Message-ID: <13c70454.133a.1744c8ad55a.Coremail.hyouyan@126.com>
Date: Wed, 2 Sep 2020 10:00:01 +0800 (CST)
From: youyan <hyouyan@....com>
To: lkrg-users@...ts.openwall.com
Subject: collapse of extreme situations.
Hi LKRG team,
I have ported LKRG 0.8 to Android 10 running on a Qualcomm QCM2150 chip. When we ran some stability tests, we found some crashes in extreme situations.
1: p_cmp_tasks NULL pointer dereference
<Exploit Detection> Detected namespace escape attack!process[1810 | Binder:1310_6] has different 'nsproxy' pointer
72.139577: <6> Unable to handle kernel NULL pointer dereference at virtual address 00000004
72.139582: <6> pgd = 65ae8c4b
72.139587: <6> [00000004] *pgd=00000000
72.139598: <6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
72.139602: <6> Modules linked in: sidkm_dlkm(O) wlan(O) machine_ext_dlkm(O) machine_dlkm(O) wcd9335_dlkm(O) cpe_lsm_dlkm(O) wcd_cpe_dlkm(O) analog_cdc_dlkm(O) digital_cdc_dlkm(O) stub_dlkm(O) mbhc_dlkm(O) wsa881x_analog_dlkm(O) wsa881x_dlkm(O) wcd9xxx_dlkm(O) wcd_core_dlkm(O) swr_ctrl_dlkm(O) swr_dlkm(O) pinctrl_wcd_dlkm(O) native_dlkm(O) platform_dlkm(O) usf_dlkm(O) q6_dlkm(O) adsp_loader_dlkm(O) apr_dlkm(O) q6_notifier_dlkm(O) cf1133_ts_dlkm(O) gpio_leds_dlkm(O) lcd_id_dlkm(O) pwm_beep_dlkm(O) beep_dlkm(O) charger_sgm41511_dlkm(O) charger_sy6982n_dlkm(O) cw2017_fuel_gauge_dlkm(O) ftdi_sdio_dlkm(O) at24_dlkm(O) algorithm_dlkm(PO) usbbulk_dlkm(O) cp210x_dlkm(O) ch341_dlkm(O) pl2303_dlkm(O) pin_catcher_dlkm(O) se_key_dlkm(O) epay_se_dlkm(O) [last unloaded: wlan]
72.139678: <6> CPU: 0 PID: 4354 Comm: kworker/u8:11 Tainted: P O 4.9.217-perf #4
72.139682: <6> Hardware name: Qualcomm Technologies, Inc. QM215
72.139737: <6> Workqueue: events_unbound p_check_integrity [sidkm_dlkm]
72.139743: <6> task: ecb8fde0 task.stack: eece352c
72.139787: <2> PC is at p_cmp_tasks+0x56c/0x9f8 [sidkm_dlkm]
72.139831: <2> LR is at p_cmp_tasks+0x53c/0x9f8 [sidkm_dlkm]
72.139837: <2> pc : [<bf0b4f6c>] lr : [<bf0b4f3c>] psr: 800d0013
sp : e0a45e38 ip : 00000000 fp : bf0c5380
72.139843: <2> r10: 00000001 r9 : e8814700 r8 : e8814700
72.139848: <2> r7 : 03254353 r6 : 00000000 r5 : d6ccdac0 r4 : d63dcf00
72.139853: <2> r3 : 00000000 r2 : 000409d9 r1 : 00000000 r0 : 00000000
72.139859: <2> Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
72.139864: <2> Control: 10c0383d Table: 97b8806a DAC: 00000051
<2> [<bf0b4f6c>] (p_cmp_tasks [sidkm_dlkm]) from [<bf0b5984>] (p_ed_enforce_validation_paranoid+0x7c/0x358 [sidkm_dlkm])
72.140320: <2> [<bf0b5984>] (p_ed_enforce_validation_paranoid [sidkm_dlkm]) from [<bf0ac020>] (p_check_integrity+0x2488/0x258c [sidkm_dlkm])
72.140369: <2> [<bf0ac020>] (p_check_integrity [sidkm_dlkm]) from [<c014c790>] (process_one_work+0x240/0x590)
72.140380: <2> [<c014c790>] (process_one_work) from [<c014cee0>] (worker_thread+0x400/0x5b0)
72.140389: <2> [<c014cee0>] (worker_thread) from [<c0151c88>] (kthread+0x154/0x168)
72.140399: <2> [<c0151c88>] (kthread) from [<c01081a8>] (ret_from_fork+0x14/0x2c)
72.140408: <6> Code: e34b0f0b eb43f46d e5950614 e28aa001 (e5901004)
72.140514: <6> ---[ end trace 0e2cc98ad6f58953 ]---
72.140528: <6> Kernel panic - not syncing: Fatal exception
72.140544: <6> CPU2: stopping
72.140553: <6> CPU: 2 PID: 0 Comm: swapper/2 Tainted: P D O 4.9.217-perf #4
72.140557: <6> Hardware name: Qualcomm Technologies, Inc. QM215
72.140569: <2> [<c0110cd8>] (unwind_backtrace) from [<c010d080>] (show_stack+0x10/0x14)
72.140579: <2> [<c010d080>] (show_stack) from [<c04efc00>] (dump_stack+0x88/0xb8)
72.140588: <2> [<c04efc00>] (dump_stack) from [<c010fb28>] (ipi_cpu_stop+0x40/0x68)
72.140596: <2> [<c010fb28>] (ipi_cpu_stop) from [<c010fae8>] (ipi_cpu_stop+0x0/0x68)
72.140603: <2> [<c010fae8>] (ipi_cpu_stop) from [<c5c02000>] (0xc5c02000)
I checked the ramdump and found that thread (1810 | Binder:1310_6) does not exist. Does LKRG detect the exploit ("Detected namespace escape attack! process ...") because the thread already no longer exists?
2: killing a process causes a kernel crash
<6> [lkrg] <Exploit Detection> ON process[447 | time_daemon] has corrupted 'off' flag!
43443.007670: <6> [lkrg] <Exploit Detection> Trying to kill process[time_daemon | 447]!
43443.016340: <6> [lkrg] <Exploit Detection> ON process[448 | customconfigsd] has corrupted 'off' flag!
43443.022795: <6> [lkrg] <Exploit Detection> Trying to kill process[customconfigsd | 448]!
43443.040997: <6> [RMNET:HI] rmnet_config_notify_cb(): Kernel is trying to unregister r_rmnet_data6
43443.042097: <6> [RMNET:HI] rmnet_config_notify_cb(): Kernel is trying to unregister r_rmnet_data7
43443.088853: <6> binder: 861:371 transaction failed 29189/-22, size 40-0 line 3136
43443.120966: <6> [RMNET:HI] rmnet_config_notify_cb(): Kernel is trying to unregister r_rmnet_data7
43443.121937: <6> [RMNET:HI] rmnet_config_notify_cb(): Kernel is trying to unregister r_rmnet_data8
43443.200806: <6> [RMNET:HI] rmnet_config_notify_cb(): Kernel is trying to unregister r_rmnet_data8
43443.405158: <6> [lkrg] <Exploit Detection> ON process[455 | time_daemon] has corrupted 'off' flag!
43443.405302: <6> [lkrg] <Exploit Detection> Trying to kill process[time_daemon | 455]!
43443.413877: <6> [lkrg] <Exploit Detection> ON process[456 | time_daemon] has corrupted 'off' flag!
43443.420424: <6> [lkrg] <Exploit Detection> Trying to kill process[time_daemon | 456]!
43443.655574: <6> [lkrg] <Exploit Detection> ON process[459 | customconfigsd] has corrupted 'off' flag!
43443.655873: <4> [lkrg] <Exploit Detection> Trying to kill process[???????????????????????????????????????????
43443.663427: <6> binder: undelivered transaction 20666245, process died.
43443.728637: <6> Unable to handle kernel paging request at virtual address aaaaafb2
43443.750943: <6> pgd = 4285aa4f
43443.757997: <6> [aaaaafb2] *pgd=00000000
43443.764044: <6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
43443.764371: <6> Modules linked in: sidkm_dlkm(O) wlan(O) machine_ext_dlkm(O) machine_dlkm(O) wcd9335_dlkm(O) cpe_lsm_dlkm(O) wcd_cpe_dlkm(O) analog_cdc_dlkm(O) digital_cdc_dlkm(O) stub_dlkm(O) mbhc_dlkm(O) wsa881x_analog_dlkm(O) wsa881x_dlkm(O) wcd9xxx_dlkm(O) wcd_core_dlkm(O) hdmi_dlkm(O) swr_ctrl_dlkm(O) swr_dlkm(O) pinctrl_wcd_dlkm(O) native_dlkm(O) platform_dlkm(O) usf_dlkm(O) q6_dlkm(O) adsp_loader_dlkm(O) apr_dlkm(O) q6_notifier_dlkm(O) gpio_leds_dlkm(O) lcd_id_dlkm(O) pwm_beep_dlkm(O) beep_dlkm(O) sitronix_ts_dlkm(O) charger_sgm41511_dlkm(O) charger_sy6982n_dlkm(O) cw2017_fuel_gauge_dlkm(O) pl2303_dlkm(O) at24_dlkm(O) algorithm_dlkm(PO) usbbulk_dlkm(O) ch341_dlkm(O) cp210x_dlkm(O) ftdi_sdio_dlkm(O) pin_catcher_dlkm(O) se_key_dlkm(O) epay_se_dlkm(O) [last unloaded: wlan]
43443.837827: <6> CPU: 0 PID: 459 Comm: kworker/u8:6 Tainted: P O 4.9.217 #2
43443.838097: <6> Hardware name: Qualcomm Technologies, Inc. QM215
43443.845542: <6> task: 15301b8f task.stack: 2bb6ef8b
43443.851431: <2> PC is at do_raw_spin_lock+0x24/0x10c
43443.855682: <2> LR is at _raw_spin_lock+0x20/0x24
43443.860537: <2> pc : [<c01b9584>] lr : [<c11622e0>] psr: 200000d3
sp : e2da1d58 ip : 00000000 fp : e2da1d70
43443.864887: <2> r10: bf26a738 r9 : e5156c00 r8 : 00000504
43443.876082: <2> r7 : aaaaafae r6 : aaaaaaaa r5 : c1a0e648 r4 : aaaaafae
43443.881313: <2> r3 : 00000000 r2 : c1a0f1f0 r1 : 00000000 r0 : 000409d9
43443.887908: <2> Flags: nzCv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none
43443.894427: <2> Control: 10c0383d Table: 9a4a006a DAC: 00000051
I also checked the task list in the ramdump and also did not find the 459 | customconfigsd thread.
For the above panics, could you give some suggestions on how to fix them?
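A small triage helper for reports like the two above, added here as an example; it is not code from the LKRG project or from the poster. It parses the LKRG "<Exploit Detection>" lines together with the ARM oops header (faulting address, PC symbol and module, crashing task, workqueue function) so that the PIDs LKRG acted on can be lined up against the task that actually oopsed. It accepts both orders LKRG uses in the process field ("process[pid | comm]" and "process[comm | pid]"), records a truncated kill line such as the one with the "????" run as garbled rather than dropping it, and, for a NULL dereference, reports the field offset that was read through the NULL pointer. The two sample logs are constructed excerpts trimmed from the lines in this mail; the regular expressions and helper names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Android kernel log lines carry an optional "<seconds>: <level> " prefix; the
# lkrg messages in the report appear both with and without it, so strip it.
PREFIX_RE = re.compile(r"^\s*(?:\d+\.\d+:\s*)?(?:<\d>\s*)?")
DETECT_RE = re.compile(r"<Exploit Detection>\s*(?P<text>.*)")
PROCESS_RE = re.compile(r"process\[(?P<inner>[^\]]*)\]")
OOPS_RE = re.compile(r"Unable to handle kernel (?P<kind>.+?) at virtual address (?P<addr>[0-9a-fA-F]+)")
PC_RE = re.compile(r"PC is at (?P<sym>[^+\s]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)(?:\s+\[(?P<mod>[^\]]+)\])?")
CPU_RE = re.compile(r"CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")
WQ_RE = re.compile(r"Workqueue: (?P<wq>\S+) (?P<fn>\S+)")
PAGE_SIZE = 4096  # arm prints "NULL pointer dereference" for fault addresses below this


@dataclass
class LkrgEvent:
    action: str            # "detect", "kill" or "garbled" (unparseable process field)
    pid: Optional[int]
    comm: Optional[str]
    text: str


@dataclass
class CrashReport:
    events: List[LkrgEvent] = field(default_factory=list)
    fault_kind: Optional[str] = None
    fault_addr: Optional[int] = None
    pc_symbol: Optional[str] = None
    pc_offset: Optional[int] = None
    pc_module: Optional[str] = None   # None when the PC is in the core kernel
    crash_pid: Optional[int] = None
    crash_comm: Optional[str] = None
    workqueue_fn: Optional[str] = None

    def targeted_pids(self) -> List[int]:
        """PIDs LKRG reported on or tried to kill before the oops, in log order."""
        return [e.pid for e in self.events if e.pid is not None]

    def garbled_events(self) -> int:
        return sum(1 for e in self.events if e.action == "garbled")

    def null_field_offset(self) -> Optional[int]:
        """For a NULL dereference, the struct field offset read through the NULL pointer."""
        if self.fault_addr is not None and self.fault_addr < PAGE_SIZE:
            return self.fault_addr
        return None


def parse_process_field(inner: str):
    """LKRG prints both 'process[pid | comm]' and 'process[comm | pid]'; accept either."""
    parts = [p.strip() for p in inner.split("|")]
    if len(parts) != 2:
        return None, None
    for a, b in ((parts[0], parts[1]), (parts[1], parts[0])):
        if a.isdigit():
            return int(a), b
    return None, None


def parse_event(text: str) -> LkrgEvent:
    action = "kill" if text.startswith("Trying to kill") else "detect"
    m = PROCESS_RE.search(text)
    pid, comm = parse_process_field(m.group("inner")) if m else (None, None)
    if pid is None:
        return LkrgEvent("garbled", None, None, text)
    return LkrgEvent(action, pid, comm, text)


def parse_crash_log(text: str) -> CrashReport:
    rep = CrashReport()
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw, count=1)
        if (m := DETECT_RE.search(line)):
            rep.events.append(parse_event(m.group("text")))
        elif (m := OOPS_RE.search(line)):
            rep.fault_kind = m.group("kind")
            rep.fault_addr = int(m.group("addr"), 16)
        elif (m := PC_RE.search(line)):
            rep.pc_symbol = m.group("sym")
            rep.pc_offset = int(m.group("off"), 16)
            rep.pc_module = m.group("mod")
        elif (m := CPU_RE.search(line)) and rep.crash_pid is None:
            # The first "CPU:" line belongs to the oops itself; later ones come
            # from the "CPUn: stopping" dumps of the other cores and are skipped.
            rep.crash_pid = int(m.group("pid"))
            rep.crash_comm = m.group("comm")
        elif (m := WQ_RE.search(line)):
            rep.workqueue_fn = m.group("fn")
    return rep


# Constructed excerpts, trimmed from the two reports in the mail above.
SAMPLE_LOG_1 = """\
<Exploit Detection> Detected namespace escape attack!process[1810 | Binder:1310_6] has different 'nsproxy' pointer
72.139577: <6> Unable to handle kernel NULL pointer dereference at virtual address 00000004
72.139598: <6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
72.139678: <6> CPU: 0 PID: 4354 Comm: kworker/u8:11 Tainted: P O 4.9.217-perf #4
72.139737: <6> Workqueue: events_unbound p_check_integrity [sidkm_dlkm]
72.139787: <2> PC is at p_cmp_tasks+0x56c/0x9f8 [sidkm_dlkm]
72.140553: <6> CPU: 2 PID: 0 Comm: swapper/2 Tainted: P D O 4.9.217-perf #4
"""
SAMPLE_LOG_2 = """\
43443.007670: <6> [lkrg] <Exploit Detection> ON process[447 | time_daemon] has corrupted 'off' flag!
43443.007670: <6> [lkrg] <Exploit Detection> Trying to kill process[time_daemon | 447]!
43443.655574: <6> [lkrg] <Exploit Detection> ON process[459 | customconfigsd] has corrupted 'off' flag!
43443.655873: <4> [lkrg] <Exploit Detection> Trying to kill process[???????????????
43443.728637: <6> Unable to handle kernel paging request at virtual address aaaaafb2
43443.837827: <6> CPU: 0 PID: 459 Comm: kworker/u8:6 Tainted: P O 4.9.217 #2
43443.851431: <2> PC is at do_raw_spin_lock+0x24/0x10c
"""

if __name__ == "__main__":
    for log in (SAMPLE_LOG_1, SAMPLE_LOG_2):
        r = parse_crash_log(log)
        print(f"{r.fault_kind} @ {r.fault_addr:#x}, PC {r.pc_symbol}+{r.pc_offset:#x} "
              f"[{r.pc_module or 'kernel'}], task {r.crash_pid}/{r.crash_comm}, "
              f"lkrg targets {r.targeted_pids()}, garbled {r.garbled_events()}, "
              f"NULL field offset {r.null_field_offset()}")
```

Run against a full dmesg it gives the first thing to check in a report like this: which PIDs LKRG was handling just before the oops, whether the PC sits inside the LKRG module or in core kernel locking code, and, for the NULL case, which field offset of a NULL pointer was read, which is what a ramdump or disassembly lookup of p_cmp_tasks+0x56c would then be compared against.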