RHEL 7/8: kernel panic at vt_ioctl
Issue
- CVE-2020-36558
- Kernel panic with the following log on RHEL 8:
[ 43.716346] BUG: unable to handle kernel NULL pointer dereference at 0000000000000304
[ 43.716350] PGD 10dd917067 P4D 10dd917067 PUD 10c6b83067 PMD 0
[ 43.716355] Oops: 0002 [#1] SMP NOPTI
[ 43.716358] CPU: 106 PID: 12330 Comm: pty07 Kdump: loaded Not tainted 4.18.0-372.73.1.el8_6.x86_64 #1
[ 43.716361] Hardware name: HPE ProLiant DL365 Gen10 Plus/ProLiant DL365 Gen10 Plus, BIOS A42 10/29/2021
[ 43.716362] RIP: 0010:vt_ioctl+0x720/0x1020
[ 43.716371] Code: ff 0f b7 44 24 0c 66 85 c0 74 09 48 8b 13 89 82 90 01 00 00 0f b7 44 24 0e 48 8b 13 66 85 c0 74 09 89 82 04 02 00 00 48 8b 13 <c7> 82 04 03 00 00 01 00 00 00 0f b7 54 24 08 0f b7 74 24 0a 48 8b
[ 43.716373] RSP: 0018:ffff9ef60d63fd70 EFLAGS: 00010246
[ 43.716375] RAX: 0000000000000000 RBX: ffffffffbb10e1f0 RCX: 0000000000000000
[ 43.716377] RDX: 0000000000000000 RSI: 0000000000000286 RDI: 0000000000000286
[ 43.716378] RBP: ffffffffbb10f0d8 R08: 0000000000002e47 R09: 0000000000002e47
[ 43.716379] R10: 0000000000000000 R11: ffff8a913e4a9b84 R12: 0000000000631d08
[ 43.716380] R13: ffff8a8198a4ac00 R14: ffff8a8198a4c400 R15: 0000000000000000
[ 43.716381] FS: 00007fad03723740(0000) GS:ffff8a913e480000(0000) knlGS:0000000000000000
[ 43.716383] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 43.716384] CR2: 0000000000000304 CR3: 00000010ea188006 CR4: 0000000000770ee0
[ 43.716386] PKRU: 55555554
[ 43.716387] Call Trace:
[ 43.716391] ? finish_fault+0x4f/0x70
[ 43.716397] tty_ioctl+0x106/0x920
[ 43.716402] ? proc_taint+0x17b/0x1b0
[ 43.716408] ? selinux_file_ioctl+0x183/0x220
[ 43.716412] do_vfs_ioctl+0xa4/0x690
[ 43.716417] ksys_ioctl+0x64/0xa0
[ 43.716419] __x64_sys_ioctl+0x16/0x20
[ 43.716421] do_syscall_64+0x5b/0x1b0
[ 43.716427] entry_SYSCALL_64_after_hwframe+0x61/0xc6
[ 43.716432] RIP: 0033:0x7fad02d517cb
[ 43.716435] Code: 73 01 c3 48 8b 0d bd 66 38 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d 66 38 00 f7 d8 64 89 01 48
[ 43.716437] RSP: 002b:00007ffd02c43f48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 43.716439] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fad02d517cb
[ 43.716440] RDX: 0000000000631d08 RSI: 000000000000560a RDI: 0000000000000003
[ 43.716441] RBP: 0000000000000000 R08: 00007ffd02cfa1b0 R09: 000000000000e986
[ 43.716441] R10: 000000000000e986 R11: 0000000000000246 R12: 0000000000000000
[ 43.716442] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffd02c44020
[ 43.716445] Modules linked in: xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink bridge stp llc sunrpc vfat fat ipmi_ssif intel_rapl_msr intel_rapl_common edac_mce_amd amd_energy kvm_amd kvm irqbypass crct10dif_pclmul acpi_ipmi crc32_pclmul ses enclosure ghash_clmulni_intel ipmi_si sp5100_tco pcspkr rapl ipmi_devintf hpilo hpwdt ccp i2c_piix4 k10temp wmi ipmi_msghandler acpi_tad acpi_power_meter acpi_cpufreq xfs libcrc32c sd_mod t10_pi sg mgag200 drm_kms_helper qede syscopyarea sysfillrect sysimgblt fb_sys_fops crc32c_intel drm qed igb smartpqi scsi_transport_sas dca i2c_algo_bit crc8 dm_mirror dm_region_hash dm_log dm_mod fuse
[ 43.716500] CR2: 0000000000000304
- Kernel panic with the following log on RHEL 7:
[ 62.012459] BUG: unable to handle kernel NULL pointer dereference at 00000000000002bc
[ 62.012463] IP: [<ffffffffac4933e7>] vt_ioctl+0xea7/0x12f0
[ 62.012464] PGD 26caed067 PUD 26cae8067 PMD 0
[ 62.012464] Oops: 0002 [#1] SMP
[ 62.012471] Modules linked in: sunrpc kvm_amd kvm iTCO_wdt iTCO_vendor_support irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper joydev cryptd i2c_i801 sg pcspkr lpc_ich virtio_rng virtio_balloon ip_tables xfs libcrc32c sr_mod cdrom ahci virtio_net libahci net_failover virtio_console virtio_blk failover libata crct10dif_pclmul crct10dif_common crc32c_intel serio_raw virtio_pci virtio_ring virtio dm_mirror dm_region_hash dm_log dm_mod
[ 62.012473] CPU: 1 PID: 1809 Comm: pty07 Kdump: loaded Not tainted 3.10.0-1160.108.1.el7.x86_64 #1
[ 62.012473] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-4.el9 04/01/2014
[ 62.012473] task: ffff9fb8eb5d6300 ti: ffff9fb8ee3e8000 task.ti: ffff9fb8ee3e8000
[ 62.012474] RIP: 0010:[<ffffffffac4933e7>] [<ffffffffac4933e7>] vt_ioctl+0xea7/0x12f0
[ 62.012475] RSP: 0018:ffff9fb8ee3ebd70 EFLAGS: 00010246
[ 62.012475] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 62.012475] RDX: 0000000000000019 RSI: 0000000000000050 RDI: 0000000000000282
[ 62.012475] RBP: ffff9fb8ee3ebde0 R08: ffff9fb8ee3e8000 R09: 0000000000000001
[ 62.012475] R10: 0000000000000001 R11: 0000000000000400 R12: 0000000000000000
[ 62.012475] R13: 0000000000000050 R14: 0000000000000019 R15: ffffffffad285d70
[ 62.012477] FS: 00007f9622f7f740(0000) GS:ffff9fb7f5a40000(0000) knlGS:0000000000000000
[ 62.012477] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 62.012477] CR2: 00000000000002bc CR3: 000000026e4bc000 CR4: 0000000000740ee0
[ 62.012478] PKRU: 55555554
[ 62.012478] Call Trace:
[ 62.012482] [<ffffffffac1fbc07>] ? arch_tlb_finish_mmu+0x47/0x80
[ 62.012482] [<ffffffffac1fbd33>] ? tlb_finish_mmu+0x23/0x40
[ 62.012484] [<ffffffffac485fa4>] tty_ioctl+0x284/0xc00
[ 62.012485] [<ffffffffac205ec1>] ? __vma_rb_erase+0x121/0x230
[ 62.012487] [<ffffffffac271988>] do_vfs_ioctl+0x3a8/0x5c0
[ 62.012488] [<ffffffffac0706ce>] ? kvm_clock_get_cycles+0x1e/0x30
[ 62.012489] [<ffffffffac271c21>] SyS_ioctl+0x81/0xa0
[ 62.012491] [<ffffffffac146966>] ? __audit_syscall_exit+0x1f6/0x2b0
[ 62.012492] [<ffffffffac7c539a>] system_call_fastpath+0x25/0x2a
[ 62.012496] Code: 85 db 74 0c 49 8b 07 8b 4d 94 89 88 48 01 00 00 66 45 85 e4 74 0c 49 8b 07 8b 4d 98 89 88 bc 01 00 00 49 8b 07 44 89 f2 44 89 ee <c7> 80 bc 02 00 00 01 00 00 00 49 8b 3f e8 f7 a1 00 00 e8 72 eb
[ 62.012497] RIP [<ffffffffac4933e7>] vt_ioctl+0xea7/0x12f0
[ 62.012497] RSP <ffff9fb8ee3ebd70>
[ 62.012497] CR2: 00000000000002bc
Environment
- Red Hat Enterprise Linux 7/8
- Seen on kernel-3.10.0-1160.108.1.el7
- Seen on kernel-4.18.0-372.73.1.el8_6
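
An added triage example, not part of the Red Hat article: it scans a console or kdump log for the oops signature shown under Issue, handling both the RHEL 7 and RHEL 8 line formats, and reports the faulting function, offset, fault address and kernel version. The function names are hypothetical and the sample lines are excerpted from the logs on this page.

```python
import re

BUG_RE = re.compile(r"BUG: unable to handle kernel NULL pointer dereference at ([0-9a-f]+)")
# RHEL 8: "RIP: 0010:func+0x../0x.."   RHEL 7: "IP: [<addr>] func+0x../0x.."
RIP_RE = re.compile(r"\bR?IP:\s*(?:[0-9a-f]{4}:)?(?:\[<[0-9a-f]+>\]\s*)*"
                    r"([A-Za-z_][\w.]*)\+(0x[0-9a-f]+)/0x[0-9a-f]+")
OOPS_RE = re.compile(r"Oops: ([0-9a-f]{4})")
CPU_RE = re.compile(r"Comm: (\S+) .*?(\d+\.\d+\.\d+-\S+) #\d+")

# Sample input: lines excerpted from the two oops reports on this page.
SAMPLE = """\
[ 43.716346] BUG: unable to handle kernel NULL pointer dereference at 0000000000000304
[ 43.716355] Oops: 0002 [#1] SMP NOPTI
[ 43.716358] CPU: 106 PID: 12330 Comm: pty07 Kdump: loaded Not tainted 4.18.0-372.73.1.el8_6.x86_64 #1
[ 43.716362] RIP: 0010:vt_ioctl+0x720/0x1020
[ 62.012459] BUG: unable to handle kernel NULL pointer dereference at 00000000000002bc
[ 62.012463] IP: [<ffffffffac4933e7>] vt_ioctl+0xea7/0x12f0
[ 62.012464] Oops: 0002 [#1] SMP
[ 62.012473] CPU: 1 PID: 1809 Comm: pty07 Kdump: loaded Not tainted 3.10.0-1160.108.1.el7.x86_64 #1
"""

def parse_oopses(log):
    """Split a log at each NULL-dereference BUG line and summarise every report."""
    starts = [m.start() for m in BUG_RE.finditer(log)]
    reports = []
    for begin, end in zip(starts, starts[1:] + [len(log)]):
        block = log[begin:end]
        rip, oops, cpu = RIP_RE.search(block), OOPS_RE.search(block), CPU_RE.search(block)
        code = int(oops.group(1), 16) if oops else None
        reports.append({
            "fault_addr": int(BUG_RE.match(block).group(1), 16),
            "function": rip.group(1) if rip else None,
            "offset": rip.group(2) if rip else None,
            # x86 page-fault error code: bit 0 = page was present, bit 1 = write,
            # bit 2 = user mode. 0002 is a kernel-mode write to a non-present page.
            "kernel_write": code is not None and (code & 0b110) == 0b010,
            "comm": cpu.group(1) if cpu else None,
            "kernel": cpu.group(2) if cpu else None,
        })
    return reports

def is_vt_ioctl_null_deref(report):
    """True when a report matches the signature on this page."""
    return (report["function"] == "vt_ioctl" and report["fault_addr"] < 0x1000
            and report["kernel_write"])

if __name__ == "__main__":
    for r in parse_oopses(SAMPLE):
        print(is_vt_ioctl_null_deref(r), r["kernel"], r["offset"], hex(r["fault_addr"]))
```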