lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060929143806.0d6a9162@localhost>
Date:	Fri, 29 Sep 2006 14:38:06 +0200
From:	Paolo Ornati <ornati@...twebnet.it>
To:	Arkadiusz JaƂowiec <ajalowiec@...eria.pl>
Cc:	linux-kernel@...r.kernel.org, linux-usb-users@...ts.sourceforge.net
Subject: Re: PROBLEM: Kernel 2.6.x freeze

On Thu, 28 Sep 2006 07:33:30 +0000
Arkadiusz Jalowiec <ajalowiec@...eria.pl> wrote:

> OOps:
> 
> ivalid opcode: 0000 [#1]
> Modules linked in ppp_deflate zlib_deflate bsd_comp pppoatm ipv6 
> partport_pc partport snd_pcm_oss snd_mixer oss via_agp agpgart 
> ueagle_atm usbatm uhci_hcd ehci_hcd usbcore i2c_viapro 12c_core 
> snd_via82xx snd_ac97_code snd_mpu401_uart snd_rawmidi opt_LOG 
> snd_seq_device xt limit snd soundcore via_rhine mill xt_tcpudp xt_state 
> iptables_filter nls_iso8859-2 nls_cp852 ip_contract_irc ip_contract_ftp 
> xt_contract ip_contract ip_tables x_tables
> 
> CPU: 0
> EIP: 0060: [<d0d184dc>] Not tainted VLI
> EFLAGS: 00010003 (2.6.18#1)
> EIP is at uhci_giveback_urb+0x59/0x126 [uhci_hcd]
> eax: cefeeed1 ebx: cf3935a0 ecx: ce2a9bc0 edx: cf3935a0
> esi: ce2a9bc0 edi: 00000000 epb: ce4933bc esp: c6b79f00
> ds: 007b es: 007b ss:0068
> 
> Process removepkg (pid: 11084, ti=c6b78000 task=c126e560 task.ti=c6b78000)
> 
> Stack:    00000046 c9936060 cf3935a0 ce4933bc d0d17e17 00000000 cefeeed0 
> cf3935a0
>     ce2a9bc0 00000000 cefeeed0 d0d18627 c6b79fbc c6b79fbc cefeeed0 cf3935a0
>     00000009 c6b79fbc d0d18846 00000246 00000000 00000000 cefeed00 d0d192ad
> 
> Call Trace:
> 
> [<d0d17e17>] uhci_result_common+0xb7/0x146 [uhci_hcd]
> [<d0d18627>] uhci_scan_qh+0x7e/0x174 [uhci_hcd]
> [<d0d18846>] uhci_scan_schedule+0x72/0xec [uhci_hcd]
> [<d0d192ad>] uhci_irq+0xe8/0xf8 [uhci_hcd]
> [<d0d365f8>] udb_hcd_irq+0x27/0x4e [usbcore]
> [<c012c4c4>] handle_IRQ_event+0x21/0x47
> [<c012c545>] do_IRQ+0x5b/0xa2
> [<c0104106>] do_IRQ+0x40/0x4d
> [<c0102c4a>] common_interrupt+0x1a/0x20
> 
> Code:     5c 89 57 2c 8b 40 44 c7 47 40 00 00 00 00 89
>                 47 3c 8b 45 00 8b 55 04 89 02 89 50 04 89
>                 6d 00 8d 47 18 89 6d 04 39 47 18 75
>                 4b 0f <b6> 47 50 a8 02 88 44 24 08 74 3f 0f b6
>                 46 20 8b 4e 20 ba fe ff
> 
> EIP:    [<d0d184dc>] uhci_giveback_urb+0x59/0x126
>     [uhci_hcd] SS: ESP 0068: c6b79f00
> <0> Kernel panic - not syncing: Fatal exception in interrupt


Do you have copied the Oops by hand, right?

Can you send the ".config" for this 2.6.18?


I'm not an expert but...

This is how the code should look like (I've compiled 2.6.18 with gcc
3.3.6 + gentoo patches):

c02dd6a2:       74 5c                   je     c02dd700 <uhci_giveback_urb+0xa0>
c02dd6a4:       0f b6 46 20             movzbl 0x20(%esi),%eax
c02dd6a8:       8b 4e 20                mov    0x20(%esi),%ecx
c02dd6ab:       c7 04 24 fe ff ff ff    movl   $0xfffffffe,(%esp)


But we have:

  500894:       74 3f                   je     5008d5 <_end+0x2d>
  500896:       0f b6 46 20             movzbl 0x20(%rsi),%eax
  50089a:       8b 4e 20                mov    0x20(%rsi),%ecx
  50089d:       ba                      .byte 0xba
  50089e:       fe                      (bad)
  50089f:       ff                      .byte 0xff


So "c7 04 24" turned into
   "ba fe ff"


The funny thing is that "fe ff" comes just after "24" in the original
code...


Questions for LKML:

1) Isn't the kernel code write-protected at page level?
   Or maybe is it only protected when "CONFIG_DEBUG_RODATA=y"?

2) In this case the "corrupted" memory is in a module, is/can also this
code be write-protected?

-- 
	Paolo Ornati
	Linux 2.6.18 on x86_64
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ