[Bug 1745169] Re: Kernel tried to execute NX-protected page - exploit attempt?

2018-01-29 Thread Damien Cuenot
I retried this morning, and problem solved!
Thanks

** Changed in: linux-azure (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1745169

Title:
  Kernel tried to execute NX-protected page - exploit attempt?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-azure/+bug/1745169/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [External] [Bug 1745169] Re: Kernel tried to execute NX-protected page - exploit attempt?

2018-01-26 Thread Damien Cuenot
Thanks for the update, I will try it on next Monday.

Sent from my iPhone

> On 26 Jan 2018, at 17:02, Joshua R. Poulson wrote:
>
> A new round of kernels was released last night, including
> Linux-azure-4.13.0-1007... are you still seeing this trace?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1745169
>
> Title:
>  Kernel tried to execute NX-protected page - exploit attempt?
>
> Status in linux-azure package in Ubuntu:
>  Confirmed
> Status in linux-meta-hwe-edge package in Ubuntu:
>  New
>
> Bug description:
>  Hi,
>
>  This morning I had an issue in the install of elasticsearch-2.4.6, and
>  when I have a look in journalctl, I have this BUG: unable to handle
>  kernel paging request at 7f7d7d67e7a0
>
>  My configuration:
>  elasticsearch@es-usb:~$ uname -r
>  4.13.0-1006-azure
>
>  When I do the downgrade on the 4.11.0-1016-azure kernel version,
>  everything is working well.
>
>  More information of my journalctl:
>  Jan 24 12:12:53 es-usb systemd[1]: Starting Elasticsearch...
>  Jan 24 12:12:53 es-usb systemd[1]: Started Elasticsearch.
>  Jan 24 12:12:53 es-usb sudo[18774]: pam_unix(sudo:session): session closed for user root
>  Jan 24 12:12:55 es-usb kernel: kernel tried to execute NX-protected page - exploit attempt? (uid: 1000)
>  Jan 24 12:12:55 es-usb kernel: BUG: unable to handle kernel paging request at 7f7d7d67e7a0
>  Jan 24 12:12:55 es-usb kernel: IP: 0x7f7d7d67e7a0
>  Jan 24 12:12:55 es-usb kernel: PGD 8001b6e97067
>  Jan 24 12:12:55 es-usb kernel: P4D 8001b6e97067
>  Jan 24 12:12:55 es-usb kernel: PUD 1b55fd067
>  Jan 24 12:12:55 es-usb kernel: PMD 1b55fc067
>  Jan 24 12:12:55 es-usb kernel: PTE 8001aa5ac867
>  Jan 24 12:12:55 es-usb kernel:
>  Jan 24 12:12:55 es-usb kernel: Oops: 0011 [#7] SMP PTI
>  Jan 24 12:12:55 es-usb kernel: Modules linked in: xt_nat xt_tcpudp veth ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype nf_nat br_netfilter bridge stp llc overlay xt_multiport iptable_filter nf_conntrack_ipv4 n
>  Jan 24 12:12:55 es-usb kernel:  hyperv_keyboard hid cfbimgblt cfbcopyarea hv_utils ptp pps_core hv_netvsc
>  Jan 24 12:12:55 es-usb kernel: CPU: 0 PID: 18809 Comm: java Tainted: G  D 4.13.0-1006-azure #8-Ubuntu
>  Jan 24 12:12:55 es-usb kernel: Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090007  06/02/2017
>  Jan 24 12:12:55 es-usb kernel: task: 9c04b5e42e80 task.stack: b490c5aa
>  Jan 24 12:12:55 es-usb kernel: RIP: 0010:0x7f7d7d67e7a0
>  Jan 24 12:12:55 es-usb kernel: RSP: 0018:b490c5aa3f50 EFLAGS: 00010202
>  Jan 24 12:12:55 es-usb kernel: RAX: 03e7 RBX:  RCX: 7f7d7cf914d9
>  Jan 24 12:12:55 es-usb kernel: RDX: 7f7d7d67ef50 RSI: 7f7d7d67f030 RDI:
>  Jan 24 12:12:55 es-usb kernel: RBP:  R08:  R09: 000c
>  Jan 24 12:12:55 es-usb kernel: R10: 7f7d7d67e7a0 R11: 9c04b5e42e80 R12:
>  Jan 24 12:12:55 es-usb kernel: R13:  R14:  R15:
>  Jan 24 12:12:55 es-usb kernel: FS:  7f7d7d680700() GS:9c04b9e0() knlGS:
>  Jan 24 12:12:55 es-usb kernel: CS:  0010 DS:  ES:  CR0: 80050033
>  Jan 24 12:12:55 es-usb kernel: CR2: 7f7d7d67e7a0 CR3: 0001a33b8000 CR4: 001406f0
>  Jan 24 12:12:55 es-usb kernel: Call Trace:
>  Jan 24 12:12:55 es-usb kernel:  ? entry_SYSCALL_64_fastpath+0x33/0xa3
>  Jan 24 12:12:55 es-usb kernel: Code:  Bad RIP value.
>  Jan 24 12:12:55 es-usb kernel: RIP: 0x7f7d7d67e7a0 RSP: b490c5aa3f50
>  Jan 24 12:12:55 es-usb kernel: CR2: 7f7d7d67e7a0
>  Jan 24 12:12:55 es-usb kernel: ---[ end trace 3100a53c6de7c0c4 ]---
>
>  Thanks for your help
>
>  Damien
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/linux-azure/+bug/1745169/+subscriptions




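Added example, not part of the original thread or of any Ubuntu or kernel tooling: a short Python triage of the oops lines quoted in the report above, decoding the page-fault error code printed after `Oops:` and checking the privilege level and address half of the faulting RIP. The function name `triage`, the 2**47 user-space boundary (4-level paging) and the re-joined sample lines are assumptions of this example.

```python
import re

# x86 page-fault error-code bits, as printed in hex after "Oops:".
PF_BITS = {
    0x01: "page present (protection violation)",
    0x02: "write access",
    0x04: "fault raised in user mode",
    0x08: "reserved bit set in page table",
    0x10: "instruction fetch",
}
# Assumption: 4-level paging, so user space is below 2**47.
USER_TOP = 1 << 47

# Kernel lines from the report above, with the mail line-wrapping undone.
SAMPLE = """\
Jan 24 12:12:55 es-usb kernel: Oops: 0011 [#7] SMP PTI
Jan 24 12:12:55 es-usb kernel: CPU: 0 PID: 18809 Comm: java Tainted: G  D 4.13.0-1006-azure #8-Ubuntu
Jan 24 12:12:55 es-usb kernel: RIP: 0010:0x7f7d7d67e7a0
"""

def triage(log):
    """Summarise one oops; returns None if the Oops or RIP line is missing."""
    oops = re.search(r"Oops: ([0-9a-f]{4})\b", log)
    rip = re.search(r"RIP: ([0-9a-f]{4}):0x([0-9a-f]+)", log)
    if not (oops and rip):
        return None
    code = int(oops.group(1), 16)
    ring = int(rip.group(1), 16) & 3   # low two bits of CS = privilege level
    addr = int(rip.group(2), 16)
    comm = re.search(r"Comm: (\S+)", log)
    # Ring 0 fetching instructions from an address in the user half.
    kernel_exec_of_user_page = (
        bool(code & 0x10) and not code & 0x04 and ring == 0 and addr < USER_TOP
    )
    return {
        "error_code": code,
        "flags": [name for bit, name in PF_BITS.items() if code & bit],
        "ring": ring,
        "rip_in_user_half": addr < USER_TOP,
        "comm": comm.group(1) if comm else None,
        "kernel_exec_of_user_page": kernel_exec_of_user_page,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For the report's values this yields a ring-0 instruction fetch from a user-half address on a present page, in the context of `java`. That describes the symptom behind the kernel's "exploit attempt?" wording, not its cause.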
[Bug 1745169] [NEW] Kernel tried to execute NX-protected page - exploit attempt?

2018-01-24 Thread Damien Cuenot
Public bug reported:

Hi,

This morning I had an issue in the install of elasticsearch-2.4.6, and
when I have a look in journalctl, I have this BUG: unable to handle
kernel paging request at 7f7d7d67e7a0

My configuration:
elasticsearch@es-usb:~$ uname -r
4.13.0-1006-azure

When I do the downgrade on the 4.11.0-1016-azure kernel version,
everything is working well.

More information of my journalctl:
Jan 24 12:12:53 es-usb systemd[1]: Starting Elasticsearch...
Jan 24 12:12:53 es-usb systemd[1]: Started Elasticsearch.
Jan 24 12:12:53 es-usb sudo[18774]: pam_unix(sudo:session): session closed for user root
Jan 24 12:12:55 es-usb kernel: kernel tried to execute NX-protected page - exploit attempt? (uid: 1000)
Jan 24 12:12:55 es-usb kernel: BUG: unable to handle kernel paging request at 7f7d7d67e7a0
Jan 24 12:12:55 es-usb kernel: IP: 0x7f7d7d67e7a0
Jan 24 12:12:55 es-usb kernel: PGD 8001b6e97067
Jan 24 12:12:55 es-usb kernel: P4D 8001b6e97067
Jan 24 12:12:55 es-usb kernel: PUD 1b55fd067
Jan 24 12:12:55 es-usb kernel: PMD 1b55fc067
Jan 24 12:12:55 es-usb kernel: PTE 8001aa5ac867
Jan 24 12:12:55 es-usb kernel:
Jan 24 12:12:55 es-usb kernel: Oops: 0011 [#7] SMP PTI
Jan 24 12:12:55 es-usb kernel: Modules linked in: xt_nat xt_tcpudp veth ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 xt_addrtype nf_nat br_netfilter bridge stp llc overlay xt_multiport iptable_filter nf_conntrack_ipv4 n
Jan 24 12:12:55 es-usb kernel:  hyperv_keyboard hid cfbimgblt cfbcopyarea hv_utils ptp pps_core hv_netvsc
Jan 24 12:12:55 es-usb kernel: CPU: 0 PID: 18809 Comm: java Tainted: G  D     4.13.0-1006-azure #8-Ubuntu
Jan 24 12:12:55 es-usb kernel: Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090007  06/02/2017
Jan 24 12:12:55 es-usb kernel: task: 9c04b5e42e80 task.stack: b490c5aa
Jan 24 12:12:55 es-usb kernel: RIP: 0010:0x7f7d7d67e7a0
Jan 24 12:12:55 es-usb kernel: RSP: 0018:b490c5aa3f50 EFLAGS: 00010202
Jan 24 12:12:55 es-usb kernel: RAX: 03e7 RBX:  RCX: 7f7d7cf914d9
Jan 24 12:12:55 es-usb kernel: RDX: 7f7d7d67ef50 RSI: 7f7d7d67f030 RDI:
Jan 24 12:12:55 es-usb kernel: RBP:  R08:  R09: 000c
Jan 24 12:12:55 es-usb kernel: R10: 7f7d7d67e7a0 R11: 9c04b5e42e80 R12:
Jan 24 12:12:55 es-usb kernel: R13:  R14:  R15:
Jan 24 12:12:55 es-usb kernel: FS:  7f7d7d680700() GS:9c04b9e0() knlGS:
Jan 24 12:12:55 es-usb kernel: CS:  0010 DS:  ES:  CR0: 80050033
Jan 24 12:12:55 es-usb kernel: CR2: 7f7d7d67e7a0 CR3: 0001a33b8000 CR4: 001406f0
Jan 24 12:12:55 es-usb kernel: Call Trace:
Jan 24 12:12:55 es-usb kernel:  ? entry_SYSCALL_64_fastpath+0x33/0xa3
Jan 24 12:12:55 es-usb kernel: Code:  Bad RIP value.
Jan 24 12:12:55 es-usb kernel: RIP: 0x7f7d7d67e7a0 RSP: b490c5aa3f50
Jan 24 12:12:55 es-usb kernel: CR2: 7f7d7d67e7a0
Jan 24 12:12:55 es-usb kernel: ---[ end trace 3100a53c6de7c0c4 ]---

Thanks for your help

Damien

** Affects: linux-azure (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

  Hi,
  
  This morning I had an issue in the install of elasticsearch-2.4.6, and
  when I have a look in journalctl, I have this BUG: unable to handle
  kernel paging request at 7f7d7d67e7a0
  
- 
  My configuration:
- elasticsearch@ife-es-usb-prod-master:~$ uname -r
+ elasticsearch@es-usb:~$ uname -r
  4.13.0-1006-azure
  
  When I do the downgrade on the 4.11.0-1016-azure kernel version,
  everything is working well.
  
- 
  More information of my journalctl:
- Jan 24 12:12:53 ife-es-usb-prod-master systemd[1]: Starting Elasticsearch...
- Jan 24 12:12:53 ife-es-usb-prod-master systemd[1]: Started Elasticsearch.
- Jan 24 12:12:53 ife-es-usb-prod-master sudo[18774]: pam_unix(sudo:session): 
session closed for user root
- Jan 24 12:12:55 ife-es-usb-prod-master kernel: kernel tried to execute 
NX-protected page - exploit attempt? (uid: 1000)
- Jan 24 12:12:55 ife-es-usb-prod-master kernel: BUG: unable to handle kernel 
paging request at 7f7d7d67e7a0
- Jan 24 12:12:55 ife-es-usb-prod-master kernel: IP: 0x7f7d7d67e7a0
- Jan 24 12:12:55 ife-es-usb-prod-master kernel: PGD 8001b6e97067
- Jan 24 12:12:55 ife-es-usb-prod-master kernel: P4D 8001b6e97067
- Jan 24 12:12:55 ife-es-usb-prod-master kernel: PUD 1b55fd067
- Jan 24 12:12:55 ife-es-usb-prod-master kernel: PMD 1b55fc067
- Jan 24 12:12:55 ife-es-usb-prod-master kernel: PTE 8001aa5ac867
- Jan 24 12:12:55 ife-es-usb-prod-master kernel:
- Jan 24 12:12:55 ife-es-usb-prod-master kernel: Oops: 0011 [#7] SMP PTI
- Jan 24 12:12:55 ife-es-usb-prod-master kernel: Modules linked in: xt_nat 
xt_tcpudp veth ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink 
nfnetlink xfrm_user