Date:	Thu, 24 Sep 2009 16:51:25 +0200
From:	Michal Schmidt <mschmidt@...hat.com>
To:	linux-kernel@...r.kernel.org
Cc:	cpufreq@...r.kernel.org, Mark Langsdorf <mark.langsdorf@....com>
Subject: use after free of struct powernow_k8_data

Hello,

After resume from suspend I get:

=============================================================================
BUG kmalloc-256: Poison overwritten
-----------------------------------------------------------------------------

INFO: 0xffff880073bf1bb0-0xffff880073bf1bb7. First byte 0x12 instead of 0x6b
INFO: Allocated in powernowk8_cpu_init+0x72/0xc27 [powernow_k8] age=290 cpu=0 pid=1782
INFO: Freed in powernowk8_cpu_exit+0x6b/0x88 [powernow_k8] age=289 cpu=0 pid=1782
INFO: Slab 0xffffea0002f059e8 objects=12 used=10 fp=0xffff880073bf1b88 flags=0x200000000000c3
INFO: Object 0xffff880073bf1b88 @offset=2952 fp=0xffff880073bf1e18

Bytes b4 0xffff880073bf1b78:  ec 77 fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a .w......ZZZZZZZZ
  Object 0xffff880073bf1b88:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object 0xffff880073bf1b98:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object 0xffff880073bf1ba8:  6b 6b 6b 6b 6b 6b 6b 6b 12 00 00 00 0c 00 00 00 kkkkkkkk........
  Object 0xffff880073bf1bb8:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk

The overwritten values correspond to the currvid (0x12) and currfid (0x0c)
fields of struct powernow_k8_data. Earlier in dmesg these exact values
can be seen:

powernow-k8: table matched fid 0xc, giving vid 0x12
powernow-k8: target matches current values (fid 0xc, vid 0x12)

It seems that something called query_current_values_with_pending_wait()
while the struct was already freed.

It is perfectly reproducible. The kernel is the latest from git
(94a8d5caba74211ec76dac80fc6e2d5c391530df).
I'm attaching the full dmesg and .config.

Michal

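Added example (not part of Michal's message and not kernel code): a small user-space model in C of the SLUB poison check that produced the report above. It replays the sequence the report implies, allocation in powernowk8_cpu_init, free in powernowk8_cpu_exit, a write through the stale pointer, then the next kmalloc-256 allocation that reuses the object, and shows how the "Poison overwritten" range and "First byte 0x12 instead of 0x6b" fall out of scanning the freed object. The poison constants are the kernel's (POISON_FREE 0x6b, POISON_INUSE 0x5a, POISON_END 0xa5); the field offsets 40 and 44 are computed from the report's addresses (0xffff880073bf1bb0 - 0xffff880073bf1b88 = 0x28), and the assumption that currvid sits at 40 and currfid at 44 comes only from the byte values 0x12 and 0x0c, not from the real struct layout. The names slab_alloc, slab_free, check_free_poison, write_current_values, field_at and replay_uaf are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Poison bytes from the kernel's include/linux/poison.h. */
#define POISON_INUSE 0x5a  /* just allocated, not yet initialised */
#define POISON_FREE  0x6b  /* on the free list */
#define POISON_END   0xa5  /* last byte of a poisoned free object */
#define OBJ_SIZE     256   /* from the cache name in the report, kmalloc-256 */

/* Field offsets derived from the report: 0x...bb0 - 0x...b88 = 0x28 = 40.
 * Their order (currvid at 40, currfid at 44) is assumed from the byte values
 * 0x12 and 0x0c, not taken from the real struct powernow_k8_data. */
#define CURRVID_OFF 40
#define CURRFID_OFF 44

struct slab_object { uint8_t bytes[OBJ_SIZE]; };

/* What stands behind "INFO: <start>-<end>. First byte 0x.. instead of 0x6b". */
struct poison_report {
    int corrupted;
    size_t first_off;  /* first byte that is no longer POISON_FREE */
    size_t last_off;   /* last such byte, found by scanning back from the end */
    uint8_t found;     /* value seen at first_off */
};

/* Models check_bytes_and_report(): a free object must be all POISON_FREE
 * apart from the trailing POISON_END byte, which is excluded from the scan. */
struct poison_report check_free_poison(const struct slab_object *o)
{
    struct poison_report r = {0, 0, 0, 0};
    size_t start = 0, end = OBJ_SIZE - 1;
    while (start < end && o->bytes[start] == POISON_FREE)
        start++;
    if (start == end) return r;  /* poison intact */
    while (end > start && o->bytes[end - 1] == POISON_FREE)
        end--;
    r.corrupted = 1;
    r.first_off = start;
    r.last_off = end - 1;
    r.found = o->bytes[start];
    return r;
}

/* kfree() under SLAB_POISON; a freshly set up slab object looks the same. */
void slab_free(struct slab_object *o)
{
    memset(o->bytes, POISON_FREE, OBJ_SIZE - 1);
    o->bytes[OBJ_SIZE - 1] = POISON_END;
}

/* kmalloc() under SLAB_POISON: verify the free poison (the check that fired), then POISON_INUSE. */
struct poison_report slab_alloc(struct slab_object *o)
{
    struct poison_report r = check_free_poison(o);
    memset(o->bytes, POISON_INUSE, OBJ_SIZE);
    return r;
}

/* Stand-in for query_current_values_with_pending_wait() storing the current
 * vid/fid through a pointer to the object, whether or not it is still live.
 * Host byte order; little-endian on the x86-64 machine in the report. */
void write_current_values(struct slab_object *o, uint32_t vid, uint32_t fid)
{
    memcpy(o->bytes + CURRVID_OFF, &vid, sizeof vid);
    memcpy(o->bytes + CURRFID_OFF, &fid, sizeof fid);
}

/* Map a reported offset back to a field name, as the poster did by hand. */
const char *field_at(size_t off)
{
    if (off >= CURRVID_OFF && off < CURRVID_OFF + 4) return "currvid";
    if (off >= CURRFID_OFF && off < CURRFID_OFF + 4) return "currfid";
    return "unknown";
}

/* Replays the report; with_stale_write adds the write through the freed pointer. */
struct poison_report replay_uaf(int with_stale_write)
{
    struct slab_object obj;
    slab_free(&obj);                            /* fresh slab object */
    slab_alloc(&obj);                           /* powernowk8_cpu_init() */
    write_current_values(&obj, 0x12, 0x0c);     /* legitimate update while live */
    slab_free(&obj);                            /* powernowk8_cpu_exit() */
    if (with_stale_write)
        write_current_values(&obj, 0x12, 0x0c); /* the bug: write after free */
    return slab_alloc(&obj);                    /* next allocation: check runs */
}

int main(void)
{
    struct poison_report r = replay_uaf(1);
    printf("corrupted=%d, bytes %zu-%zu, first 0x%02x (%s)\n", r.corrupted,
           r.first_off, r.last_off, r.found, field_at(r.first_off));
    return 0;
}
```

With the stale write the check reports bytes 40 through 47 and a first byte of 0x12, which is exactly the 0x...bb0-0x...bb7 range in the message once the object base 0x...b88 is subtracted; without it the object comes back clean. The detection only fires on the next allocation from the same cache, which is why the "age" values in the report are what date the free, not the stale write itself.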
