Debug with the Linux SLUB allocator
Make sure the SLUB allocator and its debug support are built into your kernel:
CONFIG_SLUB_DEBUG=y
CONFIG_SLUB=y
CONFIG_SLUB_DEBUG only compiles the checks in; they are switched on at boot with the slub_debug kernel parameter (or on by default when CONFIG_SLUB_DEBUG_ON=y is also set).
The SLUB allocator keeps additional metadata for each object to store allocate/free traces and timestamps. Every time the SLUB allocator allocates or frees an object, it does a poison check (on the data area) and a redzone check (on the boundary).
The module below shows how this works. It allocates 32 bytes from the kernel and overwrites the redzone by memset'ing 36 bytes.
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/slab.h>

/* Deliberately writes 4 bytes past a 32-byte object into its SLUB redzone. */
void try_to_corrupt_redzone(void)
{
    void *p = kmalloc(32, GFP_KERNEL);

    if (p) {
        pr_alert("p: 0x%p\n", p);
        memset(p, 0x12, 36); /* write too much: 32-byte object + 4 bytes of redzone */
        print_hex_dump(KERN_ALERT, "mem: ", DUMP_PREFIX_ADDRESS,
                       16, 1, p, 512, 1);
        kfree(p); /* slub.c should catch this error */
    }
}

static int __init mymodule_init(void)
{
    pr_alert("%s init\n", __FUNCTION__);
    try_to_corrupt_redzone();
    return 0;
}

static void __exit mymodule_exit(void)
{
    pr_alert("%s exit\n", __FUNCTION__);
}

module_init(mymodule_init);
module_exit(mymodule_exit);
/* No MODULE_LICENSE here, hence the "Tainted: P" (proprietary module) in the log below. */
After freeing the object, the kernel checks the object, finds that the redzone has been overwritten and reports:
[ 2050.630002] mymodule_init init
[ 2050.630565] p: 0xddc86680
[ 2050.630653] mem: ddc86680: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.630779] mem: ddc86690: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.630897] mem: ddc866a0: 12 12 12 12 60 6b c8 dd 16 80 99 e0 fa 8e 2a c1 ....`k........*.
[ 2050.631014] mem: ddc866b0: 16 80 99 e0 ce 92 2a c1 16 80 99 e0 f2 c1 1b c1 ......*.........
[ 2050.631130] mem: ddc866c0: 16 80 99 e0 4c 8b 0a c1 4c 8b 0a c1 61 80 99 e0 ....L...L...a...
[ 2050.631248] mem: ddc866d0: 16 80 99 e0 61 80 99 e0 16 80 99 e0 61 80 99 e0 ....a.......a...
[ 2050.631365] mem: ddc866e0: 75 80 99 e0 48 01 00 c1 2b 36 05 c1 00 00 00 00 u...H...+6......
[ 2050.631483] mem: ddc866f0: 4a 0c 00 00 99 ad 06 00 6d 35 05 c1 9e 8b 2a c1 J.......m5....*.
[ 2050.631599] mem: ddc86700: 6d 35 05 c1 48 8c 2a c1 6d 35 05 c1 ee 89 0a c1 m5..H.*.m5......
[ 2050.631716] mem: ddc86710: ee 89 0a c1 e4 0a 14 c1 e4 0a 14 c1 ee 89 0a c1 ................
[ 2050.631832] mem: ddc86720: ee 89 0a c1 6d 35 05 c1 6d 35 05 c1 6d 35 05 c1 ....m5..m5..m5..
[ 2050.631948] mem: ddc86730: a7 39 05 c1 ef b8 2a c1 00 00 00 00 00 00 00 00 .9....*.........
[ 2050.633948] mem: ddc86740: 4a 0c 00 00 97 ad 06 00 5a 5a 5a 5a 5a 5a 5a 5a J.......ZZZZZZZZ
[ 2050.634095] mem: ddc86750: 14 dc 46 dd 14 dc 46 dd 00 00 00 00 6b 6b 6b 6b ..F...F.....kkkk
[ 2050.634236] mem: ddc86760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
[ 2050.634378] mem: ddc86770: cc cc cc cc c0 69 c8 dd a0 83 20 c1 fa 8e 2a c1 .....i.... ...*.
[ 2050.634629] =============================================================================
[ 2050.634750] BUG kmalloc-32 (Tainted: P B O): Redzone overwritten
[ 2050.634828] -----------------------------------------------------------------------------
[ 2050.634828]
[ 2050.634967] INFO: 0xddc866a0-0xddc866a3. First byte 0x12 instead of 0xcc
[ 2050.635123] INFO: Allocated in try_to_corrupt_redzone+0x16/0x61 [mymodule] age=1 cpu=0 pid=3146
[ 2050.635255] alloc_debug_processing+0x63/0xd1
[ 2050.635337] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635423] __slab_alloc.constprop.73+0x366/0x384
[ 2050.635506] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635594] vt_console_print+0x21e/0x226
[ 2050.635672] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635758] kmem_cache_alloc_trace+0x43/0xd7
[ 2050.635832] kmem_cache_alloc_trace+0x43/0xd7
[ 2050.635909] mymodule_init+0x0/0x19 [mymodule]
[ 2050.635992] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.636003] mymodule_init+0x0/0x19 [mymodule]
[ 2050.636092] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.636179] mymodule_init+0x0/0x19 [mymodule]
[ 2050.636261] mymodule_init+0x14/0x19 [mymodule]
[ 2050.636343] do_one_initcall+0x6c/0xf4
[ 2050.636428] load_module+0x1690/0x199a
[ 2050.636508] INFO: Freed in load_module+0x15d2/0x199a age=3 cpu=0 pid=3146
[ 2050.636598] free_debug_processing+0xd6/0x142
[ 2050.636676] load_module+0x15d2/0x199a
[ 2050.636749] __slab_free+0x3e/0x28d
[ 2050.636819] load_module+0x15d2/0x199a
[ 2050.636888] kfree+0xe4/0x102
[ 2050.636953] kfree+0xe4/0x102
[ 2050.637020] kobject_uevent_env+0x361/0x39a
[ 2050.637091] kobject_uevent_env+0x361/0x39a
[ 2050.637163] kfree+0xe4/0x102
[ 2050.637227] kfree+0xe4/0x102
[ 2050.637294] load_module+0x15d2/0x199a
[ 2050.637366] load_module+0x15d2/0x199a
[ 2050.637438] load_module+0x15d2/0x199a
[ 2050.637509] SyS_init_module+0x72/0x8a
[ 2050.637581] syscall_call+0x7/0xb
[ 2050.637649] INFO: Slab 0xdffa90c0 objects=19 used=8 fp=0xddc86000 flags=0x40000080
[ 2050.637749] INFO: Object 0xddc86680 @offset=1664 fp=0xddc86b60
[ 2050.637749]
[ 2050.637875] Bytes b4 ddc86670: 14 01 00 00 95 ad 06 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
[ 2050.637875] Object ddc86680: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.637875] Object ddc86690: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.637875] Redzone ddc866a0: 12 12 12 12 ....
[ 2050.637875] Padding ddc86748: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
[ 2050.637875] CPU: 0 PID: 3146 Comm: insmod Tainted: P B O 3.10.17 #1
[ 2050.637875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 2050.637875] 00000000 c10a7b59 c10941c5 dffa90c0 ddc86680 de8012cc de801280 ddc86680
[ 2050.637875] dffa90c0 c10a7bd3 c13689a5 ddc866a0 000000cc 00000004 de801280 ddc86680
[ 2050.637875] dffa90c0 de800e00 c12a8b2f 000000cc ddc86680 de801280 dffa90c0 dd407e50
[ 2050.637875] Call Trace:
[ 2050.637875] [<c10a7b59>] ? check_bytes_and_report+0x6d/0xb0
[ 2050.637875] [<c10941c5>] ? page_address+0x1a/0x79
[ 2050.637875] [<c10a7bd3>] ? check_object+0x37/0x149
[ 2050.637875] [<c12a8b2f>] ? free_debug_processing+0x67/0x142
[ 2050.637875] [<c12a8c48>] ? __slab_free+0x3e/0x28d
[ 2050.637875] [<e0998075>] ? mymodule_init+0x14/0x19 [mymodule]
[ 2050.637875] [<c102063d>] ? wake_up_klogd+0x1d/0x1e
[ 2050.637875] [<c10a89ee>] ? kfree+0xe4/0x102
[ 2050.637875] [<c10a89ee>] ? kfree+0xe4/0x102
[ 2050.637875] [<e0998075>] ? mymodule_init+0x14/0x19 [mymodule]
[ 2050.637875] [<e0998075>] ? mymodule_init+0x14/0x19 [mymodule]
[ 2050.637875] [<e0998061>] ? try_to_corrupt_redzone+0x61/0x61 [mymodule]
[ 2050.637875] [<e0998075>] ? mymodule_init+0x14/0x19 [mymodule]
[ 2050.637875] [<c1000148>] ? do_one_initcall+0x6c/0xf4
[ 2050.637875] [<c105362b>] ? load_module+0x1690/0x199a
[ 2050.637875] [<c10539a7>] ? SyS_init_module+0x72/0x8a
[ 2050.637875] [<c12ab8ef>] ? syscall_call+0x7/0xb
[ 2050.637875] FIX kmalloc-32: Restoring 0xddc866a0-0xddc866a3=0xcc
[ 2050.637875]
[ 2051.232817] mymodule_exit exit
First the SLUB allocator prints the error type, "Redzone overwritten":
[ 2050.634629] =============================================================================
[ 2050.634750] BUG kmalloc-32 (Tainted: P B O): Redzone overwritten
[ 2050.634828] -----------------------------------------------------------------------------
[ 2050.634828]
[ 2050.634967] INFO: 0xddc866a0-0xddc866a3. First byte 0x12 instead of 0xcc
To understand what the redzone is, take a look at the memory content around the object:
[ 2050.637875] Bytes b4 ddc86670: 14 01 00 00 95 ad 06 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
[ 2050.637875] Object ddc86680: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.637875] Object ddc86690: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.637875] Redzone ddc866a0: 12 12 12 12 ....
[ 2050.637875] Padding ddc86748: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
We fill 36 bytes with 0x12: the whole 32-byte object (0xddc86680 - 0xddc8669f) plus 4 more bytes of 0x12 on the redzone (normally 0xcc while the object is allocated, 0xbb while it is free). When the object is returned to the kernel, the kernel finds that the redzone is neither 0xcc nor 0xbb and reports this as a BUG.
The SLUB allocator also reports the latest allocate/free history of this object. You can see that the object was just allocated by our kernel module function 'try_to_corrupt_redzone'.
Sometimes the allocate/free traces of the object are more useful than the function backtrace. For example, consider a use-after-free case: function A allocates an object, frees it, and then writes to it after the free. If the object has meanwhile been allocated by another function B, function B ends up holding a corrupted object; with the free trace of this object, we can trace back to its previous owner, function A.
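The redzone check that caught the module above and the use-after-free case just described can both be modelled in user space. The following is an added example, not code from this page or from mm/slub.c: it re-implements the SLUB_DEBUG object layout for one kmalloc-32-sized object (active redzone 0xcc, inactive redzone 0xbb, free poison 0x6b ending in 0xa5, in-use fill 0x5a, all visible in the dump above), checks the redzone on free and the poison on allocation, restores the bad bytes the way the kernel's FIX line does, and records the allocating and freeing caller the way the INFO: Allocated/Freed lines do. The struct, function names and the caller strings "function_A"/"function_B" are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from include/linux/poison.h; the page's dump shows all of them. */
#define OBJ_SIZE          32    /* models one "kmalloc-32" object */
#define REDZONE_SIZE       4    /* redzone bytes right after the object */
#define SLUB_RED_ACTIVE   0xcc  /* redzone while the object is allocated */
#define SLUB_RED_INACTIVE 0xbb  /* redzone while the object is free */
#define POISON_INUSE      0x5a  /* fill of a freshly allocated object */
#define POISON_FREE       0x6b  /* fill of a freed object */
#define POISON_END        0xa5  /* last byte of a freed object */

enum slab_check {
    SLAB_OK = 0,
    SLAB_REDZONE_OVERWRITTEN,   /* kernel says "Redzone overwritten" */
    SLAB_POISON_OVERWRITTEN,    /* kernel says "Poison overwritten" */
    SLAB_ALREADY_FREE,          /* kernel says "Object already free" */
};

/* One tracked object: payload, redzone, and a caller-name stand-in for the trace. */
struct slab_object {
    uint8_t mem[OBJ_SIZE + REDZONE_SIZE];
    int in_use;
    const char *alloc_caller;   /* "INFO: Allocated in ..." */
    const char *free_caller;    /* "INFO: Freed in ..." */
    enum slab_check last_error;
    size_t bad_offset;          /* first bad byte found by the last check */
    uint8_t bad_value;          /* the value found at that offset */
};

/* Free-state layout: POISON_FREE body, POISON_END marker, inactive redzone. */
static void poison_free_object(struct slab_object *o)
{
    memset(o->mem, POISON_FREE, OBJ_SIZE - 1);
    o->mem[OBJ_SIZE - 1] = POISON_END;
    memset(o->mem + OBJ_SIZE, SLUB_RED_INACTIVE, REDZONE_SIZE);
}

static void slab_init(struct slab_object *o)
{
    memset(o, 0, sizeof *o);
    poison_free_object(o);
}

/* Like check_bytes_and_report(): verify mem[start, end) holds `expect`,
 * report the first mismatch, then restore the range as the FIX line does. */
static int check_bytes(struct slab_object *o, const char *what, size_t start,
                       size_t end, uint8_t expect, enum slab_check err)
{
    for (size_t i = start; i < end; i++) {
        if (o->mem[i] == expect) continue;
        fprintf(stderr, "BUG: %s overwritten at offset %zu: 0x%02x instead of 0x%02x\n",
                what, i, o->mem[i], expect);
        if (o->last_error == SLAB_OK) {     /* remember the first finding */
            o->last_error = err;
            o->bad_offset = i;
            o->bad_value = o->mem[i];
        }
        memset(o->mem + i, expect, end - i);
        return 0;
    }
    return 1;
}

/* Allocation path (cf. alloc_debug_processing): a free object must still carry
 * its poison and inactive redzone, otherwise it was written after being freed. */
static uint8_t *slab_alloc(struct slab_object *o, const char *caller)
{
    o->last_error = SLAB_OK;
    if (o->in_use)
        return NULL;
    check_bytes(o, "Redzone", OBJ_SIZE, OBJ_SIZE + REDZONE_SIZE,
                SLUB_RED_INACTIVE, SLAB_REDZONE_OVERWRITTEN);
    if (check_bytes(o, "Poison", 0, OBJ_SIZE - 1, POISON_FREE, SLAB_POISON_OVERWRITTEN))
        check_bytes(o, "Poison", OBJ_SIZE - 1, OBJ_SIZE, POISON_END, SLAB_POISON_OVERWRITTEN);
    o->in_use = 1;
    o->alloc_caller = caller;       /* free_caller is kept: it names the previous owner */
    memset(o->mem, POISON_INUSE, OBJ_SIZE);
    memset(o->mem + OBJ_SIZE, SLUB_RED_ACTIVE, REDZONE_SIZE);
    return o->mem;
}

/* Free path (cf. free_debug_processing): the active redzone must be intact. */
static enum slab_check slab_free(struct slab_object *o, const char *caller)
{
    o->last_error = SLAB_OK;
    if (!o->in_use)
        return o->last_error = SLAB_ALREADY_FREE;
    check_bytes(o, "Redzone", OBJ_SIZE, OBJ_SIZE + REDZONE_SIZE,
                SLUB_RED_ACTIVE, SLAB_REDZONE_OVERWRITTEN);
    o->in_use = 0;
    o->free_caller = caller;
    poison_free_object(o);
    return o->last_error;
}
```

Calling slab_alloc, memset'ing 36 bytes through the returned pointer and then slab_free on one object reproduces the page's report: the first bad byte is at offset 32 and reads 0x12 instead of 0xcc. The use-after-free walk-through from the text is the second scenario: allocate as function_A, free, write through the stale pointer, allocate as function_B; that slab_alloc reports "Poison overwritten" while free_caller still names function_A, which is exactly the trace the text says leads back to the previous owner.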
[ 2050.635123] INFO: Allocated in try_to_corrupt_redzone+0x16/0x61 [mymodule] age=1 cpu=0 pid=3146
[ 2050.635255] alloc_debug_processing+0x63/0xd1
[ 2050.635337] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635423] __slab_alloc.constprop.73+0x366/0x384
[ 2050.635506] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635594] vt_console_print+0x21e/0x226
[ 2050.635672] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635758] kmem_cache_alloc_trace+0x43/0xd7
[ 2050.635832] kmem_cache_alloc_trace+0x43/0xd7
[ 2050.635909] mymodule_init+0x0/0x19 [mymodule]
[ 2050.635992] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.636003] mymodule_init+0x0/0x19 [mymodule]
[ 2050.636092] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.636179] mymodule_init+0x0/0x19 [mymodule]
[ 2050.636261] mymodule_init+0x14/0x19 [mymodule]
[ 2050.636343] do_one_initcall+0x6c/0xf4
[ 2050.636428] load_module+0x1690/0x199a
[ 2050.636508] INFO: Freed in load_module+0x15d2/0x199a age=3 cpu=0 pid=3146
[ 2050.636598] free_debug_processing+0xd6/0x142
[ 2050.636676] load_module+0x15d2/0x199a
[ 2050.636749] __slab_free+0x3e/0x28d
[ 2050.636819] load_module+0x15d2/0x199a
[ 2050.636888] kfree+0xe4/0x102
[ 2050.636953] kfree+0xe4/0x102
[ 2050.637020] kobject_uevent_env+0x361/0x39a
[ 2050.637091] kobject_uevent_env+0x361/0x39a
[ 2050.637163] kfree+0xe4/0x102
[ 2050.637227] kfree+0xe4/0x102
[ 2050.637294] load_module+0x15d2/0x199a
[ 2050.637366] load_module+0x15d2/0x199a
[ 2050.637438] load_module+0x15d2/0x199a
[ 2050.637509] SyS_init_module+0x72/0x8a