xen kernel crashes in domU NX-protected page
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
xen-source (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
Using the latest (vmlinuz-
I am using hardy with the default xen installation. It is triggered by something happening with apache2 evidently, and happens irregularly, possibly as a result of malicious input to apache2?
[18211.970960] kernel tried to execute NX-protected page - exploit attempt? (uid: 33)
[18211.970974] BUG: unable to handle kernel paging request at virtual address c1d5dbe0
[18211.970981] printing eip: c1d5dbe0
[18211.970989] 017bb000 -> *pde = 00000001:676f3001
[18211.970993] 017bc000 -> *pme = 00000001:42a7f067
[18211.970997] 00000000 -> *pte = 80000001:67152063
[18211.971004] Oops: 0011 [#1] SMP
[18211.971010] Modules linked in: nf_conntrack_ftp nf_conntrack_ipv4 xt_state nf_conntrack xt_multiport iptable_filter ip_tables x_tables quota_v1 ipv6 evdev ext3 jbd mbcache dm_mirror dm_snapshot dm_mod fuse
[18211.971044]
[18211.971049] Pid: 24093, comm: apache2 Not tainted (2.6.24-19-xen #2)
[18211.971054] EIP: 0061:[<c1d5dbe0>] EFLAGS: 00010206 CPU: 0
[18211.971062] EIP is at 0xc1d5dbe0
[18211.971066] EAX: c1d5cca0 EBX: c1d5cca0 ECX: 00000004 EDX: 00000000
[18211.971070] ESI: 0000000c EDI: 40040000 EBP: 00000000 ESP: dfc1de94
[18211.971074] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0069
[18211.971079] Process apache2 (pid: 24093, ti=dfc1c000 task=ecb4e330 task.ti=dfc1c000)
[18211.971083] Stack: c01623a5 00000000 c03fe800 dfc1dee0 0000000c 0000000e dfc1ded0 c0162456
[18211.971100] c1d9fd60 c15bd86c 0000000e 0000000d c01658c8 0000000e 00000000 0000000e
[18211.971116] 00000000 c1bc8ea0 c1e85d00 c1d5cca0 c22951c0 c1bc8120 c1d9f4c0 c1e82f00
[18211.971133] Call Trace:
[18211.971137] [<c01623a5>] free_hot_
[18211.971155] [<c0162456>] __pagevec_
[18211.971163] [<c01658c8>] release_
[18211.971171] [<c017a5f4>] free_pages_
[18211.971179] [<c01737b7>] exit_mmap+
[18211.971187] [<c0124303>] mmput+0x23/0x80
[18211.971195] [<c0129d95>] do_exit+0x165/0x8b0
[18211.971203] [<c0174250>] do_munmap+
[18211.971210] [<c0183649>] filp_close+
[18211.971217] [<c012a50a>] do_group_
[18211.971224] [<c0105832>] syscall_
[18211.971232] [<c0320000>] vcc_def_
[18211.971240] =======
[18211.971243] Code: 00 00 00 c0 02 40 ed 00 d0 65 e9 80 00 00 40 01 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 c0 13 42 ed 00 e0 65 e9 <00> 20 00 40 01 00 00 00 ff ff ff ff b4 cc d5 c1 00 00 00 00 a0
[18211.971340] EIP: [<c1d5dbe0>] 0xc1d5dbe0 SS:ESP 0069:dfc1de94
[18211.971352] ---[ end trace 627327b2b71cc16d ]---
[18211.971356] Fixing recursive fault but reboot is needed!
Changed in xen-source (Ubuntu):
status: New → Invalid
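How the first oops above decodes, as an added Python example that is not part of the original report: it reads the page-fault error code and the final page-table entry from log lines copied from the report. The function names are illustrative, and the high:low word order of the `*pte` value is an assumption about this kernel's output format.

```python
import re

# First oops from the report, trimmed to the lines the decoder needs.
OOPS = """\
[18211.970960] kernel tried to execute NX-protected page - exploit attempt? (uid: 33)
[18211.970981] printing eip: c1d5dbe0
[18211.970997] 00000000 -> *pte = 80000001:67152063
[18211.971004] Oops: 0011 [#1] SMP
[18211.971049] Pid: 24093, comm: apache2 Not tainted (2.6.24-19-xen #2)
"""

# x86 page-fault error code bits: (mask, meaning if set, meaning if clear)
PF_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write access", "read access"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set in paging entry", None),
    (0x10, "instruction fetch", None),
]
# Flag bits in the low word of a page-table entry.
PTE_LOW = {0x001: "present", 0x002: "writable", 0x004: "user",
           0x020: "accessed", 0x040: "dirty"}

def decode_error_code(code):
    picks = (if_set if code & mask else if_clear for mask, if_set, if_clear in PF_BITS)
    return [p for p in picks if p]

def decode_pte(high, low):
    """Assumes the oops prints a 64-bit PAE entry as high:low 32-bit words."""
    flags = [name for bit, name in PTE_LOW.items() if low & bit]
    if high & 0x80000000:  # bit 63 of the 64-bit entry is NX
        flags.append("no-execute")
    # Frame address: bits 12..51 of the entry, flag bits masked off.
    return flags, ((high & 0x000FFFFF) << 32) | (low & 0xFFFFF000)

def triage(log):
    err = int(re.search(r"Oops: ([0-9a-f]{4})", log).group(1), 16)
    hi, lo = (int(x, 16) for x in
              re.search(r"\*pte = ([0-9a-f]{8}):([0-9a-f]{8})", log).groups())
    flags, frame_addr = decode_pte(hi, lo)
    return {
        "eip": int(re.search(r"printing eip: ([0-9a-f]+)", log).group(1), 16),
        "uid": int(re.search(r"\(uid: (\d+)\)", log).group(1)),
        "comm": re.search(r"comm: (\S+)", log).group(1),
        "fault": decode_error_code(err),
        "pte_flags": flags, "frame_addr": frame_addr,
    }

if __name__ == "__main__":
    print(triage(OOPS))
```

For the first oops this reports a kernel-mode instruction fetch from a page that is present, writable and marked no-execute, which is the condition the log's first line describes.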
Additional crash info including the CPU soft lock that it degrades into. This is a pretty effective DoS in any case.
[27790.285754] kernel tried to execute NX-protected page - exploit attempt? (uid: 33)
[27790.285768] BUG: unable to handle kernel paging request at virtual address c1d7f160
[27790.285776] printing eip: c1d7f160
[27790.285784] 017bb000 -> *pde = 00000001:676f3001
[27790.285787] 017bc000 -> *pme = 00000001:435aa067
[27790.285791] 00000000 -> *pte = 80000001:67130063
[27790.285798] Oops: 0011 [#1] SMP
[27790.285804] Modules linked in: nf_conntrack_ftp nf_conntrack_ipv4 xt_state nf_conntrack xt_multiport iptable_filter ip_tables x_tables quota_v1 ipv6 evdev ext3 jbd mbcache dm_mirror dm_snapshot dm_mod fuse
[27790.285838]
[27790.285843] Pid: 21030, comm: apache2 Not tainted (2.6.24-19-xen #2)
[27790.285849] EIP: 0061:[<c1d7f160>] EFLAGS: 00010206 CPU: 0
[27790.285856] EIP is at 0xc1d7f160
[27790.285860] EAX: c1db96a0 EBX: c1db96a0 ECX: 00000004 EDX: 00000000
[27790.285864] ESI: 00000005 EDI: 40040000 EBP: 00000000 ESP: ea567e94
[27790.285868] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0069
[27790.285872] Process apache2 (pid: 21030, ti=ea566000 task=dffbd190 task.ti=ea566000)
[27790.285876] Stack: c01623a5 00000000 c03fef80 ea567ef8 00000005 0000000d ea567ed0 c0162456
[27790.285893] c1d7b6e0 c15bd2f8 c03fef80 0000000e c0165997 0000000e 00000000 0000000d
[27790.285911] 00000000 c1e6f780 c1fcc660 c2187c60 c1fad920 c1fabbe0 c1d89aa0 c1fa9500
[27790.285928] Call Trace:
[27790.285932] [<c01623a5>] free_hot_cold_page+0x195/0x220
[27790.285948] [<c0162456>] __pagevec_free+0x26/0x30
[27790.285956] [<c0165997>] release_pages+0x137/0x160
[27790.285963] [<c017a5f4>] free_pages_and_swap_cache+0x74/0xa0
[27790.285972] [<c01737b7>] exit_mmap+0xe7/0x100
[27790.285979] [<c0124303>] mmput+0x23/0x80
[27790.285987] [<c0129d95>] do_exit+0x165/0x8b0
[27790.285995] [<c0183649>] filp_close+0x49/0x80
[27790.286002] [<c012a50a>] do_group_exit+0x2a/0xa0
[27790.286009] [<c0105832>] syscall_call+0x7/0xb
[27790.286016] [<c0320000>] vcc_def_wakeup+0x10/0x60
[27790.286024] =======================
[27790.286027] Code: 00 00 00 c0 08 40 ed 20 84 de e7 80 00 00 40 01 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 c0 3c 40 ed 00 a0 70 ea <00> 20 00 40 01 00 00 00 ff ff ff ff b4 96 db c1 00 00 00 00 c0
[27790.286125] EIP: [<c1d7f160>] 0xc1d7f160 SS:ESP 0069:ea567e94
[27790.286137] ---[ end trace 1f3ceb0e275558e5 ]---
[27790.286142] Fixing recursive fault but reboot is needed!
[27873.920667] kernel tried to execute NX-protected page - exploit attempt? (uid: 33)
[27873.920681] BUG: unable to handle kernel paging request at virtual address c1db8f60
[27873.920689] printing eip: c1db8f60
[27873.920696] 017bb000 -> *pde = 00000001:676f3001
[27873.920700] 017bc000 -> *pme = 00000001:435aa067
[27873.920704] 00000000 -> *pte = 80000001:670f7063
[27873.920710] Oops: 0011 [#2] SMP
[27873.920717] Modules linked in: nf_conntrack_ftp nf_conntrack_ipv4 xt_state nf_conntrack xt_multiport iptable_filter ip_tables x_tables quota_v1 ipv6 evdev ext3 jbd mbcache dm_mirror dm_snapshot dm_mod fuse
[27873.920750]
[27873.920755] Pid: 21305, comm:...