lkdtm/heap: Avoid edge and middle of slabs

Har har, after I moved the slab freelist pointer into the middle of the
slab, now it looks like the contents are getting poisoned. Adjust the
test to avoid the freelist pointer again.

Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20200625203704.317097-3-keescook@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c
index 3c5cec85edce22448cc1fc5394f75ba467ae0161..1323bc16f1136091d3f27cee3abf53dd8e7528fd 100644 (file)
--- a/drivers/misc/lkdtm/heap.c
+++ b/drivers/misc/lkdtm/heap.c
@@ -58,11 +58,12 @@ void lkdtm_READ_AFTER_FREE(void)
        int *base, *val, saw;
        size_t len = 1024;
        /*
-        * The slub allocator uses the first word to store the free
-        * pointer in some configurations. Use the middle of the
-        * allocation to avoid running into the freelist
+        * The slub allocator will use the either the first word or
+        * the middle of the allocation to store the free pointer,
+        * depending on configurations. Store in the second word to
+        * avoid running into the freelist.
         */
-       size_t offset = (len / sizeof(*base)) / 2;
+       size_t offset = sizeof(*base);
 
        base = kmalloc(len, GFP_KERNEL);
        if (!base) {