Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

OSS specific Linux discussion (x86/amd64)

Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby o01eg » Sat Feb 19, 2011 9:32 am

I get a kernel panic when the jabber client plays multiple sounds for new messages:
Code:
[46165.423882] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[46165.423900] IP: [<ffffffffa0e8cb05>] vmix_detach_audiodev+0x1f5/0x2e0 [osscore]
[46165.423915] PGD 3c9a7067 PUD 3c95b067 PMD 0
[46165.423925] Oops: 0000 [#1] PREEMPT SMP
[46165.423933] last sysfs file: /sys/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/model
[46165.423939] CPU 3

Full log: http://paste.pocoo.org/show/341196/

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby cesium » Sat Feb 19, 2011 10:58 am

A) Can you paste the output of 'ossinfo -v3'?
B) Is this reproducible? (i.e. always happens with jabber, etc., or just this once).

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby igorzwx » Sat Feb 19, 2011 11:01 am

o01eg wrote:I get a kernel panic when the jabber client plays multiple sounds for new messages:
Code:
[46165.423882] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030


Do you have PulseAudio (or libpulse) installed, or a kind of SELinux?

Clever attack exploits fully-patched Linux kernel
'NULL pointer' bug plagues even super max versions
http://www.theregister.co.uk/2009/07/17 ... l_exploit/

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby o01eg » Sat Feb 19, 2011 11:11 am

cesium wrote:A) Can you paste the output of 'ossinfo -v3'?

http://paste.pocoo.org/show/341229/
cesium wrote:B) Is this reproducible? (i.e. always happens with jabber, etc., or just this once).

Yes, I have already got it four times, but only now tried to get logs.
igorzwx wrote:Do you have PulseAudio (or libpulse) installed, or a kind of SELinux?

I have PulseAudio installed, but I don't use it. I also don't use SELinux.

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby igorzwx » Sat Feb 19, 2011 11:14 am

o01eg wrote:
cesium wrote:A) Can you paste the output of 'ossinfo -v3'?

http://paste.pocoo.org/show/341229/
cesium wrote:B) Is this reproducible? (i.e. always happens with jabber, etc., or just this once).

Yes, I have already got it four times, but only now tried to get logs.
igorzwx wrote:Do you have PulseAudio (or libpulse) installed, or a kind of SELinux?

I have PulseAudio installed, but I don't use it. I also don't use SELinux.


If you have PulseAudio installed, it may explain the phenomenon.
Have you tried to remove it?

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby o01eg » Sat Feb 19, 2011 11:25 am

PulseAudio doesn't work in kernel mode, it can't crash the kernel. As I see in the logs, the crash was caused in the "play" process from sox-14.3.0.
It looks like a concurrency bug.

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby igorzwx » Sat Feb 19, 2011 12:02 pm

o01eg wrote:PulseAudio don't work in kernel-mode


It seems that it does:

Clever attack exploits fully-patched Linux kernel
'NULL pointer' bug plagues even super max versions

...The exploit works only when a security extension known as SELinux, or Security-Enhanced Linux, is enabled. Conversely, it also works when audio software known as PulseAudio is installed.
http://www.theregister.co.uk/2009/07/17 ... l_exploit/

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby cesium » Sat Feb 19, 2011 12:07 pm

Yea, I'm sure Pulse has nothing to do with it.

o01eg: Can you try a small experiment?
A) Add "vmix_no_autoattach=1" line to /usr/lib/oss/conf/osscore.conf
B) Add "vmixctl attach -c8 /dev/oss/oss_hdaudio0/pcm0 /dev/oss/oss_hdaudio0/pcmin0" line (before the "exit 0", of course) to /usr/lib/oss/soundon.user
C) Do "sudo chmod +x /usr/lib/oss/soundon.user"
D) Restart OSS, with "sudo soundoff" and "sudo soundon" commands.
E) Test again if it crashes.
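The five steps cesium lists above, as an added shell script that is not from the thread or the OSS project: it applies steps A to C idempotently to the files named in the post and runs step D (soundoff/soundon) only when OSS_APPLY=1 is set, so the functions can be tried on copies first. The file locations and the hdaudio0 device names are taken from the post and are assumptions for other installs.

```shell
#!/bin/sh
# Added example, not from the thread: applies cesium's vmix experiment.
# File locations are those named in the post; override them to test on copies.
OSSCORE_CONF="${OSSCORE_CONF:-/usr/lib/oss/conf/osscore.conf}"
SOUNDON_USER="${SOUNDON_USER:-/usr/lib/oss/soundon.user}"
# Device names as given in the post (hdaudio0); adjust for other cards.
VMIX_ATTACH_LINE='vmixctl attach -c8 /dev/oss/oss_hdaudio0/pcm0 /dev/oss/oss_hdaudio0/pcmin0'

# Step A: set vmix_no_autoattach=1, replacing an existing setting or appending one.
disable_vmix_autoattach() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    awk '/^vmix_no_autoattach=/ { if (!seen) print "vmix_no_autoattach=1"; seen = 1; next }
         { print }
         END { if (!seen) print "vmix_no_autoattach=1" }' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Step B: insert the manual attach before the first "exit 0" in soundon.user.
# Idempotent: a second run finds the line already present and changes nothing.
add_vmix_attach() {
    script="$1"
    [ -f "$script" ] || printf '#!/bin/sh\nexit 0\n' > "$script"
    grep -qxF -- "$VMIX_ATTACH_LINE" "$script" && return 0
    awk -v line="$VMIX_ATTACH_LINE" '
        !done && /^exit 0/ { print line; done = 1 }
        { print }
        END { if (!done) { print line; print "exit 0" } }' "$script" > "$script.tmp" \
        && mv "$script.tmp" "$script"
}

# Steps C and D: make soundon.user executable and restart OSS (needs root).
apply_experiment() {
    disable_vmix_autoattach "$OSSCORE_CONF"
    add_vmix_attach "$SOUNDON_USER"
    chmod +x "$SOUNDON_USER"
    soundoff && soundon
}

# Touch the real system only when asked: OSS_APPLY=1 sh vmix_experiment.sh
if [ "${OSS_APPLY:-0}" = 1 ]; then
    apply_experiment
fi
```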

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby o01eg » Sat Feb 19, 2011 12:10 pm

Do I need to get a kernel crash?

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby cesium » Sat Feb 19, 2011 12:22 pm

Nope. Just want to know if it crashes.

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby igorzwx » Sat Feb 19, 2011 12:32 pm

cesium wrote:Yea, I'm sure Pulse has nothing to do with it.


If it has nothing to do with PulseAudio, it might be a security problem of OSS4, which might be exploited by botnets
http://www.google.com/search?q=linux%20 ... 8&oe=UTF-8
http://www.theregister.co.uk/2009/07/17 ... l_exploit/

If I am not mistaken, you have already said something about innovations in vmix which make it similar to PulseAudio. Right?

See also: http://www.theregister.co.uk/2011/02/09 ... _problems/
Watch the video clip: http://www.youtube.com/watch?v=ovfYBa1EHm4
read the discussion on the forum: http://forums.theregister.co.uk/forum/1 ... _problems/
and a blog post here: http://blogs.iss.net/archive/Shmoocon2011.html

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby cesium » Sat Feb 19, 2011 12:38 pm

There is a difference between "crash/panic" and "exploitable hole". I don't think there's a way a userland program can get its own code executed here.

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby igorzwx » Sat Feb 19, 2011 12:43 pm

cesium wrote:There is a difference between "crash/panic" to "exploitable hole". I don't think there's a way a userland program can get its own code executed here.


Imagine a scenario: "provoke a kernel crash and utilize it to compromise the system".
You may ask the IBM security experts, e.g. Jon Larimer of IBM's X-Force security division http://www.theregister.co.uk/2011/02/09 ... _problems/

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby o01eg » Sat Feb 19, 2011 12:49 pm

Can I (or you) get more detailed information about the crash from this backtrace? I have the kernel and module binaries and .map files.

Re: Kernel panic in osscore. (2.6.36-gentoo-r5 SMP PREEMPT)

Postby cesium » Sat Feb 19, 2011 1:01 pm

Perhaps, but I am no expert (or dev - the OSS devs are at the oss-devel mailing list). Right now, I'm curious to find out whether it's a sync issue or an overflow issue (very likely the first, but I want to make sure). We could add calls that print to dmesg around the last function in the trace, but I don't know if you could recover the dmesg after the panic (I guess a serial console would work, but it requires some hw? And you'll have to rebuild OSS to allow this):

Code:
diff -r 09a210f84f55 kernel/framework/vmix_core/vmix_core.c
--- a/kernel/framework/vmix_core/vmix_core.c   Thu Jan 06 07:55:36 2011 +0200
+++ b/kernel/framework/vmix_core/vmix_core.c   Sat Feb 19 14:59:17 2011 +0200
@@ -2246,6 +2246,7 @@
   vmix_portc_t *portc;
   vmix_mixer_t *mixer = mixer_;

+cmn_err (CE_CONT, "%d | %p %d\n", __LINE__, mixer_, num_clientdevs);
   if (mixer->disabled) /* Vmix is disabled for the time being */
      return OSS_ENXIO;

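Review bot: all three added cmn_err calls share the format "%d | %p %d\n" and rely on __LINE__ alone to tell them apart, and __LINE__ shifts each time a line is inserted above it (this hunk already moves the later two, see the +2267 and +2286 offsets), so matching a dmesg line back to the source is fragile; prefix each message with __func__ and a short tag such as "mixer=%p clients=%d" so the output is self-describing, and indent the added line to the surrounding two-space style so the debug lines are easy to find and strip again once the experiment is over.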
@@ -2266,6 +2267,7 @@
     break;
   }
   MUTEX_EXIT_IRQRESTORE (mixer->mutex, flags);
+cmn_err (CE_CONT, "%d | %p %d\n", __LINE__, portc, engine_num);
 
/*
  * Create a new engine and use it
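Review bot: placing the print after MUTEX_EXIT_IRQRESTORE is the right choice, since a console write under the IRQ-disabled mutex would widen the very window a concurrency bug lives in; do note in the post, though, that a NULL portc printed at this point is most likely the not-found result of the search loop that ends with the break at the top of the hunk, which then falls through to the "Create a new engine" path below, so it is not by itself the fault and has to be read together with the third print.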
@@ -2284,6 +2286,7 @@
      }

   portc = audio_engines[engine_num]->portc;
+cmn_err (CE_CONT, "%d | %p %d\n", __LINE__, portc, engine_num);

   /* portc->open_pending = 1; // This was done already by create_vmix_engine() */
   return engine_num;
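Review bot: this print comes after the dereference in "portc = audio_engines[engine_num]->portc;", so if audio_engines[engine_num] is NULL the oops fires before the message reaches dmesg and the last line seen would be the one from the previous hunk, which says nothing about engine_num at this point; print engine_num and audio_engines[engine_num] before the assignment and portc after it. The reported fault address 0000000000000030 is a small offset from zero, i.e. a field read through a NULL struct pointer, which is exactly the case a print placed before each dereference catches.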