Date:	Tue, 06 Nov 2007 19:06:23 +0300
From:	Pavel Emelyanov <xemul@...nvz.org>
To:	Roel Kluin <12o3l@...cali.nl>
CC:	netdev@...r.kernel.org, linux-net@...r.kernel.org
Subject: Re: [BUG] in inet6_create

Roel Kluin wrote:
> Pavel Emelyanov wrote:
>> Roel Kluin wrote:
>>> Pavel Emelyanov wrote:
>>>> Roel Kluin wrote:
>>>>> Roel Kluin wrote:
>>>>>> I got this bug recently; I am not sure whether this is related to any previously
>>>>>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>>>>>> kernel a bit lately, but I think that I haven't got any changes in the currently
>>>>>> running kernel.
>>>>>>
>>>>>> FYI: my network card was not running (module not loaded, and I just started 
>>>>>> thunderbird)
>>>>>>
>>>>>> More information needed?
>>>> Yes, please.
>>>>
>>>> Can you send us the disasm (objdump -dr) of your ipv6 module?
>>>> More precisely, I need the disassembled inet6_create() function to
>>>> figure out where exactly this thing happened.
>>> I was very lucky to still be able to produce this: When the bug hit me, I had just
>>> recompiled a new kernel, however, since I had previously git-pulled, (but not yet
>>> compiled) the old module was not overwritten.
>>>
>>> To answer the question in your other mail (whether I hacked this kernel): I am not
>>> 100% certain. I am certain, however, that I did not touch IPv6 code, and my changes
>>> to net code were very trivial one-liner changes that I have previously posted and
>>> that were generally accepted as fixes.
>>> --
>>> 000002f0 <inet6_create>:
>> Hm... The oops says that the buggy place is <inet6_create>+0x5f, that is
>> (according to this dump) 0x2f0 + 0x5f = 0x34f, but:
>>
>> 1. there's no instruction at this address (there are 0x34e and 0x355)
>> 2. the codeline (... 1c <8b> 00 0f 18 ...) is not present here
>>
>> There's something wrong with this oops...
> 
> hmmm, I see my mistake:
> I _was_ already running the 2.6.24-rc1 kernel. It even says so in the BUG report

Brrr... I'm completely confused. What was the kernel that oops-ed?
2.6.24-rc, net-2.6.24-rc1 or net-2.6.24-rc1-with-your-patches?

> Since the module is already overwritten, does it still help to make the objdump?
> 
> Ok, I'll check for the address... yes it exists 

Yup. My first guess was correct - the inetsw6 list is broken - there's
some NULL pointer in it. Looking at the code I see that this list
is accessed for modifications under the spinlock and that it is properly
initialized in the ->init callback before any code gets access to this
list. No idea why this can happen... :(

> Sorry for my mistake, the objdump for this module is below. Note, however, that the
> module was overwritten after the kernel compilation.
> 
>> Is this reproducible? If yes, can you try the non-patched net-2.6 kernel.
> 
> I'll try to reproduce it. I'll confirm it when it happens again.

Yes, please.

> --
> 000002f0 <inet6_create>:
>      2f0:	55                   	push   %ebp
>      2f1:	bd 9f ff ff ff       	mov    $0xffffff9f,%ebp
>      2f6:	57                   	push   %edi
>      2f7:	89 cf                	mov    %ecx,%edi
>      2f9:	56                   	push   %esi
>      2fa:	53                   	push   %ebx
>      2fb:	83 ec 20             	sub    $0x20,%esp
>      2fe:	3d 00 00 00 00       	cmp    $0x0,%eax
> 			2ff: R_386_32	init_net
>      303:	89 54 24 10          	mov    %edx,0x10(%esp)
>      307:	74 0a                	je     313 <inet6_create+0x23>
>      309:	83 c4 20             	add    $0x20,%esp
>      30c:	89 e8                	mov    %ebp,%eax
>      30e:	5b                   	pop    %ebx
>      30f:	5e                   	pop    %esi
>      310:	5f                   	pop    %edi
>      311:	5d                   	pop    %ebp
>      312:	c3                   	ret    
>      313:	8b 72 20             	mov    0x20(%edx),%esi
>      316:	8d 46 fe             	lea    -0x2(%esi),%eax
>      319:	66 83 f8 01          	cmp    $0x1,%ax
>      31d:	76 0e                	jbe    32d <inet6_create+0x3d>
>      31f:	8b 0d 00 00 00 00    	mov    0x0,%ecx
> 			321: R_386_32	inet_ehash_secret
>      325:	85 c9                	test   %ecx,%ecx
>      327:	0f 84 12 02 00 00    	je     53f <inet6_create+0x24f>
>      32d:	c7 44 24 18 00 00 00 	movl   $0x0,0x18(%esp)
>      334:	00 
>      335:	0f bf c6             	movswl %si,%eax
>      338:	c1 e0 03             	shl    $0x3,%eax
>      33b:	8b 98 00 00 00 00    	mov    0x0(%eax),%ebx
> 			33d: R_386_32	.bss
>      341:	8d 90 00 00 00 00    	lea    0x0(%eax),%edx
> 			343: R_386_32	.bss
>      347:	89 5c 24 1c          	mov    %ebx,0x1c(%esp)
>      34b:	8b 44 24 1c          	mov    0x1c(%esp),%eax
>      34f:	8b 00                	mov    (%eax),%eax
>      351:	8d 44 20 00          	lea    0x0(%eax),%eax
>      355:	39 d3                	cmp    %edx,%ebx
>      357:	bd a2 ff ff ff       	mov    $0xffffffa2,%ebp
>      35c:	75 36                	jne    394 <inet6_create+0xa4>
>      35e:	e9 f3 01 00 00       	jmp    556 <inet6_create+0x266>
>      363:	85 ff                	test   %edi,%edi
>      365:	0f 84 25 02 00 00    	je     590 <inet6_create+0x2a0>
>      36b:	66 85 c0             	test   %ax,%ax
>      36e:	66 90                	xchg   %ax,%ax
>      370:	74 31                	je     3a3 <inet6_create+0xb3>
>      372:	8b 1b                	mov    (%ebx),%ebx
>      374:	89 5c 24 1c          	mov    %ebx,0x1c(%esp)
>      378:	8b 44 24 1c          	mov    0x1c(%esp),%eax
>      37c:	8b 00                	mov    (%eax),%eax
>      37e:	8d 44 20 00          	lea    0x0(%eax),%eax
>      382:	0f bf c6             	movswl %si,%eax
>      385:	8d 04 c5 00 00 00 00 	lea    0x0(,%eax,8),%eax
> 			388: R_386_32	.bss
>      38c:	39 d8                	cmp    %ebx,%eax
>      38e:	0f 84 bd 01 00 00    	je     551 <inet6_create+0x261>
>      394:	0f b7 43 0a          	movzwl 0xa(%ebx),%eax
>      398:	0f b7 c8             	movzwl %ax,%ecx
>      39b:	39 cf                	cmp    %ecx,%edi
>      39d:	75 c4                	jne    363 <inet6_create+0x73>
>      39f:	85 ff                	test   %edi,%edi
>      3a1:	74 cf                	je     372 <inet6_create+0x82>
>      3a3:	8b 43 14             	mov    0x14(%ebx),%eax
>      3a6:	85 c0                	test   %eax,%eax
>      3a8:	7e 12                	jle    3bc <inet6_create+0xcc>
>      3aa:	e8 fc ff ff ff       	call   3ab <inet6_create+0xbb>
> 			3ab: R_386_PC32	capable
>      3af:	85 c0                	test   %eax,%eax
>      3b1:	bd ff ff ff ff       	mov    $0xffffffff,%ebp
>      3b6:	0f 84 4d ff ff ff    	je     309 <inet6_create+0x19>
>      3bc:	8b 43 10             	mov    0x10(%ebx),%eax
>      3bf:	8b 54 24 10          	mov    0x10(%esp),%edx
>      3c3:	89 42 08             	mov    %eax,0x8(%edx)
>      3c6:	0f b6 43 18          	movzbl 0x18(%ebx),%eax
>      3ca:	8b 73 0c             	mov    0xc(%ebx),%esi
>      3cd:	88 44 24 17          	mov    %al,0x17(%esp)
>      3d1:	0f b6 53 19          	movzbl 0x19(%ebx),%edx
>      3d5:	88 54 24 16          	mov    %dl,0x16(%esp)
>      3d9:	8b 56 70             	mov    0x70(%esi),%edx
>      3dc:	85 d2                	test   %edx,%edx
>      3de:	0f 84 17 02 00 00    	je     5fb <inet6_create+0x30b>
>      3e4:	b9 d0 00 00 00       	mov    $0xd0,%ecx
>      3e9:	ba 0a 00 00 00       	mov    $0xa,%edx
>      3ee:	b8 00 00 00 00       	mov    $0x0,%eax
> 			3ef: R_386_32	init_net
>      3f3:	89 34 24             	mov    %esi,(%esp)
>      3f6:	c7 44 24 04 01 00 00 	movl   $0x1,0x4(%esp)
>      3fd:	00 
>      3fe:	bd 97 ff ff ff       	mov    $0xffffff97,%ebp
>      403:	e8 fc ff ff ff       	call   404 <inet6_create+0x114>
> 			404: R_386_PC32	sk_alloc
>      408:	85 c0                	test   %eax,%eax
>      40a:	89 c6                	mov    %eax,%esi
>      40c:	0f 84 f7 fe ff ff    	je     309 <inet6_create+0x19>
>      412:	89 c2                	mov    %eax,%edx
>      414:	8b 44 24 10          	mov    0x10(%esp),%eax
>      418:	e8 fc ff ff ff       	call   419 <inet6_create+0x129>
> 			419: R_386_PC32	sock_init_data
>      41d:	80 64 24 17 03       	andb   $0x3,0x17(%esp)
>      422:	0f b6 54 24 17       	movzbl 0x17(%esp),%edx
>      427:	0f b6 46 28          	movzbl 0x28(%esi),%eax
>      42b:	c1 e2 02             	shl    $0x2,%edx
>      42e:	83 e0 f3             	and    $0xfffffff3,%eax
>      431:	09 d0                	or     %edx,%eax
>      433:	88 46 28             	mov    %al,0x28(%esi)
>      436:	0f b6 44 24 16       	movzbl 0x16(%esp),%eax
>      43b:	a8 01                	test   $0x1,%al
>      43d:	74 04                	je     443 <inet6_create+0x153>
>      43f:	c6 46 03 01          	movb   $0x1,0x3(%esi)
>      443:	0f b6 96 5b 01 00 00 	movzbl 0x15b(%esi),%edx
>      44a:	c1 e8 02             	shr    $0x2,%eax
>      44d:	83 e0 01             	and    $0x1,%eax
>      450:	01 c0                	add    %eax,%eax
>      452:	83 e2 fd             	and    $0xfffffffd,%edx
>      455:	09 c2                	or     %eax,%edx
>      457:	88 96 5b 01 00 00    	mov    %dl,0x15b(%esi)
>      45d:	8b 44 24 10          	mov    0x10(%esp),%eax
>      461:	66 83 78 20 03       	cmpw   $0x3,0x20(%eax)
>      466:	0f 84 43 01 00 00    	je     5af <inet6_create+0x2bf>
>      46c:	89 fa                	mov    %edi,%edx
>      46e:	c7 86 34 01 00 00 00 	movl   $0x0,0x134(%esi)
>      475:	00 00 00 
> 			474: R_386_32	inet_sock_destruct
>      478:	66 c7 06 0a 00       	movw   $0xa,(%esi)
>      47d:	88 56 29             	mov    %dl,0x29(%esi)
>      480:	8b 43 0c             	mov    0xc(%ebx),%eax
>      483:	8b 40 40             	mov    0x40(%eax),%eax
>      486:	89 86 30 01 00 00    	mov    %eax,0x130(%esi)
>      48c:	8b 46 20             	mov    0x20(%esi),%eax
>      48f:	8b 48 74             	mov    0x74(%eax),%ecx
>      492:	83 e9 70             	sub    $0x70,%ecx
>      495:	8d 0c 0e             	lea    (%esi,%ecx,1),%ecx
>      498:	89 8e 38 01 00 00    	mov    %ecx,0x138(%esi)
>      49e:	0f b6 41 46          	movzbl 0x46(%ecx),%eax
>      4a2:	66 c7 41 3c ff ff    	movw   $0xffff,0x3c(%ecx)
>      4a8:	66 c7 41 3e ff ff    	movw   $0xffff,0x3e(%ecx)
>      4ae:	83 e0 e7             	and    $0xffffffe7,%eax
>      4b1:	83 c8 09             	or     $0x9,%eax
>      4b4:	88 41 46             	mov    %al,0x46(%ecx)
>      4b7:	0f b6 15 00 00 00 00 	movzbl 0x0,%edx
> 			4ba: R_386_32	sysctl_ipv6_bindv6only
>      4be:	83 e0 df             	and    $0xffffffdf,%eax
>      4c1:	83 e2 01             	and    $0x1,%edx
>      4c4:	c1 e2 05             	shl    $0x5,%edx
>      4c7:	09 d0                	or     %edx,%eax
>      4c9:	88 41 46             	mov    %al,0x46(%ecx)
>      4cc:	80 8e 5b 01 00 00 10 	orb    $0x10,0x15b(%esi)
>      4d3:	66 c7 86 4c 01 00 00 	movw   $0xffff,0x14c(%esi)
>      4da:	ff ff 
>      4dc:	c6 86 59 01 00 00 01 	movb   $0x1,0x159(%esi)
>      4e3:	c7 86 5c 01 00 00 00 	movl   $0x0,0x15c(%esi)
>      4ea:	00 00 00 
>      4ed:	c7 86 64 01 00 00 00 	movl   $0x0,0x164(%esi)
>      4f4:	00 00 00 
>      4f7:	a1 04 00 00 00       	mov    0x4,%eax
> 			4f8: R_386_32	ipv4_config
>      4fc:	85 c0                	test   %eax,%eax
>      4fe:	0f b7 86 46 01 00 00 	movzwl 0x146(%esi),%eax
>      505:	0f 94 86 5a 01 00 00 	sete   0x15a(%esi)
>      50c:	66 85 c0             	test   %ax,%ax
>      50f:	0f 85 82 00 00 00    	jne    597 <inet6_create+0x2a7>
>      515:	8b 46 20             	mov    0x20(%esi),%eax
>      518:	31 ed                	xor    %ebp,%ebp
>      51a:	8b 50 14             	mov    0x14(%eax),%edx
>      51d:	85 d2                	test   %edx,%edx
>      51f:	0f 84 e4 fd ff ff    	je     309 <inet6_create+0x19>
>      525:	89 f0                	mov    %esi,%eax
>      527:	ff d2                	call   *%edx
>      529:	85 c0                	test   %eax,%eax
>      52b:	89 c5                	mov    %eax,%ebp
>      52d:	0f 84 d6 fd ff ff    	je     309 <inet6_create+0x19>
>      533:	89 f0                	mov    %esi,%eax
>      535:	e8 fc ff ff ff       	call   536 <inet6_create+0x246>
> 			536: R_386_PC32	sk_common_release
>      53a:	e9 ca fd ff ff       	jmp    309 <inet6_create+0x19>
>      53f:	90                   	nop    
>      540:	e8 fc ff ff ff       	call   541 <inet6_create+0x251>
> 			541: R_386_PC32	build_ehash_secret
>      545:	8b 44 24 10          	mov    0x10(%esp),%eax
>      549:	8b 70 20             	mov    0x20(%eax),%esi
>      54c:	e9 dc fd ff ff       	jmp    32d <inet6_create+0x3d>
>      551:	bd a3 ff ff ff       	mov    $0xffffffa3,%ebp
>      556:	83 7c 24 18 02       	cmpl   $0x2,0x18(%esp)
>      55b:	0f 84 a8 fd ff ff    	je     309 <inet6_create+0x19>
>      561:	ff 44 24 18          	incl   0x18(%esp)
>      565:	83 7c 24 18 01       	cmpl   $0x1,0x18(%esp)
>      56a:	74 64                	je     5d0 <inet6_create+0x2e0>
>      56c:	89 7c 24 08          	mov    %edi,0x8(%esp)
>      570:	c7 44 24 04 0a 00 00 	movl   $0xa,0x4(%esp)
>      577:	00 
>      578:	c7 04 24 1b 00 00 00 	movl   $0x1b,(%esp)
> 			57b: R_386_32	.rodata.str1.1
>      57f:	e8 fc ff ff ff       	call   580 <inet6_create+0x290>
> 			580: R_386_PC32	request_module
>      584:	8b 44 24 10          	mov    0x10(%esp),%eax
>      588:	8b 70 20             	mov    0x20(%eax),%esi
>      58b:	e9 a5 fd ff ff       	jmp    335 <inet6_create+0x45>
>      590:	89 cf                	mov    %ecx,%edi
>      592:	e9 0c fe ff ff       	jmp    3a3 <inet6_create+0xb3>
>      597:	8b 56 20             	mov    0x20(%esi),%edx
>      59a:	66 c1 c0 08          	rol    $0x8,%ax
>      59e:	66 89 86 54 01 00 00 	mov    %ax,0x154(%esi)
>      5a5:	89 f0                	mov    %esi,%eax
>      5a7:	ff 52 44             	call   *0x44(%edx)
>      5aa:	e9 66 ff ff ff       	jmp    515 <inet6_create+0x225>
>      5af:	81 ff ff 00 00 00    	cmp    $0xff,%edi
>      5b5:	66 89 be 46 01 00 00 	mov    %di,0x146(%esi)
>      5bc:	0f 85 aa fe ff ff    	jne    46c <inet6_create+0x17c>
>      5c2:	83 ca 08             	or     $0x8,%edx
>      5c5:	88 96 5b 01 00 00    	mov    %dl,0x15b(%esi)
>      5cb:	e9 9c fe ff ff       	jmp    46c <inet6_create+0x17c>
>      5d0:	0f bf c6             	movswl %si,%eax
>      5d3:	89 7c 24 08          	mov    %edi,0x8(%esp)
>      5d7:	c7 44 24 04 0a 00 00 	movl   $0xa,0x4(%esp)
>      5de:	00 
>      5df:	89 44 24 0c          	mov    %eax,0xc(%esp)
>      5e3:	c7 04 24 00 00 00 00 	movl   $0x0,(%esp)
> 			5e6: R_386_32	.rodata.str1.1
>      5ea:	e8 fc ff ff ff       	call   5eb <inet6_create+0x2fb>
> 			5eb: R_386_PC32	request_module
>      5ef:	8b 54 24 10          	mov    0x10(%esp),%edx
>      5f3:	8b 72 20             	mov    0x20(%edx),%esi
>      5f6:	e9 3a fd ff ff       	jmp    335 <inet6_create+0x45>
>      5fb:	c7 44 24 0c a2 00 00 	movl   $0xa2,0xc(%esp)
>      602:	00 
>      603:	c7 44 24 08 a0 00 00 	movl   $0xa0,0x8(%esp)
>      60a:	00 
> 			607: R_386_32	.rodata.str1.4
>      60b:	c7 44 24 04 2e 00 00 	movl   $0x2e,0x4(%esp)
>      612:	00 
> 			60f: R_386_32	.rodata.str1.1
>      613:	c7 04 24 e0 00 00 00 	movl   $0xe0,(%esp)
> 			616: R_386_32	.rodata.str1.4
>      61a:	e8 fc ff ff ff       	call   61b <inet6_create+0x32b>
> 			61b: R_386_PC32	printk
>      61f:	e9 c0 fd ff ff       	jmp    3e4 <inet6_create+0xf4>
>      624:	8d b6 00 00 00 00    	lea    0x0(%esi),%esi
>      62a:	8d bf 00 00 00 00    	lea    0x0(%edi),%edi
> 
> 00000630 <inet6_destroy_sock>:
> 
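The check Pavel applies above (resolve <inet6_create>+0x5f to 0x2f0 + 0x5f, confirm an instruction starts there, and compare the oops "Code:" bytes around the <8b> marker with the dump) can be scripted. This is an added example, not code from the thread; the objdump excerpt and both "Code:" byte windows are constructed.

```python
import re

# Constructed excerpt in objdump -dr format (address, raw bytes, mnemonic, plus a
# relocation line and a byte-continuation line), mirroring the dump in the thread.
SAMPLE_DUMP = "\n".join([
    "000002f0 <inet6_create>:",
    "     32d:\tc7 44 24 18 00 00 00 \tmovl   $0x0,0x18(%esp)",
    "     334:\t00 ",
    "     33b:\t8b 98 00 00 00 00    \tmov    0x0(%eax),%ebx",
    "\t\t\t33d: R_386_32\t.bss",
    "     34b:\t8b 44 24 1c          \tmov    0x1c(%esp),%eax",
    "     34f:\t8b 00                \tmov    (%eax),%eax",
    "     351:\t8d 44 20 00          \tlea    0x0(%eax),%eax",
    "     355:\t39 d3                \tcmp    %edx,%ebx",
])

SYM_RE = re.compile(r'^([0-9a-f]+) <([^>]+)>:$')
INSN_RE = re.compile(r'^\s+([0-9a-f]+):\t((?:[0-9a-f]{2}\s)+)(.*)$')

def parse_objdump(text):
    """Return ({symbol: start}, {addr: (raw_bytes, mnemonic)}); relocation lines are skipped."""
    symbols, insns, last = {}, {}, None
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if m:
            symbols[m.group(2)] = int(m.group(1), 16)
            continue
        m = INSN_RE.match(line)
        if not m:
            continue
        addr, raw, mnem = int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3).strip()
        if mnem:
            insns[addr], last = (raw, mnem), addr
        elif last is not None:  # bytes of a long instruction wrapped onto the next line
            insns[last] = (insns[last][0] + raw, insns[last][1])
    return symbols, insns

def check_oops(symbols, insns, symbol, offset, code, marker):
    """Resolve symbol+offset as the oops reports it and compare the oops 'Code:' bytes.

    code: byte values from the oops Code: line; marker: index of the byte printed in <..>
    (first byte of the faulting instruction). Reports the resolved address, whether an
    instruction starts there, and the first address whose byte is missing from the dump
    or differs from it (None when every byte agrees).
    """
    addr = symbols[symbol] + offset
    bytemap = {a + i: b for a, (raw, _) in insns.items() for i, b in enumerate(raw)}
    mismatch = next((addr - marker + i for i, b in enumerate(code)
                     if bytemap.get(addr - marker + i) != b), None)
    return {'addr': addr, 'insn_at_addr': addr in insns, 'first_mismatch': mismatch}

if __name__ == '__main__':
    syms, insns = parse_objdump(SAMPLE_DUMP)
    # Oops said <inet6_create>+0x5f with Code: ... 1c <8b> 00 ...; two constructed windows.
    for code in ([0x1c, 0x8b, 0x00, 0x8d, 0x44], [0x1c, 0x8b, 0x00, 0x0f, 0x18]):
        print(check_oops(syms, insns, 'inet6_create', 0x5f, code, 1))
```

The second window reproduces the situation from the earlier dump: the bytes agree up to the faulting `mov (%eax),%eax` and then diverge, which is the sign that the dump and the running module are not the same build.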
