| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 6 May 2012 14:31:00 +0200 From: Lluís Batlle i Rossell <viric@...ic.name> To: Jan Kara <jack@...e.cz> Cc: linux-kernel@...r.kernel.org Subject: Re: BUG on fs/inode.c:1442 (linux 3.3.1 and 3.3.2) On Wed, Apr 18, 2012 at 01:48:44PM +0200, Jan Kara wrote: > Hello, > > On Sun 15-04-12 23:56:01, Lluís Batlle i Rossell wrote: > > destroying my openvpn client connection (SIGINT to openvp), in linux 3.3.1 and > > now also in 3.3.2, I noticed this BUG in dmesg (attached). > > > > It's a vanilla 3.3.2, at this shot. > > > > I know it never happened to me in any 3.2, but I did not try 3.3.0. > > > > I attach the .config. And I have the debug info for this kernel too, if this > > helps someone find a fix. But I imagine it's easy to reproduce. > From the first look it would seem as use after free bug but can you > please post disassembly of iput() function from your kernel? I.e. you load > vmlinux in gdb and run 'disass iput'. Thanks. Sorry for the delay. Here it is, for 3.3.2: ffffffff8113b340 <iput>: ffffffff8113b340: 55 push %rbp ffffffff8113b341: 48 89 e5 mov %rsp,%rbp ffffffff8113b344: 48 83 ec 20 sub $0x20,%rsp ffffffff8113b348: 48 89 5d e8 mov %rbx,-0x18(%rbp) ffffffff8113b34c: 4c 89 65 f0 mov %r12,-0x10(%rbp) ffffffff8113b350: 4c 89 6d f8 mov %r13,-0x8(%rbp) ffffffff8113b354: e8 a7 3d 24 00 callq ffffffff8137f100 <mcount> ffffffff8113b359: 48 85 ff test %rdi,%rdi ffffffff8113b35c: 48 89 fb mov %rdi,%rbx ffffffff8113b35f: 74 24 je ffffffff8113b385 <iput+0x45> ffffffff8113b361: f6 87 98 00 00 00 40 testb $0x40,0x98(%rdi) ffffffff8113b368: 0f 85 89 01 00 00 jne ffffffff8113b4f7 <iput+0x1b7> ffffffff8113b36e: 48 8d b7 80 00 00 00 lea 0x80(%rdi),%rsi ffffffff8113b375: 48 8d bf 10 01 00 00 lea 0x110(%rdi),%rdi ffffffff8113b37c: e8 2f b4 0a 00 callq ffffffff811e67b0 <_atomic_dec_and_lock> ffffffff8113b381: 85 c0 test %eax,%eax ffffffff8113b383: 75 13 jne ffffffff8113b398 <iput+0x58> ffffffff8113b385: 48 8b 5d e8 mov -0x18(%rbp),%rbx ffffffff8113b389: 4c 8b 65 f0 mov -0x10(%rbp),%r12 ffffffff8113b38d: 4c 8b 6d f8 mov -0x8(%rbp),%r13 ffffffff8113b391: c9 leaveq ffffffff8113b392: c3 retq ffffffff8113b393: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) ffffffff8113b398: f6 83 98 00 00 00 08 testb $0x8,0x98(%rbx) ffffffff8113b39f: 4c 8b 63 28 mov 0x28(%rbx),%r12 ffffffff8113b3a3: 4d 8b 6c 24 30 mov 0x30(%r12),%r13 ffffffff8113b3a8: 0f 85 4b 01 00 00 jne ffffffff8113b4f9 <iput+0x1b9> ffffffff8113b3ae: 49 8b 45 20 mov 0x20(%r13),%rax ffffffff8113b3b2: 48 85 c0 test %rax,%rax ffffffff8113b3b5: 0f 84 a5 00 00 00 je ffffffff8113b460 <iput+0x120> ffffffff8113b3bb: 48 89 df mov %rbx,%rdi ffffffff8113b3be: ff d0 callq *%rax ffffffff8113b3c0: 85 c0 test %eax,%eax ffffffff8113b3c2: 0f 85 b0 00 00 00 jne ffffffff8113b478 <iput+0x138> ffffffff8113b3c8: 41 f6 44 24 53 40 testb $0x40,0x53(%r12) ffffffff8113b3ce: 0f 85 b4 00 00 00 jne ffffffff8113b488 <iput+0x148> ffffffff8113b3d4: 48 83 8b 98 00 00 00 orq $0x10,0x98(%rbx) ffffffff8113b3db: 10 ffffffff8113b3dc: be 01 00 00 00 mov $0x1,%esi ffffffff8113b3e1: 48 89 df mov %rbx,%rdi ffffffff8113b3e4: e8 67 d7 00 00 callq ffffffff81148b50 <write_inode_now> ffffffff8113b3e9: 48 8b 83 98 00 00 00 mov 0x98(%rbx),%rax ffffffff8113b3f0: a8 08 test $0x8,%al ffffffff8113b3f2: 0f 85 17 01 00 00 jne ffffffff8113b50f <iput+0x1cf> ffffffff8113b3f8: 48 83 e0 ef and $0xffffffffffffffef,%rax ffffffff8113b3fc: 48 83 c8 20 or $0x20,%rax ffffffff8113b400: 48 8b 93 e0 00 00 00 mov 0xe0(%rbx),%rdx ffffffff8113b407: 48 89 83 98 00 00 00 mov %rax,0x98(%rbx) ffffffff8113b40e: 48 8d 83 e0 00 00 00 lea 0xe0(%rbx),%rax ffffffff8113b415: 48 39 d0 cmp %rdx,%rax ffffffff8113b418: 74 2e je ffffffff8113b448 <iput+0x108> ffffffff8113b41a: 48 8b 8b e8 00 00 00 mov 0xe8(%rbx),%rcx ffffffff8113b421: 48 89 4a 08 mov %rcx,0x8(%rdx) ffffffff8113b425: 48 89 11 mov %rdx,(%rcx) ffffffff8113b428: 48 89 83 e0 00 00 00 mov %rax,0xe0(%rbx) ffffffff8113b42f: 48 89 83 e8 00 00 00 mov %rax,0xe8(%rbx) ffffffff8113b436: 48 8b 43 28 mov 0x28(%rbx),%rax ffffffff8113b43a: ff 0c 25 84 3c 65 81 decl 0xffffffff81653c84 ffffffff8113b441: 83 a8 10 01 00 00 01 subl $0x1,0x110(%rax) ffffffff8113b448: 48 89 df mov %rbx,%rdi ffffffff8113b44b: e8 50 fd ff ff callq ffffffff8113b1a0 <evict> ffffffff8113b450: 48 8b 5d e8 mov -0x18(%rbp),%rbx ffffffff8113b454: 4c 8b 65 f0 mov -0x10(%rbp),%r12 ffffffff8113b458: 4c 8b 6d f8 mov -0x8(%rbp),%r13 ffffffff8113b45c: c9 leaveq ffffffff8113b45d: c3 retq ffffffff8113b45e: 66 90 xchg %ax,%ax ffffffff8113b460: 8b 43 48 mov 0x48(%rbx),%eax ffffffff8113b463: 85 c0 test %eax,%eax ffffffff8113b465: 74 11 je ffffffff8113b478 <iput+0x138> ffffffff8113b467: 48 83 bb c8 00 00 00 cmpq $0x0,0xc8(%rbx) ffffffff8113b46e: 00 ffffffff8113b46f: 0f 85 53 ff ff ff jne ffffffff8113b3c8 <iput+0x88> ffffffff8113b475: 0f 1f 00 nopl (%rax) ffffffff8113b478: 48 8b 83 98 00 00 00 mov 0x98(%rbx),%rax ffffffff8113b47f: e9 78 ff ff ff jmpq ffffffff8113b3fc <iput+0xbc> ffffffff8113b484: 0f 1f 40 00 nopl 0x0(%rax) ffffffff8113b488: 48 8b 83 98 00 00 00 mov 0x98(%rbx),%rax ffffffff8113b48f: 80 cc 01 or $0x1,%ah ffffffff8113b492: a8 87 test $0x87,%al ffffffff8113b494: 48 89 83 98 00 00 00 mov %rax,0x98(%rbx) ffffffff8113b49b: 0f 85 e4 fe ff ff jne ffffffff8113b385 <iput+0x45> ffffffff8113b4a1: 48 8d 83 e0 00 00 00 lea 0xe0(%rbx),%rax ffffffff8113b4a8: 48 3b 83 e0 00 00 00 cmp 0xe0(%rbx),%rax ffffffff8113b4af: 0f 85 d0 fe ff ff jne ffffffff8113b385 <iput+0x45> ffffffff8113b4b5: 48 8b 53 28 mov 0x28(%rbx),%rdx ffffffff8113b4b9: ff 04 25 84 3c 65 81 incl 0xffffffff81653c84 ffffffff8113b4c0: 48 8b 8a 00 01 00 00 mov 0x100(%rdx),%rcx ffffffff8113b4c7: 48 89 41 08 mov %rax,0x8(%rcx) ffffffff8113b4cb: 48 89 8b e0 00 00 00 mov %rcx,0xe0(%rbx) ffffffff8113b4d2: 48 8d 8a 00 01 00 00 lea 0x100(%rdx),%rcx ffffffff8113b4d9: 48 89 8b e8 00 00 00 mov %rcx,0xe8(%rbx) ffffffff8113b4e0: 48 89 82 00 01 00 00 mov %rax,0x100(%rdx) ffffffff8113b4e7: 48 8b 43 28 mov 0x28(%rbx),%rax ffffffff8113b4eb: 83 80 10 01 00 00 01 addl $0x1,0x110(%rax) ffffffff8113b4f2: e9 8e fe ff ff jmpq ffffffff8113b385 <iput+0x45> ffffffff8113b4f7: 0f 0b ud2 ffffffff8113b4f9: be 76 05 00 00 mov $0x576,%esi ffffffff8113b4fe: 48 c7 c7 fe 3b 55 81 mov $0xffffffff81553bfe,%rdi ffffffff8113b505: e8 b6 7d f0 ff callq ffffffff810432c0 <warn_slowpath_null> ffffffff8113b50a: e9 9f fe ff ff jmpq ffffffff8113b3ae <iput+0x6e> ffffffff8113b50f: be 8a 05 00 00 mov $0x58a,%esi ffffffff8113b514: 48 c7 c7 fe 3b 55 81 mov $0xffffffff81553bfe,%rdi ffffffff8113b51b: e8 a0 7d f0 ff callq ffffffff810432c0 <warn_slowpath_null> ffffffff8113b520: 48 8b 83 98 00 00 00 mov 0x98(%rbx),%rax ffffffff8113b527: e9 cc fe ff ff jmpq ffffffff8113b3f8 <iput+0xb8> ffffffff8113b52c: 0f 1f 40 00 nopl 0x0(%rax) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists