| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20090924165125.7cf51a1f@leela> Date: Thu, 24 Sep 2009 16:51:25 +0200 From: Michal Schmidt <mschmidt@...hat.com> To: linux-kernel@...r.kernel.org Cc: cpufreq@...r.kernel.org, Mark Langsdorf <mark.langsdorf@....com> Subject: use after free of struct powernow_k8_data Hello, After resume from suspend I get: ============================================================================= BUG kmalloc-256: Poison overwritten ----------------------------------------------------------------------------- INFO: 0xffff880073bf1bb0-0xffff880073bf1bb7. First byte 0x12 instead of 0x6b INFO: Allocated in powernowk8_cpu_init+0x72/0xc27 [powernow_k8] age=290 cpu=0 pid=1782 INFO: Freed in powernowk8_cpu_exit+0x6b/0x88 [powernow_k8] age=289 cpu=0 pid=1782 INFO: Slab 0xffffea0002f059e8 objects=12 used=10 fp=0xffff880073bf1b88 flags=0x200000000000c3 INFO: Object 0xffff880073bf1b88 @offset=2952 fp=0xffff880073bf1e18 Bytes b4 0xffff880073bf1b78: ec 77 fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ěwţ˙....ZZZZZZZZ Object 0xffff880073bf1b88: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880073bf1b98: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880073bf1ba8: 6b 6b 6b 6b 6b 6b 6b 6b 12 00 00 00 0c 00 00 00 kkkkkkkk........ Object 0xffff880073bf1bb8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk The overwritten values correspond to the currvid (0x12) and currfid (0x0c) fields if struct powernow_k8_data. Earlier in dmesg these exact values can be seen: powernow-k8: table matched fid 0xc, giving vid 0x12 powernow-k8: target matches current values (fid 0xc, vid 0x12) It seems that something called query_current_values_with_pending_wait() while the struct was already freed. It is perfectly reproducible. The kernel is the latest from git (94a8d5caba74211ec76dac80fc6e2d5c391530df). I'm attaching the full dmesg and .config. Michal View attachment "dmesg.txt" of type "text/plain" (80003 bytes) View attachment "config.txt" of type "text/plain" (75654 bytes)
Powered by blists - more mailing lists