
linux-3.10 panic due to memory overwrite

Posted: Thu Jul 11, 2013 3:33 am
by fly_a320
Hello all,

With the 3.10 kernel I get this panic, captured with qemu:

If somebody could point me in the right direction as to what causes the crash, it would be appreciated.

Thanks, thorsten

smpboot: CPU0: Intel QEMU Virtual CPU version 1.4.1 (fam: 06, model: 03, stepping: 03)
APIC calibration not consistent with PM-Timer: 182ms instead of 100ms
APIC delta adjusted to PM-Timer: 6250060 (11434453)
Performance Events: Broken PMU hardware detected, using software events only.
Failed to access perfctr msr (MSR c1 is 0)
Brought up 1 CPUs
smpboot: Total of 1 processors activated (4990.51 BogoMIPS)
PAX: kernel memory overwrite attempt detected to c78011e0 (kmalloc-32) (9 bytes)
CPU: 0 PID: 12 Comm: kdevtmpfs Not tainted 3.10.0-grsec-20130627 #2
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
00000009 00000009 c78011e0 000c5943 c1b42c80 c1b3be1d c1b41143 c78011e0
c78014c0 00000009 00000202 000dc3c3 00000009 c78011e0 c1b6acbb c78982a8
000955fa 00020200 c7898030 00000009 00001000 c1b6acbb c78982a8 00095811
Call Trace:
[<000c5943>] ? __check_object_size+0xd3/0x130
[<000dc3c3>] ? copy_mnt_ns+0x1b3/0x240
[<000955fa>] ? memdup_user+0x2a/0x100
[<00020200>] ? acpi_processor_power_init_bm_check+0x60/0x60
[<00095811>] ? strndup_user+0x31/0x50
[<000db4a6>] ? copy_mount_string+0x16/0x40
[<000dbdb8>] ? SyS_mount+0x28/0xc0
[<00030adf>] ? SyS_unshare+0x1ef/0x230
[<00008000>] ? force_hpet_resume+0x1a0/0x1c0
[<0037c610>] ? handle_remove+0x210/0x210
[<0037c676>] ? devtmpfsd+0x66/0x300
[<00008000>] ? force_hpet_resume+0x1a0/0x1c0
[<00003480>] ? do_debug+0x30/0x30
[<00003480>] ? do_debug+0x30/0x30
[<00003480>] ? do_debug+0x30/0x30
[<000590ec>] ? try_to_wake_up+0x17c/0x200
[<00353537>] ? intel_dp_compute_config+0x2f7/0x3c0
[<00055f16>] ? __wake_up_common+0x46/0x70
[<0037c610>] ? handle_remove+0x210/0x210
[<0037c610>] ? handle_remove+0x210/0x210
[<0004eb42>] ? kthread+0x92/0xa0
[<0061935b>] ? ret_from_kernel_thread+0x1b/0x30
[<0004eab0>] ? __kthread_parkme+0x60/0x60
Kernel panic - not syncing: grsec: halting the system due to suspicious kernel crash caused by root
CPU: 0 PID: 12 Comm: kdevtmpfs Not tainted 3.10.0-grsec-20130627 #2
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
c7898030 c7898030 c78011e0 006116f7 c1b37110 c1e87180 c7898030 c78011e0
00000000 c1b3be1d 00256a19 c1b58c5c 00000000 c1b3bcf3 00000009 c78011e0
c1b3be18 000c5948 c1b42c80 c1b3be1d c1b41143 c78011e0 c78014c0 00000009
Call Trace:
[<006116f7>] ? panic+0x7d/0x158
[<00256a19>] ? gr_handle_kernel_exploit+0x109/0x110
[<000c5948>] ? __check_object_size+0xd8/0x130
[<000dc3c3>] ? copy_mnt_ns+0x1b3/0x240
[<000955fa>] ? memdup_user+0x2a/0x100
[<00020200>] ? acpi_processor_power_init_bm_check+0x60/0x60
[<00095811>] ? strndup_user+0x31/0x50
[<000db4a6>] ? copy_mount_string+0x16/0x40
[<000dbdb8>] ? SyS_mount+0x28/0xc0
[<00030adf>] ? SyS_unshare+0x1ef/0x230
[<00008000>] ? force_hpet_resume+0x1a0/0x1c0
[<0037c610>] ? handle_remove+0x210/0x210
[<0037c676>] ? devtmpfsd+0x66/0x300
[<00008000>] ? force_hpet_resume+0x1a0/0x1c0
[<00003480>] ? do_debug+0x30/0x30
[<00003480>] ? do_debug+0x30/0x30
[<00003480>] ? do_debug+0x30/0x30
[<000590ec>] ? try_to_wake_up+0x17c/0x200
[<00353537>] ? intel_dp_compute_config+0x2f7/0x3c0
[<00055f16>] ? __wake_up_common+0x46/0x70
[<0037c610>] ? handle_remove+0x210/0x210
[<0037c610>] ? handle_remove+0x210/0x210
[<0004eb42>] ? kthread+0x92/0xa0
[<0061935b>] ? ret_from_kernel_thread+0x1b/0x30
[<0004eab0>] ? __kthread_parkme+0x60/0x60
PAX: suspicious general protection fault: fffa [#1] PREEMPT SMP
CPU: 0 PID: 12 Comm: kdevtmpfs Not tainted 3.10.0-grsec-20130627 #2
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: c7898030 ti: c78982a8 task.ti: c78982a8
EIP: 0060:[<006117a2>] EFLAGS: 00000246 CPU: 0
EAX: 00000000 EBX: c7898030 ECX: c1c1dabc EDX: 00000046
ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: c78a5e14
DS: 0068 ES: 0068 FS: 00d8 GS: 0068 SS: 0068
CR0: 8005003b CR2: ffe38000 CR3: 01a05000 CR4: 000006b0
DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
DR6: 00000000 DR7: 00000000
Stack:
c1b37110 c1e87180 c7898030 c78011e0 00000000 c1b3be1d 00256a19 c1b58c5c
00000000 c1b3bcf3 00000009 c78011e0 c1b3be18 000c5948 c1b42c80 c1b3be1d
c1b41143 c78011e0 c78014c0 00000009 00000202 000dc3c3 00000009 c78011e0
Call Trace:
[<00256a19>] ? gr_handle_kernel_exploit+0x109/0x110
[<000c5948>] ? __check_object_size+0xd8/0x130
[<000dc3c3>] ? copy_mnt_ns+0x1b3/0x240
[<000955fa>] ? memdup_user+0x2a/0x100
[<00020200>] ? acpi_processor_power_init_bm_check+0x60/0x60
[<00095811>] ? strndup_user+0x31/0x50
[<000db4a6>] ? copy_mount_string+0x16/0x40
[<000dbdb8>] ? SyS_mount+0x28/0xc0
[<00030adf>] ? SyS_unshare+0x1ef/0x230
[<00008000>] ? force_hpet_resume+0x1a0/0x1c0
[<0037c610>] ? handle_remove+0x210/0x210
[<0037c676>] ? devtmpfsd+0x66/0x300
[<00008000>] ? force_hpet_resume+0x1a0/0x1c0
[<00003480>] ? do_debug+0x30/0x30
[<00003480>] ? do_debug+0x30/0x30
[<00003480>] ? do_debug+0x30/0x30
[<000590ec>] ? try_to_wake_up+0x17c/0x200
[<00353537>] ? intel_dp_compute_config+0x2f7/0x3c0
[<00055f16>] ? __wake_up_common+0x46/0x70
[<0037c610>] ? handle_remove+0x210/0x210
[<0037c610>] ? handle_remove+0x210/0x210
[<0004eb42>] ? kthread+0x92/0xa0
[<0061935b>] ? ret_from_kernel_thread+0x1b/0x30
[<0004eab0>] ? __kthread_parkme+0x60/0x60
Code: 00 be 65 00 00 00 4e 74 0c b8 58 89 41 00 e8 46 ab c5 ff eb f1 83 c3 64 eb c2 83 3d 4c 71 e8 c1 00 74 05 e8 81 29 a3 ff fb 31 f6 <39> fe 7c 13 83 f5 01 89 e8 ff 15 40 71 e8 c1 01 c6 8d be c8 00
EIP: [<006117a2>] panic+0x128/0x158 SS:ESP 0068:c78a5e14
---[ end trace 40c18de78641a455 ]---

Re: linux-3.10 panic due to memory overwrite

Posted: Fri Jul 12, 2013 6:43 pm
by PaX Team
do you have SLAB enabled? if yes can you also try with SLUB?

Re: linux-3.10 panic due to memory overwrite

Posted: Sat Jul 13, 2013 12:52 am
by fly_a320
Yes, I used SLAB. I tried SLUB; the kernel now boots but the latency is very high, e.g. when moving the mouse the first time it takes literally seconds until the pointer starts to move. And when starting thunderbird I got another kernel panic. I guess I will revert to the 3.9 series for a while.

thanks,

thorsten

Re: linux-3.10 panic due to memory overwrite

Posted: Sat Jul 13, 2013 3:12 am
by PaX Team
the SLAB problem will be fixed in the next patch, however i'd like to see what else you ran into if you still have the logs, otherwise it'll be hard to fix it ;).

Re: linux-3.10 panic due to memory overwrite

Posted: Sat Jul 13, 2013 6:05 am
by fly_a320
I'll try to get the log of the crash. Anything else you guys need? configs or something?

Re: linux-3.10 panic due to memory overwrite

Posted: Sun Jul 14, 2013 3:48 am
by fly_a320
OK, with SLUB I get kernel panics when executing e.g. firefox/thunderbird. Since these are hard crashes, I am unable to get a crashdump. I tried to get kexec to work but failed miserably. The best I could do is take a literal screenshot of the crash.

see: http://flya320.dyndns.org/dump.jpg:20174

thorsten

Re: linux-3.10 panic due to memory overwrite

Posted: Sun Jul 14, 2013 11:52 am
by spender
The firefox/thunderbird panic should be fixed in the latest patch now as well.

Thanks,
-Brad

Re: linux-3.10 panic due to memory overwrite

Posted: Sun Jul 14, 2013 12:04 pm
by fly_a320
Thanks,

thorsten