Bug 1415494 - kernel memory exposure attempt
Summary: kernel memory exposure attempt
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 25
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-01-22 15:52 UTC by Donald O'Dona
Modified: 2019-01-09 12:54 UTC (History)
Last Closed: 2017-02-16 22:05:02 UTC
Type: Bug

Description Donald O'Dona 2017-01-22 15:52:58 UTC
Description of problem:
Message from syslogd@XXX at Jan 22 16:33:26 ...
 kernel:usercopy: kernel memory exposure attempt detected from ffff8882d4b38bac

Version-Release number of selected component (if applicable):
Fedora 25
kernel:Linux XXX 4.9.4-201.fc25.x86_64

How reproducible:
appears suddenly


Steps to Reproduce:
1. boot 
2. login
3.

Actual results:
Message from syslogd@XXX at Jan 22 16:33:26 ...
 kernel:usercopy: kernel memory exposure attempt detected from ffff8882d4b38bac

Expected results:
-

Additional info:

Comment 1 Laura Abbott 2017-01-24 19:02:01 UTC
Can you give the kernel logs from when this happened?

Comment 2 Donald O. 2017-02-16 07:39:24 UTC
Please close the request. Thanks.

Comment 3 tony 2017-03-31 20:15:33 UTC
I have suffered the same issue and can provide data for analysis. 

Mar 31 20:41:07 charon audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 31 20:41:07 charon audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 31 20:41:31 charon audit: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4585 comm="vmx-svga" exe="/usr/lib/vmware/bin/vmware-vmx" sig=6
Mar 31 20:41:31 charon abrt-hook-ccpp: Process 4585 (vmware-vmx) of user 1000 killed by SIGABRT - dumping core
Mar 31 20:41:31 charon abrt-hook-ccpp: /var/spool/abrt is 1683064181 bytes (more than 1279MiB), deleting 'ccpp-2017-03-31-20:36:59-3998'
Mar 31 20:41:46 charon plasmashell: QQuickItem::stackAfter: Cannot stack after 0x560d4a42afa0, which must be a sibling
Mar 31 20:42:05 charon audit: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=4685 comm="vmx-svga" exe="/usr/lib/vmware/bin/vmware-vmx" sig=6
Mar 31 20:42:05 charon abrt-hook-ccpp: Process 4685 (vmware-vmx) of user 1000 killed by SIGABRT - dumping core
Mar 31 20:42:05 charon abrt-hook-ccpp: /var/spool/abrt is 1717299431 bytes (more than 1279MiB), deleting 'ccpp-2017-03-31-20:41:31-4585'
Mar 31 20:42:06 charon kernel: usercopy: kernel memory exposure attempt detected from ffff951f7abc6000 (Acpi-Parse) (4096 bytes)
Mar 31 20:42:06 charon kernel: ------------[ cut here ]------------
Mar 31 20:42:06 charon kernel: kernel BUG at mm/usercopy.c:75!
Mar 31 20:42:06 charon kernel: invalid opcode: 0000 [#2] SMP
Mar 31 20:42:06 charon kernel: Modules linked in: ccm rfcomm ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp llc ebtable_nat ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_raw ip6table_mangle ip6table_security iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c iptable_raw iptable_mangle iptable_security ebtable_filter ebtables ip6table_filter ip6_tables vmnet(OE) ppdev parport_pc parport fuse vmw_vsock_vmci_transport vsock vmw_vmci vmmon(OE) cmac bnep arc4 iTCO_wdt iTCO_vendor_support mei_wdt intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp iwlmvm snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi kvm_intel mac80211 kvm snd_hda_intel snd_hda_codec uvcvideo snd_hda_core irqbypass snd_hwdep intel_cstate
Mar 31 20:42:06 charon kernel: iwlwifi intel_uncore snd_seq btusb intel_rapl_perf snd_seq_device btrtl videobuf2_vmalloc btbcm videobuf2_memops videobuf2_v4l2 btintel videobuf2_core bluetooth snd_pcm cfg80211 videodev joydev i2c_i801 intel_pch_thermal media thinkpad_acpi rtsx_pci_ms memstick lpc_ich snd_timer shpchp mei_me snd mei soundcore wmi rfkill tpm_tis tpm_tis_core tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc dm_crypt uas usb_storage i915 rtsx_pci_sdmmc mmc_core crct10dif_pclmul crc32_pclmul crc32c_intel i2c_algo_bit drm_kms_helper ghash_clmulni_intel e1000e drm serio_raw rtsx_pci ptp pps_core fjes video
Mar 31 20:42:06 charon kernel: CPU: 0 PID: 4650 Comm: vmx-svga Tainted: G      D    OE   4.10.6-200.fc25.x86_64 #1
Mar 31 20:42:06 charon kernel: Hardware name: LENOVO 20BWS3510K/20BWS3510K, BIOS JBET56WW (1.21 ) 01/27/2016
Mar 31 20:42:06 charon kernel: task: ffff95204f02cb00 task.stack: ffffb1d00a964000
Mar 31 20:42:06 charon kernel: RIP: 0010:__check_object_size+0x77/0x1d7
Mar 31 20:42:06 charon kernel: RSP: 0018:ffffb1d00a967940 EFLAGS: 00010286
Mar 31 20:42:06 charon kernel: RAX: 0000000000000061 RBX: ffff951f7abc6000 RCX: 0000000000000000
Mar 31 20:42:06 charon kernel: RDX: 0000000000000000 RSI: ffff95206dc0e0e8 RDI: ffff95206dc0e0e8
Mar 31 20:42:06 charon kernel: RBP: ffffb1d00a967960 R08: 0000000000098c30 R09: 00000000000003cb
Mar 31 20:42:06 charon kernel: R10: 0000000000000038 R11: ffffffffb6224d0d R12: 0000000000001000
Mar 31 20:42:06 charon kernel: R13: 0000000000000001 R14: ffff951f7abc7000 R15: 00007efc095734a0
Mar 31 20:42:06 charon kernel: FS:  00007efc09577700(0000) GS:ffff95206dc00000(0000) knlGS:0000000000000000
Mar 31 20:42:06 charon kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Mar 31 20:42:06 charon kernel: CR2: 00007fb4cef3d000 CR3: 000000023b31d000 CR4: 00000000003406f0
Mar 31 20:42:06 charon kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Mar 31 20:42:06 charon kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Mar 31 20:42:06 charon kernel: Call Trace:
Mar 31 20:42:06 charon kernel: HostIF_CopyToUser+0x26/0x50 [vmmon]
Mar 31 20:42:06 charon kernel: HostIF_ReadPage+0x6d/0xc0 [vmmon]
Mar 31 20:42:06 charon kernel: LinuxDriver_Ioctl+0x7bc/0xb10 [vmmon]
Mar 31 20:42:06 charon kernel: ? __find_get_block+0xb4/0x260
Mar 31 20:42:06 charon kernel: ? find_get_pages+0x1bb/0x290
Mar 31 20:42:06 charon kernel: ? __ext4_handle_dirty_metadata+0x48/0x200
Mar 31 20:42:06 charon kernel: ? ext4_mark_iloc_dirty+0x53e/0x7c0
Mar 31 20:42:06 charon kernel: ? __ext4_journal_get_write_access+0x3b/0x80
Mar 31 20:42:06 charon kernel: ? __wake_up+0x44/0x50
Mar 31 20:42:06 charon kernel: ? jbd2_journal_stop+0x1a1/0x3f0
Mar 31 20:42:06 charon kernel: ? ext4_dirty_inode+0x5c/0x70
Mar 31 20:42:06 charon kernel: ? __ext4_journal_stop+0x3d/0xa0
Mar 31 20:42:06 charon kernel: ? ext4_da_write_end+0x136/0x2b0
Mar 31 20:42:06 charon kernel: ? iov_iter_copy_from_user_atomic+0xb2/0x340
Mar 31 20:42:06 charon kernel: ? generic_perform_write+0x13c/0x1c0
Mar 31 20:42:06 charon kernel: ? __generic_file_write_iter+0x185/0x1d0
Mar 31 20:42:06 charon kernel: ? ext4_file_write_iter+0x96/0x370
Mar 31 20:42:06 charon kernel: ? set_next_entity+0xc3/0x1a0
Mar 31 20:42:06 charon kernel: do_vfs_ioctl+0xa3/0x5f0
Mar 31 20:42:06 charon kernel: SyS_ioctl+0x79/0x90
Mar 31 20:42:06 charon kernel: entry_SYSCALL_64_fastpath+0x1a/0xa9
Mar 31 20:42:06 charon kernel: RIP: 0033:0x7efe40a9f787
Mar 31 20:42:06 charon kernel: RSP: 002b:00007efc09573498 EFLAGS: 00003206 ORIG_RAX: 0000000000000010
Mar 31 20:42:06 charon kernel: RAX: ffffffffffffffda RBX: 00000000000c63e0 RCX: 00007efe40a9f787
Mar 31 20:42:06 charon kernel: RDX: 00007efc095734a0 RSI: 00000000000007e6 RDI: 000000000000000f
Mar 31 20:42:06 charon kernel: RBP: 00007efc095733b0 R08: fffffffffffffff0 R09: 00007efc040163e0
Mar 31 20:42:06 charon kernel: R10: 00007efc09573aa1 R11: 0000000000003206 R12: 000000000023444e
Mar 31 20:42:06 charon kernel: R13: 0000000000004000 R14: 00007efc04001120 R15: 0000000000000000
Mar 31 20:42:06 charon kernel: Code: 48 0f 44 d1 48 c7 c6 b4 c3 c6 b5 48 c7 c1 e5 fe c5 b5 48 0f 44 f1 4d 89 e1 49 89 c0 48 89 d9 48 c7 c7 90 87 c6 b5 e8 f8 60 f6 ff <0f> 0b e8 b2 78 fb ff 85 c0 75 73 48 89 df e8 a6 fb e0 ff 84 c0 
Mar 31 20:42:06 charon kernel: RIP: __check_object_size+0x77/0x1d7 RSP: ffffb1d00a967940
Mar 31 20:42:06 charon kernel: ---[ end trace 650b4605bf2d6e5f ]---
Mar 31 20:42:08 charon abrt-dump-journal-oops: abrt-dump-journal-oops: Found oopses: 1
Mar 31 20:42:08 charon abrt-dump-journal-oops: abrt-dump-journal-oops: Creating problem directories
Mar 31 20:42:08 charon abrt-server: Can't find a meaningful backtrace for hashing in '.'
Mar 31 20:42:08 charon abrt-server: Option 'DropNotReportableOopses' is not configured
Mar 31 20:42:08 charon abrt-server: Preserving oops '.' because DropNotReportableOopses is 'no'

Just let me know what you need and I will add when possible.

Comment 4 Laura Abbott 2017-03-31 21:21:53 UTC
This is coming from the out of tree vmware modules which Fedora doesn't support. This issue must be reported to vmware.
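
The attribution made in Comment 4, as an added example (not code from this bug report or from Fedora): a Python function that reads a hardened-usercopy oops and reports which module issued the rejected copy and whether the kernel flags that module as out-of-tree. The sample log is constructed by abridging the lines in Comment 3; `triage` and its field names are hypothetical.

```python
import re

# Constructed sample: lines abridged from the oops quoted in Comment 3.
SAMPLE = """\
Mar 31 20:42:06 charon kernel: usercopy: kernel memory exposure attempt detected from ffff951f7abc6000 (Acpi-Parse) (4096 bytes)
Mar 31 20:42:06 charon kernel: kernel BUG at mm/usercopy.c:75!
Mar 31 20:42:06 charon kernel: Modules linked in: ccm rfcomm vmnet(OE) vsock vmw_vmci vmmon(OE) kvm_intel kvm i915
Mar 31 20:42:06 charon kernel: CPU: 0 PID: 4650 Comm: vmx-svga Tainted: G      D    OE   4.10.6-200.fc25.x86_64 #1
Mar 31 20:42:06 charon kernel: Call Trace:
Mar 31 20:42:06 charon kernel: HostIF_CopyToUser+0x26/0x50 [vmmon]
Mar 31 20:42:06 charon kernel: HostIF_ReadPage+0x6d/0xc0 [vmmon]
Mar 31 20:42:06 charon kernel: LinuxDriver_Ioctl+0x7bc/0xb10 [vmmon]
Mar 31 20:42:06 charon kernel: ? __find_get_block+0xb4/0x260
Mar 31 20:42:06 charon kernel: do_vfs_ioctl+0xa3/0x5f0
Mar 31 20:42:06 charon kernel: SyS_ioctl+0x79/0x90
"""

USERCOPY = re.compile(r"usercopy: kernel memory (exposure|overwrite) attempt detected "
                      r"(?:from|to) ([0-9a-f]+)(?: \(([^)]*)\))?(?: \((\d+) bytes\))?")
FRAME = re.compile(r"kernel: (\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?\s*$")
MODULE = re.compile(r"(\w+)\(([A-Z]+)\)")  # module(FLAGS) entries in "Modules linked in:"

def triage(log: str) -> dict:
    """Summarise a usercopy oops: what was being copied and which module asked for it."""
    out = {"kind": None, "object": None, "bytes": None, "frames": [],
           "module": None, "out_of_tree": False}
    flagged, in_trace = {}, False
    for line in log.splitlines():
        if (m := USERCOPY.search(line)):
            out["kind"], out["object"] = m.group(1), m.group(3)
            out["bytes"] = int(m.group(4)) if m.group(4) else None
        elif "Modules linked in:" in line:
            flagged = dict(MODULE.findall(line))
        elif "Call Trace:" in line:
            in_trace = True
        elif in_trace and (m := FRAME.search(line)):
            if m.group(1) is None:  # skip "?" frames: stack leftovers, not verified callers
                out["frames"].append((m.group(2), m.group(3)))
        elif in_trace:
            in_trace = False  # first non-frame line ends the trace
    # The first verified frame is the function that invoked the user copy.
    if out["frames"]:
        out["module"] = out["frames"][0][1]
    # "O" in a module's flags marks it as out-of-tree.
    out["out_of_tree"] = "O" in flagged.get(out["module"] or "", "")
    return out
```

Run on the sample, `triage(SAMPLE)` attributes the 4096-byte copy from the `Acpi-Parse` slab object to `vmmon`, which the module list marks `(OE)`. A bare broadcast line like the one in the Description yields no module, which is why the full kernel log was requested in Comment 1.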

Comment 5 tony 2017-03-31 21:23:50 UTC
OK thank you.

