Re: [PROBLEM] interrupt 24 happens

From: qiaonuohan
Date: Wed May 10 2017 - 06:13:04 EST


I tried to use "int 24" and "apic->send_IPI" to trigger vector 24.
1. "int 24" is only available to trigger vector 24 on the same CPU
2. "apic->send_IPI" doesn't work when trying to trigger vector 24

Could anyone give some hint about how to trigger vector 24?

On 2017/5/9 14:58, qiaonuohan wrote:
Hi,

Recently, when I was trying to destroy a virtual machine, I came across
a panic. The stack is listed at the end of this mail.

After analysis, I think it is a problem of the CPU: it generates an interrupt
of vector 24.

SS/ESP/EFLAGS/CS/RIP are pushed onto the stack, and EFLAGS is changed from 0x286
to 0x10086, i.e. IF is cleared.
And the interrupt came after "HLT" (native_safe_halt+0x6/0x10).

RIP is ffffffff81aa00d8, which was set for vector 24 during boot, but then freed.

I would like to confirm if it is a problem of the kernel or the CPU. Could anyone give
some help?


P.S.
The problem happened on a machine with:
CPU: Intel(R) Xeon(R) CPU E5-2658 v4 @ 2.30GHz
Memory: Micron 36ASF2G72PZ-2G1A2 DDR4 2133 MHz



--------------------------------------------------------------------------------------
[681483.002217] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[681483.010107] BUG: unable to handle kernel paging request at ffffffff81aa00d8
[681483.017338] IP: [<ffffffff81aa00d8>] early_idt_handlers+0xd8/0x120
[681483.023790] PGD 195d067 PUD 195e063 PMD 3fcdcca063 PTE 8000000001aa0163
[681483.030716] Oops: 0011 [#1] SMP
[681483.072006] Modules linked in: vfat fat loop scsi_transport_iscsi sch_htb 8021q garp stp mrp llc xt_multiport xt_conntrack iptable_filter ip6table_filter ip6_tables softdog dev_connlimit(O) binfmt_misc bum(O) ip_set nfnetlink prio(O) nat(O) vport_vxlan(O) openvswitch(O) nf_defrag_ipv6 gre ib_uverbs(OVE) kboxdriver(O) kbox(O) hotpatch(OE) pmcint(O) signo_catch(O) ipmi_devintf ipmi_si uio ipmi_msghandler bonding mlx4_ib(OVE) mlx4_en(OVE) ib_sa(OVE) ib_mad(OVE) ib_core(OVE) ib_addr(OVE) ib_netlink(OVE) kvm_intel(O) kvm(O) ixgbe(O) coretemp intel_rapl crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw gf128mul mlx4_core(OVE) vxlan ip6_udp_tunnel udp_tunnel ptp pps_core dca glue_helper ablk_helper cryptd pcspkr mei_me compat(OVE) lpc_ich mfd_core sb_edac edac_core i2c_i801 i2c_core mei acpi_power_meter
[681483.146336] sg shpchp vhost_net(O) tun(O) vhost(O) macvtap macvlan nf_nat_proto_sctp nf_nat ip_tables ext3 mbcache jbd sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common ahci libahci mpt3sas libata raid_class scsi_transport_sas dm_mod nf_conntrack_ipv4 nf_defrag_ipv4 vfio_pci irqbypass vfio_iommu_type1 vfio xt_sctp nf_conntrack_proto_sctp nf_conntrack sctp libcrc32c [last unloaded: nxup]
[681483.182672] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G OE ----V------- 3.10.0-327.36.58.10_2.x86_64 #1
[681483.200539] task: ffffffff81961440 ti: ffffffff8194c000 task.ti: ffffffff8194c000
[681483.208428] RIP: 0010:[<ffffffff81aa00d8>] [<ffffffff81aa00d8>] early_idt_handlers+0xd8/0x120
[681483.217410] RSP: 0018:ffffffff8194fe78 EFLAGS: 00010086
[681483.222968] RAX: 00000000ffffffed RBX: ffffffff8194c000 RCX: 0100000000000000
[681483.230510] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000046
[681483.238050] RBP: ffffffff8194fea0 R08: 0000000000000000 R09: 0000000000000002
[681483.245540] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[681483.256972] R13: ffffffff8194c000 R14: ffffffff8194c000 R15: ffffffff8194ffa8
[681483.264519] FS: 0000000000000000(0000) GS:ffff881fffa00000(0000) knlGS:0000000000000000
[681483.273007] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[681483.278993] CR2: ffffffff81aa00d8 CR3: 0000001fc77b7000 CR4: 00000000003427f0
[681483.286530] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[681483.294077] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[681483.301613] Stack:
[681483.303853] ffffffff81058ee6 0000000000000010 0000000000000286 ffffffff8194fea0
[681483.311725] 0000000000000018 ffffffff8194fec0 ffffffff8101dd6f ffffffff8194c000
[681483.319588] ffffffff81a79a20 ffffffff8194fed0 ffffffff8101e686 ffffffff8194ff28
[681483.327456] Call Trace:
[681483.330164] [<ffffffff81058ee6>] ? native_safe_halt+0x6/0x10
[681483.336162] [<ffffffff8101dd6f>] default_idle+0x1f/0xc0
[681483.341725] [<ffffffff8101e686>] arch_cpu_idle+0x26/0x30
[681483.347346] [<ffffffff810d7085>] cpu_startup_entry+0x245/0x290
[681483.353521] [<ffffffff816320dc>] rest_init+0x7c/0x80
[681483.358816] [<ffffffff81aa1057>] start_kernel+0x429/0x44a
[681483.364551] [<ffffffff81aa0a37>] ? repair_env_string+0x5c/0x5c
[681483.370716] [<ffffffff81aa0120>] ? early_idt_handlers+0x120/0x120
[681483.377130] [<ffffffff81aa05ee>] x86_64_start_reservations+0x2a/0x2c
[681483.383812] [<ffffffff81aa0742>] x86_64_start_kernel+0x152/0x175
[681483.390117] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[681483.410777] RIP [<ffffffff81aa00d8>] early_idt_handlers+0xd8/0x120
[681483.417312] RSP <ffffffff8194fe78>
[681483.421047] CR2: ffffffff81aa00d8
[681483.425086] ---[ end trace c26409feeec75903 ]---
--------------------------------------------------------------------------------------

--
Regards
NuoHan Qiao
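As an added illustration of the stack analysis in the quoted mail (this is not code from the thread), the script below pulls the register line and the "Stack:" dump out of the oops, decodes the five-qword frame the CPU pushed when the interrupt hit the HLT, and diffs the saved RFLAGS against the one reported at the oops. The OOPS string is a constructed excerpt of the trace above.

```python
import re

# x86-64 RFLAGS bit names used when reading an oops (bit 1 is reserved, always 1).
RFLAGS_BITS = {0: "CF", 2: "PF", 4: "AF", 6: "ZF", 7: "SF", 8: "TF", 9: "IF",
               10: "DF", 11: "OF", 14: "NT", 16: "RF", 17: "VM", 18: "AC",
               19: "VIF", 20: "VIP", 21: "ID"}

# Constructed excerpt of the oops quoted in the mail: register line plus stack dump.
OOPS = """\
[681483.217410] RSP: 0018:ffffffff8194fe78 EFLAGS: 00010086
[681483.301613] Stack:
[681483.303853] ffffffff81058ee6 0000000000000010 0000000000000286 ffffffff8194fea0
[681483.311725] 0000000000000018 ffffffff8194fec0 ffffffff8101dd6f ffffffff8194c000
[681483.327456] Call Trace:
"""

def flags_set(value):
    """Names of the RFLAGS bits that are set in value."""
    return {name for bit, name in RFLAGS_BITS.items() if value >> bit & 1}

def parse_oops(text):
    """Return (rsp_at_oops, rflags_at_oops, stack_qwords) from an x86-64 oops."""
    m = re.search(r"RSP: [0-9a-f]{4}:([0-9a-f]{16}) EFLAGS: ([0-9a-f]{8})", text)
    rsp, rflags = int(m.group(1), 16), int(m.group(2), 16)
    words, in_stack = [], False
    for line in text.splitlines():
        body = re.sub(r"^\[[^\]]*\]\s*", "", line)   # drop the printk timestamp
        if body == "Stack:":
            in_stack = True
            continue
        if in_stack:
            if not re.fullmatch(r"([0-9a-f]{16}\s*)+", body):
                break                                 # "Call Trace:" ends the dump
            words += [int(w, 16) for w in body.split()]
    return rsp, rflags, words

def decode_iret_frame(rsp, words):
    """An external interrupt pushes SS, RSP, RFLAGS, CS, RIP and no error code,
    so the five qwords at RSP describe the interrupted context."""
    rip, cs, rflags, old_rsp, ss = words[:5]
    # Consistency check: without an error code the saved RSP is exactly 5 qwords up.
    frame_ok = old_rsp == rsp + 5 * 8
    return {"rip": rip, "cs": cs, "rflags": rflags, "rsp": old_rsp, "ss": ss,
            "frame_ok": frame_ok}

def compare_flags(before, after):
    """Which flag bits the interrupt entry cleared and which it set."""
    return {"cleared": sorted(flags_set(before) - flags_set(after)),
            "set": sorted(flags_set(after) - flags_set(before))}

if __name__ == "__main__":
    rsp, rflags, words = parse_oops(OOPS)
    frame = decode_iret_frame(rsp, words)
    print({k: hex(v) if isinstance(v, int) else v for k, v in frame.items()})
    print(compare_flags(frame["rflags"], rflags))
```

The saved RIP (native_safe_halt+0x6) with CS 0x10 and SS 0x18 confirms a kernel-mode interrupt delivered right after the HLT, and the flag diff shows IF cleared and RF set on entry, matching the mail's reading of the trace.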