| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 5 Sep 2020 12:04:12 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Yang Yingliang <yangyingliang@...wei.com>
Cc: Linux Kernel Network Developers <netdev@...r.kernel.org>,
Wei Yongjun <weiyongjun1@...wei.com>
Subject: Re: [Question] Oops when using connector in linux-4.19
On Sat, Sep 5, 2020 at 12:28 AM Yang Yingliang <yangyingliang@...wei.com> wrote:
>
> Hi,
>
> I got some crashes when using connector module in linux-4.19:
Can you test a reasonably recent kernel?
> The invalid address[0x000000030000004c] is the value of nlmsghdr from cn netlink, nlmsg_type is 3 and nlmsg_len is 0x4c.
>
> It seems the skb->data pointer is freed wrongly:
>
> Process A Process B
>
> calls cn_netlink_send_mult()
> skb = nlmsg_new(size, gfp_mask);
> unknown process calls kfree(skb->data)
> //put skb->data pointer back to freelist of struct kmem_cache_cpu or struct page
>
> nlh = nlmsg_put(skb, 0, msg->seq, NLMSG_DONE, size, 0);
> //set (*skb->data) to 0x000000030000004c,
> //so the freelist is broken here.
This does not make sense. The newly allocated skb is only visible to
process A at this point, it is impossible to be freed by another process.
I guess there might be some buffer overrun on heap, you probably
need to turn on other memory debugging options like SLUB debug:
https://www.kernel.org/doc/Documentation/vm/slub.txt.
Thanks.
Powered by blists - more mailing lists