CamFlow / camflow-dev

Generates kernel patch for CamFlow Linux Provenance Capture.
http://camflow.org/
GNU General Public License v2.0

Error and crash during boot #103

Closed tfjmp closed 4 years ago

tfjmp commented 4 years ago

This does not always occur, but under certain circumstances (cannot reliably reproduce at this point), security_sock_recv_msg_always creates an issue in the kmemcache_alloc (exhausting resources?) that leads to a crash during boot.

tfjmp commented 4 years ago
Nov 26 03:36:02 localhost.localdomain kernel: kernel BUG at security/provenance/include/provenance_relay.h:68!
Nov 26 03:36:02 localhost.localdomain kernel: invalid opcode: 0000 [#3] SMP PTI
Nov 26 03:36:02 localhost.localdomain kernel: CPU: 0 PID: 809 Comm: systemd-journal Tainted: G      D           5.3.11camflow0.6.4+ #3
Nov 26 03:36:02 localhost.localdomain kernel: Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Nov 26 03:36:02 localhost.localdomain kernel: RIP: 0010:provenance_socket_recvmsg_always+0x3afe/0x3c20
Nov 26 03:36:02 localhost.localdomain kernel: Code: ff 41 89 4c 24 20 e9 86 fe ff ff e8 fc 49 be ff 0f 0b 89 54 24 58 be d8 00 00 00 4c 89 >
Nov 26 03:36:02 localhost.localdomain kernel: RSP: 0018:ffffbd0ec0577b58 EFLAGS: 00010086
Nov 26 03:36:02 localhost.localdomain kernel: RAX: a54b14d459145aff RBX: ffff946db375b118 RCX: 0000000000000015
Nov 26 03:36:02 localhost.localdomain kernel: RDX: 0000000000000000 RSI: 0000000000000092 RDI: 0000000000000092
Nov 26 03:36:02 localhost.localdomain kernel: RBP: ffff946db1ae3b90 R08: ffff946dd7a2e6a0 R09: ffff946da0af60e0
Nov 26 03:36:02 localhost.localdomain kernel: R10: ffff946dadb41400 R11: ffff946dae20f800 R12: 0000000000000000
Nov 26 03:36:02 localhost.localdomain kernel: R13: ffffbd0ec0577c68 R14: ffff946db375b400 R15: ffff946db0e41200
Nov 26 03:36:02 localhost.localdomain kernel: FS:  00007f59af17e940(0000) GS:ffff946dd7a00000(0000) knlGS:0000000000000000
Nov 26 03:36:02 localhost.localdomain kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 26 03:36:02 localhost.localdomain kernel: CR2: 00007f59b007b190 CR3: 00000001f2632006 CR4: 00000000000606f0
Nov 26 03:36:02 localhost.localdomain kernel: Call Trace:
Nov 26 03:36:02 localhost.localdomain kernel:  ? d_add+0xd1/0x170
Nov 26 03:36:02 localhost.localdomain kernel:  security_socket_recvmsg_always+0x38/0x50
Nov 26 03:36:02 localhost.localdomain kernel:  sock_recvmsg+0x36/0x80
Nov 26 03:36:02 localhost.localdomain kernel:  sock_read_iter+0x94/0xf0
Nov 26 03:36:02 localhost.localdomain kernel:  new_sync_read+0x12a/0x1c0
Nov 26 03:36:02 localhost.localdomain kernel:  vfs_read+0x91/0x140
Nov 26 03:36:02 localhost.localdomain kernel:  ksys_read+0x59/0xd0
Nov 26 03:36:02 localhost.localdomain kernel:  do_syscall_64+0x5f/0x1a0
Nov 26 03:36:02 localhost.localdomain kernel:  entry_SYSCALL_64_after_hwframe+0x44/0xa9
Nov 26 03:36:02 localhost.localdomain kernel: RIP: 0033:0x7f59aff7bc34
Nov 26 03:36:02 localhost.localdomain kernel: Code: c3 0f 1f 44 00 00 41 54 49 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 7b fc ff ff 4c 89 >
Nov 26 03:36:02 localhost.localdomain kernel: RSP: 002b:00007ffee1c2ee80 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Nov 26 03:36:02 localhost.localdomain kernel: RAX: ffffffffffffffda RBX: 0000000000000011 RCX: 00007f59aff7bc34
Nov 26 03:36:02 localhost.localdomain kernel: RDX: 0000000000000801 RSI: 000055b4ac3923e0 RDI: 0000000000000011
Nov 26 03:36:02 localhost.localdomain kernel: RBP: 000055b4ac3923e0 R08: 0000000000000000 R09: 00007f59aff652e0
Nov 26 03:36:02 localhost.localdomain kernel: R10: 000055b4ac38c010 R11: 0000000000000246 R12: 0000000000000801
Nov 26 03:36:02 localhost.localdomain kernel: R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Nov 26 03:36:02 localhost.localdomain kernel: Modules linked in: intel_rapl_msr intel_rapl_common joydev crct10dif_pclmul snd_intel8x0(+) c>
Nov 26 03:36:02 localhost.localdomain kernel: ---[ end trace 501d9bd4c4e0fb62 ]---
Nov 26 03:36:02 localhost.localdomain kernel: RIP: 0010:provenance_socket_recvmsg_always+0x3afe/0x3c20
Nov 26 03:36:02 localhost.localdomain kernel: Code: ff 41 89 4c 24 20 e9 86 fe ff ff e8 fc 49 be ff 0f 0b 89 54 24 58 be d8 00 00 00 4c 89 >
Nov 26 03:36:02 localhost.localdomain kernel: RSP: 0018:ffffbd0ec0527b58 EFLAGS: 00010086
Nov 26 03:36:02 localhost.localdomain kernel: RAX: ffffffff8d03ff00 RBX: ffff946daf99a318 RCX: 0000000000000011
Nov 26 03:36:02 localhost.localdomain kernel: RDX: 0000000000000000 RSI: 0000000000000092 RDI: 0000000000000092
Nov 26 03:36:02 localhost.localdomain kernel: RBP: ffff946daaf26380 R08: ffff946dd7a2e6a0 R09: ffff946daace9620
Nov 26 03:36:02 localhost.localdomain kernel: R10: ffff946daaacfc00 R11: ffff946dad650c00 R12: 0000000000000000
Nov 26 03:36:02 localhost.localdomain kernel: R13: ffffbd0ec0527c68 R14: ffff946db4b19600 R15: ffff946dadbc6600
Nov 26 03:36:02 localhost.localdomain kernel: FS:  00007f59af17e940(0000) GS:ffff946dd7a00000(0000) knlGS:0000000000000000
Nov 26 03:36:02 localhost.localdomain kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 26 03:36:02 localhost.localdomain kernel: CR2: 00007f59b007b190 CR3: 00000001f2632006 CR4: 00000000000606f0

Still cannot reproduce, but got my hands on some error. Trying to understand why/when this happens.

https://github.com/CamFlow/camflow-dev/blob/74b21c4bebff5ebf8a913eba701240dd1cc4e857/security/provenance/include/provenance_relay.h#L68

Somehow a relation is being passed through the internal API as a node (or could be a symptom of use after free).
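The comment above describes two suspected failure modes: a relation being handed to a code path that expects a node, and a stale (freed) object reaching the same path. The following C sketch is an added example, not CamFlow's code, of how a defensive consumer can tell the two apart and return an error instead of hitting a kernel BUG() that takes the whole machine down. The structure layout, the `prov_kind` enum, the magic/poison markers and every function name here are hypothetical and chosen only for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical entry kinds; not CamFlow's real type enumeration. */
enum prov_kind { PROV_NODE = 1, PROV_RELATION = 2 };

#define PROV_MAGIC 0x50524f56u  /* constructed "live object" marker */
#define PROV_FREED 0xdeadbeefu  /* constructed poison written on release */

/* Minimal stand-in for a provenance object carrying a kind tag. */
struct prov_entry {
    uint32_t magic;  /* PROV_MAGIC while live, PROV_FREED after release */
    uint32_t kind;   /* enum prov_kind */
    uint64_t id;
};

/* Result codes returned by the validation step. */
enum prov_check {
    PROV_OK = 0,
    PROV_ERR_NULL = -1,   /* caller passed a NULL pointer */
    PROV_ERR_FREED = -2,  /* marker missing or poisoned: stale/foreign object */
    PROV_ERR_KIND = -3    /* live object, but of the wrong kind */
};

/* Check that e is a live entry of the expected kind. Returning a code lets
 * the caller drop the record and log it, whereas an in-kernel BUG() at the
 * same point crashes the box, as in the trace reported above. */
int prov_check_entry(const struct prov_entry *e, enum prov_kind want)
{
    if (!e)
        return PROV_ERR_NULL;
    if (e->magic != PROV_MAGIC)
        return PROV_ERR_FREED;   /* covers both the poison value and garbage */
    if (e->kind != (uint32_t)want)
        return PROV_ERR_KIND;
    return PROV_OK;
}

/* Node-only consumer: validates first, never assumes the kind. */
int prov_record_node(const struct prov_entry *e, char *buf, size_t len)
{
    int rc = prov_check_entry(e, PROV_NODE);

    if (rc != PROV_OK) {
        snprintf(buf, len, "dropped node record: rc=%d", rc);
        return rc;
    }
    snprintf(buf, len, "node id=%llu", (unsigned long long)e->id);
    return PROV_OK;
}

/* Simulated release: poison the marker so later use is detectable. */
void prov_release(struct prov_entry *e)
{
    e->magic = PROV_FREED;
}

/* Constructed scenario mirroring the two hypotheses in the report:
 * a relation reaching a node-only path, then a released entry being reused.
 * Returns the number of unexpected outcomes (0 means every case was caught). */
int prov_demo(void)
{
    struct prov_entry node = { PROV_MAGIC, PROV_NODE, 7 };
    struct prov_entry rel  = { PROV_MAGIC, PROV_RELATION, 8 };
    char buf[64];
    int unexpected = 0;

    if (prov_record_node(&node, buf, sizeof buf) != PROV_OK)
        unexpected++;
    if (prov_record_node(&rel, buf, sizeof buf) != PROV_ERR_KIND)
        unexpected++;
    prov_release(&node);
    if (prov_record_node(&node, buf, sizeof buf) != PROV_ERR_FREED)
        unexpected++;
    return unexpected;
}

int main(void)
{
    printf("unexpected outcomes: %d\n", prov_demo());
    return prov_demo() ? 1 : 0;
}
```

The poison marker only catches the common case where the freed memory has not yet been reused; in a real kernel build the slab debugging options (KASAN, slub_debug) are the tool for confirming a use after free, and the kind check is what separates that hypothesis from a plain API misuse.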

tfjmp commented 4 years ago

Should be fixed in the current release. Closing.