lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sat, 5 Sep 2020 12:04:12 -0700
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Yang Yingliang <yangyingliang@...wei.com>
Cc:     Linux Kernel Network Developers <netdev@...r.kernel.org>,
        Wei Yongjun <weiyongjun1@...wei.com>
Subject: Re: [Question] Oops when using connector in linux-4.19

On Sat, Sep 5, 2020 at 12:28 AM Yang Yingliang <yangyingliang@...wei.com> wrote:
>
> Hi,
>
> I got some crashes when using connector module in linux-4.19:

Can you test a reasonably recent kernel?


> The invalid address[0x000000030000004c] is the value of nlmsghdr from cn netlink, nlmsg_type is 3 and nlmsg_len is 0x4c.
>
> It seems the skb->data pointer is freed wrongly:
>
> Process A                                                   Process B
>
> calls cn_netlink_send_mult()
> skb = nlmsg_new(size, gfp_mask);
>                                                         unknown process calls kfree(skb->data)
>                                                         //put skb->data pointer back to freelist of struct kmem_cache_cpu or struct page
>
> nlh = nlmsg_put(skb, 0, msg->seq, NLMSG_DONE, size, 0);
> //set (*skb->data) to 0x000000030000004c,
> //so the freelist is broken here.

This does not make sense. The newly allocated skb is only visible to
process A at this point, it is impossible to be freed by another process.

I guess there might be some buffer overrun on heap, you probably
need to turn on other memory debugging options like SLUB debug:
https://www.kernel.org/doc/Documentation/vm/slub.txt.

Thanks.

Powered by blists - more mailing lists