| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4AA609E8.3060408@gmail.com>
Date: Tue, 08 Sep 2009 09:38:16 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: Jike Song <albcamus@...il.com>
CC: Parag Warudkar <parag.lkml@...il.com>,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53
Jike Song a écrit :
> On Tue, Sep 8, 2009 at 11:56 AM, Parag Warudkar<parag.lkml@...il.com> wrote:
>> On Thu, Aug 27, 2009 at 4:45 PM, Jike Song<albcamus@...il.com> wrote:
>>>> hi, I hit this with vnc. Below is part of dmesg :
>>> Still producible in 2.6.31-rc9, anybody helps?
>> How does one go about reproducing this? You said VNC triggers this but
>> what VNC version, server or client? What distro and what needs to be done
>> with VNC to trigger this problem? I ask since I use VNC myself and test -git kernels
>> and have not encountered this issue.
>>
>> Parag
>>
>>
> Thanks for your attention, CC netdev this time.
>
> VNC server: tigervnc-server-0.0.91-0.11.fc11.x86_64
> VNC client: TurboVNC Viewer version 0.5 for Solaris
> Distro : Fedora 11, x86-64
>
> I specify gnome-init in xstartup, below is my xstartup file, with this
> file one only need to run vncviewer from the client to produce this
> bug:
>
> #!/bin/sh
>
> unset LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> unset LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> unset LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER
> LANG=zh_CN.UTF-8
> export LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> export LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> export LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER
> export G_FILENAME_ENCODING=@...ale
> XMODIFIERS="@im=SCIM"
> GTK_IM_MODULE="scim"
> export XMODIFIERS GTK_IM_MODULE
> if type scim &> /dev/null ; then
> scim -d &
> fi
>
> vncconfig -iconic &
> unset SESSION_MANAGER
> unset DBUS_SESSION_BUS_ADDRESS
> OS=`uname -s`
> if [ $OS = 'Linux' ]; then
> case "$WINDOWMANAGER" in
> *gnome*)
> if [ -e /etc/SuSE-release ]; then
> PATH=$PATH:/opt/gnome/bin
> export PATH
> fi
> ;;
> esac
> fi
> if [ -x /etc/X11/xinit/xinitrc ]; then
> exec /etc/X11/xinit/xinitrc
> fi
> if [ -f /etc/X11/xinit/xinitrc ]; then
> exec sh /etc/X11/xinit/xinitrc
> fi
> [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
> xsetroot -solid grey
> xterm -geometry 1024x768 -ls -title "$VNCDESKTOP Desktop" &
> gnome-init &
>
>
>
We decrement a refcnt while object already freed.
(SLUB DEBUG poisons the zone with 0x6B pattern)
You might add this patch to trigger a WARN_ON when refcnt >= 0x60000000U
in sk_free() : We'll see the path trying to delete an already freed sock
diff --git a/net/core/sock.c b/net/core/sock.c
index 7633422..1cb85ff 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk)
void sk_free(struct sock *sk)
{
+ WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U);
/*
* We substract one from sk_wmem_alloc and can know if
* some packets are still in some tx queue.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists