Re: rng_dev_read: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64'
From: Ard Biesheuvel
Date: Mon Sep 10 2018 - 16:02:42 EST
On 10 September 2018 at 21:53, Theodore Y. Ts'o <tytso@xxxxxxx> wrote:
> On Mon, Sep 10, 2018 at 08:08:51PM +0300, Meelis Roos wrote:
>> This is weekend's 4.19.0-rc2-00246-gd7b686ebf704 on a ThinkPad T460s.
>> There seems to be a usercopy warning from rng_dev_read (full dmesg
>> below).
>
> Looking at rng_dev_read(), which is in drivers/char/hw_random.c, it
> looks like this was probably caused by a problem in the specific
> hardware random number generator being used. Can you tell us which
> one was in use?
>
The line right before the splat suggests that this is tpm_get_random()
in drivers/char/tpm/tpm-interface.c
[...]
>> [146535.257274] tpm tpm0: A TPM error (379) occurred attempting get random
>> [146535.257304] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)!
The TPM return code '379' is returned from rng_get_data(), and
interpreted as a byte count rather than an error code.
>> [146535.257331] ------------[ cut here ]------------
>> [146535.257338] kernel BUG at mm/usercopy.c:102!
>> [146535.257361] invalid opcode: 0000 [#1] SMP PTI
>> [146535.257375] CPU: 0 PID: 1729 Comm: rngd Not tainted 4.19.0-rc2-00246-gd7b686ebf704 #36
>> [146535.257382] Hardware name: LENOVO 20F9003SMS/20F9003SMS, BIOS N1CET65W (1.33 ) 02/16/2018
>> [146535.257402] RIP: 0010:usercopy_abort+0x6f/0x71
>> [146535.257412] Code: 0f 45 c6 48 c7 c2 b4 26 80 a4 48 c7 c6 b5 53 7f a4 51 48 0f 45 f2 48 89 f9 41 52 48 89 c2 48 c7 c7 80 27 80 a4 e8 7e 3a ed ff <0f> 0b 49 89 e8 31 c9 44 89 e2 31 f6 48 c7 c7 e8 26 80 a4 e8 79 ff
>> [146535.257421] RSP: 0018:ffffbc4ec076bdb0 EFLAGS: 00010246
>> [146535.257433] RAX: 0000000000000065 RBX: ffff9c2d1464ad80 RCX: 0000000000000006
>> [146535.257441] RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffff9c2d16a15500
>> [146535.257449] RBP: 000000000000017b R08: ffffffffa3f11900 R09: 0000000000000065
>> [146535.257457] R10: ffffffffa50908d8 R11: ffffffffa507efae R12: 0000000000000001
>> [146535.257463] R13: ffff9c2d1464aefb R14: 000000000000017b R15: 000000000000017b
>> [146535.257474] FS: 00007f023c524700(0000) GS:ffff9c2d16a00000(0000) knlGS:0000000000000000
>> [146535.257484] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [146535.257492] CR2: 00001834aa0fc000 CR3: 0000000309104005 CR4: 00000000003606f0
>> [146535.257499] Call Trace:
>> [146535.257524] __check_heap_object+0xd5/0x100
>> [146535.257539] __check_object_size+0xf5/0x17c
>> [146535.257554] rng_dev_read+0x6e/0x270
>> [146535.257576] __vfs_read+0x31/0x170
>> [146535.257604] vfs_read+0x85/0x130
>> [146535.257631] ksys_read+0x4a/0xb0
>> [146535.257658] do_syscall_64+0x4a/0xf0
>> [146535.257695] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [146535.257716] RIP: 0033:0x7f023c6f6394
>> [146535.257735] Code: 84 00 00 00 00 00 41 54 55 49 89 d4 53 48 89 f5 89 fb 48 83 ec 10 e8 8b fc ff ff 4c 89 e2 41 89 c0 48 89 ee 89 df 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 38 44 89 c7 48 89 44 24 08 e8 c7 fc ff ff 48
>> [146535.257748] RSP: 002b:00007f023c523e10 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
>> [146535.257767] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f023c6f6394
>> [146535.257776] RDX: 00000000000009c4 RSI: 0000563938a24f00 RDI: 0000000000000003
>> [146535.257790] RBP: 0000563938a24f00 R08: 0000000000000000 R09: 00007fff1df64080
>> [146535.257803] R10: 0000000000000001 R11: 0000000000000246 R12: 00000000000009c4
>> [146535.257816] R13: 00007fff1dedba3f R14: 00007fff1dedba40 R15: 0000000000000000
>> [146535.257836] Modules linked in: ipheth tun ipt_MASQUERADE nf_conntrack_netlink iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter bpfilter xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay fuse bnep cpufreq_userspace snd_hda_codec_hdmi iwlmvm mac80211 uvcvideo snd_hda_codec_realtek videobuf2_vmalloc cdc_mbim iwlwifi x86_pkg_temp_thermal videobuf2_memops snd_hda_codec_generic intel_powerclamp cdc_wdm videobuf2_v4l2 coretemp videobuf2_common joydev pcspkr cdc_ncm btusb snd_hda_intel iTCO_wdt btrtl iTCO_vendor_support btbcm snd_hda_codec videodev snd_hwdep media usbnet btintel snd_hda_core mii cdc_acm cfg80211 bluetooth ecdh_generic mei_me mei intel_pch_thermal tpm_crb tpm_tis tpm_tis_core thinkpad_acpi tpm pcc_cpufreq ip_tables dm_crypt dm_mod
>> [146535.258082] dax hid_generic rtsx_pci_sdmmc mmc_core crct10dif_pclmul e1000e i2c_i801 rtsx_pci mfd_core
>> [146535.258139] ---[ end trace 40fa61fde8e22944 ]---
>> [146535.258260] RIP: 0010:usercopy_abort+0x6f/0x71
>> [146535.258290] Code: 0f 45 c6 48 c7 c2 b4 26 80 a4 48 c7 c6 b5 53 7f a4 51 48 0f 45 f2 48 89 f9 41 52 48 89 c2 48 c7 c7 80 27 80 a4 e8 7e 3a ed ff <0f> 0b 49 89 e8 31 c9 44 89 e2 31 f6 48 c7 c7 e8 26 80 a4 e8 79 ff
>> [146535.258315] RSP: 0018:ffffbc4ec076bdb0 EFLAGS: 00010246
>> [146535.258367] RAX: 0000000000000065 RBX: ffff9c2d1464ad80 RCX: 0000000000000006
>> [146535.258391] RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffff9c2d16a15500
>> [146535.258421] RBP: 000000000000017b R08: ffffffffa3f11900 R09: 0000000000000065
>> [146535.258450] R10: ffffffffa50908d8 R11: ffffffffa507efae R12: 0000000000000001
>> [146535.258485] R13: ffff9c2d1464aefb R14: 000000000000017b R15: 000000000000017b
>> [146535.258520] FS: 00007f023c524700(0000) GS:ffff9c2d16a00000(0000) knlGS:0000000000000000
>> [146535.258555] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [146535.258593] CR2: 00001834aa0fc000 CR3: 0000000309104005 CR4: 00000000003606f0
>>
>> --
>> Meelis Roos (mroos@xxxxxxxx)
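As an added illustration (not kernel code, and not written by anyone in this thread) of the failure mode described above: a hardware backend that hands back a positive TPM status word where the caller expects a byte count, and how the copy length then exceeds the 64-byte object. The fake backend, the function names and the 379/2500 values are constructed to mirror the report.

```c
/* Constructed example: positive TPM status word leaking into a byte count. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define RNG_BUFFER_SIZE 64        /* the rng buffer lives in a kmalloc-64 object */
#define TPM_ERR_CONSTRUCTED 379   /* positive TPM status word seen in the report */

/* Stand-in for the hardware backend: returns bytes produced, or a positive
 * TPM status word on failure, which is the shape the thread complains about. */
static int fake_tpm_get_random(unsigned char *out, size_t max, int inject_error)
{
    if (inject_error)
        return TPM_ERR_CONSTRUCTED;   /* error surfaces as a "count" */
    memset(out, 0x5a, max);
    return (int)max;
}

/* Buggy shape: trusts the backend's return as a byte count. Returns the
 * length that would be passed to copy_to_user(); with an error injected
 * that is 379, larger than the 64-byte object, which is exactly what the
 * usercopy hardening check in the splat caught. */
int rng_read_buggy(size_t requested, int inject_error)
{
    unsigned char rng_buffer[RNG_BUFFER_SIZE];
    size_t want = requested < RNG_BUFFER_SIZE ? requested : RNG_BUFFER_SIZE;
    int n = fake_tpm_get_random(rng_buffer, want, inject_error);

    if (n < 0)
        return n;           /* only negative errno is treated as an error */
    return n;               /* a positive status word flows on as a length */
}

/* Hardened shape: any return outside [0, want] is an error, never a length. */
int rng_read_checked(size_t requested, int inject_error)
{
    unsigned char rng_buffer[RNG_BUFFER_SIZE];
    size_t want = requested < RNG_BUFFER_SIZE ? requested : RNG_BUFFER_SIZE;
    int n = fake_tpm_get_random(rng_buffer, want, inject_error);

    if (n < 0)
        return n;
    if ((size_t)n > want)
        return -EIO;        /* backend status word, not a byte count */
    return n;
}
```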