Package: linux-image-3.16.0-4-amd64
Version: 3.16.43-2+deb8u2
kernel panic on tty driver:
[ 306.962357] BUG: unable to handle kernel paging request at 00007f78bcc12000
[ 306.962595] IP: [<ffffffff812bb2b6>] memcpy+0x6/0x110
[ 306.962758] PGD 846260067 PUD 832d46067 PMD 832cc8067 PTE 0
[ 306.963130] Oops: 0000 [#1] SMP
[ 306.963354] Modules linked in: ipt_MASQUERADE xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack bridge aufs(C) 8021q garp stp mrp llc ipmi_devintf x86_pkg_temp_thermal coretemp kvm_intel kvm iTCO_wdt iTCO_vendor_support mxm_wmi crc32_pclmul evdev dcdbas aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ttm drm_kms_helper drm i2c_algo_bit pcspkr i2c_core lpc_ich mei_me mfd_core mei shpchp ipmi_si ipmi_msghandler wmi processor acpi_power_meter thermal_sys button autofs4 ext4 crc16 mbcache jbd2 sg sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common ahci crc32c_intel libahci libata ehci_pci xhci_hcd ehci_hcd ixgbe dca ptp usbcore pps_core scsi_mod mdio usb_common
[ 306.969565]
[ 306.969640] CPU: 0 PID: 2209 Comm: apt-get Tainted: G C 3.16.0-4-amd64 #1 Debian 3.16.43-2+deb8u2
[ 306.969737] Hardware name: Dell Inc. PowerEdge C6320/082F9M, BIOS 2.1.5 04/12/2016
[ 306.969827] task: ffff88085305c190 ti: ffff880852428000 task.ti: ffff880852428000
[ 306.969939] RIP: 0010:[<ffffffff812bb2b6>] [<ffffffff812bb2b6>] memcpy+0x6/0x110
[ 306.970144] RSP: 0018:ffff88085242bd80 EFLAGS: 00010246
[ 306.970251] RAX: ffff88085291b000 RBX: 0000000000000000 RCX: 0000000000000002
[ 306.970361] RDX: 0000000000000002 RSI: 00007f78bcc12000 RDI: ffff88085291b000
[ 306.970472] RBP: 00007f78bcc12002 R08: 0000000000000002 R09: 0000000000000000
[ 306.970583] R10: 0000000000000002 R11: 0000000000000fc9 R12: 0000000000000002
[ 306.970694] R13: 0000000000001000 R14: ffff88085666e6c0 R15: 0000000000000000
[ 306.970805] FS: 00007f78bcc08740(0000) GS:ffff88087f200000(0000) knlGS:0000000000000000
[ 306.970939] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 306.971047] CR2: 00007f78bcc12000 CR3: 0000000854af6000 CR4: 00000000003407f0
[ 306.971158] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 306.971268] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 306.971379] Stack:
[ 306.971477] ffffffff81375053 ffff88085666e6c8 0000008800011208 ffff88085666e6c0
[ 306.971896] ffffc90019295000 ffff881048f1e400 00007f78bcc12000 0000000000000000
[ 306.972315] 0000000000000001 ffffc90019295000 ffffffff8136e3d6 7fffffffffffffff
[ 306.972734] Call Trace:
[ 306.972840] [<ffffffff81375053>] ? tty_audit_add_data+0x173/0x3a0
[ 306.972950] [<ffffffff8136e3d6>] ? n_tty_read+0x826/0xb70
[ 306.973061] [<ffffffff81098370>] ? wake_up_state+0x10/0x10
[ 306.973168] [<ffffffff813695a8>] ? tty_read+0x88/0x100
[ 306.973276] [<ffffffff811aada3>] ? vfs_read+0x93/0x170
[ 306.973383] [<ffffffff811ab9d2>] ? SyS_read+0x42/0xa0
[ 306.973492] [<ffffffff810f7ef6>] ? __audit_syscall_exit+0x1f6/0x2a0
[ 306.973606] [<ffffffff8151a48d>] ? system_call_fast_compare_end+0x10/0x15
[ 306.973808] Code: 43 50 88 43 4e 5b c3 66 0f 1f 44 00 00 e8 03 fc ff ff 48 8b 43 58 48 2b 43 50 88 43 4e eb e6 90 90 90 90 90 90 48 89 f8 48 89 d1 <f3> a4 c3 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 20 4c 8b 06 4c 8b
[ 306.978655] RIP [<ffffffff812bb2b6>] memcpy+0x6/0x110
[ 306.978834] RSP <ffff88085242bd80>
[ 306.978935] CR2: 00007f78bcc12000
I can reproduce this issue by adding pam_tty_audit.so in /etc/pam.d/sshd, like this:
session required pam_tty_audit.so disable=* enable=root
following the trace:
n_tty_read -> canon_copy_from_read_buf -> tty_copy_to_user -> tty_copy_to_user
the user-space address is used as the kernel address directly.
Checking kernel version 4.4, the code has been changed.
This patch below is OK for me:
diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
index 9ab5c40..f7fbe7d 100644
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -168,7 +168,7 @@ static inline int tty_copy_to_user(struct tty_struct *tty,
{
struct n_tty_data *ldata = tty->disc_data;
- tty_audit_add_data(tty, from, n, ldata->icanon);
+ tty_audit_add_data(tty, to, n, ldata->icanon);
return copy_to_user(to, from, n);
}
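Review bot: the hunk passes `to` to tty_audit_add_data, but in this function `to` is the user-space destination handed to `copy_to_user(to, from, n)` on the very next line, and the oops above shows exactly that pattern: memcpy faulting with RSI = 00007f78bcc12000 (a user address, equal to CR2) as its source while RDI = ffff88085291b000 is a kernel address. Auditing `to` therefore makes the audit path memcpy from a user pointer in kernel context, which is the failure the report itself describes ("the user-space address is used as the kernel address directly"); the data that should be audited is the kernel-side read buffer, `from`. The `-`/`+` lines look reversed relative to a fix that follows this reasoning: the line that should survive is `tty_audit_add_data(tty, from, n, ldata->icanon);`. If the diff was produced from the patched tree against the original, regenerate it with the old tree as the `a/` side, and confirm against the 3.16.43-2+deb8u2 source which argument it passes today before applying anything.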
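The point of the trace, as an added example that is not part of the bug report or of the Debian kernel source: a user-space model of tty_copy_to_user() in which "kernel" and "user" memory are two separate arrays and a fake page-table walk decides which virtual addresses a plain kernel memcpy may touch. It runs the same canonical-mode line through two variants, one auditing the destination pointer `to` and one auditing the source pointer `from`, and shows that only the source pointer can be dereferenced directly from kernel context. The address constants, the EFAULT return in place of a real oops, the function names and the sample keystrokes are all assumptions chosen to mirror the register dump (RSI = 0x00007f78bcc12000 in user space, RDI = 0xffff88085291b000 in the kernel direct map).

```c
/* Added example (not from the bug report or the Debian kernel): a user-space
 * model of the pointer mix-up behind this oops.  "Kernel" and "user" address
 * spaces are two separate arrays, and a fake page-table walk decides whether
 * a virtual address is reachable by a plain kernel memcpy().  Constants,
 * names and layout are assumptions mirroring the register dump above. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EFAULT 14

#define KERNEL_BASE 0xffff880000000000ULL   /* assumed direct-map base (RDI-like) */
#define USER_BASE   0x00007f78bcc12000ULL   /* the faulting user address from CR2 */
#define PAGE        4096

static uint8_t kernel_page[PAGE];   /* backs KERNEL_BASE..+PAGE: the ldisc read buffer */
static uint8_t user_page[PAGE];     /* backs USER_BASE..+PAGE: the caller's read() buffer */
static uint8_t audit_buf[PAGE];     /* where tty_audit_add_data() accumulates keystrokes */

/* Fake page-table walk for a kernel-mode access: only the direct-mapped
 * kernel page is reachable by a plain memcpy().  A user address here is
 * the "PTE 0" case in the oops. */
static uint8_t *kernel_va(uint64_t va, size_t n)
{
    if (va >= KERNEL_BASE && va + n <= KERNEL_BASE + PAGE)
        return kernel_page + (va - KERNEL_BASE);
    return NULL;
}

/* User memory is only legal to touch through the copy_to_user() path,
 * which validates that the destination lies inside the user mapping. */
static uint8_t *user_va(uint64_t va, size_t n)
{
    if (va >= USER_BASE && va + n <= USER_BASE + PAGE)
        return user_page + (va - USER_BASE);
    return NULL;
}

/* Model of tty_audit_add_data(): memcpy() from a kernel pointer into the
 * audit buffer.  Returns -EFAULT where the real kernel would oops. */
static int tty_audit_add_data(uint64_t src, size_t n)
{
    const uint8_t *p = kernel_va(src, n);
    if (!p)
        return -EFAULT;   /* BUG: unable to handle kernel paging request */
    memcpy(audit_buf, p, n);
    return 0;
}

/* Model of copy_to_user(): kernel source, user destination, both checked. */
static int copy_to_user(uint64_t to, uint64_t from, size_t n)
{
    uint8_t *dst = user_va(to, n);
    const uint8_t *src = kernel_va(from, n);
    if (!dst || !src)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Variant 1: audit the destination.  'to' is the user buffer, so the audit
 * memcpy() dereferences a user address in kernel context and faults. */
static int tty_copy_to_user_audit_to(uint64_t to, uint64_t from, size_t n)
{
    int rc = tty_audit_add_data(to, n);
    if (rc)
        return rc;
    return copy_to_user(to, from, n);
}

/* Variant 2: audit the source.  'from' is the kernel-side read buffer, which
 * is also the data the audit record is supposed to contain. */
static int tty_copy_to_user_audit_from(uint64_t to, uint64_t from, size_t n)
{
    int rc = tty_audit_add_data(from, n);
    if (rc)
        return rc;
    return copy_to_user(to, from, n);
}

/* Pushes one constructed canonical-mode line ("ls\n", as if typed by root)
 * through both variants.  Returns 1 when variant 2 delivered the line to the
 * user buffer and recorded the same bytes in the audit buffer. */
static int run_model(int *rc_to, int *rc_from)
{
    memcpy(kernel_page, "ls\n", 3);
    memset(audit_buf, 0, sizeof audit_buf);
    memset(user_page, 0, sizeof user_page);
    *rc_to = tty_copy_to_user_audit_to(USER_BASE, KERNEL_BASE, 3);
    *rc_from = tty_copy_to_user_audit_from(USER_BASE, KERNEL_BASE, 3);
    return memcmp(audit_buf, "ls\n", 3) == 0 && memcmp(user_page, "ls\n", 3) == 0;
}

int main(void)
{
    int rc_to, rc_from;
    int ok = run_model(&rc_to, &rc_from);
    printf("audit(to):   rc=%d (fault in kernel context)\n", rc_to);
    printf("audit(from): rc=%d, user and audit buffers match: %s\n",
           rc_from, ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The model deliberately has no way for a kernel-side memcpy() to reach user_page: that asymmetry is the whole point, and it is why the choice of pointer passed to the audit hook decides between a clean read and a paging-request BUG.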