[rsbac] kernel oops accessing /dev/log
Amon Ott
ao at rsbac.org
Thu Feb 9 08:39:34 CET 2006
On Donnerstag 09 Februar 2006 02:15, Vincent Danen wrote:
> > Hi everyone. I've got a bit of a problem with rsbac 1.2.5.1 and
kernel
> > 2.4.32. When I try to "ls /dev/log" or run initlog (which a
number of
> > initscripts do), I'm getting a segfault of the application and a
kernel
> > oops printed to the screen:
> >
> >
> > <1>Unable to handle kernel NULL pointer dereference at virtual
address
> > 00000001
> > printing eip:
> > c0146885
> > *pde = 2f042067
> > *pte = 00000000
> > Oops: 0000
> > CPU: 0
> > EIP: 0010:[<c0146885>] Not tainted
> > EFLAGS: 00010202
> > eax: 00000001 ebx: 0000000f ecx: ef0c845c edx: ef1c0f60
> > esi: 00000000 edi: bffffa0c ebp: ece63fbc esp: ece63f40
> > ds: 0018 es: 0018 ss: 0018
> > Process initlog (pid: 827, stackpage=ece63000)
> > Stack: f0bc2d99 ef1d7238 00000002 ef4cf800 ef1d7238 c0146b49
08051380
> > 00000000
> > ef195860 ece63f98 f0bbf987 ef1d7258 ef195840 08051380
00000292
> > ef190901
> > 0000009e ef6ec2c0 ef195860 ef195840 ef1c0f60 effe9360
ef6ec2c0
> > ef195840
> > Call Trace: [<f0bc2d99>] [<c0146b49>] [<f0bbf987>] [<c0108bf3>]
> >
> > Code: 83 38 01 0f 84 47 ff ff ff 8d 81 20 01 00 00 bb 0b 00 00 00
Do you still have the System.map for this kernel, so that we can
translate the addresses to functions?
> > Now, syslog still seems to work properly. Ie. these errors are
being
> > properly logged to syslog. And if I do "logger mark" I get the
> > appropriate:
> >
> > Feb 8 15:15:57 cerberus vdanen: mark
> >
> > in syslog. So I'm not sure if rsbac is protecting /dev/log in
some way
> > that's preventing initlog from playing nice with it. The strange
thing
> > is only one machine is exhibiting this behaviour (with or without
> > rsbac_softmode). I tested this same kernel (well, compiled with
same
> > options and patches) in vmware (one x86, another x86_64), and on
an
> > athlon (the one that fails) and an opteron, but the others work
ok. The
> > rest of the system seems fine.
Version 1.2.x does not particularly protect socket special files, only
when opening them you get requests with NETOBJ targets.
> > Has anyone come across anything like this before?
Nothing like this has ever been reported.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
More information about the rsbac
mailing list