From: Christian Mayrhuber (christian.mayrhuber_at_gmx.net)
Date: Mon 20 Sep 2004 - 16:19:31 BST
On Monday 20 September 2004 16:54, Herbert Poetzl wrote:
> On Mon, Sep 20, 2004 at 04:29:37PM +0200, Christian Mayrhuber wrote:
> > Hi,
> > 
> > I've got an oops with kernel 2.4.26 and vserver 1.27.
> > 
> > ksymoops 2.4.5 on i686 2.4.26-686-smp-vs1.27-hot1.  Options used
> >      -v vmlinux (specified)
> >      -k /proc/ksyms (default)
> >      -l /proc/modules (default)
> >      -o /lib/modules/2.4.26-686-smp-vs1.27-hot1/ (default)
> >      -m System.map (specified)
> > 
> > Sep 18 00:50:22 aton kernel: Unable to handle kernel paging request at virtual address 386c6962
>    ~~~~~~~~ userspace
> 
> > Sep 18 00:50:22 aton kernel: c0229c62
> > Sep 18 00:50:22 aton kernel: *pde = 00000000
> > Sep 18 00:50:22 aton kernel: Oops: 0000
> > Sep 18 00:50:22 aton kernel: CPU:    1
> > Sep 18 00:50:22 aton kernel: EIP:    0010:[sock_poll+30/40]    Not tainted
> > Sep 18 00:50:22 aton kernel: EFLAGS: 00010286
> > Sep 18 00:50:22 aton kernel: eax: 386c6946   ebx: f50b3ce0   ecx: 00000000   
> > edx: ca183214
> > Sep 18 00:50:22 aton kernel: esi: f50b3ce0   edi: 00001000   ebp: efca7f74   
> > esp: efca7f2c
> > Sep 18 00:50:22 aton kernel: ds: 0018   es: 0018   ss: 0018
> > Sep 18 00:50:22 aton kernel: Process caspeng (pid: 1162, stackpage=efca7000)
>            ~~~~~~~
>  Active Server Pages? interesting ...
Yes, Sun chilisoft asp, version 3.6.2. 
> 
> > Sep 18 00:50:22 aton kernel: Stack: f50b3ce0 ca183214 00000000 00000000 
> > c014f704 f50b3ce0 00000000 00000080
> > Sep 18 00:50:22 aton kernel:        00000020 eed93b00 00000000 00000145 
> > efca6000 00000000 0000000c 00000000
> > Sep 18 00:50:22 aton kernel:        00000000 d2aba000 00000000 c014fb4a 
> > 0000002c efca7fa8 efca7fa4 efca6000
> > Sep 18 00:50:22 aton kernel: Call Trace:    [do_select+272/516] 
> > [sys_select+810/1132] [system_call+51/56]
> > Sep 18 00:50:22 aton kernel: Code: 8b 40 1c ff d0 83 c4 0c 5b c3 53 8b 5c 24 08 8b 43 08 8b 40
> > Using defaults from ksymoops -t elf32-i386 -a i386
> > 
> > 
> > >>eax; 386c6946 Before first symbol
>   ~~~~~~~~ pointer to some structure?
> 
> > >>ebx; f50b3ce0 <_end+34cf5110/388cd490>
> > >>edx; ca183214 <_end+9dc4644/388cd490>
> > >>esi; f50b3ce0 <_end+34cf5110/388cd490>
> > >>edi; 00001000 Before first symbol
> > >>ebp; efca7f74 <_end+2f8e93a4/388cd490>
> > >>esp; efca7f2c <_end+2f8e935c/388cd490>
> > 
> > Code;  00000000 Before first symbol
> 
> code at 0? hmmm ... maybe some exploit?
> 
> > 00000000 <_EIP>:
> > Code;  00000000 Before first symbol
> >    0:   8b 40 1c                  mov    0x1c(%eax),%eax
> > Code;  00000003 Before first symbol
> >    3:   ff d0                     call   *%eax
>      ~~~~~~~~~~
> 
> indirect jump via register %eax ... very interesting ...
> 
> > Code;  00000005 Before first symbol
> >    5:   83 c4 0c                  add    $0xc,%esp
> > Code;  00000008 Before first symbol
> >    8:   5b                        pop    %ebx
> > Code;  00000009 Before first symbol
> >    9:   c3                        ret
> > Code;  0000000a Before first symbol
> >    a:   53                        push   %ebx
> > Code;  0000000b Before first symbol
> >    b:   8b 5c 24 08               mov    0x8(%esp,1),%ebx
> > Code;  0000000f Before first symbol
> >    f:   8b 43 08                  mov    0x8(%ebx),%eax
> > Code;  00000012 Before first symbol
> >   12:   8b 40 00                  mov    0x0(%eax),%eax
> > 
> 
> I'd say somebody is using/developing some exploit
> for your ASP or similar ...
How nice.
It seems the exploit is fully successful.
> 
> HTH,
> Herbert
Thanks.
I built a debug version and ran addr2line:
addr2line -f -e vmlinux c0229c62
sock_readv_writev
/usr/src/2.4.26/linux-2.4.26-vs1.27/net/socket.c:636
-- 
lg, Chris

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
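The triage Herbert does by hand above (fault address below the kernel boundary, `mov 0x1c(%eax),%eax` dereferencing a bad struct pointer) can be scripted. The following is an added example, not code from the thread or from ksymoops: it parses the quoted oops lines, relates the fault address to the registers, and flags the user-space and ASCII-looking-pointer signs. It assumes the default 3G/1G split (PAGE_OFFSET 0xc0000000) of a 2.4 i386 kernel; the ASCII check is a general forensic heuristic, not something the thread itself establishes.

```python
import re

# Constructed sample: the relevant oops lines quoted in the thread above.
OOPS = """\
Unable to handle kernel paging request at virtual address 386c6962
EIP:    0010:[sock_poll+30/40]    Not tainted
eax: 386c6946   ebx: f50b3ce0   ecx: 00000000   edx: ca183214
esi: f50b3ce0   edi: 00001000   ebp: efca7f74   esp: efca7f2c
"""

# Assumption: default 2.4 i386 user/kernel split; kernel addresses start here.
PAGE_OFFSET = 0xC0000000

def parse_oops(text):
    """Extract fault address, EIP symbol and general-purpose registers."""
    info = {"regs": {}}
    m = re.search(r"virtual address ([0-9a-f]{8})", text)
    if m:
        info["fault"] = int(m.group(1), 16)
    m = re.search(r"EIP:\s+[0-9a-f]{4}:\[([^\]]+)\]", text)
    if m:
        info["eip_sym"] = m.group(1)
    for name, val in re.findall(r"\b(e[abcd]x|e[sd]i|e[bs]p):\s*([0-9a-f]{8})", text):
        info["regs"][name] = int(val, 16)
    return info

def looks_like_ascii(addr):
    """True if all four bytes of a 32-bit value are printable ASCII
    (a corrupted pointer that was overwritten with string data)."""
    return all(0x20 <= b < 0x7F for b in addr.to_bytes(4, "little"))

def triage(info):
    """Return human-readable findings about where the bad dereference came from."""
    fault, regs, findings = info["fault"], info["regs"], []
    if fault < PAGE_OFFSET:
        findings.append("fault address is in the user-space range")
    # Which register plus a small struct-field displacement produced the fault?
    for name, val in regs.items():
        delta = fault - val
        if 0 <= delta < 0x100:
            findings.append(f"fault = {name} + 0x{delta:x}")
    if looks_like_ascii(fault):
        findings.append("fault address bytes are printable ASCII (possible string overwrite)")
    return findings

if __name__ == "__main__":
    for line in triage(parse_oops(OOPS)):
        print(line)
```

On the quoted oops this reports the fault as `eax + 0x1c`, matching the `mov 0x1c(%eax),%eax` instruction at the faulting EIP.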