Date:      Fri, 29 Sep 2006 14:43:31 -0400
From:      Kris Kennaway <kris@obsecurity.org>
To:        Martin Blapp <mb@imp.ch>
Cc:        cvs-src@FreeBSD.org, Martin Blapp <mbr@FreeBSD.org>, cvs-all@FreeBSD.org, src-committers@FreeBSD.org
Subject:   Re: cvs commit: src/sys/kern tty_pty.c
Message-ID:  <20060929184331.GA33567@xor.obsecurity.org>
In-Reply-To: <20060929202338.W91466@godot.imp.ch>
References:  <200609290952.k8T9qvcU053566@repoman.freebsd.org> <20060929202338.W91466@godot.imp.ch>


On Fri, Sep 29, 2006 at 08:26:40PM +0200, Martin Blapp wrote:
>
> Hi all,
>
> > Free tty struct after last close. This should fix the pty-leak by numbers.
> > Remove workarounds for tty_refcount being 0, this will be fixed
> > differently later.
> >
> > Back out rev 1.145 since we initialize the tty struct from scratch and bad
> > things can't happen anymore.
> >
>
> Sigh. Peter Holmes stress tests did show that we still have problems. With
> the backout of rev. 1.145 we get again the same panics as the pty_pts code
> does.
> This is deep somewhere in the devfs code. It does happen with/without
> freeing struct tty.
>
> Memory modified after free 0xc45b7d00(252) val=deadc0dd @ 0xc45b7d70
> panic: Most recently used by DEVFS1

You can identify precisely where the use-after-free occurs by
configuring DEBUG_MEMGUARD; I posted a trace of what is probably the
same bug to current@ once but don't have it to hand.

Kris
