From: Sasha Levin <sasha.levin@oracle.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: net: netlink executing RO memory
Date: Thu, 05 Jun 2014 16:21:38 -0400 [thread overview]
Message-ID: <5390D152.30702@oracle.com> (raw)
Hi all,
While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel I've stumbled on the following spew:
[ 306.065161] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 306.067295] BUG: unable to handle kernel paging request at ffff880053b8fd08
[ 306.069237] IP: 0xffff880053b8fd08 (??:?)
[ 306.070071] PGD 24b9c067 PUD 705dd2067 PMD 705d34067 PTE 8000000053b8f163
[ 306.070071] Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 306.070071] Dumping ftrace buffer:
[ 306.070071] (ftrace buffer empty)
[ 306.070071] Modules linked in:
[ 306.070071] CPU: 16 PID: 9577 Comm: trinity-c194 Tainted: G W 3.15.0-rc8-next-20140605-sasha-00020-g833a807 #592
[ 306.070071] task: ffff880053b90000 ti: ffff880053b8c000 task.ti: ffff880053b8c000
[ 306.070071] RIP: 0xffff880053b8fd08 (??:?)
[ 306.070071] RSP: 0018:ffff880053b8fcc8 EFLAGS: 00010287
[ 306.070071] RAX: ffff8806286e8000 RBX: 0000000000000000 RCX: 0000004742e748d4
[ 306.070071] RDX: 0000000000000007 RSI: ffffffff9fffd31c RDI: ffffffffa0558ed5
[ 306.070071] RBP: ffff880053b8fd08 R08: 0000000000005d3c R09: 0000000000000000
[ 306.070071] R10: 0000000000000000 R11: 0000000000000001 R12: ffff880053b8fdf8
[ 306.070071] R13: ffff8803d55b8000 R14: ffff88065ea35cd0 R15: 0000000000000000
[ 306.070071] FS: 00007f5c3bb31700(0000) GS:ffff8803d7000000(0000) knlGS:0000000000000000
[ 306.070071] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 306.070071] CR2: ffff880053b8fd08 CR3: 0000000053b6b000 CR4: 00000000000006a0
[ 306.070071] DR0: 00000000006d6000 DR1: 00000000006d6000 DR2: 0000000000000000
[ 306.070071] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 000000000095060a
[ 306.070071] Stack:
[ 306.070071] ffff880053b8fdc8 00000000026d7de0 0000000000000010 7fffffffffffffff
[ 306.070071] 0000000000000000 ffff88065ea35cd0 0000000000000001 0000000000000000
[ 306.095047] ffff880053b8fda8 ffffffffa0000ad1 ffff8803d55b8000 ffff8803d71d8340
[ 306.095047] Call Trace:
[ 306.095047] netlink_sendmsg (net/netlink/af_netlink.c:2398)
[ 306.095047] sock_aio_write (net/socket.c:959 net/socket.c:974)
[ 306.095047] ? sched_clock_local (kernel/sched/clock.c:214)
[ 306.095047] ? vtime_account_user (kernel/sched/cputime.c:687)
[ 306.095047] do_sync_write (fs/read_write.c:458)
[ 306.095047] vfs_write (fs/read_write.c:534)
[ 306.095047] SyS_write (fs/read_write.c:584 fs/read_write.c:576)
[ 306.095047] tracesys (arch/x86/kernel/entry_64.S:542)
[ 306.095047] Code: 00 00 00 ff ff ff ff ff ff ff 7f 00 00 00 00 00 00 00 00 d0 5c a3 5e 06 88 ff ff 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <a8> fd b8 53 00 88 ff ff d1 0a 00 a0 ff ff ff ff 00 80 5b d5 03
All code
========
0: 00 00 add %al,(%rax)
2: 00 ff add %bh,%bh
4: ff (bad)
5: ff (bad)
6: ff (bad)
7: ff (bad)
8: ff (bad)
9: ff (bad)
a: 7f 00 jg 0xc
c: 00 00 add %al,(%rax)
e: 00 00 add %al,(%rax)
10: 00 00 add %al,(%rax)
12: 00 d0 add %dl,%al
14: 5c pop %rsp
15: a3 5e 06 88 ff ff 01 movabs %eax,0x1ffff88065e
1c: 00 00
...
2a:* 00 a8 fd b8 53 00 add %ch,0x53b8fd(%rax) <-- trapping instruction
30: 88 ff mov %bh,%bh
32: ff d1 callq *%rcx
34: 0a 00 or (%rax),%al
36: a0 ff ff ff ff 00 80 movabs 0xd55b8000ffffffff,%al
3d: 5b d5
3f: 03 00 add (%rax),%eax
Code starting with the faulting instruction
===========================================
0: a8 fd test $0xfd,%al
2: b8 53 00 88 ff mov $0xff880053,%eax
7: ff d1 callq *%rcx
9: 0a 00 or (%rax),%al
b: a0 ff ff ff ff 00 80 movabs 0xd55b8000ffffffff,%al
12: 5b d5
14: 03 00 add (%rax),%eax
[ 306.095047] RIP 0xffff880053b8fd08 (??:?)
[ 306.095047] RSP <ffff880053b8fcc8>
[ 306.095047] CR2: ffff880053b8fd08
Thanks,
Sasha
next reply other threads:[~2014-06-05 20:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-05 20:21 Sasha Levin [this message]
2014-06-06 5:45 ` net: netlink executing RO memory Sasha Levin
2014-06-07 15:07 ` Sasha Levin
2014-06-07 20:36 ` Thomas Gleixner
2014-06-07 20:40 ` Thomas Gleixner
2014-06-06 9:02 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5390D152.30702@oracle.com \
--to=sasha.levin@oracle.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=eric.dumazet@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox