Server crash with kernel memory exposure attempt detected.

Solution Verified

Issue

  • Server crashes in hardened usercopy code with error:
[16835.468933] usercopy: kernel memory exposure attempt detected from ffffa10d1effe07c (kmalloc-4096) (16260 bytes)
[16835.469026] ------------[ cut here ]------------
[16835.469052] kernel BUG at mm/usercopy.c:72!
[16835.469068] invalid opcode: 0000 [#1] SMP 
[16835.469084] Modules linked in: nfsv3 nfs_acl nfs lockd grace fscache vmw_vsock_vmci_transport vsock sunrpc ppdev vmw_balloon sb_edac iosf_mbi crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd joydev pcspkr sg vmw_vmci i2c_piix4 parport_pc parport binfmt_misc ip_tables xfs libcrc32c sr_mod cdrom sd_mod crc_t10dif crct10dif_generic ata_generic pata_acpi crct10dif_pclmul crct10dif_common crc32c_intel vmwgfx serio_raw drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm vmxnet3 ata_piix mptspi libata scsi_transport_spi mptscsih mptbase drm_panel_orientation_quirks dm_mirror dm_region_hash dm_log dm_mod
[16835.469394] CPU: 4 PID: 29718 Comm: ssh Kdump: loaded Not tainted 3.10.0-957.1.3.el7.x86_64 #1
[16835.469424] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/21/2015
[16835.469458] task: ffffa108ad2f2080 ti: ffffa10a49ffc000 task.ti: ffffa10a49ffc000
[16835.469483] RIP: 0010:[<ffffffffa443e167>]  [<ffffffffa443e167>] __check_object_size+0x87/0x250
[16835.469517] RSP: 0018:ffffa10a49fffd18  EFLAGS: 00010246
[16835.469536] RAX: 0000000000000064 RBX: ffffa10d1effe07c RCX: 0000000000000000
[16835.469560] RDX: 0000000000000000 RSI: ffffa10d1d713898 RDI: ffffa10d1d713898
[16835.469583] RBP: ffffa10a49fffd38 R08: 0000000000000000 R09: ffffa10d18e99b80
[16835.469608] R10: 00000000000007bc R11: 0000000000000000 R12: 0000000000003f84
[16835.469632] R13: 0000000000000001 R14: ffffa10d1f002000 R15: ffffa10a53af6400
[16835.469657] FS:  00007ff8a310c840(0000) GS:ffffa10d1d700000(0000) knlGS:0000000000000000
[16835.469684] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[16835.469730] CR2: 000055bd16930ab0 CR3: 000000079ae8e000 CR4: 00000000003607e0
[16835.469796] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[16835.469821] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[16835.469847] Call Trace:
[16835.469872]  [<ffffffffa465a0a2>] copy_from_read_buf+0xa2/0x190
[16835.469895]  [<ffffffffa465ae14>] n_tty_read+0x394/0x930
[16835.470716]  [<ffffffffa49696eb>] ? ldsem_down_read+0x3b/0x220
[16835.471545]  [<ffffffffa42d67b0>] ? wake_up_state+0x20/0x20
[16835.472288]  [<ffffffffa4656550>] tty_read+0x90/0x100
[16835.473037]  [<ffffffffa444117f>] vfs_read+0x9f/0x170
[16835.473774]  [<ffffffffa444203f>] SyS_read+0x7f/0xf0
[16835.474501]  [<ffffffffa4974ddb>] system_call_fastpath+0x22/0x27
[16835.475243] Code: 45 d1 48 c7 c6 34 b7 c7 a4 48 c7 c1 40 4c c8 a4 48 0f 45 f1 49 89 c0 4d 89 e1 48 89 d9 48 c7 c7 30 1b c8 a4 31 c0 e8 20 d5 51 00 <0f> 0b 0f 1f 80 00 00 00 00 48 c7 c0 00 00 20 a4 4c 39 f0 73 0d 
[16835.476974] RIP  [<ffffffffa443e167>] __check_object_size+0x87/0x250
[16835.477788]  RSP <ffffa10a49fffd18>
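
A triage helper for the first line of the report above, added here as an example and not part of the original article: it parses the usercopy message and, for kmalloc-N caches, compares the requested length with the cache's object size. The function name and the returned field names are hypothetical.

```python
import re

# Message printed by the hardened usercopy check before it hits BUG():
# "exposure ... from" is a copy to user space, "overwrite ... to" a copy from it.
USERCOPY_RE = re.compile(
    r"usercopy: kernel memory (?P<kind>exposure|overwrite) attempt detected "
    r"(?:from|to) (?P<addr>[0-9a-f]+) \((?P<type>[^)]*)\) \((?P<len>\d+) bytes\)"
)
# Only numeric cache names such as kmalloc-4096 are sized here.
KMALLOC_RE = re.compile(r"^kmalloc-(\d+)$")

# First line of the report quoted in this article.
SAMPLE = ("[16835.468933] usercopy: kernel memory exposure attempt detected "
          "from ffffa10d1effe07c (kmalloc-4096) (16260 bytes)")


def triage_usercopy(line):
    """Return a dict describing a usercopy report, or None for other lines."""
    m = USERCOPY_RE.search(line)
    if m is None:
        return None
    length = int(m.group("len"))
    report = {
        "direction": "copy_to_user" if m.group("kind") == "exposure"
                     else "copy_from_user",
        "address": int(m.group("addr"), 16),
        "object_type": m.group("type"),
        "length": length,
        "object_size": None,   # filled in only for kmalloc-N caches
        "excess_bytes": None,  # lower bound on bytes beyond the object
    }
    k = KMALLOC_RE.match(report["object_type"])
    if k:
        size = int(k.group(1))
        report["object_size"] = size
        # The copy may start part-way into the object, so the real overrun
        # can be larger than length - size; this is the minimum.
        report["excess_bytes"] = max(0, length - size)
    return report


if __name__ == "__main__":
    for key, value in triage_usercopy(SAMPLE).items():
        print(f"{key}: {value:#x}" if key == "address" else f"{key}: {value}")
```

For the report above this gives a 16260-byte copy to user space requested from a 4096-byte slab object, at least 12164 bytes more than the object holds. 16260 is 0x3f84, the value in R12 of the register dump, and the reported address is the value in RBX.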

Environment

  • Red Hat Enterprise Linux 7.6
  • Red Hat Enterprise Linux 7.5
  • Red Hat Enterprise Linux 7.4
