| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <84144f020807210252k68d5cf65i8c7ae3c11cecc046@mail.gmail.com> Date: Mon, 21 Jul 2008 12:52:45 +0300 From: "Pekka Enberg" <penberg@...helsinki.fi> To: "Ingo Molnar" <mingo@...e.hu> Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org, "Vegard Nossum" <vegard.nossum@...il.com>, "Rafael J. Wysocki" <rjw@...k.pl>, cl@...ux-foundation.org, davem@...emloft.net, johnpol@....mipt.ru Subject: Re: [bug, netconsole, SLUB] BUG skbuff_head_cache: Poison overwritten Hi Ingo, On Mon, Jul 21, 2008 at 12:41 PM, Ingo Molnar <mingo@...e.hu> wrote: > update about this problem: just triggered another colorful crash, see > below. This was with the 4K object dump patch already, maybe the dump > gives a clue? ...to point out the obvious: > ============================================================================= > BUG skbuff_head_cache: Poison overwritten > ----------------------------------------------------------------------------- > > INFO: 0xf7ccc100-0xf7ccc103. First byte 0x0 instead of 0x6b > INFO: Allocated in __alloc_skb+0x30/0x10e age=1 cpu=1 pid=1 > INFO: Freed in __kfree_skb+0x63/0x66 age=1 cpu=0 pid=0 > INFO: Slab 0xc1c34ca0 objects=16 used=1 fp=0xf7ccc100 flags=0x400000c3 > INFO: Object 0xf7ccc100 @offset=256 fp=0xf7ccc200 > > Bytes b4 0xf7ccc0f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ > Object 0xf7ccc100: 00 00 00 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b ....kkkkkkkkkkkk Use after free where first four bytes are zeroed. > Object 0xf7ccc110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk > Object 0xf7ccc120: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk > Object 0xf7ccc130: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk > Object 0xf7ccc140: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk > Object 0xf7ccc150: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk > Object 0xf7ccc160: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk > Object 0xf7ccc170: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk > Object 0xf7ccc180: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk > Object 0xf7ccc190: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk > Object 0xf7ccc1a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk� Rest of the object looks correct. > Redzone 0xf7ccc1b0: bb bb bb bb ���� > Padding 0xf7ccc1d8: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ > Padding 0xf7ccc1e8: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ > Padding 0xf7ccc1f8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ > Pid: 1, comm: swapper Not tainted 2.6.26-tip #3261 > [<c01673ad>] print_trailer+0xd1/0xd9 > [<c0167428>] check_bytes_and_report+0x73/0x8f > [<c0167664>] check_object+0xa5/0x15a > [<c016824c>] __slab_alloc+0x2fb/0x3c8 > [<c0168364>] kmem_cache_alloc+0x4b/0xa8 > [<c0497376>] ? __alloc_skb+0x30/0x10e > [<c0497376>] ? __alloc_skb+0x30/0x10e > [<c0497376>] __alloc_skb+0x30/0x10e > [<c04a6678>] alloc_skb+0xc/0xe > [<c04a6ce5>] find_skb+0x28/0x66 > [<c04a6f5f>] netpoll_send_udp+0x2b/0x1cf > [<c058800f>] ? _spin_lock_irqsave+0x4b/0x55 > [<c03db399>] write_msg+0x79/0xac > [<c03db320>] ? write_msg+0x0/0xac > [<c0122f96>] __call_console_drivers+0x56/0x63 > [<c0122ffa>] _call_console_drivers+0x57/0x5b > [<c0123386>] release_console_sem+0x112/0x1a5 > [<c01238f3>] vprintk+0x344/0x35e > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ >
Powered by blists - more mailing lists