// SPDX-License-Identifier: GPL-2.0 /* * This is for all the tests relating directly to heap memory, including * page allocation and slab allocations. */ #include "lkdtm.h" #include <linux/kfence.h> #include <linux/slab.h> #include <linux/vmalloc.h> #include <linux/sched.h> static struct kmem_cache *double_free_cache; static struct kmem_cache *a_cache; static struct kmem_cache *b_cache; /* * Using volatile here means the compiler cannot ever make assumptions * about this value. This means compile-time length checks involving * this variable cannot be performed; only run-time checks. */ static volatile int __offset = …; /* * If there aren't guard pages, it's likely that a consecutive allocation will * let us overflow into the second allocation without overwriting something real. * * This should always be caught because there is an unconditional unmapped * page after vmap allocations. */ static void lkdtm_VMALLOC_LINEAR_OVERFLOW(void) { … } /* * This tries to stay within the next largest power-of-2 kmalloc cache * to avoid actually overwriting anything important if it's not detected * correctly. * * This should get caught by either memory tagging, KASan, or by using * CONFIG_SLUB_DEBUG=y and slab_debug=ZF (or CONFIG_SLUB_DEBUG_ON=y). */ static void lkdtm_SLAB_LINEAR_OVERFLOW(void) { … } static void lkdtm_WRITE_AFTER_FREE(void) { … } static void lkdtm_READ_AFTER_FREE(void) { … } static void lkdtm_KFENCE_READ_AFTER_FREE(void) { … } static void lkdtm_WRITE_BUDDY_AFTER_FREE(void) { … } static void lkdtm_READ_BUDDY_AFTER_FREE(void) { … } static void lkdtm_SLAB_INIT_ON_ALLOC(void) { … } static void lkdtm_BUDDY_INIT_ON_ALLOC(void) { … } static void lkdtm_SLAB_FREE_DOUBLE(void) { … } static void lkdtm_SLAB_FREE_CROSS(void) { … } static void lkdtm_SLAB_FREE_PAGE(void) { … } /* * We have constructors to keep the caches distinctly separated without * needing to boot with "slab_nomerge". */ static void ctor_double_free(void *region) { … } static void ctor_a(void *region) { … } static void ctor_b(void *region) { … } void __init lkdtm_heap_init(void) { … } void __exit lkdtm_heap_exit(void) { … } static struct crashtype crashtypes[] = …; struct crashtype_category heap_crashtypes = …;
Codebase Browser
linux