lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <201002040446.05068.s.L-H@gmx.de>
Date:	Thu, 4 Feb 2010 04:46:02 +0100
From:	"Stefan Lippers-Hollmann" <s.L-H@....de>
To:	Greg KH <gregkh@...e.de>
Cc:	linux-kernel@...r.kernel.org, Eric Paris <eparis@...hat.com>,
	Tejun Heo <tj@...nel.org>, akpm@...ux-foundation.org,
	torvalds@...ux-foundation.org, stable@...nel.org
Subject: Re: patch idr-fix-a-critical-misallocation-bug.patch added to 2.6.32-stable tree

Hi

[ Sorry for not reporting this earlier today, while 
  idr-fix-a-critical-misallocation-bug was still part of queue-2.6.32, but 
  bisecting this (and previously net-restore-ip-source-validation.patch) 
  took its time. ]

On Thursday 04 February 2010, Greg KH wrote:
> On Wed, Feb 03, 2010 at 08:21:39AM -0500, Eric Paris wrote:
> > On Wed, 2010-02-03 at 14:21 +0900, Tejun Heo wrote:
> > 
> > > > Eric Paris located a bug in idr.  With IDR_BITS of 6, it grows to three
> > > > layers when id 4096 is first allocated.  When that happens, idr wraps
> > > > incorrectly and searches the idr array ignoring the high bits.  The
> > > > following test code from Eric demonstrates the bug nicely.
> > > ...
> > > > Based-on-patch-from: Eric Paris <eparis@...hat.com>
> > > > Reported-by: Eric Paris <eparis@...hat.com>
> > > > Signed-off-by: Tejun Heo <tj@...nel.org>
> > > > Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
> > > > Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
> > > > Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
> > > 
> > > Greg, can this wait a bit more, maybe until the next -stable release?
> > > The code there is very fragile and this has been broken forever so I
> > > think it would be better if we wait a bit more while it gets testing
> > > mainline.

Just as a side note, this patch as part of the 2.6.32 stable queue (before 
this patch was removed again) seems to break logging into KDE 4.3.4 through
kdm on several different systems with Intel chipsets/ graphics (kvm 
active). X and kdm start normally, logging in shows the ksplash, which 
quickly terminates the xsession and dumps back to kdm. Removing just this 
patch from 2.6.32 + (previous) stable queue fixes the problem for me; 
however 2.6.33-rc6-git3 seems to be affected as well, but freezes X, 
instead of "just" terminating the current X session and reverting to kdm.

While I have reports from several different intel chipsets, I can 
personally reproduce it on an Intel D945GCLF2 mainboard:

00:00.0 Host bridge [0600]: Intel Corporation 82945G/GZ/P/PL Memory Controller Hub [8086:2770] (rev 02)                                                                                           
00:02.0 VGA compatible controller [0300]: Intel Corporation 82945G/GZ Integrated Graphics Controller [8086:2772] (rev 02)                                                                         
00:1b.0 Audio device [0403]: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller [8086:27d8] (rev 01)                                                                         
00:1c.0 PCI bridge [0604]: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 [8086:27d0] (rev 01)                                                                                         
00:1c.2 PCI bridge [0604]: Intel Corporation 82801G (ICH7 Family) PCI Express Port 3 [8086:27d4] (rev 01)                                                                                         
00:1c.3 PCI bridge [0604]: Intel Corporation 82801G (ICH7 Family) PCI Express Port 4 [8086:27d6] (rev 01)                                                                                         
00:1d.0 USB Controller [0c03]: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #1 [8086:27c8] (rev 01)
00:1d.1 USB Controller [0c03]: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #2 [8086:27c9] (rev 01)
00:1d.2 USB Controller [0c03]: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #3 [8086:27ca] (rev 01)
00:1d.3 USB Controller [0c03]: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #4 [8086:27cb] (rev 01)
00:1d.7 USB Controller [0c03]: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller [8086:27cc] (rev 01)
00:1e.0 PCI bridge [0604]: Intel Corporation 82801 PCI Bridge [8086:244e] (rev e1)
00:1f.0 ISA bridge [0601]: Intel Corporation 82801GB/GR (ICH7 Family) LPC Interface Bridge [8086:27b8] (rev 01)
00:1f.1 IDE interface [0101]: Intel Corporation 82801G (ICH7 Family) IDE Controller [8086:27df] (rev 01)
00:1f.2 IDE interface [0101]: Intel Corporation 82801GB/GR/GH (ICH7 Family) SATA IDE Controller [8086:27c0] (rev 01)
00:1f.3 SMBus [0c05]: Intel Corporation 82801G (ICH7 Family) SMBus Controller [8086:27da] (rev 01)
01:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller [10ec:8168] (rev 02)

===
[ the following might of course be unrelated ]
Oops captured with 2.6.33-rc6-git3 (X and kdm start up without problems, 
but freezes during ksplash - the system remains operationable through ssh):

[drm:i915_gem_do_execbuffer] *ERROR* Invalid object handle 1073741824 at index 23                
BUG: unable to handle kernel paging request at ffffffff00000080                                  
IP: [<ffffffffa00951af>] i915_gem_do_execbuffer+0x79f/0x1370 [i915]                              
PGD 14c0067 PUD 0                                                                                
Oops: 0000 [#1] PREEMPT SMP                                                                      
last sysfs file: /sys/devices/virtual/sound/timer/uevent                                         
CPU 0                                                                                            
Pid: 1846, comm: Xorg Tainted: G        W  2.6.33-rc6-sidux-amd64 #1 D945GCLF2/                  
RIP: 0010:[<ffffffffa00951af>]  [<ffffffffa00951af>] i915_gem_do_execbuffer+0x79f/0x1370 [i915]  
RSP: 0018:ffff88007c49fbf8  EFLAGS: 00010286                                                     
RAX: ffff88007e80aac0 RBX: 00000000fffffff7 RCX: 000000000000001e                                
RDX: ffffffff00000000 RSI: ffffffffa0042710 RDI: ffff88007e162a80                                
RBP: 0000000000000018 R08: 0000000000000001 R09: 0000000000000020                                
R10: 0000000000000000 R11: 000000000000006e R12: ffff88007e80aa00                                
R13: ffff88007c49fd18 R14: ffff88007e80aa00 R15: ffff88007c49fd18                                
FS:  00007f5bf591d790(0000) GS:ffff880001800000(0000) knlGS:0000000000000000                     
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033                                                
CR2: ffffffff00000080 CR3: 000000007c480000 CR4: 00000000000006f0                                
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000                                
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400                                
Process Xorg (pid: 1846, threadinfo ffff88007c49e000, task ffff88007c4fd280)                     
Stack:                                                                                           
 ffff88007bebdb80 0000000000000000 ffff88007bebde18 ffffffff8135139b                             
<0> ffff88007f002dc0 ffff880000000040 fffffff57f35a800 ffff88007e2f7800                          
<0> 0000000000001000 ffff88007c49fd48 ffff88007e80aa00 ffff88007e2f6000                          
Call Trace:                                                                                      
 [<ffffffff8135139b>] ? unix_stream_recvmsg+0x28b/0x620
 [<ffffffffa0095fa0>] ? i915_gem_execbuffer+0x0/0x410 [i915]
 [<ffffffffa00961b0>] ? i915_gem_execbuffer+0x210/0x410 [i915]
 [<ffffffffa00904d5>] ? i915_gem_sw_finish_ioctl+0x95/0xd0 [i915]
 [<ffffffffa0040958>] ? drm_ioctl+0x308/0x440 [drm]
 [<ffffffffa0095fa0>] ? i915_gem_execbuffer+0x0/0x410 [i915]
 [<ffffffff8111ef2f>] ? do_sync_read+0xbf/0x100
 [<ffffffff81071924>] ? bit_waitqueue+0x14/0xc0
 [<ffffffff8112eed5>] ? vfs_ioctl+0x35/0xd0
 [<ffffffff8112f098>] ? do_vfs_ioctl+0x88/0x570
 [<ffffffff810566b3>] ? do_setitimer+0x1c3/0x240
 [<ffffffff8112f600>] ? sys_ioctl+0x80/0xa0
 [<ffffffff8100a002>] ? system_call_fastpath+0x16/0x1b
Code: eb 48 8b 74 24 68 44 8b 4e 08 45 85 c9 74 4a 4c 8b 64 24 50 31 ed 49 89 f5 0f 1f 00 48 63 c5 49 8d 04 c4 48 8b 10 48 85 d2 74 25 <48> 8b 92 80 00 00 00 c7 82 a0 00 00 00 00 00 00 00 48 8b 38 48
RIP  [<ffffffffa00951af>] i915_gem_do_execbuffer+0x79f/0x1370 [i915]
 RSP <ffff88007c49fbf8>
CR2: ffffffff00000080
---[ end trace 88853e816bdbf457 ]---

I will test 2.6.33 HEAD with idr-fix-a-critical-misallocation-bug.patch
reverted when I get home tonight (UTC+1), I'm likely not able to respond 
before that either.

> > I'm ok with that as well.  inotify should not be able to trip up on this
> > condition any more thanks to other changes to inotify.
> 
> Ok, I've now dropped it.
> 
> thanks,
> 
> greg k-h

Regards
	Stefan Lippers-Hollmann

Post scriptum: 
Xorg.0.log.gz, kdm.log.gz and xsession errors.gz are taken from 
2.6.32.7+queue-2.6.32, including idr-fix-a-critical-misallocation-bug.patch

system:	up to date Debian sid/ unstable
		ii  hal                                                 0.5.14-2                   Hardware Abstraction Layer
		ii  libdrm-intel1                                       2.4.17-1                   Userspace interface to intel-specific kernel DRM serv
		ii  libdrm2                                             2.4.17-1                   Userspace interface to kernel DRM services -- runtime
		ii  libhal-storage1                                     0.5.14-2                   Hardware Abstraction Layer - shared library for stora
		ii  libhal1                                             0.5.14-2                   Hardware Abstraction Layer - shared library
		ii  xserver-xorg-core                                   2:1.7.4-2                  Xorg X server - core server
		ii  xserver-xorg-video-intel                            2:2.9.1-2                  X.Org X server -- Intel i8xx, i9xx display driver

Download attachment "dmesg-2.6.32.7+queue-2.6.32-EXcluding-idr-working.gz" of type "application/x-gzip" (1638 bytes)

Download attachment "Xorg.0.log.gz" of type "application/x-gzip" (5290 bytes)

Download attachment "dmesg-2.6.32.7+queue-2.6.32-including-idr.gz" of type "application/x-gzip" (9050 bytes)

Download attachment "dmesg-2.6.33-rc6-git3.gz" of type "application/x-gzip" (10624 bytes)

Download attachment "kdm.log.gz" of type "application/x-gzip" (1346 bytes)

Download attachment "xsession-errors.gz" of type "application/x-gzip" (591 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ