Heap overflow

1. #include <linux/module.h>
2. #include <linux/kernel.h>
3. #include <linux/init.h>
4. #include <linux/slab.h>
5. #include <linux/string.h>
6.  
7. // Module parameters for user input
8. static char *payload = NULL;
9. static int buffer_size = 16; // Configurable buffer size
10. module_param(payload, charp, 0644);
11. MODULE_PARM_DESC(payload, "Input payload to trigger heap overflow");
12. module_param(buffer_size, int, 0644);
13. MODULE_PARM_DESC(buffer_size, "Size of allocated buffer");
14.  
15. // Structures to demonstrate overflow impact
16. struct vulnerable_struct {
17. char buffer[16]; // Main buffer
18. int canary; // Canary to detect overflow
19. char next_buffer[16]; // Adjacent buffer to show corruption
20. };
21.  
22. // Vulnerable function demonstrating heap overflow
23. static void trigger_heap_overflow(void)
24. {
25. // Allocate a structure on the heap
26. struct vulnerable_struct *heap_data = kmalloc(sizeof(struct vulnerable_struct), GFP_KERNEL);
27.  
28. if (!heap_data) {
29. printk(KERN_ALERT "Memory allocation failed\n");
30. return;
31. }
32.  
33. // Initialize canary with a known value
34. heap_data->canary = 0xDEADBEEF;
35.  
36. // Initialize buffers with known patterns
37. memset(heap_data->buffer, 'A', sizeof(heap_data->buffer));
38. memset(heap_data->next_buffer, 'B', sizeof(heap_data->next_buffer));
39.  
40. // Print initial state
41. printk(KERN_ALERT "Initial Canary Value: 0x%x\n", heap_data->canary);
42. printk(KERN_ALERT "Initial Buffer Content: %.*s\n",
43. (int)sizeof(heap_data->buffer), heap_data->buffer);
44. printk(KERN_ALERT "Initial Next Buffer Content: %.*s\n",
45. (int)sizeof(heap_data->next_buffer), heap_data->next_buffer);
46.  
47. // VULNERABILITY: Overflow with user-supplied payload
48. if (payload) {
49. size_t payload_len = strlen(payload);
50. printk(KERN_ALERT "Payload Length: %lu\n", payload_len);
51. printk(KERN_ALERT "Buffer Size: %d\n", buffer_size);
52.  
53. // Deliberately overflow the buffer with careful length calculation
54. // Ensure we do not copy more than the buffer size
55. size_t copy_len = (payload_len > buffer_size) ? buffer_size : payload_len;
56. memcpy(heap_data->buffer, payload, copy_len);
57. }
58.  
59. // Check for overflow
60. printk(KERN_ALERT "After Overflow Canary Value: 0x%x\n", heap_data->canary);
61. printk(KERN_ALERT "After Overflow Buffer Content: %.*s\n",
62. (int)sizeof(heap_data->buffer), heap_data->buffer);
63. printk(KERN_ALERT "After Overflow Next Buffer Content: %.*s\n",
64. (int)sizeof(heap_data->next_buffer), heap_data->next_buffer);
65.  
66. // Free the allocated memory
67. kfree(heap_data);
68. }
69.  
70. // Module initialization function
71. static int __init heap_overflow_init(void)
72. {
73. printk(KERN_INFO "Detailed Heap Overflow Vulnerability Module Loaded\n");
74.  
75. // Trigger the vulnerable function
76. trigger_heap_overflow();
77.  
78. return 0;
79. }
80.  
81. // Module cleanup function
82. static void __exit heap_overflow_exit(void)
83. {
84. printk(KERN_INFO "Heap Overflow Module Unloaded\n");
85. }
86.  
87. // Macro declarations for kernel module
88. module_init(heap_overflow_init);
89. module_exit(heap_overflow_exit);
90.  
91. MODULE_LICENSE("GPL");
92. MODULE_AUTHOR("Security Research");
93. MODULE_DESCRIPTION("Detailed Kernel Module Demonstrating Heap Overflow Vulnerability");