
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Mon 20 Sep 2004 - 15:54:02 BST


On Mon, Sep 20, 2004 at 04:29:37PM +0200, Christian Mayrhuber wrote:
> Hi,
>
> I've got an oops with kernel 2.4.26 and vserver 1.27.
>
> ksymoops 2.4.5 on i686 2.4.26-686-smp-vs1.27-hot1. Options used
> -v vmlinux (specified)
> -k /proc/ksyms (default)
> -l /proc/modules (default)
> -o /lib/modules/2.4.26-686-smp-vs1.27-hot1/ (default)
> -m System.map (specified)
>
> Sep 18 00:50:22 aton kernel: Unable to handle kernel paging request at virtual
> address 386c6962
          ~~~~~~~~ userspace

> Sep 18 00:50:22 aton kernel: c0229c62
> Sep 18 00:50:22 aton kernel: *pde = 00000000
> Sep 18 00:50:22 aton kernel: Oops: 0000
> Sep 18 00:50:22 aton kernel: CPU: 1
> Sep 18 00:50:22 aton kernel: EIP: 0010:[sock_poll+30/40] Not tainted
> Sep 18 00:50:22 aton kernel: EFLAGS: 00010286
> Sep 18 00:50:22 aton kernel: eax: 386c6946 ebx: f50b3ce0 ecx: 00000000
> edx: ca183214
> Sep 18 00:50:22 aton kernel: esi: f50b3ce0 edi: 00001000 ebp: efca7f74
> esp: efca7f2c
> Sep 18 00:50:22 aton kernel: ds: 0018 es: 0018 ss: 0018
> Sep 18 00:50:22 aton kernel: Process caspeng (pid: 1162, stackpage=efca7000)
                                       ~~~~~~~
        Active Server Pages? interesting ...

> Sep 18 00:50:22 aton kernel: Stack: f50b3ce0 ca183214 00000000 00000000
> c014f704 f50b3ce0 00000000 00000080
> Sep 18 00:50:22 aton kernel: 00000020 eed93b00 00000000 00000145
> efca6000 00000000 0000000c 00000000
> Sep 18 00:50:22 aton kernel: 00000000 d2aba000 00000000 c014fb4a
> 0000002c efca7fa8 efca7fa4 efca6000
> Sep 18 00:50:22 aton kernel: Call Trace: [do_select+272/516]
> [sys_select+810/1132] [system_call+51/56]
> Sep 18 00:50:22 aton kernel: Code: 8b 40 1c ff d0 83 c4 0c 5b c3 53 8b 5c 24
> 08 8b 43 08 8b 40
> Using defaults from ksymoops -t elf32-i386 -a i386
>
>
> >>eax; 386c6946 Before first symbol
         ~~~~~~~~ pointer to some structure?

> >>ebx; f50b3ce0 <_end+34cf5110/388cd490>
> >>edx; ca183214 <_end+9dc4644/388cd490>
> >>esi; f50b3ce0 <_end+34cf5110/388cd490>
> >>edi; 00001000 Before first symbol
> >>ebp; efca7f74 <_end+2f8e93a4/388cd490>
> >>esp; efca7f2c <_end+2f8e935c/388cd490>
>
> Code; 00000000 Before first symbol

code at 0? hmmm ... maybe some exploit?

> 00000000 <_EIP>:
> Code; 00000000 Before first symbol
> 0: 8b 40 1c mov 0x1c(%eax),%eax
> Code; 00000003 Before first symbol
> 3: ff d0 call *%eax
                                        ~~~~~~~~~~

indirect jump via register %eax ... very interesting ...

> Code; 00000005 Before first symbol
> 5: 83 c4 0c add $0xc,%esp
> Code; 00000008 Before first symbol
> 8: 5b pop %ebx
> Code; 00000009 Before first symbol
> 9: c3 ret
> Code; 0000000a Before first symbol
> a: 53 push %ebx
> Code; 0000000b Before first symbol
> b: 8b 5c 24 08 mov 0x8(%esp,1),%ebx
> Code; 0000000f Before first symbol
> f: 8b 43 08 mov 0x8(%ebx),%eax
> Code; 00000012 Before first symbol
> 12: 8b 40 00 mov 0x0(%eax),%eax
>

I'd say somebody is using/developing some exploit
for your ASP or similar ...

HTH,
Herbert

> --
> lg, Chris
>
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
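
An added triage sketch, not part of the original thread: it takes the register dump and the first decoded instruction from the oops quoted above and checks whether the load `mov 0x1c(%eax),%eax` explains the faulting address, whether the base register is a kernel pointer at all, and whether its bytes read as printable text. The sample lines are re-joined from the quoted oops; `PAGE_OFFSET` assumes the default i386 3G/1G split, and the function names are illustrative.

```python
import re

# Constructed sample: the relevant oops lines from the message above,
# re-joined where the mail client wrapped them.
OOPS = """\
Unable to handle kernel paging request at virtual address 386c6962
eax: 386c6946 ebx: f50b3ce0 ecx: 00000000 edx: ca183214
esi: f50b3ce0 edi: 00001000 ebp: efca7f74 esp: efca7f2c
0: 8b 40 1c mov 0x1c(%eax),%eax
"""

PAGE_OFFSET = 0xC0000000  # assumption: default 3G/1G split on i386

REG_RE = re.compile(r"\b(e(?:[abcd]x|[sd]i|[bs]p)):\s*([0-9a-f]{8})")
LOAD_RE = re.compile(r"mov\s+(0x[0-9a-f]+)\(%(e\w\w)\)")
FAULT_RE = re.compile(r"virtual\s+address\s+([0-9a-f]{8})")


def as_ascii(value):
    """Return the 4 bytes of a register as text if all are printable, else None."""
    raw = value.to_bytes(4, "little")  # byte order as stored in i386 memory
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def parse_oops(text):
    """Extract fault address, register values and the first base+disp load."""
    fault = int(FAULT_RE.search(text).group(1), 16)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    disp, base = LOAD_RE.search(text).groups()
    return fault, regs, int(disp, 16), base


def triage(text):
    """Summarise what the faulting load says about the bad pointer."""
    fault, regs, disp, base = parse_oops(text)
    return {
        "base": base,
        # Does base register + displacement reproduce the faulting address?
        "explains_fault": (regs[base] + disp) & 0xFFFFFFFF == fault,
        # Kernel data pointers on this layout sit at or above PAGE_OFFSET.
        "kernel_pointer": regs[base] >= PAGE_OFFSET,
        "ascii": as_ascii(regs[base]),
        # Every register whose raw bytes look like text, for comparison.
        "ascii_regs": sorted(n for n, v in regs.items() if as_ascii(v)),
    }


if __name__ == "__main__":
    print(triage(OOPS))
```

On these values the load through `eax` reproduces the faulting address exactly, and `eax` is the only register whose bytes are printable text. That tells you the kernel dereferenced a pointer that held string data, which narrows the search to corruption of the structure it came from but does not by itself identify the cause.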


Generated on Mon 20 Sep 2004 - 15:54:16 BST by hypermail 2.1.3