[Top] [All Lists]

elf_core_dump() from binfmt_elfo32.c trashes heap

Subject: elf_core_dump() from binfmt_elfo32.c trashes heap
From: Dave Johnson <>
Date: Tue, 12 Jul 2005 18:05:09 -0400
Original-recipient: rfc822;
64bit kernel, o32 userspace.

The call to elf_core_copy_regs() from elf_core_dump() is writing
beyond the end of prstatus because the wrong copy function is being

slab error in cache_free_debugcheck(): cache `size-256': double free, or memory 
outside object was overwritten
Call Trace:
 [<ffffffff8016f77c>] __slab_error+0x2c/0x38
 [<ffffffff80171c50>] cache_free_debugcheck+0x290/0x318
 [<ffffffff80171c1c>] cache_free_debugcheck+0x25c/0x318
 [<ffffffff80172d80>] kfree+0x98/0x168
 [<ffffffff80172ce8>] kfree+0x0/0x168
 [<ffffffff8011a250>] elf_core_dump+0x508/0xb58
 [<ffffffff8019b394>] do_coredump+0x234/0x260
 [<ffffffff80144a28>] __dequeue_signal+0x0/0x2c0
 [<ffffffff80147118>] get_signal_to_deliver+0x210/0x390
 [<ffffffff80116d10>] do_signal32+0x80/0x288
 [<ffffffff80145f80>] kill_something_info+0x48/0x128
 [<ffffffff8011727c>] sys32_rt_sigprocmask+0xfc/0x1c0
 [<ffffffff80106ed4>] do_notify_resume+0x3c/0x48
 [<ffffffff801039cc>] work_notifysig+0xc/0x14
 [<ffffffff8011a9c0>] handle_sys+0x120/0x13c

a80000013ff0b2b8: redzone 1: 0x170fc2a5, redzone 2: 0x7a120.

redzone 2 has been overwritten.


Running binfmt_elfo32.c through the pre-processor reveals that
elf_core_copy_regs() is calling dump_regs() instead of

In arch/mips/kernel/binfmt_elfo32.c:

#define ELF_CORE_COPY_REGS(_dest,_regs) elf32_core_copy_regs(_dest,_regs);

Those 2 have no effect because elf_core_copy_regs() has already been
defined inline by including 'linux/elfcore.h' at the top of

Changing elf32_core_copy_regs to a static also reveals the problem:

  CC      arch/mips/kernel/binfmt_elfo32.o
arch/mips/kernel/binfmt_elfo32.c:116: warning: `elf32_core_copy_regs' defined 
but not used


There's probably 10 different ways to fix this by re-ordering
#includes/#defines in arch/mips/kernel/binfmt_elfo32.c.


I found a reference to this in the mailing list from Jan/Feb 2005, but
the proposed patch didn't seem to get applied.

Suggestions on the best way to fix this?  Was that patch no good?

Dave Johnson
Starent Networks

<Prev in Thread] Current Thread [Next in Thread>
  • elf_core_dump() from binfmt_elfo32.c trashes heap, Dave Johnson <=