lkdtm/heap: Avoid edge and middle of slabs

Har har, after I moved the slab freelist pointer into the middle of the slab, now it looks like the contents are getting poisoned. Adjust the test to avoid the freelist pointer again. Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20200625203704.317097-3-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Kees Cook <keescook@chromium.org> 2020-06-25 13:37:02 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-29 18:41:39 +0200
commit: e12145cf1c3a8077e6d9f575711e38dd7d8a3ebc (patch)
tree: 76020d7c0b5da911be0fa25896002c89579325b7 /drivers/misc/lkdtm
parent: 464e86b4abadfc490f426954b431e2ec6a9d7bd2 (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c
index 3c5cec85edce..1323bc16f113 100644
--- a/drivers/misc/lkdtm/heap.c
+++ b/drivers/misc/lkdtm/heap.c
@@ -58,11 +58,12 @@ void lkdtm_READ_AFTER_FREE(void)
 	int *base, *val, saw;
 	size_t len = 1024;
 	/*
-	 * The slub allocator uses the first word to store the free
-	 * pointer in some configurations. Use the middle of the
-	 * allocation to avoid running into the freelist
+	 * The slub allocator will use the either the first word or
+	 * the middle of the allocation to store the free pointer,
+	 * depending on configurations. Store in the second word to
+	 * avoid running into the freelist.
 	 */
-	size_t offset = (len / sizeof(*base)) / 2;
+	size_t offset = sizeof(*base);
 
 	base = kmalloc(len, GFP_KERNEL);
 	if (!base) {
author	Kees Cook <keescook@chromium.org>	2020-06-25 13:37:02 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-06-29 18:41:39 +0200
commit	e12145cf1c3a8077e6d9f575711e38dd7d8a3ebc (patch)
tree	76020d7c0b5da911be0fa25896002c89579325b7 /drivers/misc/lkdtm
parent	464e86b4abadfc490f426954b431e2ec6a9d7bd2 (diff)