| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Sep 2021 16:20:51 +0200 From: Udo van den Heuvel <udovdh@...all.nl> To: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: 5.14.6: what happened here? Hello, Found this in dmesg: [108333.097816] ------------[ cut here ]------------ [108333.097821] Buffer overflow detected (8 < 192)! [108333.097827] WARNING: CPU: 5 PID: 180717 at include/linux/thread_info.h:200 ethtool_rxnfc_copy_to_user+0x11/0x20 [108333.097832] Modules linked in: snd_seq_dummy mq_deadline xt_MASQUERADE iptable_nat nf_nat ipt_REJECT nf_reject_ipv4 xt_u32 xt_multiport iptable_filter nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_REJECT nf_reject_ipv6 xt_tcpudp xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 k10temp nf_defrag_ipv4 it87 ip6table_filter hwmon_vid msr ip6_tables snd_hda_codec_realtek snd_hda_codec_generic uvcvideo snd_hda_intel snd_intel_dspcfg videobuf2_vmalloc snd_usb_audio videobuf2_memops snd_hda_codec snd_hwdep videobuf2_v4l2 snd_hda_core snd_usbmidi_lib videodev lzo_rle snd_rawmidi snd_seq videobuf2_common cdc_acm lzo_compress snd_seq_device snd_pcm snd_timer i2c_piix4 snd bfq evdev acpi_cpufreq p_lkrg binfmt_misc fuse configfs zram zsmalloc ip_tables x_tables hid_generic amdgpu sr_mod cdrom usbhid aesni_intel drm_ttm_helper ttm gpu_sched i2c_dev autofs4 [108333.097862] CPU: 5 PID: 180717 Comm: pool Not tainted 5.14.6 #5 [108333.097864] Hardware name: Gigabyte Technology Co., Ltd. X570 AORUS PRO/X570 AORUS PRO, BIOS F34 07/08/2021 [108333.097865] RIP: 0010:ethtool_rxnfc_copy_to_user+0x11/0x20 [108333.097867] Code: eb 94 b8 f4 ff ff ff eb 8d e8 7b a0 12 00 66 66 2e 0f 1f 84 00 00 00 00 00 be 08 00 00 00 48 c7 c7 b8 68 e5 82 e8 a7 0c 0f 00 <0f> 0b b8 f2 ff ff ff c3 0f 1f 80 00 00 00 00 41 56 41 55 41 54 55 [108333.097869] RSP: 0018:ffffadbd8638bb30 EFLAGS: 00010286 [108333.097870] RAX: 0000000000000000 RBX: ffffffff82cca7c0 RCX: 0000000000000000 [108333.097872] RDX: 0000000000000001 RSI: ffffffff82e7739c RDI: 00000000ffffffff [108333.097872] RBP: ffffa04087eae000 R08: ffffa047be2b0c28 R09: 00000000ffffdfff [108333.097873] R10: ffffa047be14d000 R11: ffffa047be14d000 R12: 0000000000000000 [108333.097874] R13: 00007f3bfd70e7e0 R14: 0000000000000000 R15: ffffadbd8638bb40 [108333.097875] FS: 00007f3bfd70f640(0000) GS:ffffa047bdd40000(0000) knlGS:0000000000000000 [108333.097876] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [108333.097877] CR2: 00007f3bec016148 CR3: 000000010ba38000 CR4: 0000000000750ee0 [108333.097878] PKRU: 55555554 [108333.097878] Call Trace: [108333.097880] ethtool_get_rxnfc+0xc1/0x1b0 [108333.097883] dev_ethtool+0xb7a/0x2950 [108333.097885] ? dev_ethtool+0x1c6/0x2950 [108333.097887] ? _copy_to_user+0x1c/0x30 [108333.097890] ? dev_ethtool+0x1c6/0x2950 [108333.097892] ? netdev_name_node_lookup_rcu+0x58/0x70 [108333.097894] dev_ioctl+0x18c/0x4f0 [108333.097896] sock_ioctl+0x271/0x3c0 [108333.097899] __x64_sys_ioctl+0x415/0x930 [108333.097901] ? exit_to_user_mode_prepare+0x19/0xf0 [108333.097904] do_syscall_64+0x5c/0x80 [108333.097907] ? task_work_run+0x57/0x90 [108333.097909] ? exit_to_user_mode_prepare+0x5e/0xf0 [108333.097910] ? syscall_exit_to_user_mode+0x1d/0x40 [108333.097911] ? __x64_sys_close+0x8/0x40 [108333.097913] ? do_syscall_64+0x69/0x80 [108333.097915] ? do_syscall_64+0x69/0x80 [108333.097916] ? do_syscall_64+0x69/0x80 [108333.097917] ? __x64_sys_socket+0xe/0x20 [108333.097918] ? do_syscall_64+0x69/0x80 [108333.097919] ? do_syscall_64+0x69/0x80 [108333.097920] ? exit_to_user_mode_prepare+0x19/0xf0 [108333.097921] entry_SYSCALL_64_after_hwframe+0x44/0xae [108333.097923] RIP: 0033:0x7f3c111e80ab [108333.097924] Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 9d bd 0c 00 f7 d8 64 89 01 48 [108333.097925] RSP: 002b:00007f3bfd70e778 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [108333.097927] RAX: ffffffffffffffda RBX: 000000003b9aca00 RCX: 00007f3c111e80ab [108333.097927] RDX: 00007f3bfd70e7b0 RSI: 0000000000008946 RDI: 0000000000000009 [108333.097928] RBP: 0000000000000009 R08: 0000000000000000 R09: 00007f3bfd70e7b0 [108333.097928] R10: 00007f3bec015fcc R11: 0000000000000246 R12: 0000000000000001 [108333.097929] R13: 00007f3bec015450 R14: 00007f3bec015f68 R15: 00007f3bec01600c [108333.097930] ---[ end trace ef16fbb48219a61f ]--- Yes, a buffer overflow. But is this a bug or due to somethin that I was doing? Udo
Powered by blists - more mailing lists