Sanitize CPU-state when switching from virtual-8086 mode to other task
From: halfdog
Date: Sat Dec 28 2013 - 17:48:07 EST
It seems that missing CPU-state sanitation during task switching
triggers a kernel panic. This might be related to unhandled FPU errors.
See [1] for the POC and the serial console log of the OOPS. Due to missing real
32-bit x86 hardware, it is not clear if this issue might be related to
subtle differences in virtual-8086 mode handling when inside a
VirtualBox guest.
hd
[1] http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/
[ 348.270712] fpu exception: 0000 [#1]
[ 348.270763] Modules linked in: nfnetlink_log nfnetlink xt_multiport
xt_hashlimit xt_tcpudp ipt_ULOG xt_LOG xt_conntrack iptable_raw
iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
nf_conntrack iptable_mangle iptable_filter ip_tables x_tables snd_pcm
snd_page_alloc snd_timer snd parport_pc soundcore microcode psmouse
serio_raw pcspkr evdev parport ac battery button i2c_piix4 i2c_core
ext4 crc16 mbcache jbd2 sg sr_mod sd_mod cdrom crc_t10dif ata_generic
ata_piix mptspi scsi_transport_spi mptscsih libata mptbase pcnet32 mii
scsi_mod
[ 348.270763] CPU: 0 PID: 3 Comm: ksoftirqd/0 Not tainted 3.11-2-486
#1 Debian 3.11.10-1
[ 348.270763] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[ 348.270763] task: cf835400 ti: cf930000 task.ti: cf84a000
[ 348.270763] EIP: 0060:[<c10013e0>] EFLAGS: 00010002 CPU: 0
[ 348.270763] EIP is at __switch_to+0x190/0x300
[ 348.270763] EAX: cd2eec00 EBX: cd2eec00 ECX: 00000000 EDX: 00000000
[ 348.270763] ESI: cf835400 EDI: 00000001 EBP: cd2eedf8 ESP: cf931a40
[ 348.270763] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[ 348.270763] CR0: 80050033 CR2: b76997e0 CR3: 0d11a000 CR4: 00000690
[ 348.270763] Stack:
[ 348.270763] 4a6ef7ab ccee9c80 ccee9900 cf835400 c13978cf cd2eec00
00200082 c15de480
[ 348.270763] 00000018 67bf6d70 cf930000 cd2eec00 1625d3df 00000051
cd2eec2c c1056e15
[ 348.270763] 00200086 0000000a cf931a90 c1006cc8 00393f1e 00000000
5d3e5d0f 00000040
[ 348.270763] Call Trace:
[ 348.270763] [<c13978cf>] ? __schedule+0x1ef/0x510
[ 348.270763] [<c1056e15>] ? update_curr+0x95/0x140
[ 348.270763] [<c1006cc8>] ? sched_clock+0x8/0x10
[ 348.270763] [<c13973d5>] ? schedule_hrtimeout_range_clock+0x165/0x180
[ 348.270763] [<c1044e9f>] ? __flush_work+0xbf/0x100
[ 348.270763] [<d0a4fa59>] ? nf_nat_get_offset+0x39/0x60 [nf_nat]
[ 348.270763] [<d0a68df7>] ? tcp_packet+0x637/0xf40 [nf_conntrack]
[ 348.270763] [<c124932c>] ? tty_write_room+0xc/0x20
[ 348.270763] [<c1246fb9>] ? n_tty_poll+0x189/0x1a0
[ 348.270763] [<c13973ff>] ? schedule_hrtimeout_range+0xf/0x20
[ 348.270763] [<c11093a0>] ? poll_schedule_timeout+0x20/0x40
[ 348.270763] [<c1109c77>] ? do_select+0x537/0x5f0
[ 348.270763] [<c11094d0>] ? poll_select_copy_remaining+0x110/0x110
[ 348.270763] [<c11094d0>] ? poll_select_copy_remaining+0x110/0x110
[ 348.270763] [<c11094d0>] ? poll_select_copy_remaining+0x110/0x110
[ 348.270763] [<c11094d0>] ? poll_select_copy_remaining+0x110/0x110
[ 348.270763] [<c12f688d>] ? nf_iterate+0x7d/0x90
[ 348.270763] [<c1067e6c>] ? __getnstimeofday+0x2c/0x110
[ 348.270763] [<c133f7f2>] ? bictcp_cong_avoid+0x12/0x4a0
[ 348.270763] [<c1067f55>] ? getnstimeofday+0x5/0x20
[ 348.270763] [<c131116b>] ? tcp_ack+0x82b/0xdc0
[ 348.270763] [<c10353a0>] ? local_bh_enable+0x70/0x80
[ 348.270763] [<c1300301>] ? ip_finish_output+0x151/0x350
[ 348.270763] [<c10c612a>] ? put_compound_page+0xa/0xe0
[ 348.270763] [<c1311b07>] ? tcp_rcv_established+0xf7/0x7a0
[ 348.270763] [<c12c1edc>] ? sk_reset_timer+0xc/0x20
[ 348.270763] [<c131a94e>] ? tcp_v4_do_rcv+0x15e/0x3b0
[ 348.270763] [<c12c3558>] ? release_sock+0x88/0xf0
[ 348.270763] [<c13088d7>] ? tcp_sendmsg+0x177/0xc60
[ 348.270763] [<c1056e15>] ? update_curr+0x95/0x140
[ 348.270763] [<c1109e5c>] ? core_sys_select+0x12c/0x220
[ 348.270763] [<c12beee1>] ? sock_aio_write+0xe1/0x110
[ 348.270763] [<c10f9cda>] ? do_sync_write+0x6a/0xa0
[ 348.270763] [<c112b673>] ? fsnotify+0x203/0x2f0
[ 348.270763] [<c1109fdf>] ? SyS_select+0x8f/0xc0
[ 348.270763] [<c100aca2>] ? syscall_trace_leave+0xa2/0xb0
[ 348.270763] [<c1398fef>] ? syscall_call+0x7/0xb
[ 348.270763] Code: e9 1d ff ff ff 8d b6 00 00 00 00 b8 7d 00 00 00
e8 36 b8 00 00 84 c0 0f 85 e1 fe ff ff 0f 06 8d 74 26 00 e9 d6 fe ff
ff 8d 76 00 <0f> 77 db 83 4c 02 00 00 89 f6 8d b6 00 00 00 00 eb 66 b8
ff ff
[ 348.270763] EIP: [<c10013e0>] __switch_to+0x190/0x300 SS:ESP
0068:cf931a40
[ 348.270763] ---[ end trace c3836805b501f815 ]---
[ 348.274764] ------------[ cut here ]------------
[ 348.278424] kernel BUG at
/build/linux-tAcKXn/linux-3.11.10/kernel/exit.c:870!
[ 348.278764] invalid opcode: 0000 [#2]
[ 348.278764] Modules linked in: nfnetlink_log nfnetlink xt_multiport
xt_hashlimit xt_tcpudp ipt_ULOG xt_LOG xt_conntrack iptable_raw
iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
nf_conntrack iptable_mangle iptable_filter ip_tables x_tables snd_pcm
snd_page_alloc snd_timer snd parport_pc soundcore microcode psmouse
serio_raw pcspkr evdev parport ac battery button i2c_piix4 i2c_core
ext4 crc16 mbcache jbd2 sg sr_mod sd_mod cdrom crc_t10dif ata_generic
ata_piix mptspi scsi_transport_spi mptscsih libata mptbase pcnet32 mii
scsi_mod
[ 348.278764] CPU: 0 PID: 2220 Comm: sshd Tainted: G D
3.11-2-486 #1 Debian 3.11.10-1
[ 348.278764] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[ 348.278764] task: cd2eec00 ti: cf930000 task.ti: cf930000
[ 348.278764] EIP: 0060:[<c103348a>] EFLAGS: 00010282 CPU: 0
[ 348.278764] EIP is at do_exit+0x44a/0x830
[ 348.278764] EAX: 00000080 EBX: cf835400 ECX: 00000000 EDX: cd2eec00
[ 348.278764] ESI: 00000001 EDI: 00000001 EBP: cf835c00 ESP: cf93190c
[ 348.278764] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[ 348.278764] CR0: 80050033 CR2: b74faf38 CR3: 0d11a000 CR4: 00000690
[ 348.278764] Stack:
[ 348.278764] 0000000b cf931a04 00000010 c1393e1c cf835510 cf8353f8
cf835510 00000001
[ 348.278764] cf835558 cf931930 cf931930 00000046 0000000b cf931a04
00000010 c1399cf1
[ 348.278764] cf931a04 cf931a04 cf835400 c1446e22 c10029be 00000000
00000010 00000008
[ 348.278764] Call Trace:
[ 348.278764] [<c1393e1c>] ? printk+0x37/0x3b
[ 348.278764] [<c1399cf1>] ? oops_end+0x81/0xc0
[ 348.278764] [<c10029be>] ? math_error+0x14e/0x2d0
[ 348.278764] [<c1056e15>] ? update_curr+0x95/0x140
[ 348.278764] [<c1056921>] ? sched_slice.isra.35+0x41/0x80
[ 348.278764] [<c1055a8a>] ? update_cpu_load_active+0x1a/0x80
[ 348.278764] [<c1056e15>] ? update_curr+0x95/0x140
[ 348.278764] [<c1002b40>] ? math_error+0x2d0/0x2d0
[ 348.278764] [<c1399585>] ? error_code+0x65/0x70
[ 348.278764] [<c10013e0>] ? __switch_to+0x190/0x300
[ 348.278764] [<c13978cf>] ? __schedule+0x1ef/0x510
[ 348.278764] [<c1056e15>] ? update_curr+0x95/0x140
[ 348.278764] [<c1006cc8>] ? sched_clock+0x8/0x10
[ 348.278764] [<c13973d5>] ? schedule_hrtimeout_range_clock+0x165/0x180
[ 348.278764] [<c1044e9f>] ? __flush_work+0xbf/0x100
[ 348.278764] [<d0a4fa59>] ? nf_nat_get_offset+0x39/0x60 [nf_nat]
[ 348.278764] [<d0a68df7>] ? tcp_packet+0x637/0xf40 [nf_conntrack]
[ 348.278764] [<c124932c>] ? tty_write_room+0xc/0x20
[ 348.278764] [<c1246fb9>] ? n_tty_poll+0x189/0x1a0
[ 348.278764] [<c13973ff>] ? schedule_hrtimeout_range+0xf/0x20
[ 348.278764] [<c11093a0>] ? poll_schedule_timeout+0x20/0x40
[ 348.278764] [<c1109c77>] ? do_select+0x537/0x5f0
[ 348.278764] [<c11094d0>] ? poll_select_copy_remaining+0x110/0x110
[ 348.278764] [<c11094d0>] ? poll_select_copy_remaining+0x110/0x110
[ 348.278764] [<c11094d0>] ? poll_select_copy_remaining+0x110/0x110
[ 348.278764] [<c11094d0>] ? poll_select_copy_remaining+0x110/0x110
[ 348.278764] [<c12f688d>] ? nf_iterate+0x7d/0x90
[ 348.278764] [<c1067e6c>] ? __getnstimeofday+0x2c/0x110
[ 348.278764] [<c133f7f2>] ? bictcp_cong_avoid+0x12/0x4a0
[ 348.278764] [<c1067f55>] ? getnstimeofday+0x5/0x20
[ 348.278764] [<c131116b>] ? tcp_ack+0x82b/0xdc0
[ 348.278764] [<c10353a0>] ? local_bh_enable+0x70/0x80
[ 348.278764] [<c1300301>] ? ip_finish_output+0x151/0x350
[ 348.278764] [<c10c612a>] ? put_compound_page+0xa/0xe0
[ 348.278764] [<c1311b07>] ? tcp_rcv_established+0xf7/0x7a0
[ 348.278764] [<c12c1edc>] ? sk_reset_timer+0xc/0x20
[ 348.278764] [<c131a94e>] ? tcp_v4_do_rcv+0x15e/0x3b0
[ 348.278764] [<c12c3558>] ? release_sock+0x88/0xf0
[ 348.278764] [<c13088d7>] ? tcp_sendmsg+0x177/0xc60
[ 348.278764] [<c1056e15>] ? update_curr+0x95/0x140
[ 348.278764] [<c1109e5c>] ? core_sys_select+0x12c/0x220
[ 348.278764] [<c12beee1>] ? sock_aio_write+0xe1/0x110
[ 348.278764] [<c10f9cda>] ? do_sync_write+0x6a/0xa0
[ 348.278764] [<c112b673>] ? fsnotify+0x203/0x2f0
[ 348.278764] [<c1109fdf>] ? SyS_select+0x8f/0xc0
[ 348.278764] [<c100aca2>] ? syscall_trace_leave+0xa2/0xb0
[ 348.278764] [<c1398fef>] ? syscall_call+0x7/0xb
[ 348.278764] Code: 74 05 e8 9a 2d 09 00 8b 83 c4 03 00 00 85 c0 74
06 01 05 60 d8 4e c1 f3 90 81 4b 0c 00 80 00 00 c7 03 40 00 00 00 e8
66 47 36 00 <0f> 0b 8d 74 26 00 8b 46 10 85 c0 0f 85 67 02 00 00 89 ae
0c 01
[ 348.278764] EIP: [<c103348a>] do_exit+0x44a/0x830 SS:ESP 0068:cf93190c
[ 348.278776] ---[ end trace c3836805b501f816 ]---
[ 348.285890] type=1106 audit(1388235169.398:64338): pid=2218 uid=0
auid=1000 ses=2
[ 348.285890] msg='op=PAM:session_close acct="test"
exe="/usr/sbin/sshd" hostname=10.255.255.1 addr=10.255.255.1
terminal=ssh res=success'
[ 348.287096] type=1104 audit(1388235169.402:64339): pid=2218 uid=0
auid=1000 ses=2
[ 348.287096] msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd"
hostname=10.255.255.1 addr=10.255.255.1 terminal=ssh res=success'
[ 348.766895] fpu exception: 0000 [#3]
[ 348.770794] Modules linked in: nfnetlink_log nfnetlink xt_multiport
xt_hashlimit xt_tcpudp ipt_ULOG xt_LOG xt_conntrack iptable_raw
iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat
nf_conntrack iptable_mangle iptable_filter ip_tables x_tables snd_pcm
snd_page_alloc snd_timer snd parport_pc soundcore microcode psmouse
serio_raw pcspkr evdev parport ac battery button i2c_piix4 i2c_core
ext4 crc16 mbcache jbd2 sg sr_mod sd_mod cdrom crc_t10dif ata_generic
ata_piix mptspi scsi_transport_spi mptscsih libata mptbase pcnet32 mii
scsi_mod
[ 348.770794] CPU: 0 PID: 0 Comm: swapper Tainted: G D
3.11-2-486 #1 Debian 3.11.10-1
[ 348.770794] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[ 348.770794] task: c14d84e0 ti: cdd84000 task.ti: c14cc000
[ 348.770794] EIP: 0060:[<c10013e0>] EFLAGS: 00210002 CPU: 0
[ 348.770794] EIP is at __switch_to+0x190/0x300
[ 348.770794] EAX: cf5ec000 EBX: cf5ec000 ECX: 00000000 EDX: 00000000
[ 348.770794] ESI: c14d84e0 EDI: 00000001 EBP: cf5ec1f8 ESP: cdd85ad8
[ 348.770794] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[ 348.770794] CR0: 80050033 CR2: b7662000 CR3: 0cdb3000 CR4: 00000690
[ 348.770794] Stack:
[ 348.770794] 37df9a44 ccf3d040 ccf3dac0 c14d84e0 c13978cf cf5ec000
00200082 00000000
[ 348.770794] 00000000 00000000 cdd84000 cf5ec000 00000000 ccf11ef0
c14e6e98 c11c4d70
[ 348.770794] 65747300 cdd85b7c c14e6e8c c104d0ca 65747300 cdd85b7c
c14e6e8c 00200292
[ 348.770794] Call Trace:
[ 348.770794] [<c13978cf>] ? __schedule+0x1ef/0x510
[ 348.770794] [<c11c4d70>] ? timerqueue_add+0x50/0xb0
[ 348.770794] [<c104d0ca>] ? enqueue_hrtimer+0x1a/0x60
[ 348.770794] [<c1397332>] ? schedule_hrtimeout_range_clock+0xc2/0x180
[ 348.770794] [<c104cdc0>] ? hrtimer_get_res+0x30/0x30
[ 348.770794] [<c139731d>] ? schedule_hrtimeout_range_clock+0xad/0x180
[ 348.770794] [<c13973ff>] ? schedule_hrtimeout_range+0xf/0x20
[ 348.770794] [<c11093a0>] ? poll_schedule_timeout+0x20/0x40
[ 348.770794] [<c110a671>] ? do_sys_poll+0x3f1/0x490
[ 348.770794] [<c12d33c8>] ? dev_queue_xmit+0x1f8/0x3b0
[ 348.770794] [<c10353a0>] ? local_bh_enable+0x70/0x80
[ 348.770794] [<c1300301>] ? ip_finish_output+0x151/0x350
[ 348.770794] [<c13005c8>] ? ip_local_out+0x18/0x20
[ 348.770794] [<c13017cb>] ? ip_send_skb+0xb/0x50
[ 348.770794] [<c132376b>] ? udp_send_skb+0x27b/0x340
[ 348.770794] [<c1323af8>] ? udp_sendmsg+0x268/0x820
[ 348.770794] [<c12ff070>] ? ip_copy_metadata+0x140/0x140
[ 348.770794] [<c11094d0>] ? poll_select_copy_remaining+0x110/0x110
[ 348.770794] [<c11094d0>] ? poll_select_copy_remaining+0x110/0x110
[ 348.770794] [<c11c59f8>] ? put_dec.part.1+0xb8/0x100
[ 348.770794] [<c11c5dcf>] ? number.isra.2+0x38f/0x3a0
[ 348.770794] [<c11c76d9>] ? vsnprintf+0x179/0x420
[ 348.770794] [<c10bbc60>] ? find_get_page+0x10/0x50
[ 348.770794] [<c10bc5af>] ? find_lock_page+0x1f/0x60
[ 348.770794] [<c10ce33d>] ? shmem_getpage_gfp+0x7d/0x680
[ 348.770794] [<c11c5448>] ? format_decode+0x308/0x370
[ 348.770794] [<c11c770b>] ? vsnprintf+0x1ab/0x420
[ 348.770794] [<c10cf09f>] ? shmem_fault+0x3f/0x90
[ 348.770794] [<c10d8059>] ? __do_fault+0x329/0x450
[ 348.770794] [<c1396c18>] ? mutex_lock+0x8/0x15
[ 348.770794] [<c1100f35>] ? pipe_read+0x205/0x470
[ 348.770794] [<c10f9c3a>] ? do_sync_read+0x6a/0xa0
[ 348.770794] [<c1068117>] ? ktime_get_ts+0x37/0xf0
[ 348.770794] [<c1109718>] ? poll_select_set_timeout+0x58/0x80
[ 348.770794] [<c110a7ad>] ? SyS_poll+0x4d/0xb0
[ 348.770794] [<c1398fef>] ? syscall_call+0x7/0xb
[ 348.770794] Code: e9 1d ff ff ff 8d b6 00 00 00 00 b8 7d 00 00 00
e8 36 b8 00 00 84 c0 0f 85 e1 fe ff ff 0f 06 8d 74 26 00 e9 d6 fe ff
ff 8d 76 00 <0f> 77 db 83 4c 02 00 00 89 f6 8d b6 00 00 00 00 eb 66 b8
ff ff
[ 348.770794] EIP: [<c10013e0>] __switch_to+0x190/0x300 SS:ESP
0068:cdd85ad8
[ 348.770794] ---[ end trace c3836805b501f817 ]---
[ 348.770794] Kernel panic - not syncing: Attempted to kill the idle
task!
--
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
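As an added illustration (not part of halfdog's report or the POC), a small Python parser over the key lines of the serial console log above: it splits the output into the three numbered traps, records which task each one hit and whether the kernel was already tainted by an earlier oops, and flags the final panic that killed the idle task (PID 0). The constants and function names are the example's own.

```python
import re

# Excerpt of the serial console log quoted in the report (dumps and call traces dropped, wrapped lines rejoined).
OOPS_LOG = """\
[ 348.270712] fpu exception: 0000 [#1]
[ 348.270763] CPU: 0 PID: 3 Comm: ksoftirqd/0 Not tainted 3.11-2-486 #1 Debian 3.11.10-1
[ 348.270763] EIP is at __switch_to+0x190/0x300
[ 348.278424] kernel BUG at /build/linux-tAcKXn/linux-3.11.10/kernel/exit.c:870!
[ 348.278764] invalid opcode: 0000 [#2]
[ 348.278764] CPU: 0 PID: 2220 Comm: sshd Tainted: G D 3.11-2-486 #1 Debian 3.11.10-1
[ 348.278764] EIP is at do_exit+0x44a/0x830
[ 348.766895] fpu exception: 0000 [#3]
[ 348.770794] CPU: 0 PID: 0 Comm: swapper Tainted: G D 3.11-2-486 #1 Debian 3.11.10-1
[ 348.770794] EIP is at __switch_to+0x190/0x300
[ 348.770794] Kernel panic - not syncing: Attempted to kill the idle task!
"""

TRAP_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\] (?P<trap>[A-Za-z ]+): [0-9a-f]{4} \[#(?P<n>\d+)\]")
TASK_RE = re.compile(r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+) (?P<taint>Not tainted|Tainted: [A-Z ]*[A-Z]) \d")
EIP_RE = re.compile(r"EIP is at (\S+)")
BUG_RE = re.compile(r"kernel BUG at (\S+)!")
PANIC_RE = re.compile(r"Kernel panic - not syncing: (.*)")
def parse_oops(text):
    """One record per numbered trap ([#1], [#2], ...): the task that took it, the faulting
    symbol, whether the kernel was already tainted, and a BUG() location if one preceded it."""
    records, cur, pending_bug = [], None, None
    for line in text.splitlines():
        if m := BUG_RE.search(line):
            pending_bug = m.group(1)                      # printed just before the trap header
        elif m := TRAP_RE.match(line):
            cur = {"n": int(m["n"]), "trap": m["trap"], "ts": float(m["ts"]), "bug_at": pending_bug,
                   "pid": None, "comm": None, "tainted": None, "symbol": None}
            records.append(cur)
            pending_bug = None
        elif cur is not None and (m := TASK_RE.search(line)):
            cur["pid"], cur["comm"] = int(m["pid"]), m["comm"]
            cur["tainted"] = m["taint"] != "Not tainted"   # "Tainted: G D": a prior oops (D) already happened
        elif cur is not None and (m := EIP_RE.search(line)):
            cur["symbol"] = m.group(1).split("+")[0]       # drop the +offset/size suffix
    return records

def panic_chain(text):
    """Summarise the cascade: first trap, traps on an already tainted kernel, idle-task kill, panic."""
    recs, m = parse_oops(text), PANIC_RE.search(text)
    return {
        "first_trap": (recs[0]["trap"], recs[0]["symbol"], recs[0]["comm"]) if recs else None,
        "traps_on_tainted_kernel": [r["n"] for r in recs if r["tainted"]],
        "idle_task_killed": any(r["pid"] == 0 for r in recs),
        "panic": m.group(1).strip() if m else None,
    }
```

Running `panic_chain(OOPS_LOG)` shows the shape of the crash: the first fpu exception in `__switch_to` hits ksoftirqd/0 on a clean kernel, the following two traps already run on a tainted (D) kernel, and the third one lands in the swapper task, which is why the last line is a panic rather than another oops.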