lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 19 Nov 2015 23:18:36 -0500
From:	Dave Jones <davej@...emonkey.org.uk>
To:	Linux Kernel <linux-kernel@...r.kernel.org>
Cc:	Tejun Heo <tj@...nel.org>
Subject: pids_free double free.

One of my debian boxes got a systemd update. After rebooting,
I started seeing a use-after-free trace, followed by a lockup.

I have two slightly different traces from separate boots,
which may give some clue as to how it's getting free'd in two ways..

http://codemonkey.org.uk/junk/IMG_0474.jpg
http://codemonkey.org.uk/junk/IMG_0476.jpg

This isn't new, I booted back to 4.3, and hit slab debugging warnings
from the same code.  (At the least it was broken differently)

The WARN_ON referenced in the 2nd trace is this..

static void pids_cancel(struct pids_cgroup *pids, int num)
{
        /*  
         * A negative count (or overflow for that matter) is invalid,
         * and indicates a bug in the `pids` controller proper.
         */
        WARN_ON_ONCE(atomic64_add_negative(-num, &pids->counter));
}


	Dave
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ