From: Tom <to...@le...> - 2002-08-16 10:34:14
|
Hi everyone,

After compiling a uml kernel (2.4.18-52), only changes to the default config being removing modules and host FS (since jailmode requires them to be off), this is what I get when I fire up the kernel:

./linux honeypot fake_ide fakehd mem=64M eth0=tuntap,,,213.191.86.23 devfs=mount
tracing thread pid = 28377
Linux version 2.4.18-52um (ro...@no...) (gcc version 2.95.4 20011002 (Debian prerelease)) #1 Fri Aug 16 12:17:36 CEST 2002
On node 0 totalpages: 16384
zone(0): 16384 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: honeypot fake_ide fakehd mem=64M eth0=tuntap,,,213.191.86.23 devfs=mount root=/dev/ubd0
fakehd : Changing ubd_gendisk.major_name to "hd".
[..]
Kernel panic: protect_vm_page : protect failed, errno = -12

I found a similar problem in the archives, but with no real solution. In the archived case, the problem went away after using a non-RH kernel on the host.

My host is a Debian with self-compiled kernel (2.4.19) so the problem is definitely not any RH modifications.

Anything I can do to help tracking down and ultimately solving this problem (and getting my jail running)?

-- 
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <to...@le...>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
|
From: David C. <da...@da...> - 2002-08-16 10:53:44
|
Tom wrote:
> Kernel panic: protect_vm_page : protect failed, errno = -12

I get that too with 'jail'. -12 is -ENOMEM, which is an Alan Cox thing. You might want to try running vanilla 2.4.18 to see if it works.

I personally have never managed to get jail working here on about five different boxes, running different kernels, because of this. Jeff says it's a host kernel issue, so he must be right.

David

-- 
David Coulson http://davidcoulson.net/
d...@vi... http://journal.davidcoulson.net/
|
From: Tom <to...@le...> - 2002-08-16 11:56:38
|
On Fri, Aug 16, 2002 at 11:53:30AM +0100, David Coulson wrote:
> Tom wrote:
> > Kernel panic: protect_vm_page : protect failed, errno = -12
>
> I get that too with 'jail'. -12 is -ENOMEM, which is an Alan Cox thing.
> You might want to try running vanilla 2.4.18 to see if it works.
>
> I personally have never managed to get jail working here on about five
> different boxes, running different kernels, because of this. Jeff says
> it's a host kernel issue, so he must be right.

looks like it. I just tried on a different machine (2.4.10, standard suse kernel) and it breaks up with a message "I'm tracing myself and I can't get out" - does that help in any way?

does anyone have a host kernel that's working in jail mode and would care to share the config?

-- 
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <to...@le...>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
|
From: David C. <da...@da...> - 2002-08-16 12:05:29
|
Tom wrote:
> looks like it. I just tried on a different machine (2.4.10, standard
> suse kernel) and it breaks up with a message "I'm tracing myself and I
> can't get out" - does that help in any way?

I don't think so, but I'm sure Jeff would love a backtrace of that.

David

-- 
David Coulson http://davidcoulson.net/
d...@vi... http://journal.davidcoulson.net/
|
From: Jeff D. <jd...@ka...> - 2002-08-16 15:31:47
|
to...@le... said: > My host is a Debian with self-compiled kernel (2.4.19) so the problem > is definitely not any RH modifications. No, but the problem is that the so-called RH mods made it into 2.4.19. Try this patch - it gets me past the panic I saw (my current UML panics for a different reason, so I'm in no shape to boot it all the way atm :-): --- ../../cvs/linux/arch/um/kernel/tlb.c Thu Jul 18 17:51:58 2002 +++ arch/um/kernel/tlb.c Fri Aug 16 11:29:33 2002 @@ -142,7 +142,7 @@ err = protect(addr, PAGE_SIZE, 1, w, 1, must_succeed); if(err == 0) return; - else if(err == -EFAULT){ + else if((err == -EFAULT) || (err == -ENOMEM)){ flush_kernel_vm_range(addr, addr + PAGE_SIZE, 1); protect_vm_page(addr, w, 1); } Jeff |
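Review bot: The widened test "(err == -EFAULT) || (err == -ENOMEM)" in protect_vm_page needs a comment saying why -ENOMEM is handled as an unmapped page, because as written a real memory shortage on the host takes the same flush_kernel_vm_range() and protect_vm_page(addr, w, 1) retry path. A one-line comment naming the host kernels that return -ENOMEM here (the thread says the change reached 2.4.19) would keep a later reader from narrowing the check back to -EFAULT. The inner parentheses around each comparison can also be dropped.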
From: Tom <to...@le...> - 2002-08-19 11:17:38
|
On Fri, Aug 16, 2002 at 11:35:07AM -0500, Jeff Dike wrote:
> Try this patch - it gets me past the panic I saw (my current UML panics
> for a different reason, so I'm in no shape to boot it all the way atm :-):

yepp, it gets me past the panic. afterwards it goes all the way to the "I'm tracing myself and I can't get out" dead end. :)

so I applied the other patch you posted, and lo and behold, it boots.

there does seem to be still another bug, though. it hangs when it tries to bring up the eth0 interface. and my ps output on the host machine looks like a serious bug:

21154 pts/2 S 0:00 [linux]
21156 pts/2 S 0:00 [linux]
21158 pts/2 S 0:00 [linux]
21160 pts/2 S 0:00 [linux]
21162 pts/2 S 0:00 [linux]
21164 pts/2 S 0:00 [linux]
21166 pts/2 S 0:00 [linux]
21167 pts/2 S 0:00 [linux]
21168 pts/2 S 0:00 [linux]
21170 pts/2 S 0:00 [linux]
21182 pts/2 S 0:00
21376 pts/2 S 0:00 [linux]
21687 pts/2 S 0:00 Á?@¦V?@LÁ?@À¬?@À¬?@?_?@? ?"??? àùÿ¿A\??ÈÇ??Ȭ?@ ö
21711 pts/2 S 0:00 é???"??
21965 pts/2 S 0:00 F?@?
21969 pts/2 S 0:00 [???
22070 pts/2 S 0:00 J?@p??@ ?òá??? ?? ?ûÿ¿À???? Düÿ¿ ?úÿ¿?úÿ¿?û

what kind of debug do you need to help finding this one?

-- 
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <to...@le...>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
|
From: Jeff D. <jd...@ka...> - 2002-08-19 21:50:30
|
to...@le... said:
> it hangs when it tries to bring up the eth0 interface.

Figured this one out. UML is trying to run the uml_net helper, which it execs with execvp, which searches $PATH for it.

That ps garbage you noticed comes into play here. 'honeypot' puts the process stacks at 0xc0000000 growing downward, just like the host. This is necessary for stack smash exploits to work against UML. However, that's where the UML args and environment used to be (and where the host kernel still expects to find them, hence the ps garbage).

getenv segfaults on the garbage that's supposed to be the environment, but is really the ifconfig stack. Things go downhill from there. The helper ends up in the UML segfault handler because it hasn't execed yet, and that completely confuses things.

The easy fix is to not set up networking such that you need uml_net. In a honeypot, you shouldn't be anyway. That's providing a setuid helper to a nasty character. You should be using an already set up TUN/TAP device for networking.

Jeff
|
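The ps garbage explained above comes from the host kernel reading a process's command line out of the process's own stack memory. The following C program is an added example, not code from this thread or from UML; it assumes a Linux host with /proc mounted, and its function names are hypothetical. It overwrites its own argument area and checks that /proc/self/cmdline, the source ps reads, follows the overwritten bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux only: fields 48/49 of /proc/self/stat are arg_start/arg_end, the
 * addresses where the kernel recorded this process's argument strings. */
static int arg_region(unsigned long *start, unsigned long *end)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/stat", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    char *p = strrchr(buf, ')');   /* comm may contain spaces; skip past it */
    if (!p) return -1;
    int field = 3;                 /* first token after ')' is field 3 */
    *start = *end = 0;
    for (char *t = strtok(p + 1, " "); t; t = strtok(NULL, " "), field++) {
        if (field == 48) *start = strtoul(t, NULL, 10);
        if (field == 49) *end = strtoul(t, NULL, 10);
    }
    return (*start && *end > *start + 1) ? 0 : -1;
}

/* The command line ps prints: read by the kernel from the process's memory. */
static size_t host_view(char *out, size_t cap)
{
    FILE *f = fopen("/proc/self/cmdline", "r");
    if (!f) return 0;
    size_t n = fread(out, 1, cap - 1, f);
    fclose(f);
    out[n] = '\0';
    return n;
}

/* Reuse the argument area as plain data, then re-read the host's view.
 * Returns 1 if it now shows the new bytes, 0 if not, -1 if not locatable. */
int cmdline_follows_memory(unsigned char fill)
{
    unsigned long start, end;
    char before[4096], after[4096];
    if (fill == 0 || arg_region(&start, &end) != 0) return -1;
    host_view(before, sizeof before);
    memset((void *)start, fill, end - start - 1);  /* keep the final NUL */
    if (host_view(after, sizeof after) == 0) return -1;
    return (unsigned char)after[0] == fill && strcmp(before, after) != 0;
}

int main(void) { printf("%d\n", cmdline_follows_memory('#')); return 0; }
```

On a honeypot host this means the command column of ps is guest-influenced data; tracking the UML processes by PID or by /proc/<pid>/exe does not depend on that memory.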
From: Tom <to...@le...> - 2002-08-20 08:08:02
|
On Mon, Aug 19, 2002 at 05:53:14PM -0500, Jeff Dike wrote:
> The easy fix is to not set up networking such that you need uml_net. In
> a honeypot, you shouldn't be anyway. That's providing a setuid helper to
> a nasty character. You should be using an already set up TUN/TAP device
> for networking.

step by step, closing in on a working system. :)

it no longer hangs when trying to bring up the interface. however, there is still garbage in the ps output, even before it sets up eth0:

11909 pts/1 S 0:00 À¬?@À¬?@?_?@? ?"??? àùÿ¿A\??ÈÇ??Ȭ?@ ö??Ȭ?@LÁ?@?
11933 pts/1 S 0:00 !??
12188 pts/1 S 0:00 [linux]
12192 pts/1 S 0:00 À¬?@¸è???è??¦V?@LÁ?@À¬?@À¬?@@è???£??Ȭ?@¦V?@LÁ?@À¬?@À
12226 pts/1 S 0:00 À¬?@¸è???è??¦V?@LÁ?@À¬?@À¬?@@è???£??Ȭ?@¦V?@LÁ?@À¬?@À
12228 pts/1 R 0:00 [linux]

it also fails to bring up the network, the error message is:

Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
SIOCADDRT: Network is unreachable
Starting portmapper: [ OK ]

though that may be my mistake in setting up the network:

#!/bin/sh
#
# this requires the tap0 device to be ready. example (as root):
# nox:~# tunctl tom
# nox:~# ifconfig tap0 213.191.86.23 up
# nox:~# echo 1 > /proc/sys/net/ipv4/ip_forward
# nox:~# route add -host 213.191.86.23 dev tap0
# nox:~# echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
# nox:~# arp -Ds 213.191.86.23 eth0 pub
# nox:~# chmod 660 /dev/net/tun
./linux honeypot fake_ide fakehd mem=128M eth0=tuntap,tap0 devfs=mount

-- 
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <to...@le...>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
|