lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20070530083953.9909bcef.akpm@linux-foundation.org>
Date:	Wed, 30 May 2007 08:39:53 -0700
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Tero Roponen <teanropo@....fi>
Cc:	Pekka Enberg <penberg@...helsinki.fi>,
	linux-kernel@...r.kernel.org, Alan Cox <alan@...rguk.ukuu.org.uk>,
	Andy Whitcroft <apw@...dowen.org>
Subject: Re: tty-related oops in latest kernel(s)?

On Wed, 30 May 2007 15:02:49 +0300 (EEST) Tero Roponen <teanropo@....fi> wrote:

> On Wed, 30 May 2007, Pekka Enberg wrote:
> 
> > On 5/30/07, Tero Roponen <teanropo@....fi> wrote:
> > > Hmmm, I just found something interesting. In 2.6.21.3 the /sbin/init
> > > gets corrupted when I watch the video!
> > >
> > > $ cp /sbin/init init.before
> > > $ mplayer kiwi.flv
> > > $ cp /sbin/init init.after
> > >
> > > The sha1sums are here:
> > >
> > > 52c8d643057619cbe137b8e69d4709ce3bdd832d  init.after
> > > 8efc7864a5b535a9e336fa82e9d7f112f3d956c1  init.before
> > >
> > > It seems that something corrupts memory somewhere...
> > 
> > To debug this a bit further:
> > 
> > $ od -a -t x1 -v init.after > init.after.dump
> > $ od -a -t x1 -v init.before > init.before.dump
> > $ diff -u init.before.dump init.after.dump | less
> > 
> > -0011340  nul nul nul  e9  f0  fe  ff  ff  ff   %   < soh enq  bs   h  80
> > -           00  00  00  e9  f0  fe  ff  ff  ff  25  3c  01  05  08  68  80
> > +0010000    y ack nul nul   y ack nul nul   y ack nul nul   y ack nul nul
> > +           79  06  00  00  79  06  00  00  79  06  00  00  79  06  00  00
> > +0010020    y ack nul nul   y ack nul nul   y ack nul nul   y ack nul nul
> > +           79  06  00  00  79  06  00  00  79  06  00  00  79  06  00  00
> > +0011340    y ack nul nul   y ack nul nul  ff   %   < soh enq  bs   h  80
> > +           79  06  00  00  79  06  00  00  ff  25  3c  01  05  08  68  80
> > 
> > The file at offset 0010000 - 0011348 is overwritten with the byte
> > pattern 79 06 00 00.
> > 
> > Do you see anything in the logs or is this a silent corruption? Did
> > you see this corruption with 2.6.19 or 2.6.22-rc3?
> > 
> 
> I recompiled 2.6.22-rc3 and booted it with slub_debug. Now I can't oops
> the kernel, but ./slab_info -v gives me a warning:
> 
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> neofb: no support for 32bpp
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1024x768) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1152x864) larger than the LCD panel (800x600)
> Mode (1024x1024) larger than the LCD panel (800x600)
> Mode (1024x1024) larger than the LCD panel (800x600)
> Mode (1024x1024) larger than the LCD panel (800x600)
> Mode (1024x1024) larger than the LCD panel (800x600)
> Mode (1280x1024) larger than the LCD panel (800x600)
> Mode (1280x1024) larger than the LCD panel (800x600)
> Mode (1280x1024) larger than the LCD panel (800x600)
> Mode (1280x1024) larger than the LCD panel (800x600)
> *** SLUB kmalloc-1024: Redzone Active@...10be860 slab 0xc10217c0
>     offset=2144 flags=0x80004082 inuse=7 freelist=0x00000000
>   Bytes b4 0xc10be850:  00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
>     Object 0xc10be860:  00 00 00 00 00 20 00 00 20 03 00 00 58 02 00 00 ............X...
>     Object 0xc10be870:  20 03 00 00 58 02 00 00 00 00 00 00 00 00 00 00 ....X...........
>     Object 0xc10be880:  10 00 00 00 00 00 00 00 0b 00 00 00 05 00 00 00 ................
>     Object 0xc10be890:  00 00 00 00 05 00 00 00 06 00 00 00 00 00 00 00 ................
>     Object 0xc10be8a0:  00 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 ................
>     Object 0xc10be8b0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>     Object 0xc10be8c0:  ff ff ff ff ff ff ff ff 00 00 00 00 a8 61 00 00 ÿÿÿÿÿÿÿÿ....¨a..
>     Object 0xc10be8d0:  58 00 00 00 28 00 00 00 17 00 00 00 01 00 00 00 X...(...........
>    Redzone 0xc10bec60:  4d 6b 00 00                                     Mk..            
> FreePointer 0xc10bec64 -> 0x00006b4d
> Last alloc: 0x6b4d jiffies_ago=4294923792 cpu=27469 pid=27469
> Last free : 0x6b4d jiffies_ago=4294923792 cpu=27469 pid=27469
>     Filler 0xc10bec88:  4d 6b 00 00 4d 6b 00 00                         Mk..Mk..        
>  [<c013f717>] check_object+0x64/0x23d
>  [<c0141371>] validate_slab+0xff/0x12a
>  [<c01413aa>] validate_slab_slab+0xe/0x51
>  [<c0141488>] validate_store+0x9b/0xe8
>  [<c01343d1>] __handle_mm_fault+0x370/0x68b
>  [<c01413ed>] validate_store+0x0/0xe8
>  [<c013eaa6>] slab_attr_store+0x1e/0x22
>  [<c016e470>] sysfs_write_file+0xad/0xd6
>  [<c016e3c3>] sysfs_write_file+0x0/0xd6
>  [<c0143341>] vfs_write+0x8a/0x10c
>  [<c01437d7>] sys_write+0x41/0x67
>  [<c01022c2>] sysenter_past_esp+0x5f/0x85
>  =======================
> @@@ SLUB kmalloc-1024: Restoring redzone (0xcc) from 0xc10bec60-0xc10bec63
> 

So something did an overwrite of a 1024-byte kmalloc.  Unfortunately that
overwrite seems to have trashed our last-alloc info, so we don't know who
allocated that memory.  Darn.

Does the problem go away if you disable CONFIG_SLUB and enable CONFIG_SLAB?

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ