[grsec] bonding module causes kernel oops when "mode" option used

Natanael Copa natanael.copa at gmail.com
Mon Aug 17 04:32:19 EDT 2009


Hi,

A user reported an issue with the bonding module. I could not reproduce
it in my qemu/kvm box but I could on my laptop.

The bad stuff happens only when the "mode" parameter is specified to the
bonding module. Without the parameter things seem to work.

Example to trigger it: modprobe bonding mode=5

I tested on a 2.6.30.4 vanilla kernel and it does not Oops on me.

Kernel config:
http://dev.alpinelinux.org/~ncopa/pax/config-200908132040

vmlinux:
http://dev.alpinelinux.org/~ncopa/pax/vmlinux-200908132040

And grsecurity patch is:
grsecurity-2.1.14-2.6.30.4-200908132040.patch

Original bug report (I think he used the 20090812 patch):
http://redmine.alpinelinux.org/issues/show/135


PAX: modprobe:1606, uid/euid: 0/0, attempted to modify kernel code
BUG: unable to handle kernel paging request at c0d09ac8
IP: [<000314db>] 0x0314db
*pde = 00c001e1 
Oops: 0003 [#1] SMP 
last sysfs file: /sys/devices/pci0000:80/0000:80:01.0/resource
Modules linked in: bonding(+) via drm ipv6 af_packet joydev uvcvideo videodev v4l1_compat psmouse serio_raw pcspkr tg3 libphy shpchp pci_hotplug i2c_viapro i2c_core snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_pcm snd_page_alloc snd_timer snd_hwdep snd soundcore via_agp agpgart evdev wmi battery rtc_cmos rtc_core rtc_lib video backlight output thermal button hp_accel led_class lis3lv02d processor ac btusb bluetooth sd_mod ssb pcmcia pcmcia_core crc32 firmware_class ide_pci_generic ide_core ata_generic sata_via pata_acpi libata scsi_mod ehci_hcd uhci_hcd usbcore cramfs loop ext3 mbcache jbd

Pid: 1606, comm: modprobe Not tainted (2.6.30.4-grsec #1) HP 2133
EIP: 0060:[<000314db>] EFLAGS: 00010202 CPU: 0
EAX: 00000001 EBX: c0d09ac4 ECX: 00000001 EDX: c0d09ac4
ESI: f69db42d EDI: f807045c EBP: f6b57ee0 ESP: f6b57ed4
 DS: 0068 ES: 0068 FS: 00d8 GS: 0000 SS: 0068
Process modprobe (pid: 1606, ti=f6b56000 task=f70bae50 task.ti=f6b56000)
Stack:
 f69db428 f69db42d f69db400 f6b57f14 00031050 f69db42d c0d09ac4 c0d09a24
 00000283 c0d056b8 f80702b8 f69db42f 00000008 f80702ac f69db428 c09fef5d
 f6b57f9c 000417ac 00000010 00000000 f6b57f84 f80c2de4 f80c91a4 00000021
Call Trace:
 [<00031050>] ? 0x031050
 [<000417ac>] ? 0x0417ac
 [<00041982>] ? 0x041982
 [<00003ac5>] ? 0x003ac5
 [<0001a160>] ? 0x01a160
 [<0001a160>] ? 0x01a160
Code: c0 e8 62 02 19 00 b8 e4 ff ff ff 5b 5e eb 40 83 7b 04 00 79 0a 8b 43 10 8b 00 e8 f7 1d 03 00 e8 48 17 03 00 8b 7b 10 85 c0 74 20 <81> 4b 04 00 00 00 80 ba d0 00 00 00 89 f0 e8 ff 27 02 00 89 07 
EIP: [<000314db>]  SS:ESP 0068:f6b57ed4
CR2: 00000000c0d09ac8
---[ end trace 018284ba5d29b725 ]---
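
Added for triage, not part of the original post: a Python sketch that decodes the page-fault error code on the "Oops:" line and checks that the memory operand of the instruction marked <81> on the "Code:" line resolves to the address in CR2. The sample lines are copied from the oops above with the "Code:" line shortened to the bytes around the marker; all function names are this example's own.

```python
import re

# Lines copied from the oops in the report above (Code: line shortened).
OOPS = """\
PAX: modprobe:1606, uid/euid: 0/0, attempted to modify kernel code
Oops: 0003 [#1] SMP
EAX: 00000001 EBX: c0d09ac4 ECX: 00000001 EDX: c0d09ac4
ESI: f69db42d EDI: f807045c EBP: f6b57ee0 ESP: f6b57ed4
Code: 8b 7b 10 85 c0 74 20 <81> 4b 04 00 00 00 80 ba d0 00 00 00
CR2: 00000000c0d09ac8
"""

# x86 page-fault error code bits: (mask, meaning if set, meaning if clear).
PF_BITS = [(0x01, "protection violation", "page not present"),
           (0x02, "write", "read"),
           (0x04, "user mode", "kernel mode"),
           (0x10, "instruction fetch", "data access")]
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # ModRM r/m order

def decode_error_code(text):
    code = int(re.search(r"^Oops: ([0-9a-f]{4})", text, re.M).group(1), 16)
    return [on if code & bit else off for bit, on, off in PF_BITS]

def registers(text):
    return {n: int(v, 16) for n, v in re.findall(r"\b(E[A-Z]{2}): ([0-9a-f]{8})", text)}

def faulting_operand(text):
    """Decode the ModRM byte after the <..> marker; handles only reg + disp8."""
    m = re.search(r"<([0-9a-f]{2})> ([0-9a-f]{2}) ([0-9a-f]{2})", text)
    _opcode, modrm, disp = (int(x, 16) for x in m.groups())  # assumes opcode takes ModRM (0x81 does)
    mod, rm = modrm >> 6, modrm & 7
    if mod != 1 or rm == 4:  # rm == 4 means a SIB byte follows; not handled
        raise ValueError("addressing form not handled by this sketch")
    disp = disp - 256 if disp & 0x80 else disp  # disp8 is sign-extended
    return REG32[rm], disp

def triage(text):
    cr2 = int(re.search(r"^CR2: ([0-9a-f]+)", text, re.M).group(1), 16)
    reg, disp = faulting_operand(text)
    target = (registers(text)[reg] + disp) & 0xFFFFFFFF
    return {"error": decode_error_code(text), "operand": f"{disp:#x}({reg})",
            "operand_matches_cr2": target == cr2}

if __name__ == "__main__":
    print(triage(OOPS))
```

For this report the result is a kernel-mode write to a present page through 0x4(EBX), which lands exactly on the CR2 address and is consistent with the PAX line printed before the oops.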
