Kernel crash at cshook_network_ops_inet6_sockraw_recvmsg+0x2b970
Issue
- The kernel crashed with the following log messages:
[2109632.107208] No traceLevel set via falconctl defaulting to none
[2109632.107211] LogLevelUpdate: none = trace level 0.
[2109632.209393] RegisterSensorNetlink 1
[2109632.209398] generic_netlink_register ...
[2109632.209410] generic netlink registered family 27
[2109632.209670] RegisterSensorNetlink 2
[2109632.209672] generic_netlink_register ...
[2109632.209678] generic netlink registered family 28
[2109633.776567] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[2109633.777030] BUG: unable to handle kernel paging request at ffffffffc08957c0
[2109633.777352] IP: [<ffffffffc08957c0>] cshook_network_ops_inet6_sockraw_recvmsg+0x2b970/0x101b0 [falcon_lsm_serviceable]
[2109633.777700] PGD 429214067 PUD 429216067 PMD 22ec6c067 PTE 80000001525a1061
[2109633.778041] Oops: 0011 [#1] SMP
[2109633.778363] Modules linked in: falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE) falcon_kal(E) falcon_lsm_pinned_11312(E) bridge stp llc falcon_lsm_pinned_10807(E) binfmt_misc vmw_vsock_vmci_transport vsock sunrpc ext4 mbcache jbd2 ppdev iosf_mbi crc32_pclmul ghash_clmulni_intel vmw_balloon aesni_intel lrw gf128mul glue_helper ablk_helper cryptd joydev pcspkr vmw_vmci sg i2c_piix4 parport_pc parport ip_tables xfs libcrc32c sr_mod cdrom ata_generic pata_acpi vmwgfx drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ata_piix sd_mod drm crc_t10dif libata crct10dif_generic crct10dif_pclmul crct10dif_common crc32c_intel nfit serio_raw libnvdimm vmxnet3 vmw_pvscsi drm_panel_orientation_quirks floppy dm_mirror dm_region_hash dm_log dm_mod fuse [last unloaded: falcon_kal]
[2109633.780739] CPU: 0 PID: 1804 Comm: snmpd Kdump: loaded Tainted: P W E ------------ 3.10.0-1160.25.1.el7.x86_64 #1
[2109633.781295] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016
[2109633.781884] task: ffff9692a954d280 ti: ffff968ff9f8c000 task.ti: ffff968ff9f8c000
[2109633.782480] RIP: 0010:[<ffffffffc08957c0>] [<ffffffffc08957c0>] cshook_network_ops_inet6_sockraw_recvmsg+0x2b970/0x101b0 [falcon_lsm_serviceable]
[2109633.783128] RSP: 0018:ffff968ff9f8fe40 EFLAGS: 00010246
[2109633.783812] RAX: ffffffffc08957c0 RBX: ffff968ed1e71e00 RCX: ffff968ed1e71e00
[2109633.784480] RDX: 0000000000000000 RSI: ffff968ff9f8fe48 RDI: 0000000000000000
[2109633.785173] RBP: ffff968ff9f8fe60 R08: 0000000000000000 R09: 0000000000000000
[2109633.785864] R10: ffff968ed1e71e30 R11: ffff969153cc1510 R12: 0000000000000000
[2109633.786559] R13: ffff968ed1e71e30 R14: ffff968ff83607a0 R15: ffff968eba09e3c0
[2109633.787263] FS: 00007f8bc8e75880(0000) GS:ffff9692bfc00000(0000) knlGS:0000000000000000
[2109633.788029] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[2109633.788791] CR2: ffffffffc08957c0 CR3: 000000041d002000 CR4: 00000000001607f0
[2109633.789576] Call Trace:
[2109633.790336] [<ffffffffc080226e>] ? pinnedhook_network_ops_inet_dgram_release+0x5e/0xa0 [falcon_lsm_pinned_11312]
[2109633.791143] [<ffffffff92235765>] sock_release+0x25/0x90
[2109633.792070] [<ffffffff922357e2>] sock_close+0x12/0x20
[2109633.793094] [<ffffffff91e500fc>] __fput+0xec/0x230
[2109633.794092] [<ffffffff91e5032e>] ____fput+0xe/0x10
[2109633.795100] [<ffffffff91cc28db>] task_work_run+0xbb/0xe0
[2109633.796009] [<ffffffff91c2cc65>] do_notify_resume+0xa5/0xc0
[2109633.797032] [<ffffffff923962ef>] int_signal+0x12/0x17
[2109633.798123] Code: 4e 03 87 42 8b 40 42 19 ca 14 74 03 ca fd 03 1f b5 d4 d8 1e 45 d5 da 62 9a ab c5 0b 8b 1a d4 71 7f e3 5b d3 25 ad e2 f6 ba 61 4e <22> 35 14 2f 33 f9 ea 52 21 48 0c 99 c1 f7 db 06 41 8a 6f 89 2d
[2109633.800308] RIP [<ffffffffc08957c0>] cshook_network_ops_inet6_sockraw_recvmsg+0x2b970/0x101b0 [falcon_lsm_serviceable]
[2109633.801349] RSP <ffff968ff9f8fe40>
[2109633.802393] CR2: ffffffffc08957c0
Environment
- Red Hat Enterprise Linux 7
- 3rd party module falcon_lsm_serviceable