grsecurity forums


https://forums.grsecurity.net./

Deadly bug with X-Plane 10 - or malicious actions by it?

https://forums.grsecurity.net./viewtopic.php?f=3&t=4351

Page 1 of 1

Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Sun Dec 27, 2015 10:52 am
by Toquinha
Recently, whenever I quit X-Plane 10, my system will freeze to death, only a reboot solves it. My first suspicion was Firejail because of how it causes a bug to appear on Pulseaudio (that renders pulse almost unusable), but I don't think that is the problem.
I zeroed my HD, started from scratch, downloaded 300 GB of data, and it still happens. Here are the lines on journalctl:

Code: Select all
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c08d992>] __schedule_bug+0x52/0x60
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5e5ad4>] __schedule+0xa04/0xcf0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c1237eb>] ? printk+0x6b/0x90
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5e5df5>] schedule+0x35/0x80
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c06816a>] do_exit+0x97a/0xb60
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0683d7>] do_group_exit+0x37/0xa0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0078ca>] oops_end+0x9a/0xe0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c007ba6>] die+0x46/0x70
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c004afa>] do_general_protection+0xca/0x150
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5ebc28>] general_protection+0x28/0x30
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0b1238>] ? mutex_optimistic_spin+0x48/0x1c0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5eadb4>] ? retint_kernel+0x22/0x2c
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5e6eb4>] __mutex_lock_slowpath+0x44/0x150
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5e6d22>] mutex_lock+0x22/0x40
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc01b87fe>] radeon_mn_unregister+0x3e/0xa0 [radeon]
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc00fef4d>] radeon_gem_object_free+0x4d/0x80 [radeon]
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc00056b9>] drm_gem_object_free+0x39/0x60 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc00057e4>] drm_gem_object_handle_unreference_unlocked+0x104/0x120 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc000608b>] drm_gem_object_release_handle+0x5b/0x80 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c2d6d1c>] idr_for_each+0xcc/0x130
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc0006030>] ? drm_gem_dumb_destroy+0x30/0x30 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c186e16>] ? kmem_cache_free+0x1e6/0x210
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc00066d1>] drm_gem_release+0x21/0x40 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc0005456>] drm_release+0x3f6/0x4e0 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c1aa6a4>] __fput+0xa4/0x210
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c1aa850>] ____fput+0x10/0x20
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c086790>] task_work_run+0x80/0xa0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c067b09>] do_exit+0x319/0xb60
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0683d7>] do_group_exit+0x37/0xa0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c075440>] get_signal+0x230/0x580
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c003978>] do_signal+0x48/0x7f0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0014b3>] prepare_exit_to_usermode+0x93/0xe0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0015dd>] syscall_return_slowpath+0xdd/0x1b0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0e1e7e>] ? SyS_futex+0x1ae/0x290
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5ea3f1>] int_ret_from_sys_call+0x25/0xa4
Dec 27 04:44:27 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:27 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:27 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:26 amarildo polkitd[482]: Unregistered Authentication Agent for unix-session:c2 (system bus name :1.31, object path /org/mate/Po
Dec 27 04:44:26 amarildo sddm-helper[578]: [PAM] Ended.
Dec 27 04:44:26 amarildo sddm[461]: Auth: sddm-helper exited with 9
Dec 27 04:44:26 amarildo sddm[461]: Socket server stopping...
Dec 27 04:44:26 amarildo sddm[461]: Socket server stopped.
Dec 27 04:44:26 amarildo sddm[461]: Display server stopping...
Dec 27 04:44:27 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:28 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:29 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:30 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:31 amarildo sddm[461]: Removing display ":0" ...
Dec 27 04:44:31 amarildo sddm[461]: Adding new display on vt 1 ...
Dec 27 04:44:31 amarildo sddm[461]: Display server starting...
Dec 27 04:44:31 amarildo sddm[461]: Running: /usr/bin/X -nolisten tcp -auth /var/run/sddm/{a1136b5f-9739-4192-a86b-b3dc6345c126} -background
Dec 27 04:44:32 amarildo dhclient[493]: DHCPREQUEST on enp0s7 to 189.7.136.32 port 67
Dec 27 04:44:32 amarildo dhclient[493]: send_packet: Operation not permitted
Dec 27 04:44:32 amarildo dhclient[493]: dhclient.c:2237: Failed to send 300 byte long packet over fallback interface.
Dec 27 04:44:32 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=189.7.136.32 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=9974
Dec 27 04:44:33 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:33 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:41 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:41 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:42 amarildo dhclient[493]: DHCPREQUEST on enp0s7 to 189.7.136.32 port 67
Dec 27 04:44:42 amarildo dhclient[493]: send_packet: Operation not permitted
Dec 27 04:44:42 amarildo dhclient[493]: dhclient.c:2237: Failed to send 300 byte long packet over fallback interface.
Dec 27 04:44:42 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=189.7.136.32 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=1227
Dec 27 04:44:50 amarildo systemd-logind[460]: Power key pressed.
Dec 27 04:44:50 amarildo systemd-logind[460]: Powering Off...
Dec 27 04:44:50 amarildo systemd-logind[460]: System is powering down.
-- Reboot --


You can see "RULE 21" is not allowing packats to be sent. Here are my firewall rules: http://pastebin.com/RwWCDDDL

My config:

Arch Linux
Radeon driver
linux-grsec (4.3.3.201512222129-1) paxd checksec pax-utils paxtest
softmode=0
Disabled MPROTECT for X-Plane

Steps to reproduce:

1) Use X-Plane 10.42 (I think the demo version could still cause this);
2) Download the following scenery and plugins: http://pastebin.com/NJaNECDJ
3) Run X-Plane
4) Upon exiting, your entire system will freeze

So, the question is: Is this a bug in grsecurity? Or a malicious action by X-Plane? It didn't use to happen in older versions of grsecurity

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Sun Dec 27, 2015 11:04 am
by spender
This looks like a use after free bug in the Radeon code, likely made visible by PAX_MEMORY_SANITIZE, which though I can't see the full oops report, very likely caused a deref of a non-canonical pointer value (hence do_general_protection in the stack trace). Could you provide the top of the oops report that contains the oops reason and register contents?

Thanks,
-Brad

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Sun Dec 27, 2015 11:24 am
by Toquinha
I'm not sure what the top of the oops is, but I think anything from 4:44 AM is valid :) If the following isn't enough, then I can past more text here, from before 4:44.

Code: Select all
Dec 27 12:30:12 amarildo kernel: system 00:05: [io  0x0280-0x028f] has been reserved
Dec 27 12:30:12 amarildo kernel: system 00:05: [io  0x0290-0x029f] has been reserved
Dec 27 04:44:01 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=12036 D
Dec 27 04:44:02 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=12083 D
Dec 27 04:44:03 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=12195 D
Dec 27 04:44:04 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=12479 D
Dec 27 04:44:05 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=12711 D
Dec 27 04:44:06 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=12902 D
Dec 27 04:44:07 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=13086 D
Dec 27 04:44:08 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=13106 D
Dec 27 04:44:09 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=13326 D
Dec 27 04:44:10 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=13345 D
Dec 27 04:44:11 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=13547 D
Dec 27 04:44:12 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=13566 D
Dec 27 04:44:13 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=13790 D
Dec 27 04:44:14 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=13846 D
Dec 27 04:44:15 amarildo dhclient[493]: DHCPREQUEST on enp0s7 to 189.7.136.32 port 67
Dec 27 04:44:15 amarildo dhclient[493]: send_packet: Operation not permitted
Dec 27 04:44:15 amarildo dhclient[493]: dhclient.c:2237: Failed to send 300 byte long packet over fallback interface.
Dec 27 04:44:15 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=189.7.136.32 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=5782
Dec 27 04:44:15 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=14079 D
Dec 27 04:44:16 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=14340 D
Dec 27 04:44:17 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=14604 D
Dec 27 04:44:18 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=14633 D
Dec 27 04:44:19 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=14821 D
Dec 27 04:44:20 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=14887 D
Dec 27 04:44:21 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=15170 D
Dec 27 04:44:23 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=15218 D
Dec 27 04:44:24 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=15498 D
Dec 27 04:44:25 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=239.255.1.1 LEN=58 TOS=0x00 PREC=0x00 TTL=1 ID=15543 D
Dec 27 04:44:26 amarildo kernel: RULE 24 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PRO
Dec 27 04:44:26 amarildo kernel: general protection fault: 0000 [#1] PREEMPT SMP
Dec 27 04:44:26 amarildo kernel: Modules linked in: nf_log_ipv4 nf_log_common xt_LOG nf_conntrack_ipv4 nf_defrag_ipv4 xt_tcpudp xt_multiport
Dec 27 04:44:26 amarildo kernel:  libps2 i8042 serio sata_nv pata_amd ohci_pci ohci_hcd ehci_pci ehci_hcd libata scsi_mod usbcore usb_common
Dec 27 04:44:26 amarildo kernel: CPU: 0 PID: 2155 Comm: X-Plane-x86_64 Not tainted 4.3.3.201512222129-1-grsec #1
Dec 27 04:44:26 amarildo kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./N68-VS3 UCC, BIOS P1.20 09/19/2011
Dec 27 04:44:26 amarildo kernel: task: ffff8801e5f3c980 ti: ffff8801e5f3d3c8 task.ti: ffff8801e5f3d3c8
Dec 27 04:44:26 amarildo kernel: RIP: 0010:[<ffffffff8c0b1238>]  [<ffffffff8c0b1238>] mutex_optimistic_spin+0x48/0x1c0
Dec 27 04:44:26 amarildo kernel: RSP: 0018:ffffc900011138f0  EFLAGS: 00010282
Dec 27 04:44:26 amarildo kernel: RAX: fefefefefefefefe RBX: ffff8800d062f5d0 RCX: ffff8802141c8738
Dec 27 04:44:26 amarildo kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800d062f5d0
Dec 27 04:44:26 amarildo kernel: RBP: ffffc90001113940 R08: 0000000000000000 R09: ffff880217003900
Dec 27 04:44:26 amarildo kernel: R10: ffff8800b94828d0 R11: 0000069d221a7642 R12: 0000000000000000
Dec 27 04:44:26 amarildo kernel: R13: ffff8801e5f3c980 R14: 0000000000000000 R15: ffff8800d062f5d0
Dec 27 04:44:26 amarildo kernel: FS:  0000032f4b704700(0000) GS:ffff88021fc00000(0000) knlGS:00000000dcc40b40
Dec 27 04:44:26 amarildo kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Dec 27 04:44:26 amarildo kernel: CR2: 000003d28a2cbbd8 CR3: 000000000c5f8000 CR4: 00000000000006f0
Dec 27 04:44:26 amarildo kernel: Stack:
Dec 27 04:44:26 amarildo kernel:  ffffffff8c5eadb4 00000000000011c0 0000000001113900 ffff8801e5f3c980
Dec 27 04:44:26 amarildo kernel:  ffffc900011139f8 ffff8800d062f5d0 ffff8802141cab58 ffff8801e5f3c980
Dec 27 04:44:26 amarildo kernel:  0000000000000000 ffff8800d062f5d0 ffffc90001113998 ffffffff8c5e6eb4
Dec 27 04:44:26 amarildo kernel: Call Trace:
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c5eadb4>] ? retint_kernel+0x22/0x2c
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c5e6eb4>] __mutex_lock_slowpath+0x44/0x150
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c5e6d22>] mutex_lock+0x22/0x40
Dec 27 04:44:26 amarildo kernel:  [<ffffffffc01b87fe>] radeon_mn_unregister+0x3e/0xa0 [radeon]
Dec 27 04:44:26 amarildo kernel:  [<ffffffffc00fef4d>] radeon_gem_object_free+0x4d/0x80 [radeon]
Dec 27 04:44:26 amarildo kernel:  [<ffffffffc00056b9>] drm_gem_object_free+0x39/0x60 [drm]
Dec 27 04:44:26 amarildo kernel:  [<ffffffffc00057e4>] drm_gem_object_handle_unreference_unlocked+0x104/0x120 [drm]
Dec 27 04:44:26 amarildo kernel:  [<ffffffffc000608b>] drm_gem_object_release_handle+0x5b/0x80 [drm]
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c2d6d1c>] idr_for_each+0xcc/0x130
Dec 27 04:44:26 amarildo kernel:  [<ffffffffc0006030>] ? drm_gem_dumb_destroy+0x30/0x30 [drm]
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c186e16>] ? kmem_cache_free+0x1e6/0x210
Dec 27 04:44:26 amarildo kernel:  [<ffffffffc00066d1>] drm_gem_release+0x21/0x40 [drm]
Dec 27 04:44:26 amarildo kernel:  [<ffffffffc0005456>] drm_release+0x3f6/0x4e0 [drm]
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c1aa6a4>] __fput+0xa4/0x210
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c1aa850>] ____fput+0x10/0x20
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c086790>] task_work_run+0x80/0xa0
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c067b09>] do_exit+0x319/0xb60
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c0683d7>] do_group_exit+0x37/0xa0
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c075440>] get_signal+0x230/0x580
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c003978>] do_signal+0x48/0x7f0
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c0014b3>] prepare_exit_to_usermode+0x93/0xe0
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c0015dd>] syscall_return_slowpath+0xdd/0x1b0
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c0e1e7e>] ? SyS_futex+0x1ae/0x290
Dec 27 04:44:26 amarildo kernel:  [<ffffffff8c5ea3f1>] int_ret_from_sys_call+0x25/0xa4
Dec 27 04:44:26 amarildo kernel: Code: 65 48 8b 04 25 c0 9d 00 00 48 89 45 c8 65 48 8b 04 25 58 9d 00 00 48 8b 00 a8 08 75 1c e8 61 20 01 00
Dec 27 04:44:26 amarildo kernel: RIP  [<ffffffff8c0b1238>] mutex_optimistic_spin+0x48/0x1c0
Dec 27 04:44:26 amarildo kernel:  RSP <ffffc900011138f0>
Dec 27 04:44:26 amarildo kernel: ---[ end trace 0719ac91e1701343 ]---
Dec 27 04:44:26 amarildo kernel: grsec: banning user with uid 1000 until system restart for suspicious kernel crash
Dec 27 04:44:26 amarildo kernel: Fixing recursive fault but reboot is needed!
Dec 27 04:44:27 amarildo kernel: BUG: scheduling while atomic: X-Plane-x86_64/2155/0x00000002
Dec 27 04:44:27 amarildo kernel: Modules linked in: nf_log_ipv4 nf_log_common xt_LOG nf_conntrack_ipv4 nf_defrag_ipv4 xt_tcpudp xt_multiport
Dec 27 04:44:27 amarildo kernel:  libps2 i8042 serio sata_nv pata_amd ohci_pci ohci_hcd ehci_pci ehci_hcd libata scsi_mod usbcore usb_common
Dec 27 04:44:27 amarildo kernel: CPU: 0 PID: 2155 Comm: X-Plane-x86_64 Tainted: G      D         4.3.3.201512222129-1-grsec #1
Dec 27 04:44:27 amarildo kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./N68-VS3 UCC, BIOS P1.20 09/19/2011
Dec 27 04:44:27 amarildo kernel:  0000000000000002 813b1c1fe5336ea0 0000000000000000 00000000000100c0
Dec 27 04:44:27 amarildo kernel:  ffffc90001113660 ffffffff8c2d63a0 ffff8801e5f3c980 ffffc90001113678
Dec 27 04:44:27 amarildo kernel:  ffffffff8c08d992 ffff88021fc100c0 ffffc900011136f0 ffffffff8c5e5ad4
Dec 27 04:44:27 amarildo kernel: Call Trace:
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c2d63a0>] dump_stack+0x4b/0x8b
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c08d992>] __schedule_bug+0x52/0x60
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5e5ad4>] __schedule+0xa04/0xcf0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c1237eb>] ? printk+0x6b/0x90
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5e5df5>] schedule+0x35/0x80
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c06816a>] do_exit+0x97a/0xb60
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0683d7>] do_group_exit+0x37/0xa0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0078ca>] oops_end+0x9a/0xe0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c007ba6>] die+0x46/0x70
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c004afa>] do_general_protection+0xca/0x150
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5ebc28>] general_protection+0x28/0x30
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0b1238>] ? mutex_optimistic_spin+0x48/0x1c0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5eadb4>] ? retint_kernel+0x22/0x2c
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5e6eb4>] __mutex_lock_slowpath+0x44/0x150
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5e6d22>] mutex_lock+0x22/0x40
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc01b87fe>] radeon_mn_unregister+0x3e/0xa0 [radeon]
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc00fef4d>] radeon_gem_object_free+0x4d/0x80 [radeon]
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc00056b9>] drm_gem_object_free+0x39/0x60 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc00057e4>] drm_gem_object_handle_unreference_unlocked+0x104/0x120 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc000608b>] drm_gem_object_release_handle+0x5b/0x80 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c2d6d1c>] idr_for_each+0xcc/0x130
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc0006030>] ? drm_gem_dumb_destroy+0x30/0x30 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c186e16>] ? kmem_cache_free+0x1e6/0x210
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc00066d1>] drm_gem_release+0x21/0x40 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffffc0005456>] drm_release+0x3f6/0x4e0 [drm]
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c1aa6a4>] __fput+0xa4/0x210
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c1aa850>] ____fput+0x10/0x20
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c086790>] task_work_run+0x80/0xa0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c067b09>] do_exit+0x319/0xb60
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0683d7>] do_group_exit+0x37/0xa0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c075440>] get_signal+0x230/0x580
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c003978>] do_signal+0x48/0x7f0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0014b3>] prepare_exit_to_usermode+0x93/0xe0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0015dd>] syscall_return_slowpath+0xdd/0x1b0
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c0e1e7e>] ? SyS_futex+0x1ae/0x290
Dec 27 04:44:27 amarildo kernel:  [<ffffffff8c5ea3f1>] int_ret_from_sys_call+0x25/0xa4
Dec 27 04:44:27 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:27 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:27 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:27 amarildo kernel: RULE 24 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PRO
Dec 27 04:44:27 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:27 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:26 amarildo polkitd[482]: Unregistered Authentication Agent for unix-session:c2 (system bus name :1.31, object path /org/mate/Po
Dec 27 04:44:26 amarildo sddm-helper[578]: [PAM] Ended.
Dec 27 04:44:26 amarildo sddm[461]: Auth: sddm-helper exited with 9
Dec 27 04:44:26 amarildo sddm[461]: Socket server stopping...
Dec 27 04:44:26 amarildo sddm[461]: Socket server stopped.
Dec 27 04:44:26 amarildo sddm[461]: Display server stopping...
Dec 27 04:44:27 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:28 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:29 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:30 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:31 amarildo sddm[461]: Removing display ":0" ...
Dec 27 04:44:31 amarildo sddm[461]: Adding new display on vt 1 ...
Dec 27 04:44:31 amarildo sddm[461]: Display server starting...
Dec 27 04:44:31 amarildo sddm[461]: Running: /usr/bin/X -nolisten tcp -auth /var/run/sddm/{a1136b5f-9739-4192-a86b-b3dc6345c126} -background
Dec 27 04:44:32 amarildo dhclient[493]: DHCPREQUEST on enp0s7 to 189.7.136.32 port 67
Dec 27 04:44:32 amarildo dhclient[493]: send_packet: Operation not permitted
Dec 27 04:44:32 amarildo dhclient[493]: dhclient.c:2237: Failed to send 300 byte long packet over fallback interface.
Dec 27 04:44:32 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=189.7.136.32 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=9974
Dec 27 04:44:33 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:33 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:41 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=200.174.148.18 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:41 amarildo kernel: INVALID state -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=162.254.193.19 LEN=52 TOS=0x00 PREC=0x00 TTL=64
Dec 27 04:44:42 amarildo dhclient[493]: DHCPREQUEST on enp0s7 to 189.7.136.32 port 67
Dec 27 04:44:42 amarildo dhclient[493]: send_packet: Operation not permitted
Dec 27 04:44:42 amarildo dhclient[493]: dhclient.c:2237: Failed to send 300 byte long packet over fallback interface.
Dec 27 04:44:42 amarildo kernel: RULE 21 -- DENY IN= OUT=enp0s7 SRC=187.181.245.21 DST=189.7.136.32 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=1227
Dec 27 04:44:50 amarildo systemd-logind[460]: Power key pressed.
Dec 27 04:44:50 amarildo systemd-logind[460]: Powering Off...
Dec 27 04:44:50 amarildo systemd-logind[460]: System is powering down.
-- Reboot --

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Sun Dec 27, 2015 11:51 am
by spender
Could you send your vmlinux (not vmlinuz) file to spender@grsecurity.net? I want to confirm the disassembly from the oops, because it suggests the use after free is happening on dereferencing current_tinfo when calling need_resched() to check TIF_NEED_RESCHED.

-Brad

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Sun Dec 27, 2015 11:57 am
by Toquinha
Absolutely. Expect to receive it in 10 minutes or less.

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Sun Dec 27, 2015 12:01 pm
by Toquinha
I don't have a vmlinux, only vmlinuz. I think this is because I didn't compile the Kernel myself, but installed it from Arch's repos.

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Sun Dec 27, 2015 12:26 pm
by spender
Vmlinuz should be ok for this, send it over anyway.

Thanks,
-Brad

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Sun Dec 27, 2015 1:23 pm
by Toquinha
Done.

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Sun Dec 27, 2015 4:19 pm
by Toquinha
Could you confirm that you received the e-Mail?

Cheers.

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Sun Dec 27, 2015 9:03 pm
by spender
I have, thank you.

-Brad

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Mon Dec 28, 2015 10:40 am
by Toquinha
Hi Brad,

I wonder if you guys reported the problem to mesa developers, or if I should do it.

Have a nice week,
Amarildo

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Mon Dec 28, 2015 10:00 pm
by PaX Team
this seems to be a use-after-free bug in the radeon kernel driver so you'll have to take this to the kernel developers i'm afraid. what i figured out so far is that in drivers/gpu/drm/radeon/radeon_mn.c:radeon_mn_unregister the object pointed at by 'rmn' somehow becomes free and the mutex_lock on it takes the slow path due to the poison value we chose for SANITIZE. __mutex_lock_slowpath then ends up in mutex_optimistic_spin then in mutex_can_spin_on_owner which tries to dereference the lock->owner field that is also poisoned and its value passes the NULL check and triggers a GPF when dereferenced.

Re: Deadly bug with X-Plane 10 - or malicious actions by it?

PostPosted: Mon Dec 28, 2015 11:09 pm
by Toquinha
Thank you so much for your help.

Bug filed: https://bugzilla.kernel.org/show_bug.cgi?id=110121
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/