From: Sukadev Bhattiprolu <sukadev-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
To: Grzegorz Nosek <root-AfQBxy1nhrQ00sYp1HPQUA@public.gmane.org>
Cc: containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org,
lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: BUG in tty_open when using containers and ptrace
Date: Mon, 6 Jul 2009 20:31:35 -0700
Message-ID: <20090707033135.GA29461@us.ibm.com>
In-Reply-To: <20090704143412.GA27523-yp6mvK3Bdd2rDJvtcaxF/A@public.gmane.org>
Grzegorz Nosek [root-AfQBxy1nhrQ00sYp1HPQUA@public.gmane.org] wrote:
| On Sat, Jul 04, 2009 at 03:28:52PM +0200, Grzegorz Nosek wrote:
| > Decoding the code yields:
| > All code
| > ========
| > 0: 81 fb 00 f0 ff ff cmp $0xfffff000,%ebx
| > 6: 76 11 jbe 0x19
| > 8: 48 c7 c7 60 61 7d 80 mov $0xffffffff807d6160,%rdi
| > f: e8 c1 38 17 00 callq 0x1738d5
| > 14: e9 a9 00 00 00 jmpq 0xc2
| > 19: 48 85 db test %rbx,%rbx
| > 1c: 74 5c je 0x7a
| > 1e: 80 bb 40 01 00 00 00 cmpb $0x0,0x140(%rbx)
| > 25: 48 8b 53 08 mov 0x8(%rbx),%rdx
| > 29: 78 64 js 0x8f
| > 2b:* 81 ba 9c 00 00 00 04 cmpl $0x10004,0x9c(%rdx) <-- trapping instruction
| > 32: 00 01 00
| > 35: 75 16 jne 0x4d
| > 37: 83 .byte 0x83
| > 38: bb 48 01 00 00 mov $0x148,%ebx
| >
| > Code starting with the faulting instruction
| > ===========================================
| > 0: 81 ba 9c 00 00 00 04 cmpl $0x10004,0x9c(%rdx)
| > 7: 00 01 00
| > a: 75 16 jne 0x22
| > c: 83 .byte 0x83
| > d: bb 48 01 00 00 mov $0x148,%ebx
|
| To my untrained eye it looks like the cmpl corresponds to:
|
| 1841 if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
| 1842 tty->driver->subtype == PTY_TYPE_MASTER)
|
| in drivers/char/tty_io.c
I don't yet have the exact version of tty_io.c so the line numbers don't
match, but even so isn't the above 'cmpl' comparing a constant 0x10004
with the %rdx+0x9c address? If so, I am not sure how it matches up to
either TTY_DRIVER_TYPE_PTY (0x0004) or PTY_TYPE_MASTER (0x0001).
Wouldn't the above 'if' require two separate compare instructions?
|
| That means that %rdx should contain tty->driver, but contains
| 0x6973646e65732f64, which looks like a part of '/etc/init.d/sendsigs'.
| So, we're possibly using an already freed and overwritten tty struct.
Is it possibly related to this bug where they talk of some sort of
corruption going on with tty data structures (kernel versions appear
to be close, but need to double check).
http://lkml.org/lkml/2009/6/16/131
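An added worked example in C (not code from the thread or the kernel) for the two questions above: in the kernel of that period struct tty_driver declared the fields as `short type; short subtype;`, adjacent in memory, so on little-endian x86-64 the compiler can test both with one 32-bit compare of the word at 0x9c against 0x10004 (low half TTY_DRIVER_TYPE_PTY, high half PTY_TYPE_MASTER); the two-field struct and the assumption that the word is read at the type field's offset are this example's, not taken from the page. It also decodes the reported %rdx value as little-endian bytes, the check that shows the stale tty->driver pointer was overwritten with string data, a typical use-after-free signature.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TTY_DRIVER_TYPE_PTY 0x0004   /* values as quoted in the thread */
#define PTY_TYPE_MASTER     0x0001

/* Assumed layout: the two adjacent 16-bit fields the cmpl reads as one word.
 * In the real struct tty_driver they sit at 0x9c (type) and 0x9e (subtype). */
struct tty_driver_tail {
    uint16_t type;
    uint16_t subtype;
};

/* The constant the compiler folds the two comparisons into: 0x10004. */
uint32_t merged_pty_master_word(void)
{
    return ((uint32_t)PTY_TYPE_MASTER << 16) | TTY_DRIVER_TYPE_PTY;
}

/* The check as written in tty_io.c: two separate field compares. */
int is_pty_master_fields(const struct tty_driver_tail *d)
{
    return d->type == TTY_DRIVER_TYPE_PTY && d->subtype == PTY_TYPE_MASTER;
}

/* The check as the disassembly does it: one 32-bit load and compare.
 * Relies on little-endian byte order (x86-64), where type lands in the
 * low 16 bits and subtype in the high 16 bits of the loaded word. */
int is_pty_master_word(const struct tty_driver_tail *d)
{
    uint32_t word;
    memcpy(&word, d, sizeof word);
    return word == 0x10004;
}

/* Render a 64-bit register value as its little-endian bytes, replacing
 * non-printable bytes with '.'; out must hold 9 chars. A pointer-typed
 * register that decodes to readable text points into overwritten memory. */
void reg_as_ascii(uint64_t reg, char out[9])
{
    for (int i = 0; i < 8; i++) {
        unsigned char c = (unsigned char)(reg >> (8 * i));
        out[i] = isprint(c) ? (char)c : '.';
    }
    out[8] = '\0';
}

/* Convenience wrapper: does the register decode to the expected text? */
int reg_decodes_to(uint64_t reg, const char *expect)
{
    char buf[9];
    reg_as_ascii(reg, buf);
    return strcmp(buf, expect) == 0;
}
```

With the %rdx value from the trace, 0x6973646e65732f64, reg_as_ascii yields "d/sendsi", the middle of '/etc/init.d/sendsigs', which is what the poster above recognised by eye.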