Gentoo Forums
kernel panic not anymore logged as it used to be

Gentoo Forums Forum Index :: Networking & Security
miroR
l33t
Joined: 05 Mar 2008
Posts: 826

Posted: Sun Mar 27, 2016 10:49 am    Post subject: kernel panic not anymore logged as it used to be

Originally I tried to post a very short digression, in my topic:

A Firewalled Internet Access to Internal Subnet
https://forums.gentoo.org/viewtopic-t-1041028.html#7897958

and I started like this:

Skip this if you don't have time and are only interested in the bridge and firewall for a case like mine. This post only touches upon it because what I briefly describe here happened because I tried to familiarize more with the necessary tools...

(Changing this a few minutes later, and opening a new topic, and not making a digression there.)

This happened when I tried to familiarize more with the necessary tools, and after "man ip", I tried:

Code:

# ip monitor all


And in another terminal I simply tried:
Code:

# ping 192.168.1.1


And right there and then the system froze, and the, I think it's NumLock or CapsLock or some such, on the top right side of the keyboard started flashing.

Obviously, the kernel panicked.

However, nothing anymore whatsoever in the logs, as it used to be....

It used to be.... Have a look at:

grsec: halting the system due to suspicious kernel crash
http://forums.grsecurity.net/viewtopic.php?f=3&t=3709

where you can find transcriptions and pictures of the panic posted by me and also the use-after-free bug in action confirmed by spender.

Code:

Mar 27 09:13:39 g0n kernel: [51920.101120] grsec: (admin:S:/) exec of /bin/ip (ip -a route show ) by /bin/ip[bash:3775] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4980] uid/euid:0/0 gid/egid:0/0
Mar 27 09:13:44 g0n kernel: [51924.953681] grsec: (admin:S:/) exec of /bin/ip (ip route show ) by /bin/ip[bash:3776] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4980] uid/euid:0/0 gid/egid:0/0
Mar 27 09:13:53 g0n kernel: [51934.051701] grsec: (admin:S:/) exec of /bin/ip (ip route monitor ) by /bin/ip[bash:3777] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4980] uid/euid:0/0 gid/egid:0/0
Mar 27 09:14:18 g0n kernel: [51959.880329] grsec: (admin:S:/) exec of /bin/ip (ip monitor ) by /bin/ip[bash:3778] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4980] uid/euid:0/0 gid/egid:0/0
Mar 27 09:16:37 g0n syslog-ng[2338]: syslog-ng starting up; version='3.4.8'
Mar 27 09:16:37  kernel: [    0.000000] Linux version 4.4.4-hardened-160326 (root@g0n) (gcc version 5.3.0 (Gentoo Hardened 5.3.0 p1.0, pie-0.6.5) ) #4 SMP PREEMPT Sat Mar 26 17:33:25 CET 2016
Mar 27 09:16:37 g0n kernel: [    0.000000] Command line: BOOT_IMAGE=/vmlinuz-4.4.4-hardened-160326 root=/dev/sda3 ro
Mar 27 09:16:37 g0n kernel: [    0.000000] tseg: 00df800000
Mar 27 09:16:37 g0n kernel: [    0.000000] x86/fpu: Legacy x87 FPU detected.
Mar 27 09:16:37 g0n kernel: [    0.000000] x86/fpu: Using 'lazy' FPU context switches.
Mar 27 09:16:37 g0n kernel: [    0.000000] e820: BIOS-provided physical RAM map:
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x0000000000100000-0x00000000de1f3fff] usable
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x00000000de1f4000-0x00000000de4f2fff] reserved
Mar 27 09:16:37 g0n kernel: [    0.000000] BIOS-e820: [mem 0x00000000de4f3000-0x00000000de8ddfff] ACPI NVS

So, the panic cannot be caught anymore; it's hidden, prevented from being logged... Looks intentional to me, like the things that you can read from my signature.

Just pls. let me tell you upfront, that I am consumed by the task in that other topic linked at the top. I might be slow to reply here.

miroR
l33t
Joined: 05 Mar 2008
Posts: 826

Posted: Mon Mar 28, 2016 12:10 pm

title: kernel panic not anymore logged as it used to be
---
first posted on kernel panic not anymore logged as it used to be, formatted for phpBB

To follow here, download:

http://www.croatiafidelis.hr/foss/cap/cap-160327-nft/dLo.sh

and run it to download the rest of files from cap-160327-nft/ .

There are also yesterday morning's freeze dumpcap and the corresponding messages lines:

dump_160327_0902_g0n.pcap
dump_160327_0902_g0n.messages

The system froze again (but I think I know what it may be; it was in the post for me, but I had been all over, and kept forgetting about it; later below I tell all).

First I checked carefully whether there was any login information of mine in:

dump_160327_1916_g0n.pcap

and where it froze, can be seen in the excerpt from my /var/log/messages:

dump_160327_1916_g0n.messages

How did I check if there wasn't any login info in the PCAP? By merely rolling through the entire PCAP in Wireshark? That would take really long. No. I used the script tshark-http-uri.sh and after I ran it, I grep'ed the extracted text files for the string 'login' and looked up those frame numbers in the PCAP.

Then I tried to find in the PCAP a possible reason for the freeze of the system. Entering in the filter line:

ip.src == 216.58.214.234 || (ip.src == 77.238.163.222) || (ip.dst == 64.233.184.95) || (ip.dst == 68.232.35.121) || (ip.dst == 54.239.158.19)

didn't help (but I'm not an expert at all). (The morning's freeze will tell even less. There was no connecting to the internet at all.)

This is also significant. You get it when you open to read the file in Wireshark, or with tshark.
Code:

tshark: The file "dump_160327_1916_g0n.pcap" appears to be damaged or corrupt.
(pcapng_read_unknown_block: total block length 0 of an unknown block type is less than the minimum block size 12)


But I'm afraid not even people from Netfilter could help. Because I didn't have the debugging of netfilter on (I remember vaguely seeing it in the kernel config, and I remember how someone wrote somewhere it wasn't safe, and how people from Netfilter took care to point out, somewhere in their docs, that it was safe... Vaguely, sorry, working all over...).

And so it'll probably remain a mystery not solved for me.

Because I figured out it probably was just:

the code that I set up my Nftables with, the one from Archlinux (pls see that other topic: A Firewalled Internet Access to Internal Subnet, for this discussion about nft code files), was just an example... I should have reverted, and I did before I went on to post this, to the Nftables Gentoo Wiki Typical Workstation example instead.

If you look up, there's e.g. the bootpc in that code. Completely no point using it in my system, I don't boot this machine from elsewhere on the network ;-) ...

I wanted to tell more about what happened, as much as I could.

But why no panic recorded in the logs? I really have no idea. Everything all of sudden quit working. Total freeze...

And since it happened the two times (or even one more other time, but I didn't look up carefully back then) only after I 'nft -f <that example file>' in... And if it does not occur again, now that I reverted to Gentoo's Workstation example, I guess my assumption will stand.

Regards!
--
Ah, I forgot. Let me see...
Code:

$ grep ssl.keylog_file ~/.wireshark/preferences
ssl.keylog_file: /home/miro/.sslkey.log
$
... If you want to see the traffic on the evening dumpcap, even if you don't have your machine configured as per:
Secure Socket Layer (SSL)
https://wiki.wireshark.org/SSL

you can do it with:
Code:

$ wireshark -o "ssl.keylog_file: dump_160327_1916_g0n_SSLKEYLOGFILE.log" dump_160327_1916_g0n.pcap
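Added example, not the poster's tshark-http-uri.sh script and not code from the Wireshark project: a small pure-Python pcapng block walker that performs the same check behind the tshark complaint quoted above (a block whose total length is below the 12-byte minimum) and then does the "grep for 'login'" pass over packet payloads, so a damaged capture can be checked for credentials before it is shared. The capture bytes are constructed inline; the trailing zero bytes stand for what a freeze mid-write might leave on disk, which is an assumption and not something the post establishes.

```python
import struct

# pcapng block types (from the pcapng specification)
SHB = 0x0A0D0D0A    # Section Header Block
IDB = 0x00000001    # Interface Description Block
EPB = 0x00000006    # Enhanced Packet Block
MIN_BLOCK_LEN = 12  # type (4) + total length (4) + trailing total length (4)


def _pad4(b: bytes) -> bytes:
    """Pad to a 32-bit boundary, as every pcapng block body must be."""
    return b + b"\x00" * (-len(b) % 4)


def block(btype: int, body: bytes) -> bytes:
    """Frame a body as a pcapng block: type, total length, body, total length again."""
    body = _pad4(body)
    total = 8 + len(body) + 4
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def build_capture(payloads) -> bytes:
    """Build a minimal little-endian pcapng file: SHB, one Ethernet IDB, one EPB per payload."""
    shb_body = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)  # byte-order magic, v1.0, unknown section length
    idb_body = struct.pack("<HHI", 1, 0, 262144)            # LINKTYPE_ETHERNET, reserved, snaplen
    out = block(SHB, shb_body) + block(IDB, idb_body)
    for i, payload in enumerate(payloads):
        ts = 1459062000 * 10**6 + i  # constructed timestamp, microseconds since the epoch
        epb_body = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(payload), len(payload))
        out += block(EPB, epb_body + payload)
    return out


def walk_blocks(data: bytes):
    """Return (blocks, error): blocks parsed before the first defect, and a description of it (or None)."""
    blocks, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            return blocks, f"offset {off}: {len(data) - off} byte(s) left, fewer than a block header"
        btype, total = struct.unpack_from("<II", data, off)
        if total < MIN_BLOCK_LEN:
            # This is the condition tshark reported for the poster's file.
            return blocks, (f"offset {off}: total block length {total} of block type 0x{btype:08x} "
                            f"is less than the minimum block size {MIN_BLOCK_LEN}")
        if off + total > len(data):
            return blocks, f"offset {off}: block claims {total} bytes but only {len(data) - off} remain"
        (trailer,) = struct.unpack_from("<I", data, off + total - 4)
        if trailer != total:
            return blocks, f"offset {off}: trailing length {trailer} differs from leading length {total}"
        blocks.append((off, btype, data[off + 8:off + total - 4]))
        off += total
    return blocks, None


def packet_payloads(blocks):
    """Extract captured packet bytes from every Enhanced Packet Block."""
    frames = []
    for _, btype, body in blocks:
        if btype == EPB:
            cap_len = struct.unpack_from("<I", body, 12)[0]  # after interface id and the two timestamp words
            frames.append(body[20:20 + cap_len])
    return frames


def frames_containing(data: bytes, needle: bytes):
    """1-based frame numbers whose payload contains needle, over the readable part of the file only."""
    blocks, _ = walk_blocks(data)
    return [n for n, p in enumerate(packet_payloads(blocks), start=1) if needle in p]


# Constructed sample capture: a login request and its reply (no real traffic).
GOOD = build_capture([
    b"GET /login?user=demo HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n\r\n",
])
# Assumption: a freeze mid-write leaves a started block with a zeroed header on disk,
# which matches the shape of the error tshark printed for the poster's file.
CORRUPT = GOOD + b"\x00" * 8

if __name__ == "__main__":
    blocks, err = walk_blocks(CORRUPT)
    print(f"{len(blocks)} good block(s), then: {err}")
    print("frames mentioning 'login':", frames_containing(CORRUPT, b"login"))
```

The walker stops at the first defective block rather than skipping it, so everything before the damage is still readable and searchable; that is the part you would want to inspect for credentials before deciding whether a truncated capture is safe to publish.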