From: Dave Jones <davej@redhat.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: netdev@vger.kernel.org, Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: tun oops dereferencing garbage nsproxy-> address.
Date: Tue, 13 Mar 2012 14:26:46 -0400 [thread overview]
Message-ID: <20120313182646.GB11500@redhat.com> (raw)
In-Reply-To: <m1vcm8e537.fsf@fess.ebiederm.org>
On Tue, Mar 13, 2012 at 11:19:40AM -0700, Eric W. Biederman wrote:
> > oops happened here..
> >
> > tfile->net = get_net(current->nsproxy->net_ns);
> > 548: 48 8b 92 50 05 00 00 mov 0x550(%rdx),%rdx
> > 54f: 48 8b 52 28 mov 0x28(%rdx),%rdx
> >
> > My guess is the fuzzer called some syscall that set current->nsproxy
> > to garbage (0x0000000100000001), which later got dereferenced when it
> > subsequently randomly did an open() on tun.
> >
> > Any thoughts ?
>
> It smells like a memory stomp. current->nsproxy is always supposed to
> have a valid value, and it never would have an odd value. The value
> should always be at least 8 byte aligned.
>
> Since the value is impossible this doesn't feel like a path where the
> error handling is wrong.
0x0000000100000001 looks like one of strange values my fuzzer passes syscalls
when they ask for an address.
So something managed to get that set as nsproxy. The fuzzer avoids calling
clone(), so are there other syscalls that might set this ?
> So I am guessing this is a memory stomp. My guess it would take the
> same sequence of system calls on the same kernel build to reproduce
> this problem in the same place.
>
> Do you have any more information?
I've not managed to reproduce it, and that run sadly had logging turned off,
so I don't have the exact syscall sequence that caused it.
Dave
next prev parent reply other threads:[~2012-03-13 19:10 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-13 3:42 tun oops dereferencing garbage nsproxy-> address Dave Jones
2012-03-13 3:42 ` Dave Jones
2012-03-13 18:19 ` Eric W. Biederman
2012-03-13 18:19 ` Eric W. Biederman
2012-03-13 18:26 ` Dave Jones [this message]
2012-03-13 20:10 ` Eric W. Biederman
2012-03-13 20:23 ` Dave Jones
2012-03-18 20:02 ` Maciej Rutecki
2012-03-22 3:58 ` Eric W. Biederman
2012-03-22 19:29 ` Maciej Rutecki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120313182646.GB11500@redhat.com \
--to=davej@redhat.com \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.