lkdtm: Update WRITE_AFTER_FREE test

The SLUB allocator may use the first word of a freed block to store the
freelist information. This may make it harder to test poisoning
features. Change the WRITE_AFTER_FREE test to better match what
the READ_AFTER_FREE test does and also print out a big more information.

Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Signed-off-by: Kees Cook <keescook@chromium.org>

1 files changed, 13 insertions, 4 deletions

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 8de47462638a..a00a2b11b821 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -411,12 +411,21 @@ static void lkdtm_do_action(enum ctype which)
                 break;
         }
         case CT_WRITE_AFTER_FREE: {
+                int *base;
                 size_t len = 1024;
-                u32 *data = kmalloc(len, GFP_KERNEL);
+                /*
+                 * The slub allocator uses the first word to store the free
+                 * pointer in some configurations. Use the middle of the
+                 * allocation to avoid running into the freelist
+                 */
+                size_t offset = (len / sizeof(*base)) / 2;
 
-                kfree(data);
-                schedule();
-                memset(data, 0x78, len);
+                base = kmalloc(len, GFP_KERNEL);
+                pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
+                kfree(base);
+                pr_info("Attempting bad write to freed memory at %p\n",
+                        &base[offset]);
+                base[offset] = 0x0abcdef0;
                 break;
         }
         case CT_READ_AFTER_FREE: {