ALLOC),
333 	CRASHTYPE(BUDDY_INIT_ON_ALLOC),
334 	CRASHTYPE(SLAB_FREE_DOUBLE),
335 	CRASHTYPE(SLAB_FREE_CROSS),
336 	CRASHTYPE(SLAB_FREE_PAGE),
337 };
338 
339 struct crashtype_category heap_crashtypes = {
340 	.crashtypes = crashtypes,
341 	.len	    = ARRAY_SIZE(crashtypes),
342 };
343