/*kfree.c test kernel kfree parameter corruption
 *                      --- alert7 < alert7@xfocus.org >
 *gcc -O3 -c -I/usr/src/linux/include kfree.c
 *如果能利用的话，请写出exploit
 *如果不能利用的话，请分析原因
 *欢迎来信探讨
 */

#define MODULE
#define __KERNEL__
#include <linux/kernel.h>
#include <linux/module.h>
#include <asm/unistd.h>
#include <asm/uaccess.h>
#include <sys/syscall.h>
#include <linux/slab.h>

#define __NR_function   240     //linux not use

extern void* sys_call_table[];

int (*old_function) (void );


asmlinkage int new_function(unsigned int len, char * buf) {
        char * volatile  p;//为了不让GCC把P优化到寄存器中
        char   code[256] ;
        int i;

        len=((int)&p  - (int)code)+4;

        printk("len %d\n",len);

        p = kmalloc(len, GFP_KERNEL);

        printk("kmalloc 0x%p \n",p);

        if (p ==0) {
                printk("kmalloc: no memory\n");
                goto out;
        }
        i=strncpy_from_user(code, buf, len);

        printk("strncpy_from_user size %d\n",i);

        printk("<1>p addr %p\n",p);

        kfree(p);

out:
        return 0; 
}

int init_module(void) {
  old_function = sys_call_table[__NR_function];
  sys_call_table[__NR_function] = new_function;
  printk("<1>kfree test loaded...\n");
  return 0;
}

void cleanup_module(void) {
  sys_call_table[__NR_function] = old_function;
  printk("<1>kfree test unloaded...\n");
}