lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sat, 5 Sep 2020 12:04:12 -0700
From:   Cong Wang <>
To:     Yang Yingliang <>
Cc:     Linux Kernel Network Developers <>,
        Wei Yongjun <>
Subject: Re: [Question] Oops when using connector in linux-4.19

On Sat, Sep 5, 2020 at 12:28 AM Yang Yingliang <> wrote:
> Hi,
> I got some crashes when using connector module in linux-4.19:

Can you test a reasonably recent kernel?

> The invalid address[0x000000030000004c] is the value of nlmsghdr from cn netlink, nlmsg_type is 3 and nlmsg_len is 0x4c.
> It seems the skb->data pointer is freed wrongly:
> Process A                                                   Process B
> calls cn_netlink_send_mult()
> skb = nlmsg_new(size, gfp_mask);
>                                                         unknown process calls kfree(skb->data)
>                                                         //put skb->data pointer back to freelist of struct kmem_cache_cpu or struct page
> nlh = nlmsg_put(skb, 0, msg->seq, NLMSG_DONE, size, 0);
> //set (*skb->data) to 0x000000030000004c,
> //so the freelist is broken here.

This does not make sense. The newly allocated skb is only visible to
process A at this point, it is impossible to be freed by another process.

I guess there might be some buffer overrun on heap, you probably
need to turn on other memory debugging options like SLUB debug:


Powered by blists - more mailing lists