On Sat, Jul 04, 2009 at 03:28:52PM +0200, Grzegorz Nosek wrote:
> Decoding the code yields:
> All code
> ========
>    0:   81 fb 00 f0 ff ff       cmp    $0xfffff000,%ebx
>    6:   76 11                   jbe    0x19
>    8:   48 c7 c7 60 61 7d 80    mov    $0xffffffff807d6160,%rdi
>    f:   e8 c1 38 17 00          callq  0x1738d5
>   14:   e9 a9 00 00 00          jmpq   0xc2
>   19:   48 85 db                test   %rbx,%rbx
>   1c:   74 5c                   je     0x7a
>   1e:   80 bb 40 01 00 00 00    cmpb   $0x0,0x140(%rbx)
>   25:   48 8b 53 08             mov    0x8(%rbx),%rdx
>   29:   78 64                   js     0x8f
>   2b:*  81 ba 9c 00 00 00 04    cmpl   $0x10004,0x9c(%rdx)    <-- trapping instruction
>   32:   00 01 00
>   35:   75 16                   jne    0x4d
>   37:   83                      .byte 0x83
>   38:   bb 48 01 00 00          mov    $0x148,%ebx
>
> Code starting with the faulting instruction
> ===========================================
>    0:   81 ba 9c 00 00 00 04    cmpl   $0x10004,0x9c(%rdx)
>    7:   00 01 00
>    a:   75 16                   jne    0x22
>    c:   83                      .byte 0x83
>    d:   bb 48 01 00 00          mov    $0x148,%ebx

To my untrained eye it looks like the cmpl corresponds to:

1841        if (tty->driver->type == TTY_DRIVER_TYPE_PTY &&
1842            tty->driver->subtype == PTY_TYPE_MASTER)

in drivers/char/tty_io.c

That means that %rdx should contain tty->driver, but contains 0x6973646e65732f64, which looks like a part of '/etc/init.d/sendsigs'. So, we're possibly using an already freed and overwritten tty struct.

Best regards,
 Grzegorz Nosek
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
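The two checks the mail performs by hand, reading a register value as little-endian ASCII and asking whether it can be a kernel pointer at all, are worth having as a small tool when triaging an oops for a suspected use-after-free. The following C program is an added example written for this page; it is not code from the mail or from the kernel. It assumes the two x86-64 facts used below (little-endian byte order, and kernel pointers living in the upper canonical half, i.e. bits 63..47 all set), and it takes TTY_DRIVER_TYPE_PTY = 0x0004 and PTY_TYPE_MASTER = 0x0001 from include/linux/tty_driver.h. The split of the 0x10004 immediate into type/subtype halves is our reading of the cmpl, on the assumption that `short type` and `short subtype` are adjacent in struct tty_driver so the compiler folded both comparisons into one 32-bit compare; the mail itself does not state this.

```c
/* Added example, not from the original mail: heuristics for reading an
 * x86-64 oops register dump the way the analysis above does by hand. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from include/linux/tty_driver.h (assumed unchanged for this kernel). */
#define TTY_DRIVER_TYPE_PTY 0x0004
#define PTY_TYPE_MASTER     0x0001

/* Render a 64-bit register as the 8 bytes it holds in memory order (x86 is
 * little-endian), mapping non-printable bytes to '.'.  A pointer field that
 * was overwritten by string data after a free shows up as readable text. */
const char *decode_le_ascii(uint64_t v, char out[9])
{
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)((v >> (8 * i)) & 0xff);
        out[i] = isprint(b) ? (char)b : '.';
    }
    out[8] = '\0';
    return out;
}

/* How many of the 8 bytes are printable ASCII; 8/8 is a strong hint that
 * the "pointer" is really text from an overwritten allocation. */
int printable_bytes(uint64_t v)
{
    int n = 0;
    for (int i = 0; i < 8; i++)
        n += isprint((unsigned char)((v >> (8 * i)) & 0xff)) ? 1 : 0;
    return n;
}

/* Assumption: x86-64 kernel addresses are in the upper canonical half, so
 * bits 63..47 must all be set.  Anything else cannot be a kernel pointer. */
int is_kernel_canonical(uint64_t v)
{
    return (v >> 47) == 0x1ffff;
}

/* Our reading of "cmpl $0x10004,0x9c(%rdx)": one 32-bit compare covering two
 * adjacent shorts, low half = type, high half = subtype (assumption). */
struct tty_kind { unsigned type; unsigned subtype; };

struct tty_kind split_type_subtype(uint32_t word)
{
    struct tty_kind k = { word & 0xffffu, word >> 16 };
    return k;
}

/* Report on one register value from the dump. */
static void report(const char *reg, uint64_t v)
{
    char txt[9];
    printf("%s = 0x%016llx  ascii=\"%s\"  printable=%d/8  kernel-canonical=%s\n",
           reg, (unsigned long long)v, decode_le_ascii(v, txt),
           printable_bytes(v), is_kernel_canonical(v) ? "yes" : "NO");
}

int main(void)
{
    /* Constructed inputs: the two 64-bit values visible in the mail. */
    report("%rdx", 0x6973646e65732f64ULL);   /* should have been tty->driver */
    report("%rdi", 0xffffffff807d6160ULL);   /* a genuine kernel text address */

    struct tty_kind k = split_type_subtype(0x10004);
    printf("cmpl immediate 0x10004: type=0x%x (PTY=%s) subtype=0x%x (MASTER=%s)\n",
           k.type, k.type == TTY_DRIVER_TYPE_PTY ? "yes" : "no",
           k.subtype, k.subtype == PTY_TYPE_MASTER ? "yes" : "no");
    return 0;
}
```

Run against the values in the oops, the %rdx check fails both tests (all eight bytes are printable and the value is not canonical), which is the same conclusion the mail reaches: the pointer was overwritten after the tty was freed. The canonical-address test is the cheaper one to apply first on any register the faulting instruction dereferences; the ASCII rendering then often tells you which allocation reused the slab object.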