Message-ID: <alpine.DEB.2.10.1402230859560.18653@vincent-weaver-1.um.maine.edu>
Date: Sun, 23 Feb 2014 09:05:01 -0500 (EST)
From: Vince Weaver <vincent.weaver@...ne.edu>
To: "H. Peter Anvin" <hpa@...or.com>
cc: Vince Weaver <vincent.weaver@...ne.edu>,
Linux Kernel <linux-kernel@...r.kernel.org>,
Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>, "H.J. Lu" <hjl.tools@...il.com>
Subject: Re: perf_fuzzer compiled for x32 causes reboot
On Sat, 22 Feb 2014, H. Peter Anvin wrote:
> I'd be interested in how rbp gets set, too. It might just be a
> coincidence and the value in rbp has some other meaning here.
The code in question does this:
	i=find_random_active_event();
	if (i<0) return;
	if ((event_data[i].mmap)) {
		value=0xdeadbeef;
		memset(event_data[i].mmap,value,getpagesize());
[New LWP 10526]
Core was generated by `./perf_fuzzer -t OCIRMQWPpAi -r 1392938876'.
Program terminated with signal 11, Segmentation fault.
#0 0x0041efab in __memset_sse2 ()
(gdb) bt
#0 0x0041efab in __memset_sse2 ()
#1 0x004017ec in trash_random_mmap () at perf_fuzzer.c:808
#2 main (argc=<optimized out>, argv=<optimized out>) at perf_fuzzer.c:1604
So rbp is set by the imul below; it is the offset into the
event_data[i] array, whose elements have a size of 0x120.
0x004017bd <+3085>: callq 0x402ee0 <find_random_active_event>
0x004017c2 <+3090>: test %eax,%eax
0x004017c4 <+3092>: js 0x4011e8 <main+1592>
0x004017ca <+3098>: imul $0x120,%eax,%ebp
0x004017d0 <+3104>: mov 0x756b2c(%ebp),%eax
0x004017d7 <+3111>: test %eax,%eax
0x004017d9 <+3113>: je 0x40183b <main+3211>
0x004017db <+3115>: mov 0xc(%esp),%edx
0x004017e0 <+3120>: mov %eax,%edi
0x004017e2 <+3122>: mov $0xdeadbeef,%esi
0x004017e7 <+3127>: callq 0x400260
0x004017ec <+3132>: testb $0x20,0x353e76(%rip) # 0x755669 <logging+$
400260: ff 25 ce 0e 2d 00 jmpq *0x2d0ece(%rip) # 6d1134 $
0x6d1134: 0x0041e710
Dump of assembler code for function __memset_sse2:
0x0041e710 <+0>: cmp $0x1,%rdx
0x0041e714 <+4>: mov %rdi,%rax
0x0041e717 <+7>: jne 0x41e71d <__memset_sse2+13>
0x0041e719 <+9>: mov %sil,(%rdi)
and as far as I can tell nothing touches rbp again until the segfault.
Nothing in __memset_sse2 does, as far as I can tell.
Vince