on Thu, Dec 11, 2003 at 04:55:06PM +0100, qba (qba@gepard.f-net.pl) wrote:
> Hello.
>
> My woody - with 2.4.22 - crashed today.
>
> When I came to see it, the keyboard LEDs were blinking.
> What I had on the monitor was kdb debugging something that Oops'ed.
> Unfortunately, due to lack of time (I had to reboot it immediately) and
> lack of knowledge, I didn't analyze what it was debugging.
>
> It seems that there is nothing interesting in logs except
>
> syslog
> -------------
> Dec 11 12:21:39 gepard tpop3d[3242]: listeners_post_select: client
> [6]80.51.233.34/gepard: connected
> Dec 11 12:21:40 gepard tpop3d[3242]: authcontext_new_user_pass: began
> session for `pawlowicz@f-net.pl' with my
> sql; uid 8, gid 8
> Dec 11 12:21:40 gepard tpop3d[3242]: fork_child:
> [6]pawlowicz@f-net.pl(80.51.233.34): successfully authenticat
> ed with mysql
> Dec 11 12:21:40 gepard tpop3d[3242]: fork_child: new child is PID 15962
> Dec 11 12:21:40 gepard tpop3d[15962]: maildir_new: scanned maildir
> /var/mail/virt2/f-net.pl/pawlowicz/Maildir/
> (0 messages) in 0.000s
> Dec 11 12:21:41 gepard tpop3d[15962]: connections_post_select: client
> [6]pawlowicz@f-net.pl(80.51.233.34): dis
> connected; 53/144 bytes read/written
> Dec 11 12:21:41 gepard tpop3d[15962]: authcontext_delete: finished
> session for `pawlowicz@f-net.pl' with mysql
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@Dec 11 12:53:46 gepard syslogd
> 1.4.1#10: restart (remote reception).
> Dec 11 12:53:46 gepard kernel: klogd 1.4.1#10, log source = /proc/kmsg
> started.
> Dec 11 12:53:46 gepard kernel: Cannot find map file.
> Dec 11 12:53:46 gepard kernel: Loaded 14 symbols from 2 modules.
> Dec 11 12:53:46 gepard kernel: Linux version 2.4.22-ow1 (root@gepard)
> (gcc version 2.95.4 20011002 (Debian pre
> release)) #4 ?ro gru 10 17:08:10 CET 2003
> Dec 11 12:53:46 gepard kernel: BIOS-provided physical RAM map:
> Dec 11 12:53:46 gepard kernel: BIOS-e820: 0000000000000000 -
> 00000000000a0000 (usable)
>
> #######################################
>
> daemonlog
> -------------------
> ec 11 12:15:22 gepard dhcpd: DHCPACK on 192.168.40.116 to
> 00:30:4f:29:b1:55 via eth2
> Dec 11 12:15:52 gepard sslwrap[15665]: connect from 192.168.60.103
> Dec 11 12:16:29 gepard oidentd[15693]: Connection from irc.Prison.NET
> (208.178.231.190):41438
> Dec 11 12:16:46 gepard oidentd[15708]: Connection from irc.Prison.NET
> (208.178.231.190):40585
> Dec 11 12:16:59 gepard oidentd[15693]: Timeout for request. Closing
> connection.
> Dec 11 12:17:16 gepard oidentd[15708]: Timeout for request. Closing
> connection.
> Dec 11 12:20:54 gepard sslwrap[15924]: connect from 192.168.60.103
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
> ^@^@^@^@^@^@^@^@^@^@^@Dec 11 11:53:47 gepard named[413]: starting BIND
> 9.2.1 -u nobody -t /var/lib/named
> Dec 11 11:53:47 gepard named[413]: using 1 CPU
> Dec 11 11:53:47 gepard named[417]: loading configuration from
> '/etc/bind/named.conf'
> Dec 11 11:53:47 gepard named[417]: no IPv6 interfaces found
> Dec 11 11:53:47 gepard named[417]: listening on IPv4 interface lo,
> 127.0.0.1#53
> Dec 11 11:53:47 gepard named[417]: listening on IPv4 interface eth0,
> 212.244.107.162#53
> Dec 11 11:53:48 gepard named[417]: listening on IPv4 interface eth1,
> 212.244.107.163#53
>
> su-2.05a# sysctl -a | grep kdb
> kernel/kdb = 1
>
> qba@gepard:~$ uname -a
> Linux gepard 2.4.22-ow1 #4 ?ro gru 10 17:08:10 CET 2003 i686 unknown
>
> patches -> imq , htb , xfs , esfq , owl.
>
> cpu pIV , 1GB ram , disks wdc80GB
> 4 nic eepro100
> the machine is running
> tpop3d + mysql, exim 4.20 + mysql, squirrelmail, proftpd + mysql,
> lstat, ipfm, squid, dhcp, apache, apache-ssl, sshd,
> portsentry, named, courier + sql.
>
>
> What does the quite big number of '@' mean? A successful attempt at a string
> overflow or buffer overflow that resulted in the crash?
>
> The problem is that I don't know what actually Oopsed. There is nothing
> about it in the logs.
>
> Thank you for all suggestions and help.
Well, you're running a brk() vulnerable kernel (2.4.22). You want a
backported patched 2.4.18-12, or 2.4.23, to get around the userspace
kernel buffer overflow.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
The black hat community is drooling over the possibility of a secure
execution environment that would allow applications to run in a
secure area which cannot be attached to via debuggers.
- Jason Spence, on Palladium aka NGCSB aka "Trusted Computing"
Attachment:
pgp3rfbQUaijA.pgp
Description: PGP signature
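The `^@` runs in the quoted syslog and daemon.log are NUL bytes, and the question above is whether they are evidence of an overflow. A common and benign cause is much simpler: when a machine goes down uncleanly, blocks that the filesystem had already allocated to the growing log file but whose data never reached disk read back as zeros after recovery, so the NUL run marks exactly the outage window between the last line written before the crash and the first line after the reboot. The following script is an added example, not code from either poster; it scans a log file for NUL runs and reports the timestamps that bracket each one, so the gap can be compared against the reboot time and the absence of an Oops line explained. The sample log bytes are constructed here, modelled on the thread's syslog, and the `find_nul_runs`, `bracketing_timestamps` and `analyse` helper names are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample (not a real capture): the last pre-crash syslog line,
# a block of NUL bytes standing in for never-flushed file blocks, then the
# first lines written after the reboot.
SAMPLE_LOG = (
    b"Dec 11 12:21:41 gepard tpop3d[15962]: authcontext_delete: finished session\n"
    + b"\x00" * 4096
    + b"Dec 11 12:53:46 gepard syslogd 1.4.1#10: restart (remote reception).\n"
    b"Dec 11 12:53:46 gepard kernel: Linux version 2.4.22-ow1 (root@gepard)\n"
)

# Classic syslog prefix: "Mon dd HH:MM:SS" (day may be space-padded).
TIMESTAMP_RE = re.compile(rb"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)")


def find_nul_runs(data: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of NUL bytes at least min_len long.

    A short min_len would also flag isolated NULs that some daemons emit
    legitimately; 16 is a reasonable default for crash-induced zero fill.
    """
    pattern = rb"\x00{%d,}" % min_len
    return [(m.start(), m.end() - m.start()) for m in re.finditer(pattern, data)]


def _first_timestamp(lines) -> Optional[str]:
    """Return the syslog timestamp of the first line in `lines` that has one."""
    for line in lines:
        m = TIMESTAMP_RE.match(line)
        if m:
            return m.group(1).decode("ascii")
    return None


def bracketing_timestamps(data: bytes, offset: int, length: int) -> Tuple[Optional[str], Optional[str]]:
    """Timestamps of the last line before and the first line after a NUL run."""
    before = data[:offset].splitlines()
    after = data[offset + length:].splitlines()
    return _first_timestamp(reversed(before)), _first_timestamp(after)


def analyse(data: bytes, min_len: int = 16) -> List[dict]:
    """Describe each NUL run: where it is, how long, and the log lines around it."""
    report = []
    for offset, length in find_nul_runs(data, min_len):
        last_before, first_after = bracketing_timestamps(data, offset, length)
        report.append({
            "offset": offset,
            "length": length,
            "last_before": last_before,   # last event logged before the crash
            "first_after": first_after,   # first event logged after reboot
        })
    return report


if __name__ == "__main__":
    for entry in analyse(SAMPLE_LOG):
        print("NUL run of %(length)d bytes at offset %(offset)d: "
              "last entry %(last_before)s, next entry %(first_after)s" % entry)
```

Run it against a real file with `analyse(open("/var/log/syslog", "rb").read())`. When the reported gap lines up with the reboot and the daemons on either side are the ones the thread shows (tpop3d before, syslogd/klogd restart after), the zeros are the filesystem's doing and carry no information about what Oopsed; the kernel Oops text was only ever on the console, which is why the logs are silent about it. The version of the kernel, as the reply points out, is the thing to act on.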