| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 May 2014 14:35:02 +0200 (CEST) From: Thomas Gleixner <tglx@...utronix.de> To: Peter Zijlstra <peterz@...radead.org> cc: Vince Weaver <vincent.weaver@...ne.edu>, Ingo Molnar <mingo@...nel.org>, linux-kernel@...r.kernel.org, Steven Rostedt <rostedt@...dmis.org> Subject: Re: [perf] more perf_fuzzer memory corruption On Thu, 1 May 2014, Peter Zijlstra wrote: > On Thu, May 01, 2014 at 12:26:02PM +0200, Peter Zijlstra wrote: > > On Thu, May 01, 2014 at 12:51:33AM +0200, Thomas Gleixner wrote: > > > And that's the issue which puzzles us. Let's look at what we expect: > > > > > > Now the trace shows a different story: > > > > > > perf_fuzzer-4387 [001] 1802.628659: sys_enter: NR 298 (69bb58, 0, ffffffff, 12, 0, 0) > > > > That's a per-cpu event (.pid = -1, .cpu = 12), they don't get inherited, > > so the only thing keeping it alive is the fd the child got. So > > exit_files() killing this thing makes perfect sense. Duh, right. Should have noticed :( > > grep ptr=0xffff880118fda000 bug.out | less > > We find lovely bits such as: > > perf_fuzzer-4387 [001] 1773.427175: kmalloc: (perf_event_alloc+0x5a) call_site=ffffffff8113a8fa ptr=0xffff880118fda000 bytes_req=1272 bytes_alloc=2048 gfp_flags=GFP_KERNEL|GFP_ZERO > ksoftirqd/6-38 [006] 1773.457770: kfree: (free_event_rcu+0x2f) call_site=ffffffff8113177f ptr=0xffff880118fda000 > <idle>-0 [007] 1774.020378: kfree: (free_event_rcu+0x2f) call_site=ffffffff8113177f ptr=0xffff880118fda000 > perf_fuzzer-4387 [000] 1774.096354: kmalloc: (perf_event_alloc+0x5a) call_site=ffffffff8113a8fa ptr=0xffff880118fda000 bytes_req=1272 bytes_alloc=2048 gfp_flags=GFP_KERNEL|GFP_ZERO > > > That's almost half a second between the double free, Vince, is your TSC > solid? grep DROPPED bug.out Now align that with the double malloc/free sites and you have an explanation ... -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists