System crashed after 'Supertramp allocated at XXXXXXXX' log
Issue
- The system crashed with 'Bad RIP value.'.
- Below is one example of the crash pattern:
...
Supertramp allocated at ffff880432914000
msda: device registered at 10.54
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle kernel paging request at ffffc9000a2de2d0
IP: [<ffffc9000a2de2d0>] 0xffffc9000a2de2d0
Kernel PGD 147fc18067 PUD 207fc18067 PMD c6f8ee067 PTE 8000000c71191063
User PGD c7fef5067 PUD 0
Oops: 0011 [#1] SMP
last sysfs file: /sys/module/ipv6/initstate
CPU 4
Modules linked in: microsoft_dependency_agent(P)(U) bluechannel(P)(U) iptable_filter ip_tables falcon_lsm_serviceable(P)(U) falcon_nf_netcontain(P)(U) falcon_lsm_pinned_8202(U) ktap_88469(U) vfat fat mpt3sas mpt2sas scsi_transport_sas raid_class mptctl mptbase ipmi_devintf dell_rbu nfsd exportfs autofs4 nfs lockd fscache auth_rpcgss nfs_acl sunrpc bonding ipv6 dm_round_robin dm_multipath power_meter acpi_ipmi ipmi_si ipmi_msghandler microcode iTCO_wdt iTCO_vendor_support dcdbas joydev serio_raw sg lpc_ich mfd_core bnx2x ptp pps_core libcrc32c mdio bnx2 i7core_edac edac_core ext4 jbd2 mbcache sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic ata_piix qla2xxx scsi_transport_fc scsi_tgt megaraid_sas dm_mirror dm_region_hash dm_log dm_mod [last unloaded: usb_storage]
Pid: 41966, comm: sshd Tainted: P W -- ------------ 2.6.32-754.23.1.el6.x86_64 #1 ...
RIP: 0010:[<ffffc9000a2de2d0>] [<ffffc9000a2de2d0>] 0xffffc9000a2de2d0
RSP: 0018:ffff880c9cc878e0 EFLAGS: 00010286
RAX: ffffc900291a4020 RBX: ffff88145b23fbc0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88144b018340 RDI: ffff88145b23fbc0
RBP: ffff880c9cc87928 R08: 0000000000000000 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88144b018340 R14: 0000000000000000 R15: 0000000000000040
FS: 00007f1171faf7c0(0000) GS:ffff880054040000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000a2de2d0 CR3: 00000023a8b46000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process sshd (pid: 41966, threadinfo ffff880c9cc84000, task ffff8814617a5520)
Stack:
ffffc900291a4041 ffff880c9cc87908 ffffffff81357d1b ffff881463dcbdc0
<d> ffff88145b23fbc0 0000000000000000 ffff88144b018340 0000000000000000
<d> 0000000000000040 ffff880c9cc87958 ffffffff81472973 0000000000000228
Call Trace:
[<ffffffff81357d1b>] ? put_ldisc+0x5b/0xc0
[<ffffffff81472973>] sock_poll+0x63/0x150
[<ffffffff811b9eb8>] do_select+0x3c8/0x7c0
[<ffffffff814cb572>] ? ip_finish_output+0x192/0x380
[<ffffffff811b98a0>] ? __pollwait+0x0/0xf0
[<ffffffff811b9990>] ? pollwake+0x0/0x60
[<ffffffff811b9990>] ? pollwake+0x0/0x60
[<ffffffff811b9990>] ? pollwake+0x0/0x60
[<ffffffff811b9990>] ? pollwake+0x0/0x60
[<ffffffff8155cd0b>] ? _spin_unlock_bh+0x1b/0x20
[<ffffffff8147740a>] ? release_sock+0xea/0x110
[<ffffffff814d3a2c>] ? tcp_sendmsg+0x74c/0xa40
[<ffffffff814762d1>] ? sock_aio_write+0x1a1/0x1c0
[<ffffffff81350ead>] ? tty_wakeup+0x3d/0x80
[<ffffffff811bacfa>] core_sys_select+0x18a/0x2c0
[<ffffffff8135471d>] ? n_tty_read+0x3ad/0x950
[<ffffffff810ab0e0>] ? autoremove_wake_function+0x0/0x40
[<ffffffffa01dad6d>] ? cshook_security_file_permission+0x1d/0x80 [falcon_lsm_serviceable]
[<ffffffffa001be62>] ? release_rundown+0x12/0x20 [falcon_lsm_pinned_8202]
[<ffffffffa001d1db>] ? pinnedhook_security_file_permission+0x6b/0x80 [falcon_lsm_pinned_8202]
[<ffffffffa01d7d31>] ? crowdstrike_probe_sys_exit+0x21/0x170 [falcon_lsm_serviceable]
[<ffffffff811bb087>] sys_select+0x47/0x110
[<ffffffff81564655>] tracesys+0xb2/0xd8
Code: 88 ff ff 98 2d 70 c9 21 88 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 5e 16 ac 21 88 ff ff <98> 0c 16 31 0d 88 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00
RIP [<ffffc9000a2de2d0>] 0xffffc9000a2de2d0
RSP <ffff880c9cc878e0>
CR2: ffffc9000a2de2d0
Environment
- Red Hat Enterprise Linux 6
- Microsoft driver 'microsoft_dependency_agent' loaded