
Bug#1051643: linux-image-6.1.0-11-686-pae: kernel BUG at mm/usercopy.c:101!



I can confirm that the bug still exists in 6.1.0-15-686-pae:

# uname -a
Linux cobra 6.1.0-15-686-pae #1 SMP PREEMPT_DYNAMIC Debian 6.1.66-1 (2023-12-09) i686 GNU/Linux

# apt-get update
Get:1 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:2 http://deb.debian.org/debian bookworm InRelease [151 kB]
0% [2 InRelease 0 B/151 kB 0%] [1 InRelease 0 B/48.0 kB 0%]

[ 614.150786] usercopy: Kernel memory exposure attempt detected from kmap (offset 0, size 16384)!
[  614.150908] ------------[ cut here ]------------
[  614.150909] kernel BUG at mm/usercopy.c:101!
[  614.150947] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[  614.150983] CPU: 0 PID: 3018 Comm: http Not tainted 6.1.0-15-686-pae #1 Debian 6.1.66-1
[  614.151011] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[  614.151066] EIP: usercopy_abort+0x65/0x67
[ 614.151104] Code: 44 cb bb 10 ce b2 d1 89 4d f0 b9 2b 48 b1 d1 0f 45 cb ff 75 0c ff 75 08 57 52 56 50 ff 75 f0 51 68 b0 cd b2 d1 e8 61 88 ff ff <0f> 0b 56 31 d2 b8 5a ce b2 d1 ff 75 ec 8b 4d f0 e8 86 ff ff ff 56
[  614.151177] EAX: 00000053 EBX: d1b2ce10 ECX: f6fcfa00 EDX: f6fc9e90
[  614.151215] ESI: d1b438fc EDI: d1b438fc EBP: c2b75c90 ESP: c2b75c5c
[  614.151255] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010286
[  614.151310] CR0: 80050033 CR2: b7761ec0 CR3: 02bce000 CR4: 001506f0
[  614.151363] Call Trace:
[  614.151390]  ? __die_body.cold+0x14/0x1a
[  614.151424]  ? __die+0x21/0x26
[  614.151453]  ? die+0x28/0x50
[  614.151470]  ? do_trap+0xbb/0xe0
[  614.151485]  ? do_error_trap+0x4c/0x60
[  614.151501]  ? usercopy_abort+0x65/0x67
[  614.151532]  ? exc_overflow+0x40/0x40
[  614.151564]  ? exc_invalid_op+0x44/0x60
[  614.151604]  ? usercopy_abort+0x65/0x67
[  614.151656]  ? handle_exception+0x133/0x133
[  614.151705]  ? exc_overflow+0x40/0x40
[  614.151780]  ? usercopy_abort+0x65/0x67
[  614.151816]  ? exc_overflow+0x40/0x40
[  614.151897]  ? usercopy_abort+0x65/0x67
[  614.151977]  __check_object_size.cold+0xae/0xae
[  614.152034]  simple_copy_to_iter+0x1c/0x40
[  614.152113]  __skb_datagram_iter+0x163/0x320
[  614.152186]  skb_copy_datagram_iter+0x2d/0x80
[  614.152635]  ? skb_free_datagram+0x20/0x20
[  614.153028]  tcp_recvmsg_locked+0x582/0x8a0
[  614.153461]  tcp_recvmsg+0x6f/0x1e0
[  614.153845]  ? tcp_recv_timestamp+0x240/0x240
[  614.154203]  inet_recvmsg+0x54/0x130
[  614.154555]  ? security_socket_recvmsg+0x41/0x60
[  614.154911]  sock_recvmsg+0x73/0x90
[  614.155261]  ? ipip_gso_segment+0x30/0x30
[  614.155597]  sock_read_iter+0x84/0xe0
[  614.155924]  vfs_read+0x288/0x2c0
[  614.156259]  ksys_read+0xab/0xe0
[  614.156570]  __ia32_sys_read+0x15/0x20
[  614.156870]  __do_fast_syscall_32+0x68/0xb0
[  614.157155]  ? __ia32_sys_pselect6_time32+0x4c/0x80
[  614.157435]  ? exit_to_user_mode_prepare+0x32/0x170
[  614.157712]  ? syscall_exit_to_user_mode+0x29/0x40
[  614.157986]  ? __do_fast_syscall_32+0x72/0xb0
[  614.158270]  ? exit_to_user_mode_prepare+0x9d/0x170
[  614.158541]  ? irqentry_exit_to_user_mode+0x16/0x20
[  614.158833]  do_fast_syscall_32+0x29/0x60
[  614.159102]  do_SYSENTER_32+0x15/0x20
[  614.159392]  entry_SYSENTER_32+0x98/0xf1
[  614.159664] EIP: 0xb7f6d559
[ 614.159931] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[  614.160864] EAX: ffffffda EBX: 00000003 ECX: 015bcd09 EDX: 0000fee7
[  614.161200] ESI: b721cff4 EDI: 00000000 EBP: 015b2f20 ESP: bf9bd970
[  614.161526] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[ 614.161856] Modules linked in: xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock binfmt_misc xfs libcrc32c intel_rapl_msr ppdev intel_rapl_common rapl vmw_balloon pcspkr vmwgfx drm_ttm_helper ttm vmw_vmci drm_kms_helper parport_pc parport button ac joydev evdev serio_raw sg drm loop fuse efi_pstore configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic dm_mod dax sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_common sr_mod cdrom ata_generic crc32c_intel psmouse mptspi ata_piix mptscsih mptbase libata scsi_transport_spi e1000 scsi_mod i2c_piix4 scsi_common floppy
[  614.165246] ---[ end trace 0000000000000000 ]---
[  614.165664] EIP: usercopy_abort+0x65/0x67
[ 614.166085] Code: 44 cb bb 10 ce b2 d1 89 4d f0 b9 2b 48 b1 d1 0f 45 cb ff 75 0c ff 75 08 57 52 56 50 ff 75 f0 51 68 b0 cd b2 d1 e8 61 88 ff ff <0f> 0b 56 31 d2 b8 5a ce b2 d1 ff 75 ec 8b 4d f0 e8 86 ff ff ff 56
[  614.167439] EAX: 00000053 EBX: d1b2ce10 ECX: f6fcfa00 EDX: f6fc9e90
[  614.167975] ESI: d1b438fc EDI: d1b438fc EBP: c2b75c90 ESP: c2b75c5c
[  614.168465] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010286
[  614.169008] CR0: 80050033 CR2: b7761ec0 CR3: 02bce000 CR4: 001506f0
[ 614.170858] usercopy: Kernel memory exposure attempt detected from kmap (offset 0, size 16384)!
[  614.171403] ------------[ cut here ]------------
[  614.171924] kernel BUG at mm/usercopy.c:101!
[  614.172439] invalid opcode: 0000 [#2] PREEMPT SMP PTI
[  614.172953] CPU: 0 PID: 3019 Comm: http Tainted: G D 6.1.0-15-686-pae #1 Debian 6.1.66-1
[  614.174017] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[  614.175078] EIP: usercopy_abort+0x65/0x67
[ 614.175616] Code: 44 cb bb 10 ce b2 d1 89 4d f0 b9 2b 48 b1 d1 0f 45 cb ff 75 0c ff 75 08 57 52 56 50 ff 75 f0 51 68 b0 cd b2 d1 e8 61 88 ff ff <0f> 0b 56 31 d2 b8 5a ce b2 d1 ff 75 ec 8b 4d f0 e8 86 ff ff ff 56
[  614.177304] EAX: 00000053 EBX: d1b2ce10 ECX: f6fc9e94 EDX: f6fc9e90
[  614.177884] ESI: d1b438fc EDI: d1b438fc EBP: c2b4bcd4 ESP: c2b4bca0
[  614.178458] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010246
[  614.179141] CR0: 80050033 CR2: bfb78dcc CR3: 02bd6000 CR4: 001506f0
[  614.179726] Call Trace:
[  614.180274]  ? __die_body.cold+0x14/0x1a
[  614.180827]  ? __die+0x21/0x26
[  614.181380]  ? die+0x28/0x50
[  614.181911]  ? do_trap+0xbb/0xe0
[  614.182430]  ? do_error_trap+0x4c/0x60
[  614.182937]  ? usercopy_abort+0x65/0x67
[  614.183473]  ? exc_overflow+0x40/0x40
[  614.183959]  ? exc_invalid_op+0x44/0x60
[  614.184432]  ? usercopy_abort+0x65/0x67
[  614.184891]  ? handle_exception+0x133/0x133
[  614.185343]  ? exc_overflow+0x40/0x40
[  614.185791]  ? usercopy_abort+0x65/0x67
[  614.186245]  ? exc_overflow+0x40/0x40
[  614.186677]  ? usercopy_abort+0x65/0x67
[  614.187100]  __check_object_size.cold+0xae/0xae
[  614.187512]  simple_copy_to_iter+0x1c/0x40
[  614.187917]  __skb_datagram_iter+0x163/0x320
[  614.188320]  skb_copy_datagram_iter+0x2d/0x80
[  614.188715]  ? skb_free_datagram+0x20/0x20
[  614.189115]  tcp_recvmsg_locked+0x582/0x8a0
[  614.189500]  tcp_recvmsg+0x6f/0x1e0
[  614.189871]  ? tcp_recv_timestamp+0x240/0x240
[  614.190239]  inet_recvmsg+0x54/0x130
[  614.190604]  ? security_socket_recvmsg+0x41/0x60
[  614.190968]  sock_recvmsg+0x73/0x90
[  614.191321]  ? ipip_gso_segment+0x30/0x30
[  614.191659]  sock_read_iter+0x84/0xe0
[  614.191987]  vfs_read+0x288/0x2c0
[  614.192337]  ksys_read+0xab/0xe0
[  614.192647]  __ia32_sys_read+0x15/0x20
[  614.192947]  __do_fast_syscall_32+0x68/0xb0
[  614.193239]  ? exit_to_user_mode_prepare+0x32/0x170
[  614.193521]  ? irqentry_exit_to_user_mode+0x16/0x20
[  614.193799]  do_fast_syscall_32+0x29/0x60
[  614.194075]  do_SYSENTER_32+0x15/0x20
[  614.194347]  entry_SYSENTER_32+0x98/0xf1
[  614.194650] EIP: 0xb7f8e559
[ 614.194932] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[  614.195817] EAX: ffffffda EBX: 00000003 ECX: 00a9aeab EDX: 0000fef5
[  614.196132] ESI: b721cff4 EDI: 00000000 EBP: 00a91300 ESP: bfb88bb0
[  614.196447] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[ 614.196775] Modules linked in: xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock binfmt_misc xfs libcrc32c intel_rapl_msr ppdev intel_rapl_common rapl vmw_balloon pcspkr vmwgfx drm_ttm_helper ttm vmw_vmci drm_kms_helper parport_pc parport button ac joydev evdev serio_raw sg drm loop fuse efi_pstore configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic dm_mod dax sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_common sr_mod cdrom ata_generic crc32c_intel psmouse mptspi ata_piix mptscsih mptbase libata scsi_transport_spi e1000 scsi_mod i2c_piix4 scsi_common floppy
[  614.199927] ---[ end trace 0000000000000000 ]---
[  614.200342] EIP: usercopy_abort+0x65/0x67
[ 614.200755] Code: 44 cb bb 10 ce b2 d1 89 4d f0 b9 2b 48 b1 d1 0f 45 cb ff 75 0c ff 75 08 57 52 56 50 ff 75 f0 51 68 b0 cd b2 d1 e8 61 88 ff ff <0f> 0b 56 31 d2 b8 5a ce b2 d1 ff 75 ec 8b 4d f0 e8 86 ff ff ff 56
[  614.202095] EAX: 00000053 EBX: d1b2ce10 ECX: f6fcfa00 EDX: f6fc9e90
[  614.202557] ESI: d1b438fc EDI: d1b438fc EBP: c2b75c90 ESP: c2b75c5c
[  614.203020] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010286
[  614.203525] CR0: 80050033 CR2: bfb78dcc CR3: 02bd6000 CR4: 001506f0


Klaus.

--
levigo systems gmbh ----------- a company of the levigo gruppe
Bebelsbergstraße 31                        Phone: 07031 / 4161-10
D-71088 Holzgerlingen                        Fax: 07031 / 4161-11
Managing directors: Oliver Bausch, Vincenzo Biasi   http://systems.levigo.de/
Information on Art. 13, 14 GDPR:   https://datenschutz.levigo.de/
Register court: Stuttgart HRB 245180          VAT ID: DE813226078

