Kernel buffer/heap overflow

1. #include <linux/module.h>
2. #include <linux/kernel.h>
3. #include <linux/init.h>
4. #include <linux/slab.h>
5. #include <linux/string.h>
6.  
7. // Module parameters for user input
8. static char *payload = NULL;
9. static int buffer_size = 16; // Configurable buffer size
10. module_param(payload, charp, 0644);
11. MODULE_PARM_DESC(payload, "Input payload to trigger heap overflow");
12. module_param(buffer_size, int, 0644);
13. MODULE_PARM_DESC(buffer_size, "Size of allocated buffer");
14.  
15. // Structures to demonstrate overflow impact
16. struct vulnerable_struct {
17. char buffer[16]; // Main buffer
18. int canary; // Canary to detect overflow
19. char next_buffer[16]; // Adjacent buffer to show corruption
20. };
21.  
22. // Vulnerable function demonstrating heap overflow
23. static void trigger_heap_overflow(void)
24. {
25. // Allocate a structure on the heap
26. struct vulnerable_struct *heap_data = kmalloc(sizeof(struct vulnerable_struct), GFP_KERNEL);
27.  
28. if (!heap_data) {
29. printk(KERN_ALERT "Memory allocation failed\n");
30. return;
31. }
32.  
33. // Initialize canary with a known value
34. heap_data->canary = 0xDEADBEEF;
35.  
36. // Initialize buffers with known patterns
37. memset(heap_data->buffer, 'A', sizeof(heap_data->buffer));
38. memset(heap_data->next_buffer, 'B', sizeof(heap_data->next_buffer));
39.  
40. // Print initial state
41. printk(KERN_INFO "Initial Canary Value: 0x%x\n", heap_data->canary);
42. printk(KERN_INFO "Initial Buffer Content: %.*s\n", (int)sizeof(heap_data->buffer), heap_data->buffer);
43. printk(KERN_INFO "Initial Next Buffer Content: %.*s\n", (int)sizeof(heap_data->next_buffer), heap_data->next_buffer);
44.  
45. // VULNERABILITY: Overflow with user-supplied payload
46. if (payload) {
47. size_t payload_len = strlen(payload);
48.  
49. // Print payload length and buffer size for debugging
50. printk(KERN_INFO "Payload Length: %zu\n", payload_len);
51. printk(KERN_INFO "Buffer Size: %d\n", buffer_size);
52.  
53. // Deliberately overflow the buffer by copying the payload
54. // If payload length exceeds buffer size, overflow occurs here
55. memcpy(heap_data->buffer, payload, payload_len);
56.  
57. // Print buffer after the overflow attempt
58. printk(KERN_INFO "After Overflow Buffer Content: %.*s\n", (int)sizeof(heap_data->buffer), heap_data->buffer);
59. }
60.  
61. // Check the state of the canary and next buffer to see overflow effect
62. printk(KERN_INFO "After Overflow Canary Value: 0x%x\n", heap_data->canary);
63. printk(KERN_INFO "After Overflow Next Buffer Content: %.*s\n", (int)sizeof(heap_data->next_buffer), heap_data->next_buffer);
64.  
65. // Free the allocated memory
66. kfree(heap_data);
67. }
68.  
69. // Module initialization function
70. static int __init heap_overflow_init(void)
71. {
72. printk(KERN_INFO "Heap Overflow Vulnerability Module Loaded\n");
73.  
74. // Trigger the vulnerable function
75. trigger_heap_overflow();
76.  
77. return 0;
78. }
79.  
80. // Module cleanup function
81. static void __exit heap_overflow_exit(void)
82. {
83. printk(KERN_INFO "Heap Overflow Module Unloaded\n");
84. }
85.  
86. // Macro declarations for kernel module
87. module_init(heap_overflow_init);
88. module_exit(heap_overflow_exit);
89.  
90. MODULE_LICENSE("GPL");
91. MODULE_AUTHOR("Security Research");
92. MODULE_DESCRIPTION("Kernel Module Demonstrating Heap Overflow Vulnerability");