lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0709201019510.8283@schroedinger.engr.sgi.com>
Date:	Thu, 20 Sep 2007 10:25:46 -0700 (PDT)
From:	Christoph Lameter <clameter@....com>
To:	ebiederm@...ssion.com
cc:	Alexey Dobriyan <adobriyan@...ru>,
	Andrew Morton <akpm@...ux-foundation.org>, gregkh@...e.de,
	linux-kernel@...r.kernel.org
Subject: Re: 2.6.23-rc6-mm1: BUG kmalloc-16: Object padding overwritten
 (sysfs?)

On Thu, 20 Sep 2007, Alexey Dobriyan wrote:

> OK, I do clean boot, ssh to box, then sudo slabinfo -v.
> 
> 
> =============================================================================
> BUG kmalloc-16: Object padding overwritten
> -----------------------------------------------------------------------------
> 
> INFO: 0xffff810100fd8998-0xffff810100fd8999. First byte 0xa7 instead of 0x5a
> INFO: Allocated in sysfs_new_dirent+0x100/0x120 age=11055 cpu=0 pid=3474
> INFO: Freed in kobject_uevent_env+0x123/0x430 age=11055 cpu=0 pid=3474
> INFO: Slab 0xffff810004837740 used=28 fp=0xffff810100fd89a0 flags=0x8000000000000083
> INFO: Object 0xffff810100fd8948 @offset=2376 fp=0xffff810100fd89a0

Hmmm.. A corrupted sysfs object at an offset of one word from the end of 
the object that could never have been caught by SLAB since it does not 
check more than 4 bytes. Does the value 0x5ea7 tell us anything? Maybe a 
counter was incremented a couple of times from the initial value of 0x5a5a 
that was put there by SLUB?

> INFO: 0xffff810101b45310-0xffff810101b45311. First byte 0xd3 instead of 0x5a
> INFO: Allocated in kobject_get_path+0x57/0xc0 age=18405 cpu=1 pid=2006
> INFO: Freed in kobject_uevent_env+0x123/0x430 age=18405 cpu=1 pid=2006
> INFO: Slab 0xffff81000485f718 used=8 fp=0xffff810101b45318 flags=0x8000000000000083
> INFO: Object 0xffff810101b452c0 @offset=704 fp=0xffff810101b45370
> 
> Bytes b4 0xffff810101b452b0:  db f9 fb ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a Ûùûÿ....ZZZZZZZZ
>   Object 0xffff810101b452c0:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk¥
>  Redzone 0xffff810101b452d0:  bb bb bb bb bb bb bb bb                         »»»»»»»»        
>  Padding 0xffff810101b45310:  d3 5e 5a 5a 5a 5a 5a 5a                         Ó^ZZZZZZ        

Ditto.... but here we have a freed object in the above case the object is 
still in use. Done by different processes at different times.

Eric: Anything that comes to mind in sysfs?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ