From: swkhack <swkh...@gmail.com>

The function lkdtm_READ_AFTER_FREE calls kfree(base) to free the memory of base. However, following kfree(base), it accesses the memory which base points to via base[offset]. This may result in a use-after-free bug. This patch moves kfree(base) after the dereference.
Signed-off-by: swkhack <swkh...@gmail.com> --- drivers/misc/lkdtm/heap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c index 65026d7de..3e2f1580a 100644 --- a/drivers/misc/lkdtm/heap.c +++ b/drivers/misc/lkdtm/heap.c @@ -77,7 +77,6 @@ void lkdtm_READ_AFTER_FREE(void) base[offset] = *val; pr_info("Value in memory before free: %x\n", base[offset]); - kfree(base); pr_info("Attempting bad read from freed memory\n"); saw = base[offset]; @@ -88,6 +87,7 @@ void lkdtm_READ_AFTER_FREE(void) } pr_info("Memory was not poisoned\n"); + kfree(base); kfree(val); } -- 2.17.1
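Review bot: In the first hunk (@@ -77,7 +77,6 @@), removing kfree(base) ahead of "saw = base[offset];" takes away the free that the very next line announces with pr_info("Attempting bad read from freed memory\n"). The read is then no longer a read from freed memory, and lkdtm_READ_AFTER_FREE stops doing what its name and its messages say. The access after the free looks intentional in this function, so I would drop this change. If the behaviour really is meant to change, the function name and both pr_info strings have to change with it, and the commit message should say why.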
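Review bot: In the second hunk (@@ -88,6 +87,7 @@), the new kfree(base) sits after pr_info("Memory was not poisoned\n"), so the value stored in saw was read while base was still allocated and that message no longer says anything about poisoning. The free is also only on the path that falls through the closing "}" above it. The body of that block is not in the context shown, so please confirm it does not return early, otherwise base is not freed on that path. Leaving the free where it was avoids both problems.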