Query:Regarding object poison overwritten in binder_transaction

Query:Regarding object poison overwritten in binder_transaction

[Kohli, Gaurav]

HI ,

Is there any known issue of slab poisoning in binder_transaction variable on kernel 4.9,

  it seems owner variable of spinlock is
getting corrupted(which is last 8th byte of binder_transaction struct).

    368.423462:   <2> [<ffffff918ec3177c>] print_trailer+0x13c/0x214

    368.428998:   <2> [<ffffff918ec3193c>] check_bytes_and_report+0xe8/0xfc

    368.435144:   <2> [<ffffff918ec31d8c>] check_object+0x248/0x280

    368.440592:   <2> [<ffffff918ec31f0c>] alloc_debug_processing+0x148/0x1a0

    368.446913:   <2> [<ffffff918ec333d0>] ___slab_alloc.constprop.72+0x654/0x690

    368.453586:   <2> [<ffffff918ec33464>] __slab_alloc.isra.68.constprop.71+0x58/0x98

    368.460693:   <2> [<ffffff918ec338fc>] kmem_cache_alloc_trace+0x198/0x2c4

    368.467011:   <2> [<ffffff918f7ae24c>] binder_transaction+0xcb8/0x244c

    368.473065:   <2> [<ffffff918f7b03b8>] binder_thread_write+0x9d8/0x1410

    368.479206:   <2> [<ffffff918f7b0f20>] binder_ioctl_write_read+0x130/0x370

    368.485615:   <2> [<ffffff918f7b16b0>] binder_ioctl+0x550/0x7dc

    368.491065:   <2> [<ffffff918ec5ac0c>] do_vfs_ioctl+0xcc/0x888

    368.496424:   <2> [<ffffff918ec5b458>] SyS_ioctl+0x90/0xa4

    368.501430:   <2> [<ffffff918ea83770>] el0_svc_naked+0x24/0x28

    368.506798:   <6> Kernel panic - not syncing: object poison overwritten

    368.287743:   <6> Object ffffffc5a0692e20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk

    368.297117:   <6> Object ffffffc5a0692e30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk

    368.306487:   <6> Object ffffffc5a0692e40: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk

    368.315866:   <6> Object ffffffc5a0692e50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk

    368.325241:   <6> Object ffffffc5a0692e60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk

    368.334618:   <6> Object ffffffc5a0692e70: 6b 6b 6b 6b 6b 6b 6b 6b 67 6b 6b 6b 6b 6b 6b a5  kkkkkkkkgkkkkkk.    here it is corrupted(seems write after free case)


    368.343997:   <6> Redzone ffffffc5a0692e80: bb bb bb bb bb bb bb bb                          ........

    368.352755:   <6> Padding ffffffc5a0692fc0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ

    368.362215:   <6> Padding ffffffc5a0692fd0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ

    368.371681:   <6> Padding ffffffc5a0692fe0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ

    368.381146:   <6> Padding ffffffc5a0692ff0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ

Regards

Gaurav

-- 

Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,

a Linux Foundation Collaborative Project.

_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: Query:Regarding object poison overwritten in binder_transaction

[Greg Kroah-Hartman]

On Sat, Mar 03, 2018 at 08:22:35PM +0530, Kohli, Gaurav wrote:
> HI ,
> 
> Is there any known issue of slab poisoning in binder_transaction variable on kernel 4.9,

If you are using binder in an Android device with 4.9, please use the
version in the android-common tree, as it has all of the newer features
backported properly there.  You will need that for newer Android systems
(like Android O and newer) anyway, so please try that tree.  If you
still have problems there, please file a bug in AOSP.

thanks,

greg k-h
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: Query:Regarding object poison overwritten in binder_transaction

[Kohli, Gaurav]

Thanks Greg,

I will check the common tree, and it seems to me a new bug , will file a 
bug if won't be able to

resolve from android-common tree.

Regards

Gaurav


On 3/4/2018 12:57 AM, Greg Kroah-Hartman wrote:
> On Sat, Mar 03, 2018 at 08:22:35PM +0530, Kohli, Gaurav wrote:
>> HI ,
>>
>> Is there any known issue of slab poisoning in binder_transaction variable on kernel 4.9,
> If you are using binder in an Android device with 4.9, please use the
> version in the android-common tree, as it has all of the newer features
> backported properly there.  You will need that for newer Android systems
> (like Android O and newer) anyway, so please try that tree.  If you
> still have problems there, please file a bug in AOSP.
>
> thanks,
>
> greg k-h

-- 
Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project.