| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Sep 2008 18:02:24 +0200 From: Jan Kara <jack@...e.cz> To: Marcin Slusarz <marcin.slusarz@...il.com> Cc: LKML <linux-kernel@...r.kernel.org>, linux-ext4@...r.kernel.org, bugme-daemon@...zilla.kernel.org Subject: Re: [Bug 11506] oops during unmount - ext3? (2.6.27-rc5) > On Sun, Sep 07, 2008 at 01:27:40PM +0200, Marcin Slusarz wrote: > > Code: 8b 06 a8 01 75 04 0f 0b eb fe f6 c4 08 0f 84 2f 03 00 00 48 8b 45 b8 48 8b 40 10 c7 45 c8 01 00 00 00 48 89 45 d0 48 89 c3 31 c0 <8b> 53 20 01 c2 89 c0 48 39 45 b0 89 55 cc 48 9b 53 08 48 89 55 > Little correction (at the end): > Code: 8b 06 a8 01 75 04 0f 0b eb fe f6 c4 08 0f 84 2f 03 00 00 48 8b 45 b8 48 8b 40 10 c7 45 c8 01 00 00 00 48 89 45 d0 48 89 c3 31 c0 <8b> 53 20 01 c2 89 c0 48 39 45 b0 89 55 cc 48 8b 53 08 48 89 55 > > > Output of decodecode: > After correction: > /tmp/tmp.W6DvY3Lbtg.o: file format elf64-x86-64 > > Disassembly of section .text: > > 0000000000000000 <.text>: > 0: 8b 06 mov (%rsi),%eax > 2: a8 01 test $0x1,%al > 4: 75 04 jne 0xa > 6: 0f 0b ud2a > 8: eb fe jmp 0x8 > a: f6 c4 08 test $0x8,%ah > d: 0f 84 2f 03 00 00 je 0x342 > 13: 48 8b 45 b8 mov -0x48(%rbp),%rax > 17: 48 8b 40 10 mov 0x10(%rax),%rax > 1b: c7 45 c8 01 00 00 00 movl $0x1,-0x38(%rbp) > 22: 48 89 45 d0 mov %rax,-0x30(%rbp) > 26: 48 89 c3 mov %rax,%rbx > 29: 31 c0 xor %eax,%eax > > /tmp/tmp.W6DvY3Lbtg.o: file format elf64-x86-64 > > Disassembly of section .text: > > 0000000000000000 <.text>: > 0: 8b 53 20 mov 0x20(%rbx),%edx > 3: 01 c2 add %eax,%edx > 5: 89 c0 mov %eax,%eax > 7: 48 39 45 b0 cmp %rax,-0x50(%rbp) > b: 89 55 cc mov %edx,-0x34(%rbp) > e: 48 8b 53 08 mov 0x8(%rbx),%rdx > 12: 48 rex.W > 13: 89 .byte 0x89 > 14: 55 push %rbp Hmm, from this disassembly it seems that somebody has overwritten our page->private pointer to 1000c20d02020000 and then we obviously failed to get bh->b_size. But I don't really see how this can happen. What also puzzles me a bit is that I don't see BUG_ON(!PagePrivate(page)) in the disassembly but it should be there because of page_buffers() implementation... Anyone has an idea? Honza -- Jan Kara <jack@...e.cz> SuSE CR Labs -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists