[Devel] Re: BUG in tty_open when using containers and ptrace
Grzegorz Nosek
root at localdomain.pl
Sat Jul 4 07:34:12 PDT 2009
On Sat, Jul 04, 2009 at 03:28:52PM +0200, Grzegorz Nosek wrote:
> Decoding the code yields:
> All code
> ========
> 0: 81 fb 00 f0 ff ff cmp $0xfffff000,%ebx
> 6: 76 11 jbe 0x19
> 8: 48 c7 c7 60 61 7d 80 mov $0xffffffff807d6160,%rdi
> f: e8 c1 38 17 00 callq 0x1738d5
> 14: e9 a9 00 00 00 jmpq 0xc2
> 19: 48 85 db test %rbx,%rbx
> 1c: 74 5c je 0x7a
> 1e: 80 bb 40 01 00 00 00 cmpb $0x0,0x140(%rbx)
> 25: 48 8b 53 08 mov 0x8(%rbx),%rdx
> 29: 78 64 js 0x8f
> 2b:* 81 ba 9c 00 00 00 04 cmpl $0x10004,0x9c(%rdx) <-- trapping instruction
> 32: 00 01 00
> 35: 75 16 jne 0x4d
> 37: 83 .byte 0x83
> 38: bb 48 01 00 00 mov $0x148,%ebx
>
> Code starting with the faulting instruction
> ===========================================
> 0: 81 ba 9c 00 00 00 04 cmpl $0x10004,0x9c(%rdx)
> 7: 00 01 00
> a: 75 16 jne 0x22
> c: 83 .byte 0x83
> d: bb 48 01 00 00 mov $0x148,%ebx
To my untrained eye it looks like the cmpl corresponds to:
1841 if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
1842 tty->driver->subtype == PTY_TYPE_MASTER)
in drivers/char/tty_io.c
That means that %rdx should contain tty->driver, but contains
0x6973646e65732f64, which looks like a part of '/etc/init.d/sendsigs'.
So, we're possibly using an already freed and overwritten tty struct.
Best regards,
Grzegorz Nosek
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
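The register check made in the message above, written out as a small triage helper. This is an added example, not code from the original post or from the kernel: it reinterprets a register value as the little-endian bytes it would be in memory, flags a value that is not a canonical kernel address but is entirely printable ASCII as likely string data sitting where a pointer should be, and splits the 0x10004 immediate of the faulting cmpl back into the two 16-bit fields the C source compares. The register value, the immediate and the path string are taken from the message; the assumption that type and subtype are adjacent shorts with type at the lower address (as in struct tty_driver) is this example's own.

```c
/* Added example (not from the original message or the kernel tree):
 * a crash-triage helper for the "is this pointer really a pointer?"
 * check.  On x86-64 the least significant byte of a register is the
 * first byte in memory, so a value like 0x6973646e65732f64 decodes to
 * the characters it overwrote the object with. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a 64-bit register value as 8 little-endian bytes into out[9]
 * (NUL-terminated) and return how many of them are printable ASCII. */
int decode_reg_bytes(uint64_t v, char out[9])
{
    int printable = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        out[i] = (char)b;
        if (isprint(b))
            printable++;
    }
    out[8] = '\0';
    return printable;
}

/* Convenience: does the register decode exactly to the expected text? */
int reg_bytes_equal(uint64_t v, const char *expected)
{
    char buf[9];
    decode_reg_bytes(v, buf);
    return strcmp(buf, expected) == 0;
}

/* Heuristic used in the triage: a canonical x86-64 kernel address has
 * its top 16 bits set (0xffff....).  A value that is not canonical and
 * is made entirely of printable bytes is almost certainly data that
 * overwrote a freed object, not a live pointer. */
int looks_like_overwritten_pointer(uint64_t v)
{
    char buf[9];
    int printable = decode_reg_bytes(v, buf);
    int kernel_canonical = (v >> 48) == 0xffff;
    return !kernel_canonical && printable == 8;
}

/* The instruction cmpl $0x10004,0x9c(%rdx) compares two adjacent 16-bit
 * fields in one go.  Assumption (matches struct tty_driver's layout):
 * type sits at the lower address, so it is the low half of the immediate;
 * subtype is the high half. */
uint16_t driver_type_of(uint32_t imm)    { return (uint16_t)(imm & 0xffff); }
uint16_t driver_subtype_of(uint32_t imm) { return (uint16_t)(imm >> 16); }

int main(void)
{
    const uint64_t rdx = 0x6973646e65732f64ULL;          /* from the oops */
    const char *path = "/etc/init.d/sendsigs";            /* from the message */
    char s[9];
    int n = decode_reg_bytes(rdx, s);

    printf("%%rdx as bytes: \"%s\" (%d/8 printable)\n", s, n);
    printf("string data where a pointer should be: %s\n",
           looks_like_overwritten_pointer(rdx) ? "yes" : "no");
    printf("substring of %s: %s\n", path, strstr(path, s) ? "yes" : "no");
    printf("cmpl immediate 0x10004 -> driver->type=0x%04x driver->subtype=0x%04x\n",
           driver_type_of(0x10004), driver_subtype_of(0x10004));
    return 0;
}
```

The canonical-address test is only a heuristic: a register can legitimately hold a user pointer or an integer, so the decisive signal is that the decoded bytes form a recognisable fragment of a string known to be live on the system, as the message does with the sendsigs path.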