lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090626073919.GD8633@ZenIV.linux.org.uk>
Date:	Fri, 26 Jun 2009 08:39:19 +0100
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Zeno Davatz <zdavatz@...il.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: 2.6.31-rc1 crashes randomly on my Machine.

On Fri, Jun 26, 2009 at 08:15:21AM +0100, Al Viro wrote:
> On Fri, Jun 26, 2009 at 08:56:52AM +0200, Zeno Davatz wrote:
> 
> > Jun 25 21:19:12 zenogentoo Code: 00 00 00 c7 47 20 00 00 00 00 c7 47
> > 24 00 00 00 00 c7 47 10 00 00 00 00 c7 47 14 00 00 00 00 c7 47 0c 00
> > 00 00 00 e9 27 ff ff ff <ff> 89 e5 57 56 53 83 ec 34 89 45 d0 89 55 cc
> > 89 4d c8 8b 70 6c
> > Jun 25 21:19:12 zenogentoo EIP: [<c10d1d35>] seq_read+0x0/0x3a5 SS:ESP
> > 0068:f4b01f44
> > Jun 25 21:19:12 zenogentoo CR2: 0000000053565be5
> > Jun 25 21:19:12 zenogentoo ---[ end trace 6254fef9dc80950b ]---
> > Jun 25 21:19:12 zenogentoo BUG: unable to handle kernel paging request
> > at 53565be5
> 
> Real cute...  Disassembly of that sucker:
> 	decl   0x535657e5(%ecx)
> which matches nicely the address in page fault.  However, that doesn't
> look even remotely plausible for a beginning of function.  OTOH,
> disassembly at one byte offset from that gives
> 	mov    %esp,%ebp
> 	push   %edi
> 	push   %esi
> 	push   %ebx
> which is exactly what you'd expect to see in such place.

Actually, it's not *quite* what you'd expect to see.  What's missing is
	push   %ebp
as the first instruction, preceding that stuff.  And it would take one
byte, so...

>  IOW, you've
> got an off-by-one - it had jumped at one byte before the actual entry
> point of seq_read().

... this is not an off-by-one at all.  The first byte of function code
got overwritten with 0xff.  Code before that doesn't seem to be mangled -
it's
	movl   $0x0,0x20(%edi)
	movl   $0x0,0x24(%edi)
	movl   $0x0,0x10(%edi)
	movl   $0x0,0x14(%edi)
	movl   $0x0,0xc(%edi)
	jmp    <a bit back>
which is at least not entirely implausible.  So it seems to be a memory
corruption in .text, which might or might not affect the directly
preceding bytes (0xe9 <signed 32bit int> is a relative jump, so there's
no way to tell whether this 0xff had been the only byte affected - it
would be preceded by 3 0xff coming from small negative integer anyway).
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ