| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Jan 2013 10:20:23 -0500 From: Dave Jones <davej@...hat.com> To: Neil Horman <nhorman@...driver.com> Cc: netdev@...r.kernel.org Subject: Re: ip6_dst_lookup_tail oops On Fri, Jan 18, 2013 at 07:48:09AM -0500, Neil Horman wrote: > > Now I've hit it with rt->n = 2000000000000010. So I'm starting to > > think this is getting passed in directly from userspace somehow, as > > these values look like the output of my 'set a few random bits' routine > > that sometimes gets called for params. > > > > I'm having trouble mapping a corrupt sendmsg parameter to a messed up rt->n though. > > > Well, neighbor table entries for ipv6 get added over rtnetlink, ah, that's helpful. That explains why just fuzzing sendmsg alone won't hit this. > but it seems you > would have to be able to memory map the socket to get a pointer like that into > place. Trinity doesn't record the syscalls it makes does it? That might be > helpful in tracking this down. It does, but when it takes two days to hit something like this, you end up with gigabytes of data to look through. Dave -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists