http://thinkiii.blogspot.jp/2014/02/debug-with-slub-allocator.html

The slub allocator in Linux has useful debug features. Such as poisoning, readzone checking, and allocate/free traces with timestamps. It's very useful during product developing stage. Let's create a kernel module and test the debug features.

Make sure slub allocator is built in your kernel.

CONFIG_SLUB_DEBUG=y

CONFIG_SLUB=y

The slub allocator creates additional meta data to store allocate/free traces and timestamps. Everytime slub allocator allocate/free an object, it do poison check (data area) and redzone check  (boundry).

The module shows how it happens. It allocates 32 bytes from kernel and we overwrite the redzone by memset 36 bytes.

void try_to_corrupt_redzone(void)

{

        void *p = kmalloc(32, GFP_KERNEL);

        if (p) {

                pr_alert("p: 0x%p\n", p);

                memset(p, 0x12, 36);    /* write too much */

                print_hex_dump(KERN_ALERT, "mem: ", DUMP_PREFIX_ADDRESS,

                                16, 1, p, 512, 1);

                kfree(p);       /* slub.c should catch this error */

        }

}

static int mymodule_init(void)

{

        pr_alert("%s init\n", __FUNCTION__);

        try_to_corrupt_redzone();

        return 0;

}

static void mymodule_exit(void)

{

        pr_alert("%s exit\n", __FUNCTION__);

}

module_init(mymodule_init);

module_exit(mymodule_exit);

After freeing the object, the kernel checks the object and find that the redzone is overwritten and says:

[ 2050.630002] mymodule_init init

[ 2050.630565] p: 0xddc86680

[ 2050.630653] mem: ddc86680: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12  ................

[ 2050.630779] mem: ddc86690: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12  ................

[ 2050.630897] mem: ddc866a0: 12 12 12 12 60 6b c8 dd 16 80 99 e0 fa 8e 2a c1  ....`k........*.

[ 2050.631014] mem: ddc866b0: 16 80 99 e0 ce 92 2a c1 16 80 99 e0 f2 c1 1b c1  ......*.........

[ 2050.631130] mem: ddc866c0: 16 80 99 e0 4c 8b 0a c1 4c 8b 0a c1 61 80 99 e0  ....L...L...a...

[ 2050.631248] mem: ddc866d0: 16 80 99 e0 61 80 99 e0 16 80 99 e0 61 80 99 e0  ....a.......a...

[ 2050.631365] mem: ddc866e0: 75 80 99 e0 48 01 00 c1 2b 36 05 c1 00 00 00 00  u...H...+6......

[ 2050.631483] mem: ddc866f0: 4a 0c 00 00 99 ad 06 00 6d 35 05 c1 9e 8b 2a c1  J.......m5....*.

[ 2050.631599] mem: ddc86700: 6d 35 05 c1 48 8c 2a c1 6d 35 05 c1 ee 89 0a c1  m5..H.*.m5......

[ 2050.631716] mem: ddc86710: ee 89 0a c1 e4 0a 14 c1 e4 0a 14 c1 ee 89 0a c1  ................

[ 2050.631832] mem: ddc86720: ee 89 0a c1 6d 35 05 c1 6d 35 05 c1 6d 35 05 c1  ....m5..m5..m5..

[ 2050.631948] mem: ddc86730: a7 39 05 c1 ef b8 2a c1 00 00 00 00 00 00 00 00  .9....*.........

[ 2050.633948] mem: ddc86740: 4a 0c 00 00 97 ad 06 00 5a 5a 5a 5a 5a 5a 5a 5a  J.......ZZZZZZZZ

[ 2050.634095] mem: ddc86750: 14 dc 46 dd 14 dc 46 dd 00 00 00 00 6b 6b 6b 6b  ..F...F.....kkkk

[ 2050.634236] mem: ddc86760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.

[ 2050.634378] mem: ddc86770: cc cc cc cc c0 69 c8 dd a0 83 20 c1 fa 8e 2a c1  .....i.... ...*.

[ 2050.634629] =============================================================================

[ 2050.634750] BUG kmalloc-32 (Tainted: P    B      O): Redzone overwritten

[ 2050.634828] -----------------------------------------------------------------------------

[ 2050.634828]

[ 2050.634967] INFO: 0xddc866a0-0xddc866a3. First byte 0x12 instead of 0xcc

[ 2050.635123] INFO: Allocated in try_to_corrupt_redzone+0x16/0x61 [mymodule] age=1 cpu=0 pid=3146

[ 2050.635255]  alloc_debug_processing+0x63/0xd1

[ 2050.635337]  try_to_corrupt_redzone+0x16/0x61 [mymodule]

[ 2050.635423]  __slab_alloc.constprop.73+0x366/0x384

[ 2050.635506]  try_to_corrupt_redzone+0x16/0x61 [mymodule]

[ 2050.635594]  vt_console_print+0x21e/0x226

[ 2050.635672]  try_to_corrupt_redzone+0x16/0x61 [mymodule]

[ 2050.635758]  kmem_cache_alloc_trace+0x43/0xd7

[ 2050.635832]  kmem_cache_alloc_trace+0x43/0xd7

[ 2050.635909]  mymodule_init+0x0/0x19 [mymodule]

[ 2050.635992]  try_to_corrupt_redzone+0x16/0x61 [mymodule]

[ 2050.636003]  mymodule_init+0x0/0x19 [mymodule]

[ 2050.636092]  try_to_corrupt_redzone+0x16/0x61 [mymodule]

[ 2050.636179]  mymodule_init+0x0/0x19 [mymodule]

[ 2050.636261]  mymodule_init+0x14/0x19 [mymodule]

[ 2050.636343]  do_one_initcall+0x6c/0xf4

[ 2050.636428]  load_module+0x1690/0x199a

[ 2050.636508] INFO: Freed in load_module+0x15d2/0x199a age=3 cpu=0 pid=3146

[ 2050.636598]  free_debug_processing+0xd6/0x142

[ 2050.636676]  load_module+0x15d2/0x199a

[ 2050.636749]  __slab_free+0x3e/0x28d

[ 2050.636819]  load_module+0x15d2/0x199a

[ 2050.636888]  kfree+0xe4/0x102

[ 2050.636953]  kfree+0xe4/0x102

[ 2050.637020]  kobject_uevent_env+0x361/0x39a

[ 2050.637091]  kobject_uevent_env+0x361/0x39a

[ 2050.637163]  kfree+0xe4/0x102

[ 2050.637227]  kfree+0xe4/0x102

[ 2050.637294]  load_module+0x15d2/0x199a

[ 2050.637366]  load_module+0x15d2/0x199a

[ 2050.637438]  load_module+0x15d2/0x199a

[ 2050.637509]  SyS_init_module+0x72/0x8a

[ 2050.637581]  syscall_call+0x7/0xb

[ 2050.637649] INFO: Slab 0xdffa90c0 objects=19 used=8 fp=0xddc86000 flags=0x40000080

[ 2050.637749] INFO: Object 0xddc86680 @offset=1664 fp=0xddc86b60

[ 2050.637749]

[ 2050.637875] Bytes b4 ddc86670: 14 01 00 00 95 ad 06 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ

[ 2050.637875] Object ddc86680: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12  ................

[ 2050.637875] Object ddc86690: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12  ................

[ 2050.637875] Redzone ddc866a0: 12 12 12 12                                      ....

[ 2050.637875] Padding ddc86748: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ

[ 2050.637875] CPU: 0 PID: 3146 Comm: insmod Tainted: P    B      O 3.10.17 #1

[ 2050.637875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006

[ 2050.637875]  00000000 c10a7b59 c10941c5 dffa90c0 ddc86680 de8012cc de801280 ddc86680

[ 2050.637875]  dffa90c0 c10a7bd3 c13689a5 ddc866a0 000000cc 00000004 de801280 ddc86680

[ 2050.637875]  dffa90c0 de800e00 c12a8b2f 000000cc ddc86680 de801280 dffa90c0 dd407e50

[ 2050.637875] Call Trace:

[ 2050.637875]  [&ltc10a7b59&gt] ? check_bytes_and_report+0x6d/0xb0

[ 2050.637875]  [&ltc10941c5&gt] ? page_address+0x1a/0x79

[ 2050.637875]  [&ltc10a7bd3&gt] ? check_object+0x37/0x149

[ 2050.637875]  [&ltc12a8b2f&gt] ? free_debug_processing+0x67/0x142

[ 2050.637875]  [&ltc12a8c48&gt] ? __slab_free+0x3e/0x28d

[ 2050.637875]  [&lte0998075&gt] ? mymodule_init+0x14/0x19 [mymodule]

[ 2050.637875]  [&ltc102063d&gt] ? wake_up_klogd+0x1d/0x1e

[ 2050.637875]  [&ltc10a89ee&gt] ? kfree+0xe4/0x102

[ 2050.637875]  [&ltc10a89ee&gt] ? kfree+0xe4/0x102

[ 2050.637875]  [&lte0998075&gt] ? mymodule_init+0x14/0x19 [mymodule]

[ 2050.637875]  [&lte0998075&gt] ? mymodule_init+0x14/0x19 [mymodule]

[ 2050.637875]  [&lte0998061&gt] ? try_to_corrupt_redzone+0x61/0x61 [mymodule]

[ 2050.637875]  [&lte0998075&gt] ? mymodule_init+0x14/0x19 [mymodule]

[ 2050.637875]  [&ltc1000148&gt] ? do_one_initcall+0x6c/0xf4

[ 2050.637875]  [&ltc105362b&gt] ? load_module+0x1690/0x199a

[ 2050.637875]  [&ltc10539a7&gt] ? SyS_init_module+0x72/0x8a

[ 2050.637875]  [&ltc12ab8ef&gt] ? syscall_call+0x7/0xb

[ 2050.637875] FIX kmalloc-32: Restoring 0xddc866a0-0xddc866a3=0xcc

[ 2050.637875]

[ 2051.232817] mymodule_exit exit

First the slub allocator print the error type "redzone overwritten"

[ 2050.634629] =============================================================================

[ 2050.634750] BUG kmalloc-32 (Tainted: P    B      O): Redzone overwritten

[ 2050.634828] -----------------------------------------------------------------------------

[ 2050.634828]

[ 2050.634967] INFO: 0xddc866a0-0xddc866a3. First byte 0x12 instead of 0xcc

To understand what readzone is, take a look at the memory content around the object:

[ 2050.637875] Bytes b4 ddc86670: 14 01 00 00 95 ad 06 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ

[ 2050.637875] Object ddc86680: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12  ................

[ 2050.637875] Object ddc86690: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12  ................

[ 2050.637875] Redzone ddc866a0: 12 12 12 12                                      ....

[ 2050.637875] Padding ddc86748: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ

We fill 38 bytes of 0x12 from the start of the 36-bytes object (0xddc86680 - 0xddc8669f) and 4 more 0x12 on the redzone (normal 0xbb or 0xcc). When the object is returned to the kernel, kernel finds that the redzone is neither 0xcc or 0xbb and reports this as a BUG.

The slub allocator reports the latest allocate/free history of this object. You can see the object is just allocated by our kernel module function 'try_to_corrup_redzone'.

Sometime the traces of the object are more useful than function backtrace. For example, if there exists an use-after-free case:  function A allocates an object and writes if after freeing the object. If the object is allocated by another function B. In this case, function B has a corrupted object, and if we have the free trace of this object, we can trace back to the previous owner of the object, function A.

[ 2050.635123] INFO: Allocated in try_to_corrupt_redzone+0x16/0x61 [mymodule] age=1 cpu=0 pid=3146

[ 2050.635255]  alloc_debug_processing+0x63/0xd1

[ 2050.635337]  try_to_corrupt_redzone+0x16/0x61 [mymodule]

[ 2050.635423]  __slab_alloc.constprop.73+0x366/0x384

[ 2050.635506]  try_to_corrupt_redzone+0x16/0x61 [mymodule]

[ 2050.635594]  vt_console_print+0x21e/0x226

[ 2050.635672]  try_to_corrupt_redzone+0x16/0x61 [mymodule]

[ 2050.635758]  kmem_cache_alloc_trace+0x43/0xd7

[ 2050.635832]  kmem_cache_alloc_trace+0x43/0xd7

[ 2050.635909]  mymodule_init+0x0/0x19 [mymodule]

[ 2050.635992]  try_to_corrupt_redzone+0x16/0x61 [mymodule]

[ 2050.636003]  mymodule_init+0x0/0x19 [mymodule]

[ 2050.636092]  try_to_corrupt_redzone+0x16/0x61 [mymodule]

[ 2050.636179]  mymodule_init+0x0/0x19 [mymodule]

[ 2050.636261]  mymodule_init+0x14/0x19 [mymodule]

[ 2050.636343]  do_one_initcall+0x6c/0xf4

[ 2050.636428]  load_module+0x1690/0x199a

[ 2050.636508] INFO: Freed in load_module+0x15d2/0x199a age=3 cpu=0 pid=3146

[ 2050.636598]  free_debug_processing+0xd6/0x142

[ 2050.636676]  load_module+0x15d2/0x199a

[ 2050.636749]  __slab_free+0x3e/0x28d

[ 2050.636819]  load_module+0x15d2/0x199a

[ 2050.636888]  kfree+0xe4/0x102

[ 2050.636953]  kfree+0xe4/0x102

[ 2050.637020]  kobject_uevent_env+0x361/0x39a

[ 2050.637091]  kobject_uevent_env+0x361/0x39a

[ 2050.637163]  kfree+0xe4/0x102

[ 2050.637227]  kfree+0xe4/0x102

[ 2050.637294]  load_module+0x15d2/0x199a

[ 2050.637366]  load_module+0x15d2/0x199a

[ 2050.637438]  load_module+0x15d2/0x199a

[ 2050.637509]  SyS_init_module+0x72/0x8a
 
Posted by Miles MH Chen at 7:34 AM 
Labels: linux

debug with Linux slub allocator的更多相关文章

  1. (转)Linux SLUB 分配器详解

    原文网址:https://www.ibm.com/developerworks/cn/linux/l-cn-slub/ 多年以来,Linux 内核使用一种称为 SLAB 的内核对象缓冲区分配器.但是, ...

  2. Linux Kernel - Debug Guide (Linux内核调试指南 )

    http://blog.csdn.net/blizmax6/article/details/6747601 linux内核调试指南 一些前言 作者前言 知识从哪里来 为什么撰写本文档 为什么需要汇编级 ...

  3. 【debug】 Linux中top的使用

    在我们日常的开发中,我们经常需要查看每个线程的cpu使用情况.其实,在linux中,top也是我们查看cpu使用状况的一个好帮手 top:先查看每一个进程的使用状况 我们可以发现PID:3800这个经 ...

  4. gdb pretty printer for STL debug in Linux

    Check your gcc version. If it is less than 4.7, you need use another printer.py file. Get the file f ...

  5. [轉]Exploit Linux Kernel Slub Overflow

    Exploit Linux Kernel Slub Overflow By wzt 一.前言 最近几年关于kernel exploit的研究比较热门,常见的内核提权漏洞大致可以分为几类: 空指针引用, ...

  6. 现在的 Linux 内核和 Linux 2.6 的内核有多大区别?

    作者:larmbr宇链接:https://www.zhihu.com/question/35484429/answer/62964898来源:知乎著作权归作者所有.商业转载请联系作者获得授权,非商业转 ...

  7. linux进程用户内存空间和内核空间

    When a process running in user mode requests additional memory, pages are allocated from the list of ...

  8. Linux内存描述之内存页面page--Linux内存管理(四)

    1 Linux如何描述物理内存 Linux把物理内存划分为三个层次来管理 层次 描述 存储节点(Node) CPU被划分为多个节点(node), 内存则被分簇, 每个CPU对应一个本地物理内存, 即一 ...

  9. 转 Linux内存管理原理

    Linux内存管理原理 在用户态,内核态逻辑地址专指下文说的线性偏移前的地址Linux内核虚拟3.伙伴算法和slab分配器 16个页面RAM因为最大连续内存大小为16个页面 页面最多16个页面,所以1 ...

随机推荐

  1. mongodb 部署

    安装mongodb-3.4 1)将安装包上传至服务器 2)对压缩文件进行解压 tar -zxvf mongodb-linux-x86_64-suse12-v3.4-latest.tar.gz 3)把解 ...

  2. poj 2299 归并排序求逆序数 (可做模板)

    Time Limit: 7000MS   Memory Limit: 65536K Total Submissions: 48077   Accepted: 17533 Description In ...

  3. weex & web app & vue

    weex & web app & vue https://weex-project.io/tools/playground.html https://weex.apache.org/ ...

  4. 一文看懂Kafka消息格式的演变

    摘要 对于一个成熟的消息中间件而言,消息格式不仅关系到功能维度的扩展,还牵涉到性能维度的优化.随着Kafka的迅猛发展,其消息格式也在不断的升级改进,从0.8.x版本开始到现在的1.1.x版本,Kaf ...

  5. uoj185 [ZJOI2016]小星星 【dp + 容斥】

    题目链接 uoj185 题解 设\(f[i][j]\)表示\(i\)为根的子树,\(i\)号点对应图上\(j\)号点时的方案数 显然这样\(dp\)会使一些节点使用同一个节点,此时总的节点数就不满\( ...

  6. python下载链接内容

    下面代码下载京东注册码,可接收参数num dir 可以将连接构造成其它网址,比如移动联通网上营业厅的验证码都是固定网址+13位时间戳的结构. #!/usr/bin/python #code utf-8 ...

  7. python列表里的字典元素去重

    去重 def list_dict_duplicate_removal(): data_list = [{"a": "123", "b": & ...

  8. 我们曾经心碎的C#之 第一章.我的第一个C#程序

    第一章.      C#入门 1.1        .NET与C#            001..NET是Microsoft.NET的简称,是基于Windows平台的一种技术            ...

  9. R语言绘制相对性关系图

    准备 第一步就是安装R语言环境以及RStudio 图绘制准备 首先安装库文件,敲入指令,回车 install.packages('corrplot') 然后安装excel导入的插件,点击右上角impo ...

  10. python--enum

    # enum用于枚举,该模块下有一个Enum,我们定义的类要继承它 # 一旦继承,那么我们定义的key(仮),不能有重复值. # 如果要保证value(仮)不重复,那就引入unique,给我们定义的类 ...