Bug#917533: linux-image-4.9.0-8-marvell: nfs-kernel-server leaks ports and triggers rkhunter/unhide-tcp
Package: src:linux
Version: 4.9.130-2
Severity: normal
Tags: upstream
Dear Maintainer,

Every few days rkhunter starts reporting in its daily report:

    Warning: Hidden ports found:
    Port number: TCP:697

Which corresponds to running unhide-tcp:

    # unhide-tcp --lsof
    Unhide-tcp 20130526
    Copyright © 2013 Yago Jesus & Patrick Gouin
    License GPLv3+ : GNU GPL version 3 or later
    http://www.unhide-forensics.info
    Used options: use_lsof
    [*]Starting TCP checking
    Found Hidden port that not appears in ss: 697
    lsof reports :
    [*]Starting UDP checking

    root@armitage:~# unhide-tcp --netstat
    Unhide-tcp 20130526
    Copyright © 2013 Yago Jesus & Patrick Gouin
    License GPLv3+ : GNU GPL version 3 or later
    http://www.unhide-forensics.info
    Used options: use_netscape
    [*]Starting TCP checking
    Found Hidden port that not appears in netstat: 697

Running `service nfs-kernel-server restart` clears it up for a day or two. I
think this corresponds to the report at https://lwn.net/Articles/648417/.

This report was gathered while running 4.9.130-2 but I had already installed
(but not rebooted into) a new locally rebooted version (4.9.144-1~hellion.0)
which corresponds to pkg-kernel git's stretch branch at d9cfad89feb2 ('Revert
"tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()"') plus
backports of:

    8d1b8c62e080 SUNRPC: Refactor TCP socket timeout code into a helper function
    3ffbc1d65583 net/sunrpc/xprt_sock: fix regression in connection error reporting.
    9b30889c548a SUNRPC: Ensure we always close the socket after a connection shuts down

Where the first two are needed for a clean backport of the third which is:

    commit 9b30889c548a4d45bfe6226e58de32504c1d682f
    Author: Trond Myklebust <trond.myklebust@primarydata.com>
    Date: Mon Feb 5 10:20:06 2018 -0500

        SUNRPC: Ensure we always close the socket after a connection shuts down

        Ensure that we release the TCP socket once it is in the TCP_CLOSE or
        TCP_TIME_WAIT state (and only then) so that we don't confuse rkhunter
        and its ilk.

        Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>

I have a second system, also armel, running the same kernel and also serving
NFS where this is not happening. Its logs lack the:

    [83135.994133] nfsd: last server has exited, flushing export cache
    [83137.951143] NFSD: starting 90-second grace period (net c0590248)

which is seen on this system and which I think might correspond to the issue
recurring. The other system is perhaps a bit busier with NFS traffic overall.

One final piece of information is that I was previously running (for about a
month if my logs are to be believed) linux-image-4.9.0-0.bpo.8-marvell:armel
4.9.110-3+deb9u5~deb8u1 on Jessie userspace and this was not happening. It only
started when I upgraded to Stretch's userspace and kernel (4.9.130-2). I don't
immediately see anything in `git log v4.9.110..v4.9.130 -- net/sunrpc/` which
would explain the change though. The upgrade to stretch took rkhunter from
1.4.2-0.4+deb8u1 to 1.4.2-6+deb9u1, which did include a bump to the default
configuration file, although I also can't see a smoking gun there based on what
etckeeper says changed (but if I were a betting man I would guess it was a
change to the detection process which exposed this rather than a kernel
regression).

I'm next going to reboot into my locally built kernel with the (likely/hopeful)
fix applied. I'll follow up in a few days (maybe a week to be sure) if I don't
see this issue recurring. If it is looking positive at that point I'll also
ping davem and Trond to request upstream backports.

Thanks,
Ian.

-- Package-specific info:
** Version:
Linux version 4.9.0-8-marvell (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 Debian 4.9.130-2 (2018-10-27)
** Command line:
console=ttyS0,115200 root=/dev/ram initrd=0xa00000,0x900000 ramdisk=32768
** Not tainted
** Kernel log:
[ 7.882180] raid6: using intx1 recovery algorithm
[ 7.903700] async_tx: api initialized (async)
[ 7.911087] xor: measuring software checksum speed
[ 7.955195] arm4regs : 725.000 MB/sec
[ 7.999190] 8regs : 435.000 MB/sec
[ 8.043196] 32regs : 633.000 MB/sec
[ 8.047417] xor: using function: arm4regs (725.000 MB/sec)
[ 8.097711] md: raid6 personality registered for level 6
[ 8.103102] md: raid5 personality registered for level 5
[ 8.108456] md: raid4 personality registered for level 4
[ 8.154600] md: raid10 personality registered for level 10
[ 8.423667] random: crng init done
[ 8.427094] random: 7 urandom warning(s) missed due to ratelimiting
[ 9.166444] EXT4-fs (dm-0): mounting ext3 file system using the ext4 subsystem
[ 9.200619] EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
[ 12.160956] input: gpio_keys as /devices/platform/gpio_keys/input/input0
[ 12.306034] m25p80 spi0.0: m25p128 (16384 Kbytes)
[ 12.341652] 6 ofpart partitions found on MTD device spi0.0
[ 12.347210] Creating 6 MTD partitions on "spi0.0":
[ 12.421067] 0x000000000000-0x000000080000 : "U-Boot"
[ 12.438235] orion_wdt: Initial timeout 21 sec
[ 12.472711] 0x000000200000-0x000000400000 : "Kernel"
[ 12.520437] libphy: Fixed MDIO Bus: probed
[ 12.552453] 0x000000400000-0x000000d00000 : "RootFS1"
[ 12.561247] usbcore: registered new interface driver usbfs
[ 12.618585] 0x000000d00000-0x000001000000 : "RootFS2"
[ 12.626039] usbcore: registered new interface driver hub
[ 12.647114] sd 0:0:0:0: Attached scsi generic sg0 type 0
[ 12.663302] marvell-cesa f1030000.crypto: CESA device successfully registered
[ 12.683455] usbcore: registered new device driver usb
[ 12.689706] 0x000000080000-0x0000000c0000 : "U-Boot Config"
[ 12.701587] sd 1:0:0:0: Attached scsi generic sg1 type 0
[ 12.707513] libphy: orion_mdio_bus: probed
[ 12.747388] 0x0000000c0000-0x000000200000 : "NAS Config"
[ 12.790155] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 12.832300] mv643xx_eth: MV-643xx 10/100/1000 ethernet driver version 1.4
[ 12.899888] ehci-orion: EHCI orion driver
[ 12.910719] orion-ehci f1050000.ehci: EHCI Host Controller
[ 13.446421] orion-ehci f1050000.ehci: new USB bus registered, assigned bus number 1
[ 13.506757] orion-ehci f1050000.ehci: irq 32, io mem 0xf1050000
[ 13.563271] orion-ehci f1050000.ehci: USB 2.0 started, EHCI 1.00
[ 13.582114] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
[ 13.589084] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 13.596375] usb usb1: Product: EHCI Host Controller
[ 13.601320] usb usb1: Manufacturer: Linux 4.9.0-8-marvell ehci_hcd
[ 13.607555] usb usb1: SerialNumber: f1050000.ehci
[ 13.778736] hub 1-0:1.0: USB hub found
[ 13.803399] hub 1-0:1.0: 1 port detected
[ 14.159267] usb 1-1: new high-speed USB device number 2 using orion-ehci
[ 14.767449] mv643xx_eth_port mv643xx_eth_port.0 eth0: port 0 with MAC address 00:08:9b:c3:2f:77
[ 14.785014] usb 1-1: New USB device found, idVendor=05e3, idProduct=0608
[ 14.791807] usb 1-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0
[ 14.799218] usb 1-1: Product: USB2.0 Hub
[ 14.806657] hub 1-1:1.0: USB hub found
[ 14.811397] hub 1-1:1.0: 4 ports detected
[ 15.111229] usb 1-1.2: new full-speed USB device number 3 using orion-ehci
[ 16.157649] usb 1-1.2: New USB device found, idVendor=0403, idProduct=6001
[ 16.164698] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 16.172088] usb 1-1.2: Product: USB Serial Converter
[ 16.177200] usb 1-1.2: Manufacturer: FTDI
[ 16.181514] usb 1-1.2: SerialNumber: ftCB0QUT
[ 16.262299] usbcore: registered new interface driver usbserial
[ 16.279461] usbcore: registered new interface driver usbserial_generic
[ 16.291390] usbserial: USB Serial support registered for generic
[ 16.337751] usbcore: registered new interface driver ftdi_sio
[ 16.355398] usbserial: USB Serial support registered for FTDI USB Serial Device
[ 16.366992] ftdi_sio 1-1.2:1.0: FTDI USB Serial Device converter detected
[ 16.378359] usb 1-1.2: Detected FT232BM
[ 16.384669] usb 1-1.2: FTDI USB Serial Device converter now attached to ttyUSB0
[ 18.658529] mv643xx_eth_port mv643xx_eth_port.0 eth0: link up, 1000 Mb/s, full duplex, flow control disabled
[ 23.471324] EXT4-fs (dm-0): re-mounted. Opts: errors=remount-ro
[ 24.887757] loop: module loaded
[ 25.695352] Adding 3903484k swap on /dev/mapper/mirrorvg-swap. Priority:-1 extents:1 across:3903484k FS
[ 38.240440] EXT4-fs (dm-6): mounting ext3 file system using the ext4 subsystem
[ 38.347031] EXT4-fs (dm-6): mounted filesystem with ordered data mode. Opts: (null)
[ 38.373841] EXT4-fs (dm-2): mounting ext3 file system using the ext4 subsystem
[ 38.460677] EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: (null)
[ 38.480371] EXT4-fs (dm-3): mounting ext3 file system using the ext4 subsystem
[ 38.577286] EXT4-fs (dm-3): mounted filesystem with ordered data mode. Opts: (null)
[ 38.597053] EXT4-fs (dm-4): mounting ext3 file system using the ext4 subsystem
[ 38.770222] EXT4-fs (dm-4): mounted filesystem with ordered data mode. Opts: (null)
[ 38.794328] EXT4-fs (dm-7): mounting ext3 file system using the ext4 subsystem
[ 38.871839] EXT4-fs (dm-7): mounted filesystem with ordered data mode. Opts: (null)
[ 40.818535] NET: Registered protocol family 10
[ 41.629930] RPC: Registered named UNIX socket transport module.
[ 41.635932] RPC: Registered udp transport module.
[ 41.640677] RPC: Registered tcp transport module.
[ 41.645419] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 41.698888] FS-Cache: Loaded
[ 41.815463] FS-Cache: Netfs 'nfs' registered for caching
[ 41.914249] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
[ 44.672294] NFSD: starting 90-second grace period (net c0590248)
[82972.119017] ip_tables: (C) 2000-2006 Netfilter Core Team
[82975.452444] nf_conntrack version 0.5.0 (4096 buckets, 16384 max)
[83135.973681] lockd: couldn't shutdown host module for net c0590248!
[83135.994133] nfsd: last server has exited, flushing export cache
[83137.951143] NFSD: starting 90-second grace period (net c0590248)
[431771.763910] lockd: couldn't shutdown host module for net c0590248!
[431771.784277] nfsd: last server has exited, flushing export cache
[431774.001391] NFSD: starting 90-second grace period (net c0590248)
** Model information
Hardware : Marvell Kirkwood (Flattened Device Tree)
Revision : 0000
Device Tree model: QNAP TS219 family
** Loaded modules:
iptable_nat
nf_conntrack_ipv4
nf_defrag_ipv4
nf_nat_ipv4
nf_nat
nf_conntrack
iptable_filter
ip_tables
x_tables
udp_diag
tcp_diag
inet_diag
nfsd
auth_rpcgss
oid_registry
nfs_acl
nfs
lockd
grace
fscache
sunrpc
ipv6
loop
ftdi_sio
usbserial
evdev
ehci_orion
marvell
ehci_hcd
sg
mv643xx_eth
mvmdio
of_mdio
fixed_phy
libphy
usbcore
marvell_cesa
usb_common
des_generic
orion_wdt
m25p80
spi_nor
gpio_keys
ext4
crc16
jbd2
fscrypto
ecb
mbcache
raid10
raid456
libcrc32c
crc32c_generic
async_raid6_recov
async_memcpy
async_pq
async_xor
xor
async_tx
raid6_pq
raid0
multipath
linear
dm_mod
raid1
md_mod
sd_mod
sata_mv
libata
scsi_mod
** Network interface configuration:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.64
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
** Network status:
*** IP interfaces and addresses:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:08:9b:c3:2f:77 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.64/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::208:9bff:fec3:2f77/64 scope link
valid_lft forever preferred_lft forever
*** Device statistics:
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 618544 9374 0 0 0 0 0 0 618544 9374 0 0 0 0 0 0
eth0: 2822540153 19371100 10 288 0 0 0 0 2173792584 11274427 0 23117 0 0 0 0
*** Protocol statistics:
Ip:
Forwarding: 2
16027218 total packets received
0 forwarded
0 incoming packets discarded
16027218 incoming packets delivered
11297604 requests sent out
Icmp:
220 ICMP messages received
0 input ICMP message failed
ICMP input histogram:
destination unreachable: 27
echo requests: 193
220 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 27
echo replies: 193
IcmpMsg:
InType3: 27
InType8: 193
OutType0: 193
OutType3: 27
Tcp:
966 active connection openings
6000 passive connection openings
7 failed connection attempts
2 connection resets received
5 connections established
15951243 segments received
56549551 segments sent out
420651 segments retransmitted
0 bad segments received
30 resets sent
Udp:
3437 packets received
1 packets to unknown port received
0 packet receive errors
3449 packets sent
0 receive buffer errors
0 send buffer errors
IgnoredMulti: 72317
UdpLite:
TcpExt:
5 resets received for embryonic SYN_RECV sockets
1153 TCP sockets finished time wait in fast timer
63375 delayed acks sent
1511 delayed acks further delayed because of locked socket
Quick ack mode was activated 212 times
36 packets directly queued to recvmsg prequeue
TCPDirectCopyFromPrequeue: 811
2712771 packet headers predicted
2 packet headers predicted and directly queued to user
7142816 acknowledgments not containing data payload received
7031642 predicted acknowledgments
TCPSackRecovery: 25306
Detected reordering 223 times using time stamp
78 congestion windows fully recovered without slow start
56 congestion windows partially recovered using Hoe heuristic
TCPLostRetransmit: 157
TCPSackFailures: 2065
10 timeouts in loss state
349717 fast retransmits
315 forward retransmits
67846 retransmits in slow start
TCPTimeouts: 182
TCPLossProbes: 2348
TCPLossProbeRecovery: 4
TCPSackRecoveryFail: 267
TCPDSACKOldSent: 212
TCPDSACKRecv: 12
5 connections reset due to unexpected data
2 connections reset due to early user close
3 connections aborted due to timeout
TCPDSACKIgnoredNoUndo: 3
TCPSackShifted: 32734
TCPSackMerged: 28985
TCPSackShiftFallback: 31846
TCPRetransFail: 5917
TCPRcvCoalesce: 436952
TCPOFOQueue: 1712
TCPSpuriousRtxHostQueues: 296
TCPAutoCorking: 54407
TCPFromZeroWindowAdv: 6128
TCPToZeroWindowAdv: 6128
TCPWantZeroWindowAdv: 1299
TCPOrigDataSent: 56158821
TCPHystartTrainDetect: 315
TCPHystartTrainCwnd: 6873
TCPHystartDelayDetect: 2
TCPHystartDelayCwnd: 83
TCPKeepAlive: 31
IpExt:
InBcastPkts: 72319
InOctets: 6585632703
OutOctets: 75577078590
InBcastOctets: 12479940
InNoECTPkts: 19243183
** PCI devices:
00:01.0 PCI bridge [0604]: Marvell Technology Group Ltd. 88F6281 [Kirkwood] ARM SoC [11ab:6281] (rev 03) (prog-if 00 [Normal decode])
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr+ Stepping- SERR+ FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Bus: primary=00, secondary=01, subordinate=01, sec-latency=0
Prefetchable memory behind bridge: 00000000-000fffff
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR- NoISA- VGA- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
** USB devices:
Bus 001 Device 003: ID 0403:6001 Future Technology Devices International, Ltd FT232 USB-Serial (UART) IC
Bus 001 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
-- System Information:
Debian Release: 9.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: armel (armv5tel)
Kernel: Linux 4.9.0-8-marvell
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages linux-image-4.9.0-8-marvell depends on:
ii initramfs-tools [linux-initramfs-tool] 0.130
ii kmod 23-2
ii linux-base 4.5
Versions of packages linux-image-4.9.0-8-marvell recommends:
ii firmware-linux-free 3.4
ii u-boot-tools 2016.11+dfsg1-4
Versions of packages linux-image-4.9.0-8-marvell suggests:
pn debian-kernel-handbook <none>
pn linux-doc-4.9 <none>
Versions of packages linux-image-4.9.0-8-marvell is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
pn firmware-iwlwifi <none>
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information
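
The discrepancy behind the "hidden port" warning in the report above, as an added Python sketch (not part of the original report and not unhide-tcp's own code): a port counts as unexplained when bind() is refused with EADDRINUSE yet no socket for it is listed in /proc/net/tcp, which is what a kernel-held socket with no userspace owner looks like to such a check. The function names and the sample table are constructed for illustration; probing with bind() is an assumption about how this class of scanner works.

```python
import errno
import socket

# TCP state codes used in the "st" column of /proc/net/tcp
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "07": "CLOSE", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp format (not data from the report):
# listeners on 22 and 2049 plus one established connection to 2049.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:0801 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1377
   2: 4001A8C0:0801 0A01A8C0:03E5 01 00000000:00000000 00:00000000 00000000     0        0 1490
"""


def visible_ports(table):
    """Map each local port listed in a /proc/net/tcp{,6} dump to its states."""
    ports = {}
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header or blank line
        port = int(fields[1].rsplit(":", 1)[1], 16)
        ports.setdefault(port, set()).add(TCP_STATES.get(fields[3], fields[3]))
    return ports


def bind_refused(port, addr="0.0.0.0"):
    """True if bind() fails with EADDRINUSE, i.e. the kernel holds the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((addr, port))
        except OSError as exc:
            return exc.errno == errno.EADDRINUSE
    return False


def unexplained_ports(refused, table):
    """Ports where bind() was refused although no listed socket uses them."""
    listed = visible_ports(table)
    return sorted(p for p in refused if p not in listed)


if __name__ == "__main__":
    # Live check of the privileged range; needs root, otherwise bind() fails
    # with EACCES and nothing is reported.
    table = ""
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                table += fh.read()
        except OSError:
            pass  # e.g. IPv6 disabled
    refused = [p for p in range(1, 1024) if bind_refused(p)]
    print("refused but not listed:", unexplained_ports(refused, table))
```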