SECURITY: ldd core (more detailed info)

Guest (guest@manjak.knm.org.pl)
Wed, 27 Jan 1999 14:59:30 +0100


Hello,

I've done a little more debugging and here are my results.
It appears that the thing that causes reboot in my machine
is a call to pmd_clear() in free_one_pmd().

What I did first was to insert a call to panic() in
mm/memory.c:free_one_pmd()

if (pmd_bad(*dir)) {
printk("free_one_pmd: bad directory entry %08lx\n", pmd_val(*dir));
pmd_clear(dir);
panic(" HERE !!!");
return;
}

Reboot -> ldd core -> *boom*. However, if I put the panic() call just
before pmd_clear() the system didn't crash. Below is the result of a
forced oops:

if (pmd_bad(*dir)) {
printk("free_one_pmd: bad directory entry %08lx\n", pmd_val(*dir));
*(int *) 0 = 0;
...

free_one_pmd: bad directory entry 000001e3
Unable to handle kernel NULL pointer dereference at virtual address 00000000
current->tss.cr3 = 03b43000, %cr3 = 03b43000
*pde = 00000000
Oops: 0002
CPU: 0
EIP: 0010:[<c01195d0>]
EFLAGS: 00010296
eax: 0000002b ebx: 00000000 ecx: 00000005 edx: 00000001
esi: c3b43c00 edi: c3b43c00 ebp: 00000001 esp: c3237efc
ds: 0018 es: 0018 ss: 0018
Process ld-linux.so.2 (pid: 318, process nr: 26, stackpage=c3237000)
Stack: c3268380 000002ff bffff000 c00083e0 c011b2eb c00083e0 000002ff 00000002
00000000 bffff000 00000000 00001000 c011b51d c00083e0 c3268380 bffff000
c0000000 c32683c0 bffff000 00001000 c00083e0 c00083e0 c32682c0 c3268380
Call Trace: [<c011b2eb>] [<c011b51d>] [<c011ac36>] [<c010d5f6>] [<c01096a4>]
Code: c7 05 00 00 00 00 00 00 00 00 68 ed 5b 19 c0 e8 10 97 ff ff

3824 symbols from /usr/src/linux/System.map

EIP: 0xc01195d0 T clear_page_tables+0x50/0xb0
EIP: <c01195d0> [klogd]
trace: 0xc011b2eb t free_pgtables+0x7b/0x84
trace: 0xc011b51d T do_munmap+0x229/0x244
trace: 0xc011ac36 T do_mmap+0x272/0x3cc
trace: 0xc010d5f6 T old_mmap+0xba/0xf4
trace: 0xc01096a4 T system_call+0x34/0x38
code: 00000000 <oops>:
code: 0: c7 05 00 00 00 movl $0x0,0x0
code: 5: 00 00 00 00 00
code: a: 68 ed 5b 19 c0 pushl $0xc0195bed
code: f: e8 10 97 ff ff call ffff9724 <main+0xffff9724>

I guess that the bug was introduced in pre8 when the AVL tree was integrated
into the kernel. Could people test whether their machines reboot with 2.2.0-pre7
and earlier kernels?

Martin
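As an added example that is not part of the message above, a small ksymoops-style resolver: it reads a System.map excerpt (constructed here so that the symbol starts reproduce the offsets in the trace; the placeholder_* names are assumptions, not real kernel symbols) and turns the EIP and Call Trace addresses from the oops into the "symbol+offset/size" lines shown in the listing.

```python
import bisect
# Constructed System.map excerpt ("address type name", as in 2.2 kernels).
# Start addresses reproduce the +offset/size values in the message; the
# placeholder_* names stand in for whatever symbol really follows each one.
SYSTEM_MAP = """\
c0109670 T system_call
c01096a8 T placeholder_after_system_call
c010d53c T old_mmap
c010d630 T placeholder_after_old_mmap
c0119580 T clear_page_tables
c0119630 T placeholder_after_clear_page_tables
c011a9c4 T do_mmap
c011ad90 T placeholder_after_do_mmap
c011b270 t free_pgtables
c011b2f4 T do_munmap
c011b538 T placeholder_after_do_munmap
"""

def parse_system_map(text):
    """Parse System.map lines into a list of (addr, type, name) sorted by addr."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        addr, kind, name = parts
        syms.append((int(addr, 16), kind, name))
    return sorted(syms)

def resolve(syms, addr):
    """ksymoops-style 'T name+0xoff/0xsize' for the symbol at or before addr;
    None if addr is below the first symbol (user-space or garbage value)."""
    starts = [s[0] for s in syms]
    i = bisect.bisect_right(starts, addr) - 1
    if i < 0:
        return None
    start, kind, name = syms[i]
    off = addr - start
    # Size is the gap to the next symbol, as ksymoops computes it; the last
    # symbol has no successor, so only the offset is reported there.
    if i + 1 < len(syms):
        return "%s %s+0x%x/0x%x" % (kind, name, off, syms[i + 1][0] - start)
    return "%s %s+0x%x" % (kind, name, off)

if __name__ == "__main__":
    syms = parse_system_map(SYSTEM_MAP)
    # EIP, then the Call Trace from the oops in the message.
    for a in (0xc01195d0, 0xc011b2eb, 0xc011b51d, 0xc011ac36, 0xc010d5f6, 0xc01096a4):
        print("0x%08x %s" % (a, resolve(syms, a)))
```

Addresses below the lowest kernel symbol (such as the bffff000 stack values) resolve to None, which is how such a tool separates return addresses from user-space pointers on the stack.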
