
Bug#1051643: Info received (Bug#1051643: Acknowledgement (linux-image-6.1.0-11-686-pae: kernel BUG at mm/usercopy.c:101!))

I spoke too soon... it's happening on 6.1.0-12-686 as well:

# apt-get update
Get:1 http://security.debian.org/debian-security bookworm-security/updates InRelease [48.0 kB]
0% [Waiting for headers] [1 InRelease 0 B/48.0 kB 0%]
Message from syslogd@mini1 at Sep 12 11:07:33 ...
 kernel:[123507.826321] usercopy: Kernel memory exposure attempt detected from kmap (offset 0, size 16384)!
Hit:2 http://ftp.us.debian.org/debian bookworm InRelease
Get:3 http://ftp.us.debian.org/debian bookworm-updates InRelease [52.1 kB]
0% [3 InRelease 0 B/52.1 kB 0%] [1 InRelease 0 B/48.0 kB 0%]
Message from syslogd@mini1 at Sep 12 11:07:33 ...
 kernel:[123508.220983] usercopy: Kernel memory exposure attempt detected from kmap (offset 0, size 16384)!

[123452.464498] ------------[ cut here ]------------
[123452.464530] kernel BUG at mm/usercopy.c:101!
[123452.464566] invalid opcode: 0000 [#1] PREEMPT SMP
[123452.464606] CPU: 1 PID: 7495 Comm: http Not tainted 6.1.0-12-686 #1  Debian 6.1.52-1
[123452.464653] Hardware name: Apple Computer, Inc. Macmini1,1/Mac-F4208EC8, BIOS     MM11.88Z.0055.B08.0610121326 10/12/06
[123452.464729] EIP: usercopy_abort+0x65/0x67
[123452.464772] Code: 44 cb bb d8 d9 b1 cc 89 4d f0 b9 12 55 b0 cc 0f 45 cb ff 75 0c ff 75 08 57 52 56 50 ff 75 f0 51 68 78 d9 b1 cc e8 8a 8e ff ff <0f> 0b 56 31 d2 b8 22 da b1 cc ff 75 ec 8b 4d f0 e8 86 ff ff ff 56
[123452.464886] EAX: 00000052 EBX: ccb1d9d8 ECX: 00000001 EDX: 00000001
[123452.464930] ESI: ccb3449c EDI: ccb3449c EBP: c349fce0 ESP: c349fcac
[123452.464974] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010246
[123452.465024] CR0: 80050033 CR2: 01be6000 CR3: 0e3d2000 CR4: 000006d0
[123452.465068] Call Trace:
[123452.465093]  ? __die_body.cold+0x14/0x1a
[123452.465126]  ? __die+0x21/0x26
[123452.465152]  ? die+0x28/0x50
[123452.465179]  ? do_trap+0xbb/0xe0
[123452.465206]  ? do_error_trap+0x4c/0x60
[123452.465235]  ? usercopy_abort+0x65/0x67
[123452.465271]  ? exc_overflow+0x40/0x40
[123452.465303]  ? exc_invalid_op+0x44/0x60
[123452.465338]  ? usercopy_abort+0x65/0x67
[123452.465372]  ? handle_exception+0x133/0x133
[123452.465409]  ? up_read+0x7b/0x80
[123452.465436]  ? exc_overflow+0x40/0x40
[123452.465467]  ? usercopy_abort+0x65/0x67
[123452.465501]  ? exc_overflow+0x40/0x40
[123452.465532]  ? usercopy_abort+0x65/0x67
[123452.465565]  __check_object_size.cold+0xae/0xae
[123452.465605]  ? kmap_high+0x6f/0x1f0
[123452.465639]  simple_copy_to_iter+0x1c/0x40
[123452.465670]  __skb_datagram_iter+0x163/0x320
[123452.465703]  skb_copy_datagram_iter+0x2d/0x80
[123452.465738]  ? skb_free_datagram+0x20/0x20
[123452.465768]  tcp_recvmsg_locked+0x30e/0x890
[123452.465806]  tcp_recvmsg+0x6f/0x1e0
[123452.465839]  ? tcp_recv_timestamp+0x240/0x240
[123452.465876]  inet_recvmsg+0x54/0x130
[123452.465906]  ? security_socket_recvmsg+0x41/0x60
[123452.465942]  sock_recvmsg+0x73/0x90
[123452.465978]  ? ipip_gso_segment+0x30/0x30
[123452.466015]  sock_read_iter+0x84/0xe0
[123452.466050]  vfs_read+0x288/0x2c0
[123452.466083]  ksys_read+0xab/0xe0
[123452.466110]  __ia32_sys_read+0x15/0x20
[123452.466138]  __do_fast_syscall_32+0x68/0xb0
[123452.466171]  ? syscall_exit_to_user_mode+0x29/0x40
[123452.466205]  ? __do_fast_syscall_32+0x72/0xb0
[123452.466237]  ? exit_to_user_mode_prepare+0x14d/0x1a0
[123452.466273]  ? sysvec_reboot+0x30/0x30
[123452.466302]  do_fast_syscall_32+0x29/0x60
[123452.466334]  do_SYSENTER_32+0x15/0x20
[123452.466369]  entry_SYSENTER_32+0x98/0xf1
[123452.466399] EIP: 0xb7f3d559
[123452.466425] Code: 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[123452.466530] EAX: ffffffda EBX: 00000003 ECX: 01be5df0 EDX: 00010000
[123452.466573] ESI: b778eff4 EDI: 00000000 EBP: 01be4bb0 ESP: bf8d9b50
[123452.466617] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[123452.466670] Modules linked in: tls tun ath5k i915 ath snd_hda_codec_idt mac80211 snd_hda_codec_generic drm_buddy ledtrig_audio drm_display_helper libarc4 snd_hda_intel cec snd_intel_dspcfg kvm_intel snd_intel_sdw_acpi rc_core cfg80211 snd_hda_codec ttm kvm iTCO_wdt intel_pmc_bxt iTCO_vendor_support snd_hda_core watchdog applesmc snd_hwdep drm_kms_helper at24 snd_pcm xt_tcpudp irqbypass i2c_algo_bit snd_timer pcspkr xt_conntrack rng_core snd fb_sys_fops rfkill nf_conntrack syscopyarea soundcore sysfillrect sysimgblt nf_defrag_ipv6 tpm_infineon nf_defrag_ipv4 button acpi_cpufreq nft_compat apple_mfi_fastcharge evdev nf_tables sg nfnetlink binfmt_misc drm loop fuse efi_pstore dm_mod configfs ip_tables x_tables autofs4 xfs libcrc32c crc32c_generic hid_apple hid_appleir hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 sr_mod crc_t10dif cdrom crct10dif_generic crct10dif_common ata_generic ata_piix ahci libahci libata firewire_ohci scsi_mod firewire_core ehci_pci i2c_i801 i2c_smbus
[123452.466844]  scsi_common lpc_ich uhci_hcd ehci_hcd crc_itu_t sky2 usbcore usb_common video wmi
[123452.467367] ---[ end trace 0000000000000000 ]---
[123452.467409] EIP: usercopy_abort+0x65/0x67
[123452.467449] Code: 44 cb bb d8 d9 b1 cc 89 4d f0 b9 12 55 b0 cc 0f 45 cb ff 75 0c ff 75 08 57 52 56 50 ff 75 f0 51 68 78 d9 b1 cc e8 8a 8e ff ff <0f> 0b 56 31 d2 b8 22 da b1 cc ff 75 ec 8b 4d f0 e8 86 ff ff ff 56
[123452.467578] EAX: 00000052 EBX: ccb1d9d8 ECX: 00000001 EDX: 00000001
[123452.467621] ESI: ccb3449c EDI: ccb3449c EBP: c349fce0 ESP: c349fcac
[123452.470914] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010246
[123452.474151] CR0: 80050033 CR2: 01be6000 CR3: 0e3d2000 CR4: 000006d0
[123452.491067] usercopy: Kernel memory exposure attempt detected from kmap (offset 0, size 16384)!
[123452.494366] ------------[ cut here ]------------
[123452.497541] kernel BUG at mm/usercopy.c:101!
[123452.500755] invalid opcode: 0000 [#2] PREEMPT SMP
[123452.503769] CPU: 0 PID: 7496 Comm: http Tainted: G      D            6.1.0-12-686 #1  Debian 6.1.52-1
[123452.506882] Hardware name: Apple Computer, Inc. Macmini1,1/Mac-F4208EC8, BIOS     MM11.88Z.0055.B08.0610121326 10/12/06
[123452.510050] EIP: usercopy_abort+0x65/0x67
[123452.513156] Code: 44 cb bb d8 d9 b1 cc 89 4d f0 b9 12 55 b0 cc 0f 45 cb ff 75 0c ff 75 08 57 52 56 50 ff 75 f0 51 68 78 d9 b1 cc e8 8a 8e ff ff <0f> 0b 56 31 d2 b8 22 da b1 cc ff 75 ec 8b 4d f0 e8 86 ff ff ff 56
[123452.516483] EAX: 00000053 EBX: ccb1d9d8 ECX: 00000001 EDX: 00000001
[123452.519769] ESI: ccb3449c EDI: ccb3449c EBP: f5dabc98 ESP: f5dabc64
[123452.523115] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010246
[123452.526353] CR0: 80050033 CR2: 01939768 CR3: 12618000 CR4: 000006d0
[123452.529363] Call Trace:
[123452.532450]  ? __die_body.cold+0x14/0x1a
[123452.535541]  ? __die+0x21/0x26
[123452.538526]  ? die+0x28/0x50
[123452.541594]  ? do_trap+0xbb/0xe0
[123452.544641]  ? do_error_trap+0x4c/0x60
[123452.547592]  ? usercopy_abort+0x65/0x67
[123452.550655]  ? exc_overflow+0x40/0x40
[123452.553725]  ? exc_invalid_op+0x44/0x60
[123452.556737]  ? usercopy_abort+0x65/0x67
[123452.559776]  ? handle_exception+0x133/0x133
[123452.562907]  ? up_read+0x7b/0x80
[123452.565945]  ? exc_overflow+0x40/0x40
[123452.569024]  ? usercopy_abort+0x65/0x67
[123452.572062]  ? exc_overflow+0x40/0x40
[123452.575100]  ? usercopy_abort+0x65/0x67
[123452.578205]  __check_object_size.cold+0xae/0xae
[123452.581307]  ? kmap_high+0x6f/0x1f0
[123452.584350]  simple_copy_to_iter+0x1c/0x40
[123452.587542]  __skb_datagram_iter+0x163/0x320
[123452.590684]  skb_copy_datagram_iter+0x2d/0x80
[123452.593774]  ? skb_free_datagram+0x20/0x20
[123452.596873]  tcp_recvmsg_locked+0x30e/0x890
[123452.599950]  tcp_recvmsg+0x6f/0x1e0
[123452.602970]  ? tcp_recv_timestamp+0x240/0x240
[123452.606107]  inet_recvmsg+0x54/0x130
[123452.609225]  ? security_socket_recvmsg+0x41/0x60
[123452.612271]  sock_recvmsg+0x73/0x90
[123452.615302]  ? ipip_gso_segment+0x30/0x30
[123452.618338]  sock_read_iter+0x84/0xe0
[123452.621643]  vfs_read+0x288/0x2c0
[123452.624773]  ksys_read+0xab/0xe0
[123452.627793]  __ia32_sys_read+0x15/0x20
[123452.630837]  __do_fast_syscall_32+0x68/0xb0
[123452.633878]  ? syscall_exit_to_user_mode+0x29/0x40
[123452.636891]  ? __ia32_sys_read+0x15/0x20
[123452.639939]  ? __do_fast_syscall_32+0x72/0xb0
[123452.643011]  ? debug_smp_processor_id+0x12/0x20
[123452.646044]  ? fpregs_assert_state_consistent+0x25/0x50
[123452.649102]  ? exit_to_user_mode_prepare+0x41/0x1a0
[123452.652181]  ? irqentry_exit_to_user_mode+0x16/0x20
[123452.655344]  do_fast_syscall_32+0x29/0x60
[123452.658420]  do_SYSENTER_32+0x15/0x20
[123452.661510]  entry_SYSENTER_32+0x98/0xf1
[123452.664587] EIP: 0xb7fc8559
[123452.667686] Code: 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[123452.670822] EAX: ffffffda EBX: 00000003 ECX: 01abe328 EDX: 0000fe88
[123452.673910] ESI: b7819ff4 EDI: 00000000 EBP: 01abd3c0 ESP: bfee4b00
[123452.677014] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[123452.680110] Modules linked in: tls tun ath5k i915 ath snd_hda_codec_idt mac80211 snd_hda_codec_generic drm_buddy ledtrig_audio drm_display_helper libarc4 snd_hda_intel cec snd_intel_dspcfg kvm_intel snd_intel_sdw_acpi rc_core cfg80211 snd_hda_codec ttm kvm iTCO_wdt intel_pmc_bxt iTCO_vendor_support snd_hda_core watchdog applesmc snd_hwdep drm_kms_helper at24 snd_pcm xt_tcpudp irqbypass i2c_algo_bit snd_timer pcspkr xt_conntrack rng_core snd fb_sys_fops rfkill nf_conntrack syscopyarea soundcore sysfillrect sysimgblt nf_defrag_ipv6 tpm_infineon nf_defrag_ipv4 button acpi_cpufreq nft_compat apple_mfi_fastcharge evdev nf_tables sg nfnetlink binfmt_misc drm loop fuse efi_pstore dm_mod configfs ip_tables x_tables autofs4 xfs libcrc32c crc32c_generic hid_apple hid_appleir hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 sr_mod crc_t10dif cdrom crct10dif_generic crct10dif_common ata_generic ata_piix ahci libahci libata firewire_ohci scsi_mod firewire_core ehci_pci i2c_i801 i2c_smbus
[123452.680271]  scsi_common lpc_ich uhci_hcd ehci_hcd crc_itu_t sky2 usbcore usb_common video wmi
[123452.699090] ---[ end trace 0000000000000000 ]---
[123452.702138] EIP: usercopy_abort+0x65/0x67
[123452.705202] Code: 44 cb bb d8 d9 b1 cc 89 4d f0 b9 12 55 b0 cc 0f 45 cb ff 75 0c ff 75 08 57 52 56 50 ff 75 f0 51 68 78 d9 b1 cc e8 8a 8e ff ff <0f> 0b 56 31 d2 b8 22 da b1 cc ff 75 ec 8b 4d f0 e8 86 ff ff ff 56
[123452.708239] EAX: 00000052 EBX: ccb1d9d8 ECX: 00000001 EDX: 00000001
[123452.711218] ESI: ccb3449c EDI: ccb3449c EBP: c349fce0 ESP: c349fcac
[123452.714203] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010246
[123452.717188] CR0: 80050033 CR2: 01939768 CR3: 12618000 CR4: 000006d0

On Mon, Sep 11, 2023 at 3:46 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> Control: tags -1 + moreinfo
>
> Hi,
>
> On Mon, Sep 11, 2023 at 12:51:48AM -0400, Jiann-Ming Su wrote:
> > This may have been fixed in linux-image-6.1.0-12-686.
>
> Is this a confirmation that the problem is solved after the update?
> In that case we can accordingly close the bug.
>
> Regards,
> Salvatore


--
Jiann-Ming Su
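A triage helper for dumps like the one above, added here as an example and not part of the bug report or of any Debian tooling: it parses the hardened-usercopy report (the pr_emerg() format used by usercopy_abort(), where "exposure ... from" means a copy_to_user() of a kernel object that failed the check and "overwrite ... to" a copy_from_user() into one) together with the oops that follows it, and keeps only the reliable call-trace frames so the user-facing syscall path (here read() on a TCP socket) is visible at a glance. The sample lines are trimmed from the dump above; SAMPLE_DMESG and parse_usercopy_oopses are names chosen for this example.

```python
import re
# Sample: lines taken from the oops dump in the report above (trimmed to the
# frames that matter); the second oops is the follow-on one carrying taint flag D.
SAMPLE_DMESG = """\
[123452.464530] kernel BUG at mm/usercopy.c:101!
[123452.464606] CPU: 1 PID: 7495 Comm: http Not tainted 6.1.0-12-686 #1  Debian 6.1.52-1
[123452.465093]  ? __die_body.cold+0x14/0x1a
[123452.465565]  __check_object_size.cold+0xae/0xae
[123452.465639]  simple_copy_to_iter+0x1c/0x40
[123452.465768]  tcp_recvmsg_locked+0x30e/0x890
[123452.466110]  __ia32_sys_read+0x15/0x20
[123452.467367] ---[ end trace 0000000000000000 ]---
[123452.491067] usercopy: Kernel memory exposure attempt detected from kmap (offset 0, size 16384)!
[123452.497541] kernel BUG at mm/usercopy.c:101!
[123452.503769] CPU: 0 PID: 7496 Comm: http Tainted: G      D            6.1.0-12-686 #1  Debian 6.1.52-1
[123452.578205]  __check_object_size.cold+0xae/0xae
[123452.699090] ---[ end trace 0000000000000000 ]---
"""

TS = r"^\[\s*\d+\.\d+\]\s*"  # dmesg timestamp prefix
USERCOPY = re.compile(TS + r"usercopy: Kernel memory (exposure|overwrite) attempt detected "
                      r"(?:from|to) (\S+) \(offset (\d+), size (\d+)\)!")
BUG = re.compile(TS + r"kernel BUG at (\S+)!")
TASK = re.compile(TS + r"CPU: (\d+) PID: (\d+) Comm: (\S+) (Not tainted|Tainted: [A-Z ]+?)\s+(\S+) #")
FRAME = re.compile(TS + r"(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
END = re.compile(TS + r"---\[ end trace")

def parse_usercopy_oopses(text):
    """One record per oops: the usercopy report printed just before it (None if the
    excerpt lacks it), task/taint info, and only reliable frames ('?' frames are dropped)."""
    records, cur, pending = [], None, None
    for line in text.splitlines():
        if m := USERCOPY.match(line):
            pending = {"kind": m[1], "source": m[2], "offset": int(m[3]), "size": int(m[4])}
        elif m := BUG.match(line):
            cur, pending = {"bug_site": m[1], "usercopy": pending, "frames": []}, None
        elif cur is not None and (m := TASK.match(line)):
            cur.update(cpu=int(m[1]), pid=int(m[2]), comm=m[3],
                       taint=" ".join(m[4].split()), kernel=m[5])
        elif cur is not None and (m := FRAME.match(line)) and not m[1]:
            cur["frames"].append(m[2])
        elif cur is not None and END.match(line):
            # The syscall frame identifies the user-facing path that tripped the check.
            cur["syscall"] = next((f for f in cur["frames"] if "_sys_" in f), None)
            records.append(cur)
            cur = None
    return records
```

A record whose taint string contains "D" is a follow-on oops after an earlier die, so the first untainted record is the one to report.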
