http://thinkiii.blogspot.jp/2014/02/debug-with-slub-allocator.html

The slub allocator in Linux has useful debug features, such as poisoning, redzone checking, and allocate/free traces with timestamps. They are very useful during the product development stage. Let's create a kernel module and test the debug features.

Make sure the slub allocator and its debug support are built into your kernel. Note that CONFIG_SLUB_DEBUG=y only compiles the checks in; they are switched on at boot by the slub_debug kernel parameter (or by CONFIG_SLUB_DEBUG_ON=y).

CONFIG_SLUB_DEBUG=y
CONFIG_SLUB=y

The slub allocator creates additional metadata to store allocate/free traces and timestamps. Every time the slub allocator allocates or frees an object, it does a poison check (data area) and a redzone check (boundary).

The following module shows how this works: it allocates a 32-byte object with kmalloc() and overwrites the redzone by memset()ing 36 bytes.

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/string.h>

/* Allocate a 32-byte object and overrun it by 4 bytes into the redzone. */
void try_to_corrupt_redzone(void)
{
	void *p = kmalloc(32, GFP_KERNEL);

	if (p) {
		pr_alert("p: 0x%p\n", p);
		memset(p, 0x12, 36); /* write too much */
		/* dump 512 bytes so the redzone, poison and padding around the object are visible */
		print_hex_dump(KERN_ALERT, "mem: ", DUMP_PREFIX_ADDRESS,
			       16, 1, p, 512, 1);
		kfree(p); /* slub.c should catch this error */
	}
}

static int __init mymodule_init(void)
{
	pr_alert("%s init\n", __func__);
	try_to_corrupt_redzone();
	return 0;
}

static void __exit mymodule_exit(void)
{
	pr_alert("%s exit\n", __func__);
}

module_init(mymodule_init);
module_exit(mymodule_exit);
MODULE_LICENSE("GPL");

After the object is freed, the kernel checks it, finds that the redzone is overwritten, and says:

[ 2050.630002] mymodule_init init
[ 2050.630565] p: 0xddc86680
[ 2050.630653] mem: ddc86680: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.630779] mem: ddc86690: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.630897] mem: ddc866a0: 12 12 12 12 60 6b c8 dd 16 80 99 e0 fa 8e 2a c1 ....`k........*.
[ 2050.631014] mem: ddc866b0: 16 80 99 e0 ce 92 2a c1 16 80 99 e0 f2 c1 1b c1 ......*.........
[ 2050.631130] mem: ddc866c0: 16 80 99 e0 4c 8b 0a c1 4c 8b 0a c1 61 80 99 e0 ....L...L...a...
[ 2050.631248] mem: ddc866d0: 16 80 99 e0 61 80 99 e0 16 80 99 e0 61 80 99 e0 ....a.......a...
[ 2050.631365] mem: ddc866e0: 75 80 99 e0 48 01 00 c1 2b 36 05 c1 00 00 00 00 u...H...+6......
[ 2050.631483] mem: ddc866f0: 4a 0c 00 00 99 ad 06 00 6d 35 05 c1 9e 8b 2a c1 J.......m5....*.
[ 2050.631599] mem: ddc86700: 6d 35 05 c1 48 8c 2a c1 6d 35 05 c1 ee 89 0a c1 m5..H.*.m5......
[ 2050.631716] mem: ddc86710: ee 89 0a c1 e4 0a 14 c1 e4 0a 14 c1 ee 89 0a c1 ................
[ 2050.631832] mem: ddc86720: ee 89 0a c1 6d 35 05 c1 6d 35 05 c1 6d 35 05 c1 ....m5..m5..m5..
[ 2050.631948] mem: ddc86730: a7 39 05 c1 ef b8 2a c1 00 00 00 00 00 00 00 00 .9....*.........
[ 2050.633948] mem: ddc86740: 4a 0c 00 00 97 ad 06 00 5a 5a 5a 5a 5a 5a 5a 5a J.......ZZZZZZZZ
[ 2050.634095] mem: ddc86750: 14 dc 46 dd 14 dc 46 dd 00 00 00 00 6b 6b 6b 6b ..F...F.....kkkk
[ 2050.634236] mem: ddc86760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
[ 2050.634378] mem: ddc86770: cc cc cc cc c0 69 c8 dd a0 83 20 c1 fa 8e 2a c1 .....i.... ...*.
[ 2050.634629] =============================================================================
[ 2050.634750] BUG kmalloc-32 (Tainted: P B O): Redzone overwritten
[ 2050.634828] -----------------------------------------------------------------------------
[ 2050.634828]
[ 2050.634967] INFO: 0xddc866a0-0xddc866a3. First byte 0x12 instead of 0xcc
[ 2050.635123] INFO: Allocated in try_to_corrupt_redzone+0x16/0x61 [mymodule] age=1 cpu=0 pid=3146
[ 2050.635255] alloc_debug_processing+0x63/0xd1
[ 2050.635337] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635423] __slab_alloc.constprop.73+0x366/0x384
[ 2050.635506] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635594] vt_console_print+0x21e/0x226
[ 2050.635672] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635758] kmem_cache_alloc_trace+0x43/0xd7
[ 2050.635832] kmem_cache_alloc_trace+0x43/0xd7
[ 2050.635909] mymodule_init+0x0/0x19 [mymodule]
[ 2050.635992] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.636003] mymodule_init+0x0/0x19 [mymodule]
[ 2050.636092] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.636179] mymodule_init+0x0/0x19 [mymodule]
[ 2050.636261] mymodule_init+0x14/0x19 [mymodule]
[ 2050.636343] do_one_initcall+0x6c/0xf4
[ 2050.636428] load_module+0x1690/0x199a
[ 2050.636508] INFO: Freed in load_module+0x15d2/0x199a age=3 cpu=0 pid=3146
[ 2050.636598] free_debug_processing+0xd6/0x142
[ 2050.636676] load_module+0x15d2/0x199a
[ 2050.636749] __slab_free+0x3e/0x28d
[ 2050.636819] load_module+0x15d2/0x199a
[ 2050.636888] kfree+0xe4/0x102
[ 2050.636953] kfree+0xe4/0x102
[ 2050.637020] kobject_uevent_env+0x361/0x39a
[ 2050.637091] kobject_uevent_env+0x361/0x39a
[ 2050.637163] kfree+0xe4/0x102
[ 2050.637227] kfree+0xe4/0x102
[ 2050.637294] load_module+0x15d2/0x199a
[ 2050.637366] load_module+0x15d2/0x199a
[ 2050.637438] load_module+0x15d2/0x199a
[ 2050.637509] SyS_init_module+0x72/0x8a
[ 2050.637581] syscall_call+0x7/0xb
[ 2050.637649] INFO: Slab 0xdffa90c0 objects=19 used=8 fp=0xddc86000 flags=0x40000080
[ 2050.637749] INFO: Object 0xddc86680 @offset=1664 fp=0xddc86b60
[ 2050.637749]
[ 2050.637875] Bytes b4 ddc86670: 14 01 00 00 95 ad 06 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
[ 2050.637875] Object ddc86680: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.637875] Object ddc86690: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.637875] Redzone ddc866a0: 12 12 12 12 ....
[ 2050.637875] Padding ddc86748: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
[ 2050.637875] CPU: 0 PID: 3146 Comm: insmod Tainted: P B O 3.10.17 #1
[ 2050.637875] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 2050.637875] 00000000 c10a7b59 c10941c5 dffa90c0 ddc86680 de8012cc de801280 ddc86680
[ 2050.637875] dffa90c0 c10a7bd3 c13689a5 ddc866a0 000000cc 00000004 de801280 ddc86680
[ 2050.637875] dffa90c0 de800e00 c12a8b2f 000000cc ddc86680 de801280 dffa90c0 dd407e50
[ 2050.637875] Call Trace:
[ 2050.637875] [<c10a7b59>] ? check_bytes_and_report+0x6d/0xb0
[ 2050.637875] [<c10941c5>] ? page_address+0x1a/0x79
[ 2050.637875] [<c10a7bd3>] ? check_object+0x37/0x149
[ 2050.637875] [<c12a8b2f>] ? free_debug_processing+0x67/0x142
[ 2050.637875] [<c12a8c48>] ? __slab_free+0x3e/0x28d
[ 2050.637875] [<e0998075>] ? mymodule_init+0x14/0x19 [mymodule]
[ 2050.637875] [<c102063d>] ? wake_up_klogd+0x1d/0x1e
[ 2050.637875] [<c10a89ee>] ? kfree+0xe4/0x102
[ 2050.637875] [<c10a89ee>] ? kfree+0xe4/0x102
[ 2050.637875] [<e0998075>] ? mymodule_init+0x14/0x19 [mymodule]
[ 2050.637875] [<e0998075>] ? mymodule_init+0x14/0x19 [mymodule]
[ 2050.637875] [<e0998061>] ? try_to_corrupt_redzone+0x61/0x61 [mymodule]
[ 2050.637875] [<e0998075>] ? mymodule_init+0x14/0x19 [mymodule]
[ 2050.637875] [<c1000148>] ? do_one_initcall+0x6c/0xf4
[ 2050.637875] [<c105362b>] ? load_module+0x1690/0x199a
[ 2050.637875] [<c10539a7>] ? SyS_init_module+0x72/0x8a
[ 2050.637875] [<c12ab8ef>] ? syscall_call+0x7/0xb
[ 2050.637875] FIX kmalloc-32: Restoring 0xddc866a0-0xddc866a3=0xcc
[ 2050.637875]
[ 2051.232817] mymodule_exit exit

First the slub allocator prints the error type, "Redzone overwritten":

[ 2050.634629] =============================================================================
[ 2050.634750] BUG kmalloc-32 (Tainted: P B O): Redzone overwritten
[ 2050.634828] -----------------------------------------------------------------------------
[ 2050.634828]
[ 2050.634967] INFO: 0xddc866a0-0xddc866a3. First byte 0x12 instead of 0xcc

To understand what the redzone is, take a look at the memory content around the object:

[ 2050.637875] Bytes b4 ddc86670: 14 01 00 00 95 ad 06 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
[ 2050.637875] Object ddc86680: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.637875] Object ddc86690: 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
[ 2050.637875] Redzone ddc866a0: 12 12 12 12 ....
[ 2050.637875] Padding ddc86748: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ

We write 36 bytes of 0x12 starting at the 32-byte object (0xddc86680 - 0xddc8669f): 32 of them fill the object and the remaining 4 land on the redzone (normally 0xbb or 0xcc). When the object is returned to the kernel, the kernel finds that the redzone is neither 0xcc nor 0xbb and reports this as a BUG.

The slub allocator also reports the latest allocate/free history of this object. You can see that the object was just allocated by our kernel module function 'try_to_corrupt_redzone'.

Sometimes the allocate/free traces of the object are more useful than the function backtrace. For example, consider a use-after-free: function A allocates an object, frees it, and then writes to it. If the object has meanwhile been allocated to another function B, B ends up holding a corrupted object; with the free trace of this object we can trace back to its previous owner, function A.

[ 2050.635123] INFO: Allocated in try_to_corrupt_redzone+0x16/0x61 [mymodule] age=1 cpu=0 pid=3146
[ 2050.635255] alloc_debug_processing+0x63/0xd1
[ 2050.635337] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635423] __slab_alloc.constprop.73+0x366/0x384
[ 2050.635506] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635594] vt_console_print+0x21e/0x226
[ 2050.635672] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.635758] kmem_cache_alloc_trace+0x43/0xd7
[ 2050.635832] kmem_cache_alloc_trace+0x43/0xd7
[ 2050.635909] mymodule_init+0x0/0x19 [mymodule]
[ 2050.635992] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.636003] mymodule_init+0x0/0x19 [mymodule]
[ 2050.636092] try_to_corrupt_redzone+0x16/0x61 [mymodule]
[ 2050.636179] mymodule_init+0x0/0x19 [mymodule]
[ 2050.636261] mymodule_init+0x14/0x19 [mymodule]
[ 2050.636343] do_one_initcall+0x6c/0xf4
[ 2050.636428] load_module+0x1690/0x199a
[ 2050.636508] INFO: Freed in load_module+0x15d2/0x199a age=3 cpu=0 pid=3146
[ 2050.636598] free_debug_processing+0xd6/0x142
[ 2050.636676] load_module+0x15d2/0x199a
[ 2050.636749] __slab_free+0x3e/0x28d
[ 2050.636819] load_module+0x15d2/0x199a
[ 2050.636888] kfree+0xe4/0x102
[ 2050.636953] kfree+0xe4/0x102
[ 2050.637020] kobject_uevent_env+0x361/0x39a
[ 2050.637091] kobject_uevent_env+0x361/0x39a
[ 2050.637163] kfree+0xe4/0x102
[ 2050.637227] kfree+0xe4/0x102
[ 2050.637294] load_module+0x15d2/0x199a
[ 2050.637366] load_module+0x15d2/0x199a
[ 2050.637438] load_module+0x15d2/0x199a
[ 2050.637509] SyS_init_module+0x72/0x8a
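As an added user-space model (not the post's module and not kernel code) of the two checks discussed above: the redzone check that runs at kfree(), replaying the 36-byte memset into a 32-byte object, and the poison check that runs at the next kmalloc(), which is what catches the write-after-free case from the previous paragraph. The 0xcc/0xbb/0x6b/0xa5 values and the reported range format follow the kernel's slub.c; the address 0xddc86680 is taken from the log above and used as a label only.

```c
/* User-space model of SLUB's check_object()/check_bytes_and_report() for kmalloc-32. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SLUB_RED_ACTIVE = 0xcc, SLUB_RED_INACTIVE = 0xbb, /* redzone: allocated / free */
       POISON_FREE = 0x6b, POISON_END = 0xa5,           /* body fill / last body byte */
       OBJ_SIZE = 32, RED_SIZE = 4 };
#define BASE 0xddc86680UL /* object address from the post's log, used as a label only */
static uint8_t slot[OBJ_SIZE + RED_SIZE]; /* object body followed by its redzone */
static char report[96];                   /* last INFO line, in the kernel's format */

/* init_object(): poison the body and set the redzone to val (done on alloc and on free). */
static void init_object(uint8_t val)
{
	memset(slot, POISON_FREE, OBJ_SIZE - 1);
	slot[OBJ_SIZE - 1] = POISON_END;
	memset(slot + OBJ_SIZE, val, RED_SIZE);
}

/* Find the first wrong byte, trim trailing good bytes, format the bad range. 1 = corrupted. */
static int check_bytes(const char *what, size_t off, size_t len, uint8_t value)
{
	size_t first = off, end = off + len;
	while (first < end && slot[first] == value) first++;
	if (first == end) return 0;
	while (end > first && slot[end - 1] == value) end--;
	snprintf(report, sizeof report, "%s: 0x%lx-0x%lx. First byte 0x%02x instead of 0x%02x",
		 what, (unsigned long)(BASE + first), (unsigned long)(BASE + end - 1),
		 (unsigned)slot[first], (unsigned)value);
	return 1;
}

/* Replay the post's module: kmalloc(32), memset(p, 0x12, 36), kfree().
 * kfree() checks only the redzone of the object being returned. */
static int replay_overrun(void)
{
	init_object(SLUB_RED_ACTIVE);
	memset(slot, 0x12, 36); /* write too much */
	return check_bytes("Redzone", OBJ_SIZE, RED_SIZE, SLUB_RED_ACTIVE);
}

/* kfree(), a stale write through the old pointer, then the next kmalloc(), which
 * checks the poison of the free object: the write after free is caught there. */
static int replay_write_after_free(void)
{
	init_object(SLUB_RED_INACTIVE);
	slot[8] = 0x42; /* use after free */
	return check_bytes("Poison", 0, OBJ_SIZE - 1, POISON_FREE) ||
	       check_bytes("Poison", OBJ_SIZE - 1, 1, POISON_END);
}
```

After replay_overrun() the report string reads exactly like the INFO line in the log above; after replay_write_after_free() it points at the single stale byte, and the alloc/free traces would then name the previous owner.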
 
Posted by Miles MH Chen at 7:34 AM 
Labels: linux
