| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 08 May 2007 21:58:09 -0300
From: Kevin Winchester <kjwinchester@...il.com>
To: Christoph Lameter <clameter@....com>
CC: Andrew Morton <akpm@...ux-foundation.org>,
linux-kernel@...r.kernel.org, herbert@...dor.apana.org.au
Subject: Re: 2.6.21-mm1 and now 2.6.21-git: SLUB Crashes on boot - crypto?
Christoph Lameter wrote:
> On Tue, 8 May 2007, Kevin Winchester wrote:
>
>
>> Here's the dmesg of the slub_debug run, I'll try the patch next:
>>
>
> Ok someone wrote to an object after it was freed. Not slubs problem.
>
>
>> [ 1.367129] Object 0xffff810001bdecd0: 80 b7 b1 01 00 81 ff ff 6b 6b
>> 6b 6b 6b 6b 6b 6b .·±...kkkkkkkk
>>
>
> The first 8 bytes of the freed object were overwritten.
>
>
>> [ 1.374455] Last alloc: cryptomgr_notify+0x28/0x190 jiffies_ago=0 cpu=0
>> pid=1
>> [ 1.374611] Last free : cryptomgr_probe+0x85/0xb0 jiffies_ago=0 cpu=0
>> pid=405
>>
>
> Here are some potential candidates that have recently handled the object.
> That was less than a jiffy ago. So very recent.
>
>
Not having any idea what I'm doing, I looked at cryptomgr_probe and
cryptomgr_notify, and can't seem to see much, except for the following
odd lines.
From cryptomgr_schedule_probe, which is almost certainly inlined into
crypto_notify:
-----
param = kzalloc(sizeof(*param), GFP_KERNEL);
...
param->thread = kthread_run(cryptomgr_probe, param, "cryptomgr");
if (IS_ERR(param->thread))
goto err_free_param;
return NOTIFY_STOP;
err_free_param:
kfree(param);
err_put_module:
module_put(THIS_MODULE);
err:
return NOTIFY_OK;
-----
while cryptomgr_probe does (with a local variable param that points to
the same data):
-----
...
if (err)
goto err;
out:
kfree(param);
module_put_and_exit(0);
-----
Now perhaps I am wrong, but would it be possible for the kthread_run()
call to cause cryptomgr_probe to run before the return result is stored
into param->thread? That would mean that param would be accessed after
freeing.
<changes thread to a local variable in the cryptomgr_schedule_probe
method...compile...test...still fails>
I guess that's not it.
Any thoughts on what might be the cause of this (I've added Herbert Xu
to the CC list since he seems to be the crypto maintainer)?
I'll try to add some printk's in there to see if that enlightens me.
Kevin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists