http://docs.google.com/Doc?docid=0AVjbrJHtHYMlZGM2ZG1tZDJfM2N4cTQ1Mmdr&hl=en

下载文本，uudecode解码出压缩文件，然后解压编译即可。非严格测试之程序，无产品级文档，有问题欢迎反馈。

下载地址：

gfuzz 0.2.1

http://docs.google.com/Doc?id=dc6dmmd2_1dx9x3thh

对比Linux内核2.4.x和2.6.x版本，我们可以发现SAVE_ALL宏中一个有趣的变化，代码如下：

kernel 2.4.x:
  87#define SAVE_ALL \
  88        cld; \
  89        pushl %es; \
  90        pushl %ds; \
  91        pushl %eax; \
  92        pushl %ebp; \
  93        pushl %edi; \
  94        pushl %esi; \
  95        pushl %edx; \
  96        pushl %ecx; \
  97        pushl %ebx; \
  98        movl $(__KERNEL_DS),%edx; \
  99        movl %edx,%ds; \
 100        movl %edx,%es;

kernel 2.6.x:
  84#define SAVE_ALL \
  85        cld; \
  86        pushl %es; \
  87        pushl %ds; \
  88        pushl %eax; \
  89        pushl %ebp; \
  90        pushl %edi; \
  91        pushl %esi; \
  92        pushl %edx; \
  93        pushl %ecx; \
  94        pushl %ebx; \
  95        movl $(__USER_DS), %edx; \
  96        movl %edx, %ds; \
  97        movl %edx, %es;

可以看到__KERNEL_DS被__USER_DS替换。

WHY ?!

在看答案之前，尝试自己解释一下……

[separator]

关于这个问题，我就不多说了，我们看Linus在内核邮件列表中的解释：

http://www.spinics.net/lists/kernel/old/2002-q4/msg23132.html

Re: Intel P6 vs P7 system call performance

    * To: Ingo Molnar <mingo@elte.hu>
    * Subject: Re: Intel P6 vs P7 system call performance
    * From: Linus Torvalds <torvalds@transmeta.com>
    * Date: Tue, 24 Dec 2002 11:36:55 -0800 (PST)
    * Cc: Jamie Lokier <lk@tantalophile.demon.co.uk>, Ulrich Drepper <drepper@redhat.com>, <bart@etpmod.phys.tue.nl>, <davej@codemonkey.org.uk>, <hpa@transmeta.com>, <terje.eggestad@scali.com>, <matti.aarnio@zmailer.org>, <hugh@veritas.com>, <linux-kernel@vger.kernel.org>
    * In-reply-to: <Pine.LNX.4.44.0212221111080.31068-100000@localhost.localdomain>
    * Sender: linux-kernel-owner@vger.kernel.org

Ok, one final optimization.

We have traditionally held ES/DS constant at __KERNEL_DS in the kernel,
and we've used that to avoid saving unnecessary segment registers over
context switches etc.

I realized that there is really no reason to use __KERNEL_DS for this, and
that as far as the kernel is concerned, the only thing that matters is
that it's a flat 32-bit segment. So we might as well make the kernel
always load ES/DS with __USER_DS instead, which has the advantage that we
can avoid one set of segment loads for the "sysenter/sysexit" case.

(We still need to load ES/DS at entry to the kernel, since we cannot rely
on user space not trying to do strange things. But once we load them with
__USER_DS, we at least don't need to restore them on return to user mode
any more, since "sysenter" only works in a flat 32-bit user mode anyway
(*)).

This doesn't matter much for a P4 (surprisingly, a P4 does very well
indeed on segment loads), but it does make a difference on PIII-class
CPU's.

This makes a PIII do a "getpid()" system call in something like 160
cycles (a P4 is at 430 cycles, oh well).

Ingo, would you mind taking a look at the patch, to see if you see any
paths where we don't follow the new segment register rules. It looks like
swsuspend isn't properly saving and restoring segment register contents.
so that will need double-checking (it wasn't correct before either, so
this doesn't make it any worse, at least).

            Linus

(*) We could avoid even that initial load by instead _testing_ that the
values are the correct ones and jumping out if not, but I worry about vm86
mode being able to fool us with segments that have the right selectors but
the wrong segment caches. I disabled sysenter for vm86 mode, but it's so
subtle that I prefer just doing the segment loads rather than doing two
moves and comparisons.

###########################################
# The following is the BitKeeper ChangeSet Log
# --------------------------------------------
# 02/12/24    torvalds@home.transmeta.com    1.953
# Make the default values for DS/ES be the _user_ segment descriptors
# on x86 - the kernel doesn't really care (as long as it's all flat 32-bit),
# and it means that the return path for sysenter/sysexit can avoid re-loading
# the segment registers.
#
# NOTE! This means that _all_ kernel code (not just the sysenter path) must
# be appropriately changed, since the kernel knows the conventions and doesn't
# save/restore DS/ES internally on context switches etc.
# --------------------------------------------
#
diff -Nru a/arch/i386/kernel/entry.S b/arch/i386/kernel/entry.S
--- a/arch/i386/kernel/entry.S    Tue Dec 24 11:34:28 2002
+++ b/arch/i386/kernel/entry.S    Tue Dec 24 11:34:28 2002
@@ -91,18 +91,21 @@
     pushl %edx; \
     pushl %ecx; \
     pushl %ebx; \
-    movl $(__KERNEL_DS), %edx; \
+    movl $(__USER_DS), %edx; \
     movl %edx, %ds; \
     movl %edx, %es;

-#define RESTORE_REGS    \
+#define RESTORE_INT_REGS \
     popl %ebx;    \
     popl %ecx;    \
     popl %edx;    \
     popl %esi;    \
     popl %edi;    \
     popl %ebp;    \
-    popl %eax;    \
+    popl %eax
+
+#define RESTORE_REGS    \
+    RESTORE_INT_REGS; \
 1:    popl %ds;    \
 2:    popl %es;    \
 .section .fixup,"ax";    \
@@ -271,9 +274,9 @@
     movl TI_FLAGS(%ebx), %ecx
     testw $_TIF_ALLWORK_MASK, %cx
     jne syscall_exit_work
-    RESTORE_REGS
-    movl 4(%esp),%edx
-    movl 16(%esp),%ecx
+    RESTORE_INT_REGS
+    movl 12(%esp),%edx
+    movl 24(%esp),%ecx
     sti
     sysexit

@@ -428,7 +431,7 @@
     movl %esp, %edx
     pushl %esi            # push the error code
     pushl %edx            # push the pt_regs pointer
-    movl $(__KERNEL_DS), %edx
+    movl $(__USER_DS), %edx
     movl %edx, %ds
     movl %edx, %es
     call *%edi
diff -Nru a/arch/i386/kernel/head.S b/arch/i386/kernel/head.S
--- a/arch/i386/kernel/head.S    Tue Dec 24 11:34:28 2002
+++ b/arch/i386/kernel/head.S    Tue Dec 24 11:34:28 2002
@@ -235,12 +235,15 @@
     lidt idt_descr
     ljmp $(__KERNEL_CS),$1f
 1:    movl $(__KERNEL_DS),%eax    # reload all the segment registers
-    movl %eax,%ds        # after changing gdt.
+    movl %eax,%ss            # after changing gdt.
+
+    movl $(__USER_DS),%eax        # DS/ES contains default USER segment
+    movl %eax,%ds
     movl %eax,%es
+
+    xorl %eax,%eax            # Clear FS/GS and LDT
     movl %eax,%fs
     movl %eax,%gs
-    movl %eax,%ss
-    xorl %eax,%eax
     lldt %ax
     cld            # gcc2 wants the direction flag cleared at all times
 #ifdef CONFIG_SMP
diff -Nru a/arch/i386/kernel/process.c b/arch/i386/kernel/process.c
--- a/arch/i386/kernel/process.c    Tue Dec 24 11:34:28 2002
+++ b/arch/i386/kernel/process.c    Tue Dec 24 11:34:28 2002
@@ -219,8 +219,8 @@
     regs.ebx = (unsigned long) fn;
     regs.edx = (unsigned long) arg;

-    regs.xds = __KERNEL_DS;
-    regs.xes = __KERNEL_DS;
+    regs.xds = __USER_DS;
+    regs.xes = __USER_DS;
     regs.orig_eax = -1;
     regs.eip = (unsigned long) kernel_thread_helper;
     regs.xcs = __KERNEL_CS;

-

MODE=-DGHC_CRASH_MODE

下面是代码：

--------------------------------------------------------

#!/bin/bash
##
# Heap overflow Checker
# Version: 0.2.0
# Written by grip2 <gript2@hotmail.com>
##

mkdir heapof_check
cd heapof_check

## README
cat << __EOF__ > README
grip2@debian:~/heapof_check$ ls
Makefile  README  ghc.c  test.c

[separator]

grip2@debian:~/heapof_check$ make
gcc -shared -o ghc.so -fPIC ghc.c -nostdlib -ldl -Wall
ghc.c:30: warning: integer constant is too large for 'long' type

grip2@debian:~/heapof_check$ export LD_PRELOAD=/home/grip2/heapof_check/ghc.so

grip2@debian:~/heapof_check$ ./test
[** warning **]  head overflow at 0x80496d0
[** warning **]  tail overflow at 0x80496f0
[** error **]    free NULL pointer

grip2@debian:~/heapof_check$ export LD_PRELOAD=
grip2@debian:~/heapof_check$
__EOF__

## ghc.c
cat << __EOF__ > ghc.c
/**
 * ghc.c -- Heap overflow Check
 * version: 0.2.0
 * Written by grip2 <gript2@hotmail.com> <chenyu@venustech.com.cn>
 */

#define _GNU_SOURCE    /* for RTLD_NEXT */
#include <dlfcn.h>

#include <malloc.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <sys/mman.h>

#include <asm/page.h>    /* for PAGE_SIZE */

enum { /* memory Alloc MODE */
    AMODE_MALLOC = 0,
#define AMDOE_MALLOC AMODE_MALLOC
    AMODE_SBRK,
#define AMDOE_SBRK AMODE_SBRK
};

#define hc_log(...)     do { printf(__VA_ARGS__); printf("\n");    } while (0)

void *malloc(size_t size);
void free(void *ptr);
void *realloc(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size);

static void __hc_init(void);

typedef void *malloc_t(size_t size);
static malloc_t *pmalloc;
typedef void free_t(void *);
static free_t *pfree;

#ifndef GHC_CRASH_MODE
typedef long long magic_stamp_t;
static magic_stamp_t magic_stamp = 0x1976112619770116;
#endif

static volatile int init_flag = 0;    /* for pmalloc, pfree, etc. */
int hc_lock = 0;

#if 0
int main(void)
{
    char *banner = "** ghc.so - Heap overflow Check.\n"
        "** Version 0.2.0\n"
        "Written by grip2 <gript2@hotmail.com> <chenyu@venustech.com.cn>\n";
    return 0;
}
#endif

static void __hc_init(void)
{
    char *error;

#ifdef GHC_DEBUG
    printf("** Heap overflow Checker init ...\n");
#endif   

    dlerror(); /* see man dlsym */
    pmalloc = (malloc_t *) dlsym(RTLD_NEXT, "malloc");
    if ((error = dlerror()) != NULL) {    /* JFF: man dlerror */
        fprintf(stderr, "in %s line %d: %s\n", __FILE__, __LINE__,
            error);
        goto err;
    }

    pfree = (free_t *) dlsym(RTLD_NEXT, "free");
    if ((error = dlerror()) != NULL) {
        fprintf(stderr, "in %s line %d: %s\n", __FILE__, __LINE__, error);
        goto err;
    }

    return;
err:
    exit(-1);    /* kill program is better than continue */
}

static void safe_hc_init(void)
{
    int val;

    val = 1;
    __asm__ volatile (
        "xchgl %1,%0"
        :"=r" (hc_lock)
        :"m" (val), "0" (hc_lock)
        :"memory");

    if (!val) {
        __hc_init();
        init_flag = 1;
    } else {
        while (init_flag == 0);
    }
}

#ifndef GHC_CRASH_MODE
static inline void *get_head_from_user(void *ptr)
{
    void *pmem;

    pmem = (char *) ptr - sizeof(magic_stamp) - 2*sizeof(int);
    return pmem;
}

static inline void *get_user_from_head(void *pmem)
{
    void *ptr;

    ptr = (char *) pmem + sizeof(magic_stamp) + 2*sizeof(int);
    return ptr;
}

static int memcheck(void *pmem)
{
    magic_stamp_t tail_stamp, head_stamp;
    int size, size2; /* don't use size_t or unsigned type */
    int res = 0;
    void *ptr;

    /* get head stamp */
    memcpy(&head_stamp, pmem, sizeof(head_stamp));
    if (memcmp(&head_stamp, &magic_stamp, sizeof(magic_stamp)) != 0) {
        hc_log("[** warning **]\t head overflow at %p (stamp)", pmem);
        res = -1;
    }
    /* check length section */
    size = *(int *) ((char *) pmem + sizeof(head_stamp));
    size2 = *(int *) ((char *) pmem + sizeof(head_stamp) + sizeof(int));
    if (size != size2 || size < 0) {
        hc_log("[** warning **]\t head overflow at %p (user length)", (char *) pmem + sizeof(head_stamp));
        return -1;
    }

    /* get tail stamp */
    ptr = get_user_from_head(pmem);
    memcpy(&tail_stamp, ptr + size, sizeof(tail_stamp));
    if (memcmp(&tail_stamp, &magic_stamp, sizeof(magic_stamp)) != 0) {
        hc_log("[** warning **]\t tail overflow at %p", (char *) pmem + size);
        return -1;
    }

    return res;
}
#endif /* ifndef GHC_CRASH_MODE */

static inline size_t get_user_size(void *ptr)
{
    size_t size;

#ifdef GHC_CRASH_MODE
    size = *(int *) (ptr - sizeof(unsigned long) - sizeof(unsigned int));
#else
    void *pmem;
    pmem = get_head_from_user(ptr);
    if (memcheck(pmem) != 0)
        return -1;
   
    size = *(int *) ((char *) pmem + sizeof(magic_stamp));
#endif
    return size;
}

static void *__ghc_alloc(size_t size, int mode)
{
    void *pmem, *ptr = NULL;
    size_t realsize;

#ifdef GHC_DEBUG
    printf("** __ghc_alloc -- mode [%d]\n", mode);
#endif

#ifdef GHC_CRASH_MODE
    /**
     * memory map: | stuff1  | user_length | real start_addr | user chunk | memory trap | stuff2 | */
    realsize = sizeof(unsigned int)     /* user_length */
            + sizeof(unsigned long)    /* start_addr */
            + size            /* user chunk */
            + PAGE_SIZE         /* trap */
            + (PAGE_SIZE-1);    /* padding (stuff1 + stuff2)*/
#else /* !GHC_CRASH_MODE */
    /**
     * memory map: | magic | user length | user length | user space | magic | */
    realsize = size + 2*sizeof(magic_stamp) + 2*sizeof(int);
#endif

    switch (mode) {
    case AMODE_MALLOC:
        assert(init_flag);
        pmem = pmalloc(realsize);
        break;
    case AMODE_SBRK:
        pmem = sbrk(realsize);
        if (pmem == (void *) -1)
            pmem = NULL;
        break;
    default:
        fprintf(stderr, "Unkonwn ALLOC_MODE [%d]\n", mode);
        exit(-1);
    }
#ifdef GHC_DEBUG
    printf(" ** GHC real malloc: %p\n", pmem);
#endif

    if (pmem) {
#ifdef GHC_CRASH_MODE
        void *trap;

        trap = (void *) ((unsigned long)(pmem + realsize - PAGE_SIZE) & ~(PAGE_SIZE-1));
        ptr = trap - size;
        *(unsigned long *)(ptr-sizeof(unsigned long)) = (unsigned long) pmem;
        *(unsigned int *)(ptr-sizeof(unsigned long)-sizeof(unsigned int)) = size;

        if (mprotect(trap, PAGE_SIZE, PROT_NONE)) {
            perror("mprotect");
            exit(-1);
        }
#else /* !GHC_CRASH_MODE */
        /* set head stamp */
        memcpy(pmem, &magic_stamp, sizeof(magic_stamp));
        *(int *) ((char *) pmem + sizeof(magic_stamp)) = (int) size;
        *(int *) ((char *) pmem + sizeof(magic_stamp) + sizeof(int)) = (int) size;

        /* get user chunk pointer */
        ptr = get_user_from_head(pmem);

        /* set tail stamp */
        memcpy((char *) ptr + size, &magic_stamp, sizeof(magic_stamp));
#endif
    }

    return ptr;
}

void *malloc(size_t size)
{
#ifdef GHC_DEBUG
    printf("** GHC malloc\n");
#endif
    if (init_flag == 0) {
        safe_hc_init();   
    }

    return __ghc_alloc(size, AMODE_MALLOC);
}

static void __ghc_free(void *ptr)
{
    void *pmem;

#ifdef GHC_DEBUG
    printf("** __ghc_free\n");
#endif
    if (!ptr) {
        hc_log("[** warning **]\t free NULL pointer");
        return;
    }

#ifdef GHC_CRASH_MODE
    void *trap;
    int size = get_user_size(ptr);

    trap = ptr + size;
    if (mprotect(trap, PAGE_SIZE, PROT_READ|PROT_WRITE)) {
        perror("mprotect");
        exit(-1);
    }

    pmem = *(void **) (ptr - sizeof(unsigned long));
#else
    /* get head pointer */
    pmem = get_head_from_user(ptr);
    if (memcheck(pmem) != 0)
        return;
#endif

#ifdef GHC_DEBUG
    printf(" ** GHC real free: %p\n", pmem);
#endif
    pfree(pmem);
}

void free(void *ptr)
{
#ifdef GHC_DEBUG
    printf("** GHC free\n");
#endif
    if (init_flag == 0) {
        if (!hc_lock) {
            fprintf(stderr, "** PANIC PRELOAD - free **\n");
#ifdef GHC_DEBUG
            exit(-1);
#endif
        }
        return;
    }

    __ghc_free(ptr);
}

void *realloc(void *ptr, size_t size)
{
    void *new;
    size_t oldsize;

#ifdef GHC_DEBUG
    printf("** GHC realloc\n");
#endif
    if (init_flag == 0) {
        fprintf(stderr, "** PANIC PRELOAD - realloc **\n");
        return NULL;
    }

    if (!ptr) /* see man realloc */
        return __ghc_alloc(size, AMODE_MALLOC);    
    if (!size) { /* see man realloc */
        __ghc_free(ptr);
        return NULL;
    }

    new = __ghc_alloc(size, AMODE_MALLOC);
    if (new) {
        oldsize = get_user_size(ptr);
        memcpy(new, ptr, (oldsize<size)?oldsize:size);   
        __ghc_free(ptr);
    }

    return new;
}

void *calloc(size_t nmemb, size_t size)
{
    void *p;
    size_t len;
    int mode;

#ifdef GHC_DEBUG
    printf("** GHC calloc\n");
#endif
    len = nmemb*size;
    mode = (!init_flag && hc_lock)? AMODE_SBRK : AMODE_MALLOC;

    if (mode == AMODE_MALLOC) {
        safe_hc_init();   
    }

    p = __ghc_alloc(len, mode);
    if (p)
        bzero(p, len); /* see man calloc */

    return p;
}

/* wait a moment ... */
/*
void hc_log(...)
{

}
*/
__EOF__

## test.c
cat << __EOF__ > test.c

#include <stdlib.h>
#include <string.h>
#include <stdio.h>

int main(void)
{
    void *p = malloc(16);
    void *q = malloc(16);

    bzero(p, 16);
    bzero(p, 18);
#ifndef GHC_CRASH_MODE
    *(char *) (p - 9) = 2;
#endif

    q = realloc(q, 32);

    free(q);
    free(p);
    free(NULL);
    return 0;
}
__EOF__

## Makefile
cat << __EOF__ > Makefile
#MODE=-DGHC_CRASH_MODE
CFLAG= -Wall -O2 -DNDEBUG \$(MODE)
#CFLAG= -DGHC_DEBUG -ggdb \$(MODE)
CC=gcc

all: test so
test: test.c
    \$(CC) \$< -o test \$(CFLAG)
so: ghc.c
    \$(CC) -shared -o ghc.so -fPIC \$< -nostdlib -ldl \$(CFLAG)

clean:
    rm -f *.o ghc.so test
__EOF__

[separator]

[separator]

[separator]

[separator]

[separator]

[separator]

[separator]

[separator]

[separator]

[separator]

[separator]

[separator]

asmlinkage unsigned long sys_brk(unsigned long brk)

 {

         unsigned long rlim, retval;

         unsigned long newbrk, oldbrk;

         struct mm_struct *mm = current->mm;

 

         down_write(&mm->mmap_sem);

 

         if (brk < mm->end_code)     <------------- 这里        

                 goto out;               <------------- 这里    

         newbrk = PAGE_ALIGN(brk);

         oldbrk = PAGE_ALIGN(mm->brk);

         if (oldbrk == newbrk)

                 goto set_brk;

 

         /* Always allow shrinking brk. */

         if (brk <= mm->brk) {

                 if (!do_munmap(mm, newbrk, oldbrk-newbrk))

                         goto set_brk;

                 goto out;

         }

 

         /* Check against rlimit.. */

         rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;

         if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)

                 goto out;

 

         /* Check against existing mmap mappings. */

         if (find_vma_intersection(mm, oldbrk, newbrk+PAGE_SIZE))

                 goto out;

 

         /* Ok, looks good - let it rip. */

         if (do_brk(oldbrk, newbrk-oldbrk) != oldbrk)

                 goto out;

 set_brk:

         mm->brk = brk;

 out:                       <------------- 这里    

         retval = mm->brk;  <------------- 这里

         up_write(&mm->mmap_sem);

         return retval;

 }

[separator]

[separator]

[separator]

[separator]

[separator]

[separator]

[separator]