Kernel crash - WhatApp Tainted

asef

My pixel 9 crashed after behaving strangely and looking at the logs I found an odd entry related to WhatsApp.

Would anyone here with more knowledge please have a quick look at the log?

[  193.127498][ T5675]  exynos_pmu_if(OE) exynos_pd_el3(OE)
[  193.127504][ T5675] CPU: 5 PID: 5675 Comm: com.whatsapp Tainted: G S      W  OE   T  6.1.112-android14-11-ge5bfa48ad203 #1
[  193.127508][ T5675] Hardware name: ZUMA PRO TOKAY MP board based on ZUMA PRO (DT)
[  193.127510][ T5675] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  193.127513][ T5675] pc : kmem_cache_free_bulk+0x878/0x918
[  193.127527][ T5675] lr : kmem_cache_alloc_bulk+0x3b4/0x408
[  193.127531][ T5675] sp : ffff80002a75b4b0
[  193.127533][ T5675] x29: ffff80002a75b500 x28: 0000000000000002 x27: ffff1c0dc2803e00
[  193.127537][ T5675] x26: ffff1c17ccbd7200 x25: 0000000000000000 x24: ffff1c17ccbd6200
[  193.127540][ T5675] x23: ffff1c16ec1c9300 x22: 0000000000000000 x21: 0000000000000001
[  193.127543][ T5675] x20: ffff1c17ccbd6200 x19: ffff1c17ccbd7200 x18: ffff80000f237070
[  193.127546][ T5675] x17: 0000c8bffbd8a000 x16: 0000000000000000 x15: 8000000000000000
[  193.127549][ T5675] x14: 0000000000000001 x13: aeb800cf9f6eb900 x12: 449a6076f79bdb55
[  193.127552][ T5675] x11: bb657c613b26b800 x10: 0000000000000108 x9 : 0000000000000080
[  193.127555][ T5675] x8 : 0000000000000100 x7 : 0000000000000000 x6 : 000000000000003f
[  193.127558][ T5675] x5 : 0000000000000000 x4 : ffff1c17ff9a7210 x3 : 000000000000000b
[  193.127561][ T5675] x2 : ffff1c17ff9a7210 x1 : 0000000000000009 x0 : ffff1c0dc2803e00
[  193.127565][ T5675] Call trace:
[  193.127567][ T5675]  kmem_cache_free_bulk+0x878/0x918
[  193.127570][ T5675]  kmem_cache_alloc_bulk+0x3b4/0x408
[  193.127573][ T5675]  mas_alloc_nodes+0x168/0x20c
[  193.127584][ T5675]  mas_wr_spanning_store+0xf8/0x794
[  193.127587][ T5675]  mas_wr_store_entry+0x284/0x2dc
[  193.127590][ T5675]  mas_store_gfp+0xa0/0x1ec
[  193.127594][ T5675]  do_mas_align_munmap+0x43c/0x77c
[  193.127606][ T5675]  __vm_munmap+0x1f4/0x2dc
[  193.127610][ T5675]  __arm64_sys_munmap+0xc0/0xec
[  193.127613][ T5675]  invoke_syscall+0x8c/0x11c
[  193.127621][ T5675]  el0_svc_common+0x90/0x104
[  193.127624][ T5675]  do_el0_svc+0x34/0xd8
[  193.127627][ T5675]  el0_svc+0x34/0xac
[  193.127636][ T5675]  el0t_64_sync_handler+0x8c/0xfc
[  193.127639][ T5675]  el0t_64_sync+0x1a4/0x1a8
[  193.127644][ T5675] Code: 9102c3ff d50323bf f85f8e5e d65f03c0 (d4210000) 
[  193.127647][ T5675] ---[ end trace 0000000000000000 ]---
[  193.127654][ T5675] Kernel panic - not syncing: Oops - BUG: Fatal exception
[  193.127668][ T5675] SMP: stopping secondary CPUs
[  193.127684][    C0] debug-snapshot dss: context saved(CPU:0)
[  193.127692][    C1] debug-snapshot dss: context saved(CPU:1)
[  193.127698][    C7] debug-snapshot dss: context saved(CPU:7)
[  193.127706][    C3] debug-snapshot dss: context saved(CPU:3)
[  193.127714][    C2] debug-snapshot dss: context saved(CPU:2)
[  193.127720][    C6] debug-snapshot dss: context saved(CPU:6)
[  193.127726][    C4] debug-snapshot dss: context saved(CPU:4)
[  193.128787][ T5675] s3c2410-wdt 10060000.watchdog_cl0: watchdog reset is started to 30secs
[  193.128810][ T5675] s3c2410-wdt 10070000.watchdog_cl1: s3c2410wdt_multistage_wdt_stop: cluster 1 stop done, WTCON 00115718
[  193.128815][ T5675] s3c2410-wdt 10060000.watchdog_cl0: Watchdog cluster 0 stop done, WTCON = 115718
[  193.128821][ T5675] s3c2410-wdt 10070000.watchdog_cl1: s3c2410wdt_multistage_wdt_stop: cluster 1 stop done, WTCON 00115718
[  193.128826][ T5675] s3c2410-wdt 10070000.watchdog_cl1: s3c2410wdt_multistage_wdt_start: count=0x0000cc8c, wtcon=0011573c
[  193.128831][ T5675] s3c2410-wdt 10060000.watchdog_cl0: Watchdog cluster 0 start, WTCON = 115739
[  193.128834][ T5675] s3c2410-wdt 10070000.watchdog_cl1: s3c2410wdt_multistage_wdt_stop: cluster 1 stop done, WTCON 00115718
[  193.128845][ T5675] Kernel Offset: 0x3d6ee6600000 from 0xffff800008000000
[  193.128848][ T5675] PHYS_OFFSET: 0xffffe3f2c0000000
[  193.128850][ T5675] CPU features: 0x00,00180000,000d0dd7,663e7667
[  193.128853][ T5675] Memory Limit: none
[  193.128860][ T5675] group NOCL1A_D frz_support NO
[  193.128864][ T5675] group NOCL1B_D frz_support NO
[  193.128867][ T5675] group NOCL2AA_D frz_support NO
[  193.128871][ T5675] group NOCL2AB_D frz_support NO
[  193.128872][ T5675] group NOCL0_D frz_support NO
[  193.128875][ T5675] group NOCL1A_P frz_support NO
[  193.128877][ T5675] group NOCL1B_P frz_support NO
[  193.128880][ T5675] group NOCL2AA_P frz_support NO
[  193.128882][ T5675] group NOCL2AB_P frz_support NO
[  193.128884][ T5675] group NOCL0_P frz_support NO
[  193.128886][ T5675] exynos-itmon-v2 exynos-itmon: No errors found itmon_logging_panic_handler
[  193.128901][ T5675] EHLD trace requires SJTAG authentication
[  193.128903][ T5675] cpu0: pmu_val:0xc2, ehld_stat:0x0
[  193.128906][ T5675] cpu1: pmu_val:0xc2, ehld_stat:0x0
[  193.128908][ T5675] cpu2: pmu_val:0xc2, ehld_stat:0x0
[  193.128910][ T5675] cpu3: pmu_val:0xc2, ehld_stat:0x0
[  193.128912][ T5675] cpu4: pmu_val:0xc2, ehld_stat:0x0
[  193.128914][ T5675] cpu5: pmu_val:0xc2, ehld_stat:0x0
[  193.128915][ T5675] cpu6: pmu_val:0xc2, ehld_stat:0x0
[  193.128918][ T5675] cpu7: pmu_val:0xc2, ehld_stat:0x0
[  193.128921][ T5675] Hardlockup CPU mask: 0x0
[  193.128924][ T5675] cpif: s5100_send_panic_noti_ext: Send CMD_KERNEL_PANIC message to CP
[  193.128928][ T5675] cpif: pcie_send_ap2cp_irq: Reserve doorbell interrupt: PCI not powered on
[  193.128999][ T5675] item - log_kevents is disabled
[  193.129001][ T5675] 
[  193.129002][ T5675]  current proc : 5675 com.whatsapp

Any help is greatly appreciated!

other8026

asef might be more helpful to share the WhatsApp logs

asef

other8026
Hi can you please change the tags for this post to reflect the case that it doesn't just relate to a 3rd party app?

asef

Wasn't aware that WhatsApp had logs TBH that I could check.
Definitely would've been helpful.

I was hoping that this Logcat could shed light on how WhatsApp managed to crash the whole phone.

argante

asef Kernel space is isolated from user space. So the app should crash, not the whole kernel. This certainly looks like a memory error, but from the logs you provided, it's a bit difficult to tell what exactly is causing this.

asef

argante

Could this be an indication of an exploited vulnerability.
Following your logic the app has corrupted memory outside of its standard address space, or have I misunderstood.
Also GOS said that WhatsApp was "tainted"
Also if I remember rightly memory tagging has to be disabled for WhatsApp to run on GOS.

ryrona

I don't think WhatsApp logs would help here.

WhatsApp seem to have called munmap(), which seems fine. Execution has switched to kernel space to handle the munmap() call, as expected. And then something goes wrong. For some reason it reached a BUG() point in the kernel code for kmem_cache_free_bulk(). That sounds to me like kernel memory probably has already been corrupted, or something like that. And that is probably not WhatsApp's doing. WhatsApp was just the innocent process that happened to be executing when the memory corruption was detected and the kernel rightly aborted execution right away.

I thought Pixel 9 was supposed to have MTE enabled, and be able to catch all kernel memory corruptions when they occur?

dhhdjbd

Not sure if it is related, but i believe i got today a "whatsapp crashed due to mte"-type notification...
maybe its a issue with some kind of update/

asef

dhhdjbd

Just to let you know that this log is from November last year.

ryrona

TGOS Next to kernel crash I sent this logcat from whatspp

What do you mean "next to". When is this log from compared to when the crash happened. Because I don't see any signs of any crash in that log file.

asef I do have a verbose logcat file from the same time

asef Sorry that link didn't work.
The below link should work now.

osVersion: google/tokay/tokay:15/BP1A.250405.007.D1/2025041100:user/release-keys
04-25 06:01:46.206

asef Just to let you know that this log is from November last year.

I am confused. From when is the kernel crash log you originally posted, and from when is this log file you sent? There are no signs of any kernel crash in that log file, nor any mentions of WhatsApp. There are plenty of other crashes though, from user space and various apps.

TGOS

asef
I run it with MT enabled
But had a kernel crash recently while on that app and reported via mail to devs. Few weeks but no answer yet

argante

asef Could this be an indication of an exploited vulnerability.
Following your logic the app has corrupted memory outside of its standard address space, or have I misunderstood.

Exactly. That's why this case is so interesting, that an application from userspace causes the kernel to crash. See Openwall's LTRG, which protect against such attacks. SELinux, seccomp, etc. act more as a syscall's firewall. LTRG protects the kernel space when the application starts making unauthorized modifications in this space (in kernel structures). Of course, it can also be an MTE error.

ryrona

asef I was also hoping someone else may give their thoughts

Yeah, no app should be able to cause memory corruption is kernel space, nor crash the kernel. That should be impossible. If it is possible, there is an issue with the OS itself, not the app.

asef I am considered a high risk target for this sort of thing but thought that GOS + good sense (hard earned) would make it difficult/expensive enough.

Using GrapheneOS absolutely helps to protect yourself if you are a high risk target, but as is evident from the logs here, it is not always enough.

asef I stopped using WhatsApp, reinstalled GOS and decided to only use Signal/Molly.

Although this is a good choice in general, I see nothing here that indicates WhatsApp caused the kernel space memory corruption. It was merely detected, by the kernel, while WhatsApp was the process running. There is no reason to suspect WhatsApp has anything to do with this memory corruption from the logs you have provided.

other8026 I'm confused. It's a crash that has only occurred while using WhatsApp, right?

Irrelevant what process it was that was currently running. It is a memory corruption in the kernel, and a kernel crash.

asef Could this be an indication of an exploited vulnerability.

Could be. Possible attack vectors that can have caused this memory corruption are vulnerabilities in Wifi driver, if you had Wifi enabled, 4G/5G drivers, if you had 4G/5G enabled, Bluetooth drivers, if you had Bluetooth enabled, but in that case you were probably quite close to the attacker physically, USB-C drivers, if you at any point connected your phone to a charger or other USB device during the current boot cycle. It could also be a malicious app you have installed, or an app that has been compromised, even WhatsApp, if your attacker likely have exploits against WhatsApp and know your phone number.

It is also quite possible it is just a bug in the kernel that caused some random memory corruption, and that this all is not a sign of an attack at all.

Still, any memory corruption in the kernel is a very serious issue, as it is possibly exploitable.

Unfortunately, the provided logs and information is not enough to find the cause of the memory corruption. MTE should have caught it, so I am confused why it didn't.

asef

TGOS
Ahh then my memory doesn't serve me well, and makes the memory corruption even more intriguing.

asef

argante
I have another system log from the same time if that would help at all.
I am considered a high risk target for this sort of thing but thought that GOS + good sense (hard earned) would make it difficult/expensive enough.

asef

argante LRTG looks interesting, but can it be used with GOS?

argante

asef Theoretically yes, but it's a long way off. LRTG works as a kernel module, so ideally it would be part of GOS. LRTG creates a hash database of kernel structures (SipHash). If a system call is activated, LRTG checks the integrity of the hashes in the database with kernel structures and if it detects a difference, it kills the process that made such a change. LRTG takes action when it theoretically managed to break the kernel's security. LRTG is therefore a kind of final line of defense. I can add that Metasploit, if it only detects LRTG, does not even try to test its exploits :) GOS uses SELinux. LRTG has special support for SELinux protection, so it would be a nice complement to GOS.

asef

argante
Maybe [they] will consider it.
Metasploit devs will no doubt work out a way to circumvent LRTG once it becomes worth it.

Personally I'm now worried that my phone has been compromised yet again despite my best efforts.
I stopped using WhatsApp, reinstalled GOS and decided to only use Signal/Molly.
Now I may just not use even sandboxed Google services and just run all my standand Android stuff in Genymotion on a PC.

Initially it was almost fun contending with this issue, now I'm finding it more than a little exhausting.

Mod note: Removed mention of a specific member of the project.

other8026

asef I'm confused. It's a crash that has only occurred while using WhatsApp, right?

asef

other8026

Hi Other8026,

I should have prefaced my previous post with an "if appropriate" however I thought that since it seems that a userspace app had managed to crash the kernel and cause the phone to reboot, that this issue may be worthy of tags other than just the "3rd party app" tag?

I was also hoping someone else may give their thoughts and maybe either augment @argante comments or perhaps present a different perspective and that having the extra tags may get more views?

Thanks Other8026

asef

ryrona
Thank you for your thoughts Ryrona. Everything you say makes sense and is mostly depressing :)
I do however acknowledge that there is a possibility that this whole thing could be benign.

ryrona Possible attack vectors that can have caused this memory corruption are vulnerabilities in Wifi driver, if you had Wifi enabled, 4G/5G drivers

Yes on all counts I'd well imagine, as I can't remember when I had Wifi and BT turn off automatically.
Also if I remember rightly the Baseband is sandboxed, not sure if Wifi and BT are treated to the same sandboxing.

ryrona USB-C drivers, if you at any point connected your phone to a charger or other USB device during the current boot cycle

I only use wireless to charge and have the USB-C port disabled.

ryrona It is also quite possible it is just a bug in the kernel that caused some random memory corruption, and that this all is not a sign of an attack at all.

Yes always a possibility.

ryrona MTE should have caught it

I thought the app crashed with Memory Tagging on so it could've been off.

ryrona , the provided logs and information is not enough

I do have a verbose logcat file from the same time
[https://www.dropbox.com/scl/fi/gbnifkpkbxyecj3z9885c/System-log-43278271226e.txt?rlkey=7da25qkew52njheaokgdfxjrq&st=g7xo78m1&dl=0](https://)