Re: audit.49 kernel
On Wednesday 25 May 2005 13:29, Steve Grubb wrote:
Try this script with audit-0.9:
This didn't take long...
May 25 13:35:27 localhost kernel: Unable to handle kernel paging request at virtual
address 705f6b6a
May 25 13:35:27 localhost kernel: printing eip:
May 25 13:35:27 localhost kernel: c014bac9
May 25 13:35:27 localhost kernel: *pde = 00000000
May 25 13:35:27 localhost kernel: Oops: 0002 [#1]
May 25 13:35:27 localhost kernel: Modules linked in: parport_pc lp parport autofs4 i2c_dev
i2c_core ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables dm_mod button battery
ac md5 ipv6 uhci_hcd snd_emu10k1 snd_rawmidi snd_pcm_oss snd_mixer_oss snd_pcm snd_timer
snd_seq_device snd_ac97_codec snd_page_alloc snd_util_mem snd_hwdep snd soundcore 3c59x
floppy ext3 jbd
May 25 13:35:27 localhost kernel: CPU: 0
May 25 13:35:27 localhost kernel: EIP: 0060:[<c014bac9>] Not tainted VLI
May 25 13:35:27 localhost kernel: EFLAGS: 00210006 (2.6.9-5.0.3.EL.audit.49)
May 25 13:35:27 localhost kernel: EIP is at cache_alloc_refill+0x146/0x227
May 25 13:35:27 localhost kernel: eax: 705f6b66 ebx: effefba0 ecx: dc974400 edx:
effefbbc
May 25 13:35:27 localhost kernel: esi: 00000002 edi: effefbac ebp: effe30a0 esp:
e5410dd0
May 25 13:35:27 localhost kernel: ds: 007b es: 007b ss: 0068
May 25 13:35:27 localhost kernel: Process metacity (pid: 2598, threadinfo=e5410000
task=e5458660)
May 25 13:35:27 localhost kernel: Stack: 000000d0 effefba0 000000d0 00200246 000000d0
c014c0af ef862880 00001f00
May 25 13:35:27 localhost kernel: e5a64dc0 c02a2971 00000000 00001eb4 ffffffe0
e5a64dc0 00000000 c02a1c31
May 25 13:35:27 localhost kernel: 00001eb4 00001eb4 00001eb4 e5a64b80 e5410e64
e4eb9980 c02a1d98 00000040
May 25 13:35:27 localhost kernel: Call Trace:
May 25 13:35:27 localhost kernel: [<c014c0af>] __kmalloc+0x6b/0x7d
May 25 13:35:27 localhost kernel: [<c02a2971>] alloc_skb+0x33/0xc5
May 25 13:35:27 localhost kernel: [<c02a1c31>] sock_alloc_send_pskb+0x5d/0x1b8
May 25 13:35:27 localhost kernel: [<c02a1d98>] sock_alloc_send_skb+0xc/0xf
May 25 13:35:27 localhost kernel: [<c02fcbdd>] unix_stream_sendmsg+0x14b/0x307
May 25 13:35:27 localhost kernel: [<c029f265>] sock_aio_write+0x106/0x113
May 25 13:35:27 localhost kernel: [<c0163bc9>] do_sync_write+0x97/0xc9
May 25 13:35:27 localhost kernel: [<c01c3afd>] selinux_file_permission+0x114/0x11d
May 25 13:35:27 localhost kernel: [<c011d04b>] autoremove_wake_function+0x0/0x2d
May 25 13:35:27 localhost kernel: [<c01413c5>] audit_syscall_entry+0x125/0x13e
May 25 13:35:27 localhost kernel: [<c0163cc1>] vfs_write+0xc6/0xe2
May 25 13:35:27 localhost kernel: [<c0163d7b>] sys_write+0x3c/0x62
May 25 13:35:27 localhost kernel: [<c0303707>] syscall_call+0x7/0xb
May 25 13:35:27 localhost kernel: Code: af 43 34 03 41 0c 89 44 95 10 ff 45 00 8b 51 10 0f
b7 41 14 42 89 51 10 0f b7 44 41 18 66 89 41 14 3b 53 3c 72 cc 8b 51 04 8b 01 <89>
50 04 89 02 66 83 79 14 ff c7 01 00 01 10 00 c7 41 04 00 02
Then I loaded kernel-debuginfo & started gdb.
(gdb) list *0xc014bac9
0xc014bac9 is in cache_alloc_refill (include/linux/list.h:151).
146 include/linux/list.h: No such file or directory.
in include/linux/list.h
-Steve