#ifndef _LINUX_POISON_H
#define _LINUX_POISON_H

/*
 * Poison and magic values collected in one place.  Each section banner
 * names a file or directory, presumably the user of the values under it.
 *
 * Triage caveat: some values repeat across sections.  0xcc is both
 * SLUB_RED_ACTIVE and POISON_FREE_INITMEM, and 0xdeadbeef is both
 * ATM_POISON and NEIGHBOR_DEAD, so a pattern found in a dump does not by
 * itself identify which subsystem wrote it.
 */

/* ---------- include/linux/list.h ---------- */

/*
 * Offset folded into the list poison pointers below.
 *
 * An architecture may supply CONFIG_ILLEGAL_POINTER_VALUE so the poison
 * pointers land in a well-recognized area such as 0xdead000000000000
 * that user-space exploits cannot map.  Without it the offset is 0 and
 * LIST_POISON1 / LIST_POISON2 are the bare low addresses 0x00100100 and
 * 0x00200200.
 *
 * NOTE(review): nothing in this header makes those low addresses
 * unmappable.  With a zero offset, a dereference of a poisoned list
 * pointer is only as safe as the platform's low-address mapping policy
 * (e.g. vm.mmap_min_addr); confirm for the target, and prefer a non-zero
 * CONFIG_ILLEGAL_POINTER_VALUE where the architecture offers one.
 */
#ifdef CONFIG_ILLEGAL_POINTER_VALUE
#define POISON_POINTER_DELTA	_AC(CONFIG_ILLEGAL_POINTER_VALUE, UL)
#else
#define POISON_POINTER_DELTA	0
#endif

/*
 * Deliberately non-NULL sentinel pointers.  Under normal circumstances
 * touching one causes a page fault, which is how use of a
 * non-initialized list entry gets noticed.
 *
 * The addition is done on a void pointer, which relies on the GNU C
 * extension that allows arithmetic on void *.
 */
#define LIST_POISON1	((void *) 0x00100100 + POISON_POINTER_DELTA)
#define LIST_POISON2	((void *) 0x00200200 + POISON_POINTER_DELTA)

/* ---------- include/linux/timer.h ---------- */

/*
 * Marks a static timer initializer for the object debugging code.
 * The value is the magic number "tsta" (bytes 0x74 0x73 0x74 0x61).
 */
#define TIMER_ENTRY_STATIC	((void *) 0x74737461)

/* ---------- mm/debug-pagealloc.c ---------- */

#define PAGE_POISON	0xaa

/* ---------- mm/slab.c ---------- */

/*
 * Red-zone magic numbers: one is placed in the first word before an
 * object and one in the first word after it.
 */
#define RED_INACTIVE	0x09F911029D74E35BULL	/* object is inactive */
#define RED_ACTIVE	0xD84156C5635688C0ULL	/* object is active */

#define SLUB_RED_INACTIVE	0xbb
#define SLUB_RED_ACTIVE		0xcc

/*
 * Fill bytes used for poisoning.
 *
 * NOTE(review): when this poisoning is enabled (the switch is not
 * visible in this header), a run of POISON_FREE bytes in a register or
 * memory dump is the pattern to look for when triaging a suspected
 * use-after-free, and POISON_INUSE plays the same role for reads of
 * uninitialised memory.
 */
#define POISON_INUSE	0x5a	/* catches use of uninitialised memory */
#define POISON_FREE	0x6b	/* catches use after free */
#define POISON_END	0xa5	/* final byte of a poisoned region */

/* ---------- arch/$ARCH/mm/init.c ---------- */

#define POISON_FREE_INITMEM	0xcc

/* ---------- arch/ia64/hp/common/sba_iommu.c ---------- */

/*
 * No macro here: arch/ia64/hp/common/sba_iommu.c does its spill-over
 * poisoning with a 16-byte poison string whose value is
 * "SBAIOMMU POISON\0".
 */

/* ---------- fs/jbd/journal.c ---------- */

#define JBD_POISON_FREE		0x5b
#define JBD2_POISON_FREE	0x5c

/* ---------- drivers/base/dmapool.c ---------- */

#define POOL_POISON_FREED	0xa7	/* !inuse */
#define POOL_POISON_ALLOCATED	0xa9	/* !initted */

/* ---------- drivers/atm/ ---------- */

#define ATM_POISON_FREE	0x12
#define ATM_POISON	0xdeadbeef

/* ---------- net/ ---------- */

#define NEIGHBOR_DEAD		0xdeadbeef
#define NETFILTER_LINK_POISON	0xdead57ac

/* ---------- kernel/mutexes ---------- */

#define MUTEX_DEBUG_INIT	0x11
#define MUTEX_DEBUG_FREE	0x22

/* ---------- lib/flex_array.c ---------- */

#define FLEX_ARRAY_FREE	0x6c	/* catches use after free */

/* ---------- security/ ---------- */

#define KEY_DESTROY	0xbd

/* ---------- sound/oss/ ---------- */

#define OSS_POISON_FREE	0xAB

#endif /* _LINUX_POISON_H */