Message-ID: <20160927163414.GA21487@djo.tudelft.nl>
Date:   Tue, 27 Sep 2016 18:34:14 +0200
From:   Wim Osterholt <wim@....tudelft.nl>
To:     Oliver Neukum <oneukum@...e.com>
Cc:     linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
        Wim Osterholt <wim@....tudelft.nl>
Subject: Re: crash by cdc_acm driver in kernels 4.8-rc1/5

On Thu, Sep 22, 2016 at 04:40:50PM +0200, Oliver Neukum wrote:
> 
> dmesg -c
> echo 9 > /proc/sysrq-trigger
> modprobe cdc_acm
> echo "module cdc_acm +mpf" > /sys/kernel/debug/dynamic_debug/control
> 
> [plug your device in]
> 
> and provide the full output of dmesg after that.

After some experimenting I succeeded in grabbing it over the serial port.
The console was immediately frozen, but the serial port kept working:

[  407.859834] sysrq: SysRq : Changing Loglevel
[  407.908433] sysrq: Loglevel set to 9
[  407.980538] usbcore: registered new interface driver cdc_acm
[  408.044439] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[  410.480711] usb 6-1: new full-speed USB device number 2 using uhci_hcd
[  410.696717] usb 6-1: New USB device found, idVendor=0572, idProduct=1340
[  410.700739] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  410.704738] usb 6-1: Product: USB Modem
[  410.708735] usb 6-1: Manufacturer: Conexant
[  410.708738] usb 6-1: SerialNumber: 12345678
[  410.763492] cdc_acm:acm_probe: cdc_acm 6-1:1.0: interfaces are valid
[  410.763515] BUG: unable to handle kernel NULL pointer dereference at 00000249
[  410.763522] IP: [<e08dfc77>] acm_probe+0x4ee/0xc8c [cdc_acm]
[  410.763524] *pde = 00000000 
[  410.763526] Oops: 0000 [#1] SMP
[  410.763562] Modules linked in: cdc_acm nouveau video drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit cfg80211 rfkill binfmt_misc snd_pcm_oss snd_mixer_oss fbcon bitblit softcursor font tileblit sr9700 dm9601 usb_storage usbnet snd_hda_codec_generic mii snd_hda_intel snd_hda_codec tg3 snd_hwdep ptp snd_hda_core pps_core snd_pcm gpio_ich libphy firmware_class pcspkr ohci_pci lpc_ich ppdev snd_timer mfd_core ohci_hcd snd uhci_hcd wmi parport_pc floppy ehci_pci soundcore parport ehci_hcd acpi_cpufreq button processor
[  410.763565] CPU: 0 PID: 429 Comm: kworker/0:1 Not tainted 4.8.0-rc8 #1
[  410.763567] Hardware name: Hewlett-Packard HP xw4300 Workstation/0A00h, BIOS 786D3 v01.08 03/10/2006
[  410.763572] Workqueue: usb_hub_wq hub_event
[  410.763574] task: df523f00 task.stack: dec30000
[  410.763576] EIP: 0060:[<e08dfc77>] EFLAGS: 00010202 CPU: 0
[  410.763579] EIP is at acm_probe+0x4ee/0xc8c [cdc_acm]
[  410.763581] EAX: 00000246 EBX: decff000 ECX: e08e1854 EDX: 00000000
[  410.763582] ESI: 00000100 EDI: 00000000 EBP: dec31c18 ESP: dec31b80
[  410.763584]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  410.763586] CR0: 80050033 CR2: 00000249 CR3: 13edd000 CR4: 00000690
[  410.763587] Stack:
[  410.763592]  00003a20 00003d01 0000000f df4a9d50 00000000 00000000 00000010 00000040
[  410.763597]  00000080 00000246 df650ec0 dee42800 da86f470 00000001 df7d2e80 df7d2eb8
[  410.763601]  da86f400 dee42600 dee42800 00000000 da95f000 00000004 00000246 dec31c00
[  410.763602] Call Trace:
[  410.763609]  [<c04cee8d>] ? __mutex_unlock_slowpath+0xf4/0xfc
[  410.763614]  [<c03cda6c>] ? usb_probe_interface+0x17b/0x1f6
[  410.763616]  [<c03cda6c>] ? usb_probe_interface+0x17b/0x1f6
[  410.763620]  [<c0361090>] ? driver_probe_device+0x17b/0x30e
[  410.763622]  [<c0361090>] ? driver_probe_device+0x17b/0x30e
[  410.763625]  [<c035f78a>] ? bus_for_each_drv+0x59/0x68
[  410.763627]  [<c035f78a>] ? bus_for_each_drv+0x59/0x68
[  410.763629]  [<c0360e3e>] ? __device_attach+0x91/0x105
[  410.763631]  [<c0361324>] ? driver_allows_async_probing+0x2f/0x2f
[  410.763634]  [<c0360412>] ? bus_probe_device+0x27/0x6b
[  410.763636]  [<c0360412>] ? bus_probe_device+0x27/0x6b
[  410.763638]  [<c035eb98>] ? device_add+0x289/0x4be
[  410.763641]  [<c03cc3d1>] ? usb_set_configuration+0x5a6/0x5e9
[  410.763643]  [<c03cc3d1>] ? usb_set_configuration+0x5a6/0x5e9
[  410.763647]  [<c03d3bc0>] ? generic_probe+0x3b/0x67
[  410.763649]  [<c03d3bc0>] ? generic_probe+0x3b/0x67
[  410.763652]  [<c03cd8d8>] ? usb_probe_device+0x49/0x62
[  410.763654]  [<c03cd88f>] ? usb_suspend+0xcd/0xcd
[  410.763656]  [<c0361090>] ? driver_probe_device+0x17b/0x30e
[  410.763658]  [<c0361090>] ? driver_probe_device+0x17b/0x30e
[  410.763661]  [<c035f78a>] ? bus_for_each_drv+0x59/0x68
[  410.763663]  [<c035f78a>] ? bus_for_each_drv+0x59/0x68
[  410.763665]  [<c0360e3e>] ? __device_attach+0x91/0x105
[  410.763667]  [<c0361324>] ? driver_allows_async_probing+0x2f/0x2f
[  410.763670]  [<c0360412>] ? bus_probe_device+0x27/0x6b
[  410.763672]  [<c0360412>] ? bus_probe_device+0x27/0x6b
[  410.763674]  [<c035eb98>] ? device_add+0x289/0x4be
[  410.763677]  [<c03598a4>] ? add_device_randomness+0x84/0x9c
[  410.763680]  [<c03c477c>] ? usb_new_device+0x29d/0x3b5
[  410.763681]  [<c03c477c>] ? usb_new_device+0x29d/0x3b5
[  410.763684]  [<c03c5eab>] ? hub_event+0xb32/0xed8
[  410.763686]  [<c03c5eab>] ? hub_event+0xb32/0xed8
[  410.763689]  [<c03c5268>] ? usb_remote_wakeup+0x6f/0x7d
[  410.763693]  [<c0148318>] ? process_one_work+0x174/0x2bc
[  410.763695]  [<c0148318>] ? process_one_work+0x174/0x2bc
[  410.763698]  [<c01488f4>] ? worker_thread+0x22c/0x2f6
[  410.763700]  [<c01486c8>] ? rescuer_thread+0x23f/0x23f
[  410.763703]  [<c014bcc9>] ? kthread+0xa4/0xa9
[  410.763706]  [<c04d06a2>] ? ret_from_kernel_thread+0xe/0x24
[  410.763708]  [<c014bc25>] ? kthread_create_on_node+0x101/0x101
[  410.763734] Code: 14 89 83 b4 04 00 00 8b 45 94 89 43 04 8b 45 ac 89 43 08 8b 85 7c ff ff ff 89 83 c0 04 00 00 8b 45 a8 89 03 8b 45 c0 85 c0 74 0a <0f> b6 40 03 89 83 c8 04 00 00 f6 45 9c 04 74 07 83 a3 c8 04 00
[  410.763738] EIP: [<e08dfc77>] acm_probe+0x4ee/0xc8c [cdc_acm] SS:ESP 0068:dec31b80
[  410.763739] CR2: 0000000000000249
[  410.763742] ---[ end trace 6872abde65b2c9e1 ]---
[  410.763838] BUG: unable to handle kernel paging request at ffffffec
[  410.763841] IP: [<c014c16b>] kthread_data+0xf/0x13
[  410.763844] *pde = 00770067 *pte = 00000000 
[  410.763846] Oops: 0000 [#2] SMP
[  410.763875] Modules linked in: cdc_acm nouveau video drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm agpgart i2c_algo_bit cfg80211 rfkill binfmt_misc snd_pcm_oss snd_mixer_oss fbcon bitblit softcursor font tileblit sr9700 dm9601 usb_storage usbnet snd_hda_codec_generic mii snd_hda_intel snd_hda_codec tg3 snd_hwdep ptp snd_hda_core pps_core snd_pcm gpio_ich libphy firmware_class pcspkr ohci_pci lpc_ich ppdev snd_timer mfd_core ohci_hcd snd uhci_hcd wmi parport_pc floppy ehci_pci soundcore parport ehci_hcd acpi_cpufreq button processor
[  410.763878] CPU: 0 PID: 429 Comm: kworker/0:1 Tainted: G      D         4.8.0-rc8 #1
[  410.763880] Hardware name: Hewlett-Packard HP xw4300 Workstation/0A00h, BIOS 786D3 v01.08 03/10/2006
[  410.763888] task: df523f00 task.stack: dec30000
[  410.763890] EIP: 0060:[<c014c16b>] EFLAGS: 00010002 CPU: 0
[  410.763892] EIP is at kthread_data+0xf/0x13
[  410.763893] EAX: 00000000 EBX: dec32000 ECX: b3d25f6d EDX: df523f00
[  410.763895] ESI: df5241b4 EDI: dfb94940 EBP: dec31f48 ESP: dec31f44
[  410.763896]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[  410.763898] CR0: 80050033 CR2: 00000014 CR3: 1ee16000 CR4: 00000690
[  410.763899] Stack:
[  410.763904]  c0148a1c dec31f6c c04cd2e4 00000000 00000000 df523f00 00000246 dec32000
[  410.763909]  dec31d50 dec31f98 dec31f78 c04cd6a9 df523f00 dec31fac c013967e df524288
[  410.763913]  01000000 df52412c df4e0000 00000001 00000000 dec31f98 dec31f98 00000009
[  410.763914] Call Trace:
[  410.763917]  [<c0148a1c>] ? wq_worker_sleeping+0xd/0x75
[  410.763919]  [<c04cd2e4>] ? __schedule+0xcc/0x424
[  410.763922]  [<c04cd6a9>] ? schedule+0x6d/0x7a
[  410.763925]  [<c013967e>] ? do_exit+0x74d/0x775
[  410.763929]  [<c04d16b9>] ? rewind_stack_do_exit+0x11/0x13
[  410.763931]  [<c014bc25>] ? kthread_create_on_node+0x101/0x101
[  410.763957] Code: 8d 44 b0 4d c0 8d 0c 95 00 00 00 00 29 cb b9 02 00 00 00 89 da 5b 5d e9 f5 fd ff ff 55 89 e5 3e 8d 74 26 00 8b 80 84 02 00 00 5d <8b> 40 ec c3 55 89 e5 52 3e 8d 74 26 00 b9 04 00 00 00 8b 90 84
[  410.763960] EIP: [<c014c16b>] kthread_data+0xf/0x13 SS:ESP 0068:dec31f44
[  410.763961] CR2: 00000000ffffffec
[  410.763964] ---[ end trace 6872abde65b2c9e2 ]---
[  410.763965] Fixing recursive fault but reboot is needed!


Regards, Wim.
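
A triage step for the log above, as an added example that is not part of the original message: this Python sketch pairs each oops's faulting address with its register dump to find which register, plus a small displacement, produced that address. The function name `triage` and the 0x100 displacement window are assumptions of this example.

```python
import re

# Excerpt of the first oops in the log above (fault, IP and register lines only).
SAMPLE = """\
[  410.763515] BUG: unable to handle kernel NULL pointer dereference at 00000249
[  410.763522] IP: [<e08dfc77>] acm_probe+0x4ee/0xc8c [cdc_acm]
[  410.763581] EAX: 00000246 EBX: decff000 ECX: e08e1854 EDX: 00000000
[  410.763582] ESI: 00000100 EDI: 00000000 EBP: dec31c18 ESP: dec31b80
"""

FAULT = re.compile(r"BUG: unable to handle kernel .* at ([0-9a-f]+)")
IP = re.compile(r"IP: \[<[0-9a-f]+>\] (\S+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
REG = re.compile(r"\b(E[A-D]X|E[SD]I|E[BS]P): ([0-9a-f]{8})")


def triage(log, max_disp=0x100):
    """Return one dict per oops: fault address, symbol, module, candidate bases."""
    reports = []
    for line in log.splitlines():
        m = FAULT.search(line)
        if m:  # a new oops starts at its "BUG:" line
            reports.append({"addr": int(m.group(1), 16), "symbol": None,
                            "module": None, "regs": {}})
            continue
        if not reports:
            continue
        cur = reports[-1]
        m = IP.search(line)
        if m and cur["symbol"] is None:  # keep the first IP line of each oops
            cur["symbol"], cur["module"] = m.group(1), m.group(2)
        for name, val in REG.findall(line):
            cur["regs"].setdefault(name, int(val, 16))
    for r in reports:
        r["candidates"] = []
        for name, val in r["regs"].items():
            disp = (r["addr"] - val) & 0xFFFFFFFF  # 32-bit wraparound (i386 log)
            if disp >= 0x80000000:
                disp -= 1 << 32                    # treat as signed displacement
            if abs(disp) <= max_disp:
                r["candidates"].append((name, disp))
    return reports


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(hex(r["addr"]), r["symbol"], r["module"], r["candidates"])
```

On the first oops this reports EAX with displacement 3 (0x246 + 3 = 0x249), so the pointer being dereferenced held a small non-zero value rather than NULL.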
