Currently, the bug cannot be reproduced on the original platform. However,
there is another platform that has a similar symptom, and the bug can be
captured by KASan (Kernel Address Sanitizer) backported onto v3.13.0-52.86.

The source code:
http://kernel.ubuntu.com/git/gavinguo/ubuntu-trusty-amd64.git/log/?h=kasan_porting_alpha

The kernel package:
http://kernel.ubuntu.com/~gavinguo/kasan/kasan_alpha_52/linux-image-3.13.0-52-generic_3.13.0-52.86_amd64.deb

KASan has found some errors related to kmalloc-1024. The errors related to
the kmalloc-1024 object can be summarized as follows (the /var/log/kern.log
is also attached):

BUG: KASan: out of bounds access in pipe_iov_copy_from_user+0x9e/0x100 at addr ffff882044fc8940
BUG: KASan: out of bounds access in iov_fault_in_pages_read+0x67/0xd0 at addr ffff882044fc8940

After some investigation, I found that CVE-2015-1805 is the culprit, and it is
already included in Ubuntu-3.13.0-58.96.

commit c825e30e2a91fc94540959c16ebbba2ca095ad2c
Author: Ben Hutchings <[email protected]>
Date:   Tue Jun 16 22:11:06 2015 +0100

    pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
    
    pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
    the first time atomically and the second time not.  The second attempt
    needs to continue from the iovec position, pipe buffer offset and
    remaining length where the first attempt failed, but currently the
    pipe buffer offset and remaining length are reset.  This will corrupt
    the piped data (possibly also leading to an information leak between
    processes) and may also corrupt kernel memory.

    This was fixed upstream by commits f0d1bec9d58d ("new helper:
    copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
    copy_page_to_iter()"), but those aren't suitable for stable.  This fix
    for older kernel versions was made by Seth Jennings for RHEL and I
    have extracted it from their update.
    
    CVE-2015-1805
    
    References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
    Signed-off-by: Ben Hutchings <[email protected]>
    Acked-by: Stefan Bader <[email protected]>
    Acked-by: Andy Whitcroft <[email protected]>
    Signed-off-by: Kamal Mostafa <[email protected]>

The kernel 3.13.0-65.105 with backported KASan enabled has been tested, and
the bug cannot be reproduced anymore.
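The retry defect that the commit message above describes, shown as an added
userspace C model. This is not the kernel's code and not part of this bug
report: copy_from_iov(), write_buggy(), write_fixed() and run_case() are
constructed stand-ins for pipe_iov_copy_from_user() and the redo loop in
pipe_write(), the 16-byte "page", the two 8-byte iovec elements and the
point at which the atomic attempt faults are all constructed inputs. The
buggy caller restores the buffer offset and remaining length on retry while
the iovec stays advanced; the fixed caller carries all three forward, which
is what the backported fix does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a pipe buffer page: 16 bytes stands in for PAGE_SIZE. */
#define PIPE_BUF_SIZE 16
#define NIOV 2

/* Constructed stand-in for struct iovec. */
struct iov { const char *base; size_t len; };

enum { COPY_OK = 0, COPY_FAULT = -1, COPY_IOV_OVERRUN = -2, COPY_BUF_OVERRUN = -3 };

/*
 * Copy *remaining bytes from the iovec array into buf at *offset, advancing
 * the iovec elements in place (as the pre-fix pipe_iov_copy_from_user() did).
 * Progress is also reported through *offset and *remaining, which is what
 * the CVE-2015-1805 fix added.  fault_after simulates the atomic attempt
 * faulting: a chunk that would push the total past it is refused, the way
 * an atomic user copy refuses a page that is not faulted in.
 */
static int copy_from_iov(char *buf, size_t *offset, struct iov *iov, size_t niov,
                         size_t *remaining, size_t fault_after)
{
    size_t copied = 0;                 /* bytes copied by this attempt */

    while (*remaining > 0) {
        while (iov->len == 0) {        /* skip exhausted elements */
            if (niov <= 1)             /* the kernel would walk off the array here */
                return COPY_IOV_OVERRUN;
            iov++;
            niov--;
        }
        size_t n = *remaining < iov->len ? *remaining : iov->len;
        if (copied + n > fault_after)
            return COPY_FAULT;
        if (*offset + n > PIPE_BUF_SIZE)
            return COPY_BUF_OVERRUN;
        memcpy(buf + *offset, iov->base, n);
        *offset += n;
        *remaining -= n;
        iov->base += n;
        iov->len -= n;
        copied += n;
    }
    return COPY_OK;
}

/* Pre-fix behaviour: the retry restores offset and length to their original
 * values while the iovec stays advanced, so later data lands at the front of
 * the buffer, the tail keeps stale bytes, and the copy runs past the iovec. */
static int write_buggy(char *buf, struct iov *iov, size_t len, size_t fault_after)
{
    size_t off = 0, remaining = len;
    int rc = copy_from_iov(buf, &off, iov, NIOV, &remaining, fault_after);
    if (rc == COPY_FAULT) {
        off = 0;                       /* the defect: progress is discarded */
        remaining = len;
        rc = copy_from_iov(buf, &off, iov, NIOV, &remaining, SIZE_MAX);
    }
    return rc;
}

/* Fixed behaviour: the retry continues from the offset, remaining length and
 * iovec position where the atomic attempt stopped. */
static int write_fixed(char *buf, struct iov *iov, size_t len, size_t fault_after)
{
    size_t off = 0, remaining = len;
    int rc = copy_from_iov(buf, &off, iov, NIOV, &remaining, fault_after);
    if (rc == COPY_FAULT)
        rc = copy_from_iov(buf, &off, iov, NIOV, &remaining, SIZE_MAX);
    return rc;
}

static char last_buf[PIPE_BUF_SIZE + 1];   /* buffer contents after the last run */

/* Run one constructed case: two 8-byte iovec elements, the atomic attempt
 * faulting on the second.  Returns the copy status; see pipe_contents(). */
static int run_case(int fixed)
{
    struct iov iov[NIOV] = { { "ABCDEFGH", 8 }, { "IJKLMNOP", 8 } };
    char buf[PIPE_BUF_SIZE];
    memset(buf, '.', sizeof buf);      /* stale bytes a reader must never see */
    int rc = fixed ? write_fixed(buf, iov, 16, 8) : write_buggy(buf, iov, 16, 8);
    memcpy(last_buf, buf, PIPE_BUF_SIZE);
    last_buf[PIPE_BUF_SIZE] = '\0';
    return rc;
}

static const char *pipe_contents(void) { return last_buf; }

int main(void)
{
    int rc = run_case(0);
    printf("buggy: rc=%d buf=\"%s\"\n", rc, pipe_contents());   /* rc=-2 buf="IJKLMNOP........" */
    rc = run_case(1);
    printf("fixed: rc=%d buf=\"%s\"\n", rc, pipe_contents());   /* rc=0  buf="ABCDEFGHIJKLMNOP" */
    return 0;
}
```

The buggy run ends in COPY_IOV_OVERRUN, the point at which the real code
reads past the end of the iovec array, which is the kind of out-of-bounds
access in pipe_iov_copy_from_user() that the KASan report above shows; the
stale bytes left in the second half of the buffer are the information leak
the commit message mentions.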


** Bug watch added: Red Hat Bugzilla #1202855
   https://bugzilla.redhat.com/show_bug.cgi?id=1202855

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1805

https://bugs.launchpad.net/bugs/1403282

Title:
  General protection fault on c->freelist broken with Trusty Tahr
