lists.openwall.net - Open Source and information security mailing list archives
Date: Sat, 5 Sep 2020 12:04:12 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Yang Yingliang <yangyingliang@...wei.com>
Cc: Linux Kernel Network Developers <netdev@...r.kernel.org>, Wei Yongjun <weiyongjun1@...wei.com>
Subject: Re: [Question] Oops when using connector in linux-4.19

On Sat, Sep 5, 2020 at 12:28 AM Yang Yingliang <yangyingliang@...wei.com> wrote:
>
> Hi,
>
> I got some crashes when using the connector module in linux-4.19:

Can you test a reasonably recent kernel?

> The invalid address [0x000000030000004c] is the value of the nlmsghdr from cn netlink: nlmsg_type is 3 and nlmsg_len is 0x4c.
>
> It seems the skb->data pointer is freed wrongly:
>
> Process A                                         Process B
>
> calls cn_netlink_send_mult()
> skb = nlmsg_new(size, gfp_mask);
>                                                   unknown process calls kfree(skb->data)
>                                                   // put skb->data pointer back to freelist of struct kmem_cache_cpu or struct page
>
> nlh = nlmsg_put(skb, 0, msg->seq, NLMSG_DONE, size, 0);
> // set (*skb->data) to 0x000000030000004c,
> // so the freelist is broken here.

This does not make sense. The newly allocated skb is only visible to process A at this point, so it is impossible for it to be freed by another process.

I guess there might be some buffer overrun on the heap; you probably need to turn on other memory debugging options like SLUB debug:

https://www.kernel.org/doc/Documentation/vm/slub.txt

Thanks.
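As an added example (not code from the thread or the kernel), the arithmetic behind the reporter's reading of the fault address: the first eight bytes of a netlink header, written by nlmsg_put(), read back as a pointer on a little-endian host. The field order mirrors the uapi struct nlmsghdr (nlmsg_len, nlmsg_type, nlmsg_flags); NLMSG_DONE is 0x3. A little-endian layout is an assumption made here.

```c
#include <stdint.h>
#include <stdio.h>

#define NLMSG_DONE_TYPE 0x3u  /* value of NLMSG_DONE in linux/netlink.h */

/* The leading fields of struct nlmsghdr, in uapi order (local copy). */
struct nl_hdr_fields {
    uint32_t len;
    uint16_t type;
    uint16_t flags;
};

/* Serialize fields as they sit in memory on a little-endian host. */
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, v & 0xffff); put_le16(p + 2, v >> 16); }

/* The 64-bit word a slab freelist walk would load from the header start. */
uint64_t nlmsghdr_as_freelist_word(struct nl_hdr_fields f)
{
    uint8_t bytes[8];
    put_le32(bytes, f.len);
    put_le16(bytes + 4, f.type);
    put_le16(bytes + 6, f.flags);
    uint64_t word = 0;
    for (int i = 7; i >= 0; i--)          /* little-endian 64-bit load */
        word = (word << 8) | bytes[i];
    return word;
}

/* Inverse: decode an Oops fault address back into header fields. */
struct nl_hdr_fields decode_fault_address(uint64_t addr)
{
    struct nl_hdr_fields f;
    f.len   = (uint32_t)(addr & 0xffffffffu);
    f.type  = (uint16_t)((addr >> 32) & 0xffff);
    f.flags = (uint16_t)((addr >> 48) & 0xffff);
    return f;
}

int main(void)
{
    /* Constructed input: the address quoted in the Oops report above. */
    struct nl_hdr_fields f = decode_fault_address(0x000000030000004cULL);
    printf("nlmsg_len=0x%x nlmsg_type=%u (NLMSG_DONE? %s) nlmsg_flags=0x%x\n",
           f.len, f.type, f.type == NLMSG_DONE_TYPE ? "yes" : "no", f.flags);
    return 0;
}
```

A fault address that decodes to a plausible header like this points at a write into memory the allocator already considers free; SLUB debug (poisoning, red zones, sanity checks) is what localizes the offending write.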