banning user... until system restart for ... kernel crash w/ Qemu

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

banning user... until system restart for ... kernel crash w/ Qemu

Postby timbgo » Fri Oct 21, 2016 9:27 pm

title (full): "banning user ... until system restart for suspicious kernel crash" with Qemu script. How?

Hi!

I'm unsure where to ask about this: the Qemu ML, the KVM folks, or here at the
grsecurity forums.

I decided on grsec because it is grsecurity that banned the user, as line
53 of the log in the next post (posted separately for easier viewing) says:

Code:
grsec: banning user with uid 1000 until system restart for suspicious kernel crash


Here's the script GentooVM.sh:
Code:
#!/bin/sh
# file=$img expands to "file=" (an empty path) when $img is not set; see below.
exec qemu-system-x86_64 -enable-kvm \
   -cpu host \
   -drive file=$img,if=virtio \
   -netdev user,id=vmnic,hostname=gentoovm -device virtio-net,netdev=vmnic \
   -m 1024M \
   -monitor stdio \
   -name "Gentoo VM" \
   "$@"

which, looking at it just now while preparing this for posting, I see that I ran the wrong way!

Notice that "-drive file=$img" is not like in the original script. (Obviously, I'm new to Qemu, and only figuring things out slowly...)

And here's what happened. It's almost all in the log in the next post. I first issued:
Code:
qemu-img create -f qcow2 -b install-amd64-minimal-20161020.iso install-amd64-minimal-20161020-S.iso

to create a snapshot.

Then I issued (and I can't find it in the logs):

Code:
$ img=install-amd64-minimal-20161020-S.iso

and checked it:
Code:
$ echo $img
install-amd64-minimal-20161020-S.iso
$

(See below why that was wrong in combination with the script.)

Then I chmod'ed the GentooVM.sh script above to 755. I tried to run it, but couldn't because I have TPE on.

Then I cp'd it to /usr/local/bin and ran it (without "./" w/o quotes).

What did I do wrong?

I should not have created the snapshot, but should have run it:
Code:
$ GentooVM.sh install-amd64-minimal-20161020-S.iso
instead, because there's the file=... in the script. In short, I should have left it as it was on the QEMU Linux guest page:
https://wiki.gentoo.org/wiki/QEMU/Linux_guest#Host
and instead I edited it the wrong way, and ran it without arguments:
Code:
$ GentooVM.sh


Everything went blank. I had to do a hardware reset.

I'll give the log in a separate post for easier viewing.

I'm posting this because I'm trying to grasp how the recursion happened... Has anybody figured it out and can tell us?

---
Regards!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
Last edited by timbgo on Fri Oct 21, 2016 10:10 pm, edited 2 times in total.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: banning user... until system restart for ... kernel crash w/ Qemu

Postby timbgo » Fri Oct 21, 2016 9:28 pm

Please read the previous post, if you haven't.
Code:
Oct 22 01:44:38 g0n kernel: [102005.210732] grsec: (miro:U:/bin/cp) exec of /bin/cp (cp -aiv /Cmn/dLo/Gentoo/install-amd64-minimal-20161020.iso . ) by /bin/cp[bash:31211] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 01:45:00 g0n kernel: [102027.567430] grsec: (miro:U:/) exec of /usr/bin/qemu-img (qemu-img create -f qcow2 -b install-amd64-minimal-20161020.iso install-amd64-minimal-20161020-S.iso ) by /usr/bin/qemu-img[bash:31214] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 01:45:30 g0n kernel: [102057.330878] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat ) by /bin/cat[bash:31218] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000

And here there were 275 lines that I cut out, starting with ...grsec: exec of /usr/bin/vim...

A sub-question to this topic:

Please, can anybody give us a quick tip on how to filter out very verbose log entries like the ones the good ole Vim program gives?

On with the main issue. Here is what I described in the previous post.
Code:
Oct 22 01:48:38 g0n kernel: [102245.259070] grsec: (miro:U:/) exec of /bin/chmod (chmod 755 GentooVM.sh ) by /bin/chmod[bash:31225] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 01:48:40 g0n kernel: [102247.386471] grsec: (miro:U:/bin/bash) denied untrusted exec (due to being in untrusted group and file in non-root-owned directory) of /home/miro/GentooVM.sh by /home/miro/GentooVM.sh[bash:31228] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 01:48:50 g0n kernel: [102257.810046] grsec: (miro:U:/bin/ls) exec of /bin/ls (ls --color=auto -l GentooVM.sh ) by /bin/ls[bash:31229] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 01:49:02 g0n kernel: [102269.523053] grsec: (admin:S:/) exec of /bin/cp (cp -iav /home/miro/GentooVM.sh /usr/local/bin/ ) by /bin/cp[bash:31232] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4318] uid/euid:0/0 gid/egid:0/0
Oct 22 01:49:07 g0n kernel: [102274.044399] grsec: (miro:U:/) exec of /usr/local/bin/GentooVM.sh (GentooVM.sh ) by /usr/local/bin/GentooVM.sh[bash:31235] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 01:49:07 g0n kernel: [102274.062102] grsec: (miro:U:/usr/bin/qemu-system-x86_64) exec of /usr/bin/qemu-system-x86_64 (qemu-system-x86_64 -enable-kvm -cpu host -drive file=,if=virtio -netdev user,id=vmnic,hostname=gentoovm -device virtio-net,netde) by /usr/bin/qemu-system-x86_64[GentooVM.sh:31235] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000


Here is the BUG, and the Call Trace:
Code:
Oct 22 01:49:07 g0n kernel: [102274.795004] BUG: unable to handle kernel NULL pointer dereference at            (nil)
Oct 22 01:49:07 g0n kernel: [102274.795061] IP: [<ffffffff8101ec7c>] kvm_irqfd_release+0x27/0x85
Oct 22 01:49:07 g0n kernel: [102274.795101] PGD 11d829067 PUD 0
Oct 22 01:49:07 g0n kernel: [102274.795122] Oops: 0000 [#1] PREEMPT SMP
Oct 22 01:49:07 g0n kernel: [102274.795146] Modules linked in:
Oct 22 01:49:07 g0n kernel: [102274.795166] CPU: 1 PID: 31236 Comm: qemu-system-x86 Not tainted 4.7.7-hardened-161020 #4
Oct 22 01:49:07 g0n kernel: [102274.795214] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Oct 22 01:49:07 g0n kernel: [102274.795273] task: ffff8803d18c1e00 ti: ffff8803d18c2628 task.ti: ffff8803d18c2628
Oct 22 01:49:07 g0n kernel: [102274.795316] RIP: 0010:[<ffffffff8101ec7c>]  [<ffffffff8101ec7c>] kvm_irqfd_release+0x27/0x85
Oct 22 01:49:07 g0n kernel: [102274.795393] RSP: 0018:ffffc90009d33b68  EFLAGS: 00010047
Oct 22 01:49:07 g0n kernel: [102274.795423] RAX: 0000000000000000 RBX: ffff88016b634000 RCX: 0000000000000001
Oct 22 01:49:07 g0n kernel: [102274.795465] RDX: 0000000000000001 RSI: ffff88040ce6c000 RDI: ffff88016b634a50
Oct 22 01:49:07 g0n kernel: [102274.795506] RBP: ffffc90009d33b80 R08: 0000000000000000 R09: 0000000000000000
Oct 22 01:49:07 g0n kernel: [102274.795549] R10: ffff88040ce6c018 R11: ffff8803a3fb0ff0 R12: ffff88016b634a58
Oct 22 01:49:07 g0n kernel: [102274.795590] R13: ffff88016b634a50 R14: ffff88024c364820 R15: ffff8800d9d26190
Oct 22 01:49:07 g0n kernel: [102274.795632] FS:  00000368068eb700(0000) GS:ffff88041fc80000(0000) knlGS:0000000000000000
Oct 22 01:49:07 g0n kernel: [102274.795679] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Oct 22 01:49:07 g0n kernel: [102274.795713] CR2: 0000000000000000 CR3: 0000000002187000 CR4: 00000000000006f0
Oct 22 01:49:07 g0n kernel: [102274.795754] Stack:
Oct 22 01:49:07 g0n kernel: [102274.795765]  ffff88016b634000 0000000000000008 ffff8800d9808b40 ffffc90009d33b98
Oct 22 01:49:07 g0n kernel: [102274.795808]  ffffffff8101a340 ffff88040ce6c000 ffffc90009d33bd8 ffffffff8119cd84
Oct 22 01:49:07 g0n kernel: [102274.795850]  ffff88040ce6c018 ffff88040ce6c0f0 ffff8803d18c1e00 ffff8803d18c23d8
Oct 22 01:49:07 g0n kernel: [102274.795892] Call Trace:
Oct 22 01:49:07 g0n kernel: [102274.795907]  [<ffffffff8101a340>] kvm_vm_release+0x17/0x32
Oct 22 01:49:07 g0n kernel: [102274.795941]  [<ffffffff8119cd84>] __fput+0x10f/0x1c0
Oct 22 01:49:07 g0n kernel: [102274.795970]  [<ffffffff8119ce81>] ____fput+0x14/0x25
Oct 22 01:49:07 g0n kernel: [102274.796001]  [<ffffffff810d338e>] task_work_run+0x89/0xb0
Oct 22 01:49:07 g0n kernel: [102274.796034]  [<ffffffff810bb97b>] do_exit+0x406/0x974
Oct 22 01:49:07 g0n kernel: [102274.796064]  [<ffffffff811155f8>] ? futex_wait+0x188/0x24e
Oct 22 01:49:07 g0n kernel: [102274.796097]  [<ffffffff810bbf74>] do_group_exit+0x41/0xad
Oct 22 01:49:07 g0n kernel: [102274.796129]  [<ffffffff810c6ee1>] get_signal+0x456/0x48a
Oct 22 01:49:07 g0n kernel: [102274.796161]  [<ffffffff81054586>] do_signal+0x38/0x55d
Oct 22 01:49:07 g0n kernel: [102274.796193]  [<ffffffff810014bf>] prepare_exit_to_usermode+0x67/0xa3
Oct 22 01:49:07 g0n kernel: [102274.796231]  [<ffffffff81001548>] syscall_return_slowpath+0x4d/0x67
Oct 22 01:49:07 g0n kernel: [102274.796269]  [<ffffffff81b64372>] entry_SYSCALL_64_fastpath+0xa1/0xa3
Oct 22 01:49:07 g0n kernel: [102274.796307] Code: 00 00 00 00 55 48 89 e5 41 55 41 54 49 89 fc 4d 8d ac 24 50 0a 00 00 49 81 c4 58 0a 00 00 53 4c 89 ef e8 a3 4e b4 00 49 8b 04 24 <48> 8b 18 48 8d b8 40 ff ff ff 48 81 eb c0 00 00 00 48 8d 87 c0
Oct 22 01:49:07 g0n kernel: [102274.796484] RIP  [<ffffffff8101ec7c>] kvm_irqfd_release+0x27/0x85
Oct 22 01:49:07 g0n kernel: [102274.796519]  RSP <ffffc90009d33b68>
Oct 22 01:49:07 g0n kernel: [102274.796539] CR2: 0000000000000000
Oct 22 01:49:07 g0n kernel: [102274.802467] ---[ end trace 692f1199258c770a ]---
Oct 22 01:49:07 g0n kernel: [102274.802469] grsec: banning user with uid 1000 until system restart for suspicious kernel crash
Oct 22 01:49:07 g0n kernel: [102274.802693] Fixing recursive fault but reboot is needed!
Oct 22 01:49:07 g0n kernel: [102274.802695] BUG: scheduling while atomic: qemu-system-x86/31236/0x00000002
Oct 22 01:49:07 g0n kernel: [102274.802696] Modules linked in:
Oct 22 01:49:07 g0n kernel: [102274.802698] Preemption disabled at:[<ffffffff810da33d>] ffffffff810da33d
Oct 22 01:49:07 g0n kernel: [102274.802700]
Oct 22 01:49:07 g0n kernel: [102274.802702] CPU: 1 PID: 31236 Comm: qemu-system-x86 Tainted: G      D         4.7.7-hardened-161020 #4
Oct 22 01:49:07 g0n kernel: [102274.802704] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Oct 22 01:49:07 g0n kernel: [102274.802705]  0000000000000086 0000000000000086 ffffc90009d33810 ffffffff81473705
Oct 22 01:49:07 g0n kernel: [102274.802708]  0000000000000003 ffff8803d18c1e00 0000000000000100 ffffc90009d33828
Oct 22 01:49:07 g0n kernel: [102274.802711]  ffffffff810d9ccd ffff88041fc91f00 ffffc90009d33870 ffffffff81b60a95
Oct 22 01:49:07 g0n kernel: [102274.802714] Call Trace:
Oct 22 01:49:07 g0n kernel: [102274.802718]  [<ffffffff81473705>] dump_stack+0x50/0x7b
Oct 22 01:49:07 g0n kernel: [102274.802720]  [<ffffffff810d9ccd>] __schedule_bug+0x91/0xae
Oct 22 01:49:07 g0n kernel: [102274.802722]  [<ffffffff81b60a95>] __schedule+0x68/0x552
Oct 22 01:49:07 g0n kernel: [102274.802724]  [<ffffffff81b61009>] schedule+0x8a/0xac
Oct 22 01:49:07 g0n kernel: [102274.802727]  [<ffffffff810bb67d>] do_exit+0x108/0x974
Oct 22 01:49:07 g0n kernel: [102274.802729]  [<ffffffff810bbf74>] do_group_exit+0x41/0xad
Oct 22 01:49:07 g0n kernel: [102274.802731]  [<ffffffff81057d66>] oops_end+0x84/0x98
Oct 22 01:49:07 g0n kernel: [102274.802735]  [<ffffffff8107de6a>] no_context+0x39e/0x409
Oct 22 01:49:07 g0n kernel: [102274.802738]  [<ffffffff8118af3a>] ? unfreeze_partials.isra.64+0xdc/0x119
Oct 22 01:49:07 g0n kernel: [102274.802740]  [<ffffffff8107df4d>] __bad_area_nosemaphore+0x78/0x538
Oct 22 01:49:07 g0n kernel: [102274.802742]  [<ffffffff810da33d>] ? preempt_count_add+0x60/0x71
Oct 22 01:49:07 g0n kernel: [102274.802745]  [<ffffffff8107e440>] bad_area_nosemaphore+0x33/0x43
Oct 22 01:49:07 g0n kernel: [102274.802747]  [<ffffffff8107e816>] __do_page_fault+0x190/0x403
Oct 22 01:49:07 g0n kernel: [102274.802749]  [<ffffffff8118c24f>] ? __slab_free+0x44/0x2b8
Oct 22 01:49:07 g0n kernel: [102274.802751]  [<ffffffff8107ead8>] do_page_fault+0x20/0x30
Oct 22 01:49:07 g0n kernel: [102274.802754]  [<ffffffff81b65882>] page_fault+0x22/0x30
Oct 22 01:49:07 g0n kernel: [102274.802756]  [<ffffffff8101ec7c>] ? kvm_irqfd_release+0x27/0x85
Oct 22 01:49:07 g0n kernel: [102274.802758]  [<ffffffff8101ec78>] ? kvm_irqfd_release+0x23/0x85
Oct 22 01:49:07 g0n kernel: [102274.802760]  [<ffffffff8101a340>] kvm_vm_release+0x17/0x32
Oct 22 01:49:07 g0n kernel: [102274.802762]  [<ffffffff8119cd84>] __fput+0x10f/0x1c0
Oct 22 01:49:07 g0n kernel: [102274.802764]  [<ffffffff8119ce81>] ____fput+0x14/0x25
Oct 22 01:49:07 g0n kernel: [102274.802766]  [<ffffffff810d338e>] task_work_run+0x89/0xb0
Oct 22 01:49:07 g0n kernel: [102274.802768]  [<ffffffff810bb97b>] do_exit+0x406/0x974
Oct 22 01:49:07 g0n kernel: [102274.802770]  [<ffffffff811155f8>] ? futex_wait+0x188/0x24e
Oct 22 01:49:07 g0n kernel: [102274.802772]  [<ffffffff810bbf74>] do_group_exit+0x41/0xad
Oct 22 01:49:07 g0n kernel: [102274.802774]  [<ffffffff810c6ee1>] get_signal+0x456/0x48a
Oct 22 01:49:07 g0n kernel: [102274.802776]  [<ffffffff81054586>] do_signal+0x38/0x55d
Oct 22 01:49:07 g0n kernel: [102274.802779]  [<ffffffff810014bf>] prepare_exit_to_usermode+0x67/0xa3
Oct 22 01:49:07 g0n kernel: [102274.802781]  [<ffffffff81001548>] syscall_return_slowpath+0x4d/0x67
Oct 22 01:49:07 g0n kernel: [102274.802784]  [<ffffffff81b64372>] entry_SYSCALL_64_fastpath+0xa1/0xa3

End of Call Trace above.

Code:
Oct 22 01:49:07 g0n kernel: [102274.838423] grsec: (root:U:/sbin/agetty) exec of /sbin/agetty (/sbin/agetty 38400 tty6 linux ) by /sbin/agetty[init:31237] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.740841] grsec: (root:U:/usr/sbin/crond) chdir to /root by /usr/sbin/crond[crond:31240] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:3790] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.741100] grsec: (root:U:/bin/bash) exec of /bin/bash (/bin/sh -c test -x /usr/sbin/run-crons && /usr/sbin/run-crons ) by /bin/bash[crond:31240] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:3790] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.746245] grsec: (root:U:/usr/sbin/run-crons) exec of /usr/sbin/run-crons (/usr/sbin/run-crons ) by /usr/sbin/run-crons[sh:31240] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:3790] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.752161] grsec: (root:U:/bin/mkdir) exec of /bin/mkdir (mkdir -p /var/spool/cron/lastrun ) by /bin/mkdir[run-crons:31243] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.752872] grsec: (root:U:/bin/mkdir) chdir to /var by /bin/mkdir[mkdir:31243] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.752888] grsec: (root:U:/bin/mkdir) chdir to /var/spool by /bin/mkdir[mkdir:31243] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.752900] grsec: (root:U:/bin/mkdir) chdir to /var/spool/cron by /bin/mkdir[mkdir:31243] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.753956] grsec: (root:U:/bin/ln) exec of /bin/ln (ln -sn 31240 /var/spool/cron/lastrun/lock ) by /bin/ln[run-crons:31244] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.755709] grsec: (root:U:/) exec of /usr/bin/find (find /var/spool/cron/lastrun -name cron.hourly -cmin +65 -exec rm {} ; ) by /usr/bin/find[run-crons:31245] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.756707] grsec: (root:U:/) chdir to /root by /usr/bin/find[find:31245] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.757531] grsec: (root:U:/) exec of /usr/bin/find (find /var/spool/cron/lastrun -name cron.daily -cmin +1445 -exec rm {} ; ) by /usr/bin/find[run-crons:31246] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.760285] grsec: (root:U:/) chdir to /root by /usr/bin/find[find:31246] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.761562] grsec: (root:U:/) exec of /usr/bin/find (find /var/spool/cron/lastrun -name cron.weekly -cmin +10085 -exec rm {} ; ) by /usr/bin/find[run-crons:31247] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.763130] grsec: (root:U:/) chdir to /root by /usr/bin/find[find:31247] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.763907] grsec: (root:U:/) exec of /usr/bin/find (find /var/spool/cron/lastrun -name cron.monthly -cmin +44645 -exec rm {} ; ) by /usr/bin/find[run-crons:31248] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.764882] grsec: (root:U:/) chdir to /root by /usr/bin/find[find:31248] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.765548] grsec: (root:U:/bin/touch) exec of /bin/touch (touch /var/spool/cron/lastrun ) by /bin/touch[run-crons:31249] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.766856] grsec: (root:U:/) exec of /usr/bin/find (find /var/spool/cron/lastrun -newer /var/spool/cron/lastrun -exec /bin/rm -f {} ; ) by /usr/bin/find[run-crons:31250] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.767831] grsec: (root:U:/) chdir to /root by /usr/bin/find[find:31250] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0
Oct 22 01:50:01 g0n kernel: [102328.768436] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /var/spool/cron/lastrun/lock ) by /bin/rm[run-crons:31251] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/run-crons[run-crons:31240] uid/euid:0/0 gid/egid:0/0


And regular booting goes on after, of course, I pressed the reset on the hardware.
Code:
Oct 22 01:55:53 g0n syslog-ng[2831]: syslog-ng starting up; version='3.4.8'
Oct 22 01:55:53 ...[some binary line of chars like "^@" w/o quotes here]... kernel: [    0.541262] pci 0000:00:03.0:   bridge window [mem 0xf0000000-0xf7ffffff 64bit pref]
Oct 22 01:55:53 g0n kernel: [    0.541306] pci 0000:02:00.0: [1b21:1042] type 00 class 0x0c0330
Oct 22 01:55:53 g0n kernel: [    0.541325] pci 0000:02:00.0: reg 0x10: [mem 0xfe400000-0xfe407fff 64bit]
Oct 22 01:55:53 g0n kernel: [    0.541414] pci 0000:02:00.0: PME# supported from D3hot D3cold
Oct 22 01:55:53 g0n kernel: [    0.542697] pci 0000:00:09.0: PCI bridge to [bus 02]
Oct 22 01:55:53 g0n kernel: [    0.542791] pci 0000:00:09.0:   bridge window [mem 0xfe400000-0xfe4fffff]
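On the question of filtering out the Vim noise: the following is an added example for this thread, not a grsecurity or QEMU tool. It parses the "grsec: (user:role:subject) <event> by <path>[comm:pid] ..." audit format seen in the posted syslog excerpts, always keeps denials and "banning user" events, and drops the routine per-process records of a named binary such as /usr/bin/vim. In the sample input the two /usr/bin/vim lines are constructed; the other lines are copied from the posts.

```python
"""Filter grsecurity audit lines out of a syslog excerpt.

Added example for this thread, not a grsecurity or QEMU tool: keeps every
denial and "banning user" event, drops the per-process chatter of the
binaries named in drop_actors (e.g. /usr/bin/vim), ignores non-grsec lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# "<Mon DD HH:MM:SS> <host> kernel: [<uptime>] <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[ *[\d.]+\] (?P<msg>.*)$"
)
# Audit record; the parent's trailing uid/gid fields are not needed and are ignored.
AUDIT_RE = re.compile(
    r"^grsec: \((?P<user>[^:()]+):(?P<role>[A-Z]):(?P<subject>[^)]*)\) "
    r"(?P<event>.+?) by (?P<actor>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pactor>[^\s\[]+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)
BAN_RE = re.compile(
    r"^grsec: banning user with uid (?P<uid>\d+) until system restart for (?P<reason>.+)$"
)
EXEC_RE = re.compile(r"^exec of (?P<target>\S+) \((?P<args>.*)\)$")


@dataclass(frozen=True)
class GrsecRecord:
    ts: str
    kind: str          # "audit", "denied" or "ban"
    user: str          # grsec user field; "" for ban lines
    uid: int
    actor: str         # binary that performed the action; "" for ban lines
    pid: int           # 0 for ban lines
    event: str         # event text, or the ban reason
    exec_target: str   # program executed, for "exec of" events; else ""
    parent: str        # parent binary; "" for ban lines


def parse_line(line: str) -> Optional[GrsecRecord]:
    """Parse one syslog line; None for anything that is not a grsec record."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, msg = m.group("ts"), m.group("msg")
    b = BAN_RE.match(msg)
    if b:
        return GrsecRecord(ts, "ban", "", int(b.group("uid")), "", 0,
                           b.group("reason"), "", "")
    a = AUDIT_RE.match(msg)
    if not a:
        return None
    event = a.group("event")
    kind = "denied" if event.startswith("denied ") else "audit"
    e = EXEC_RE.match(event)
    return GrsecRecord(ts, kind, a.group("user"), int(a.group("uid")),
                       a.group("actor"), int(a.group("pid")), event,
                       e.group("target") if e else "", a.group("pactor"))


def filter_records(lines: Iterable[str], drop_actors: Iterable[str] = ()) -> list[GrsecRecord]:
    """Keep denials and bans unconditionally; drop routine audit records whose
    acting binary is in drop_actors. Non-grsec lines are skipped."""
    drop = set(drop_actors)
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec.kind == "audit" and rec.actor in drop):
            continue
        kept.append(rec)
    return kept


def actor_counts(lines: Iterable[str]) -> dict[str, int]:
    """Count routine audit records per acting binary, to see what is noisiest."""
    counts: dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec.kind == "audit":
            counts[rec.actor] = counts.get(rec.actor, 0) + 1
    return counts


# Sample input: the two /usr/bin/vim lines are constructed to stand in for the
# cut-out Vim session; the other lines are copied from the posts in this thread.
SAMPLE_LINES = [
    "Oct 22 01:44:38 g0n kernel: [102005.210732] grsec: (miro:U:/bin/cp) exec of /bin/cp (cp -aiv /Cmn/dLo/Gentoo/install-amd64-minimal-20161020.iso . ) by /bin/cp[bash:31211] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000",
    "Oct 22 01:46:10 g0n kernel: [102097.100000] grsec: (miro:U:/) exec of /usr/bin/vim (vim GentooVM.sh ) by /usr/bin/vim[bash:31220] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000",
    "Oct 22 01:46:10 g0n kernel: [102097.100500] grsec: (miro:U:/) chdir to /home/miro by /usr/bin/vim[vim:31220] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000",
    "Oct 22 01:48:40 g0n kernel: [102247.386471] grsec: (miro:U:/bin/bash) denied untrusted exec (due to being in untrusted group and file in non-root-owned directory) of /home/miro/GentooVM.sh by /home/miro/GentooVM.sh[bash:31228] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000",
    "Oct 22 01:49:07 g0n kernel: [102274.044399] grsec: (miro:U:/) exec of /usr/local/bin/GentooVM.sh (GentooVM.sh ) by /usr/local/bin/GentooVM.sh[bash:31235] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:23934] uid/euid:1000/1000 gid/egid:1000/1000",
    "Oct 22 01:49:07 g0n kernel: [102274.802469] grsec: banning user with uid 1000 until system restart for suspicious kernel crash",
    "Oct 22 04:26:31 g0n kernel: [ 9088.751086] grsec: (root:U:/etc/cron.daily) denied open of /var/svc.d/mysql/log/run for reading by /usr/bin/clamscan[clamscan:2500] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/yclamscan[yclamscan:2498] uid/euid:0/0 gid/egid:0/0",
    "Oct 22 01:55:53 g0n syslog-ng[2831]: syslog-ng starting up; version='3.4.8'",
]

if __name__ == "__main__":
    for rec in filter_records(SAMPLE_LINES, ["/usr/bin/vim"]):
        print(f"{rec.ts} {rec.kind:6} uid={rec.uid:<4} {rec.actor or '-'} {rec.event}")
```

Run it against a whole syslog file with `filter_records(open(path), ["/usr/bin/vim"])`; `actor_counts` shows which binaries are worth adding to the drop list.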

Re: banning user... until system restart for ... kernel crash w/ Qemu

Postby timbgo » Fri Oct 21, 2016 10:58 pm

Unfortunately, I don't think that doing it in the intended way goes w/o rebooting. Banned again!

I did it the right way and followed strictly the advice at QEMU/Linux guest, as can be seen from the system log (or I can explain, if parts of my actions cannot be deduced from the grsec log lines, which are shortened by design):

Code:
Oct 22 04:24:20 g0n kernel: [ 8958.132194] grsec: (miro:U:/) exec of /usr/bin/qemu-img (qemu-img create -f qcow2 GentooVM.img 15G ) by /usr/bin/qemu-img[bash:7697] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4550] uid/euid:1000/1000 gid/egid:1000/1000
...
Oct 22 04:24:35 g0n kernel: [ 8973.457531] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat GentooVM.sh ) by /bin/cat[bash:7705] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4550] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 04:24:40 g0n kernel: [ 8978.148200] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat GentooVM.sh ) by /bin/cat[bash:7706] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4550] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 04:24:43 g0n kernel: [ 8980.802412] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat ) by /bin/cat[bash:7707] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4550] uid/euid:1000/1000 gid/egid:1000/1000


... [ 139 lines of grsec: ... /usr/bin/vim were here ]...

Please, can anybody give us a quick tip on how to filter out very verbose log entries like the ones the good ole Vim program gives?

Code:
Oct 22 04:25:06 g0n kernel: [ 9003.909478] grsec: (admin:S:/) exec of /bin/cp (cp -iav /home/miro/GentooVM.sh /usr/local/bin/ ) by /bin/cp[bash:7713] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4441] uid/euid:0/0 gid/egid:0/0
Oct 22 04:25:09 g0n kernel: [ 9007.511468] grsec: (admin:S:/) exec of /bin/ls (ls --color=auto -l /home/miro/GentooVM.sh /usr/local/bin/ ) by /bin/ls[bash:7717] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4441] uid/euid:0/0 gid/egid:0/0
Oct 22 04:25:12 g0n kernel: [ 9009.875308] grsec: (admin:S:/) exec of /bin/ls (ls --color=auto -l /home/miro/GentooVM.sh /usr/local/bin/GentooVM.sh ) by /bin/ls[bash:7718] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4441] uid/euid:0/0 gid/egid:0/0
Oct 22 04:25:17 g0n kernel: [ 9014.983067] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat GentooVM.sh ) by /bin/cat[bash:7719] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4550] uid/euid:1000/1000 gid/egid:1000/1000


139 lines of grsec: ... /usr/bin/vim were here.

Please, can anybody give us a quick tip on how to filter out very verbose log entries like the ones the good ole Vim program gives?

Code:
Oct 22 04:26:00 g0n kernel: [ 9058.520976] grsec: (admin:S:/) exec of /bin/ls (ls --color=auto -l /home/miro/GentooVM.sh /usr/local/bin/GentooVM.sh ) by /bin/ls[bash:7726] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4441] uid/euid:0/0 gid/egid:0/0
Oct 22 04:26:03 g0n kernel: [ 9061.208022] grsec: (admin:S:/) exec of /bin/cp (cp -iav /home/miro/GentooVM.sh /usr/local/bin/GentooVM.sh ) by /bin/cp[bash:7730] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4441] uid/euid:0/0 gid/egid:0/0
Oct 22 04:26:08 g0n kernel: [ 9066.598954] grsec: (miro:U:/) exec of /usr/local/bin/GentooVM.sh (GentooVM.sh ) by /usr/local/bin/GentooVM.sh[bash:7732] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4550] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 04:26:08 g0n kernel: [ 9066.604790] grsec: (miro:U:/usr/bin/qemu-system-x86_64) exec of /usr/bin/qemu-system-x86_64 (qemu-system-x86_64 -enable-kvm -cpu host -drive file=GentooVM.img,if=virtio -netdev user,id=vmnic,hostname=gentoovm -device virt) by /usr/bin/qemu-system-x86_64[GentooVM.sh:7732] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4550] uid/euid:1000/1000 gid/egid:1000/1000


Here is the BUG, and the Call Trace:
Code:
Oct 22 04:26:08 g0n kernel: [ 9066.661551] BUG: unable to handle kernel NULL pointer dereference at            (nil)
Oct 22 04:26:08 g0n kernel: [ 9066.661622] IP: [<ffffffff8101ec7c>] kvm_irqfd_release+0x27/0x85
Oct 22 04:26:08 g0n kernel: [ 9066.661666] PGD 3d1f1f067 PUD 0
Oct 22 04:26:08 g0n kernel: [ 9066.661691] Oops: 0000 [#1] PREEMPT SMP
Oct 22 04:26:08 g0n kernel: [ 9066.661716] Modules linked in:
Oct 22 04:26:08 g0n kernel: [ 9066.661738] CPU: 0 PID: 7733 Comm: qemu-system-x86 Not tainted 4.7.7-hardened-161020 #4
Oct 22 04:26:08 g0n kernel: [ 9066.661788] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Oct 22 04:26:08 g0n kernel: [ 9066.661849] task: ffff88040c876400 ti: ffff88040c876c28 task.ti: ffff88040c876c28
Oct 22 04:26:08 g0n kernel: [ 9066.661894] RIP: 0010:[<ffffffff8101ec7c>]  [<ffffffff8101ec7c>] kvm_irqfd_release+0x27/0x85
Oct 22 04:26:08 g0n kernel: [ 9066.661947] RSP: 0018:ffffc90006c7bb68  EFLAGS: 00010047
Oct 22 04:26:08 g0n kernel: [ 9066.661979] RAX: 0000000000000000 RBX: ffff8803c7dc0000 RCX: 0000000000000001
Oct 22 04:26:08 g0n kernel: [ 9066.662023] RDX: 0000000000000001 RSI: ffff8803d1d33100 RDI: ffff8803c7dc0a50
Oct 22 04:26:08 g0n kernel: [ 9066.662067] RBP: ffffc90006c7bb80 R08: 0000000000000000 R09: 0000000000000000
Oct 22 04:26:08 g0n kernel: [ 9066.662111] R10: ffff8803d1d33118 R11: 0000000000000001 R12: ffff8803c7dc0a58
Oct 22 04:26:08 g0n kernel: [ 9066.662155] R13: ffff8803c7dc0a50 R14: ffff8803bfe03410 R15: ffff88040d5f8c10
Oct 22 04:26:08 g0n kernel: [ 9066.662199] FS:  0000036e23718700(0000) GS:ffff88041fc00000(0000) knlGS:0000000000000000
Oct 22 04:26:08 g0n kernel: [ 9066.662248] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Oct 22 04:26:08 g0n kernel: [ 9066.662282] CR2: 0000000000000000 CR3: 0000000002185000 CR4: 00000000000006f0
Oct 22 04:26:08 g0n kernel: [ 9066.662325] Stack:
Oct 22 04:26:08 g0n kernel: [ 9066.662339]  ffff8803c7dc0000 0000000000000008 ffff88040ec05b00 ffffc90006c7bb98
Oct 22 04:26:08 g0n kernel: [ 9066.662389]  ffffffff8101a340 ffff8803d1d33100 ffffc90006c7bbd8 ffffffff8119cd84
Oct 22 04:26:08 g0n kernel: [ 9066.662438]  ffff8803d1d33118 ffff8803d1d331f0 ffff88040c876400 ffff88040c8769d8
Oct 22 04:26:08 g0n kernel: [ 9066.662488] Call Trace:
Oct 22 04:26:08 g0n kernel: [ 9066.662507]  [<ffffffff8101a340>] kvm_vm_release+0x17/0x32
Oct 22 04:26:08 g0n kernel: [ 9066.662542]  [<ffffffff8119cd84>] __fput+0x10f/0x1c0
Oct 22 04:26:08 g0n kernel: [ 9066.662601]  [<ffffffff8119ce81>] ____fput+0x14/0x25
Oct 22 04:26:08 g0n kernel: [ 9066.662633]  [<ffffffff810d338e>] task_work_run+0x89/0xb0
Oct 22 04:26:08 g0n kernel: [ 9066.662669]  [<ffffffff810bb97b>] do_exit+0x406/0x974
Oct 22 04:26:08 g0n kernel: [ 9066.662701]  [<ffffffff810e3378>] ? update_load_avg.isra.60+0x220/0x23d
Oct 22 04:26:08 g0n kernel: [ 9066.662743]  [<ffffffff810bbf74>] do_group_exit+0x41/0xad
Oct 22 04:26:08 g0n kernel: [ 9066.662777]  [<ffffffff810c6ee1>] get_signal+0x456/0x48a
Oct 22 04:26:08 g0n kernel: [ 9066.662811]  [<ffffffff81054586>] do_signal+0x38/0x55d
Oct 22 04:26:08 g0n kernel: [ 9066.662844]  [<ffffffff811054d3>] ? hrtimer_try_to_cancel+0x94/0xaf
Oct 22 04:26:08 g0n kernel: [ 9066.662884]  [<ffffffff8110a66b>] ? timekeeping_get_ns+0x35/0x59
Oct 22 04:26:08 g0n kernel: [ 9066.662922]  [<ffffffff810014bf>] prepare_exit_to_usermode+0x67/0xa3
Oct 22 04:26:08 g0n kernel: [ 9066.662962]  [<ffffffff81001548>] syscall_return_slowpath+0x4d/0x67
Oct 22 04:26:08 g0n kernel: [ 9066.663003]  [<ffffffff81b64372>] entry_SYSCALL_64_fastpath+0xa1/0xa3
Oct 22 04:26:08 g0n kernel: [ 9066.663043] Code: 00 00 00 00 55 48 89 e5 41 55 41 54 49 89 fc 4d 8d ac 24 50 0a 00 00 49 81 c4 58 0a 00 00 53 4c 89 ef e8 a3 4e b4 00 49 8b 04 24 <48> 8b 18 48 8d b8 40 ff ff ff 48 81 eb c0 00 00 00 48 8d 87 c0
Oct 22 04:26:08 g0n kernel: [ 9066.663266] RIP  [<ffffffff8101ec7c>] kvm_irqfd_release+0x27/0x85
Oct 22 04:26:08 g0n kernel: [ 9066.663305]  RSP <ffffc90006c7bb68>
Oct 22 04:26:08 g0n kernel: [ 9066.663326] CR2: 0000000000000000
Oct 22 04:26:08 g0n kernel: [ 9066.669453] ---[ end trace f1cb946125f00bd7 ]---
Oct 22 04:26:08 g0n kernel: [ 9066.669456] grsec: banning user with uid 1000 until system restart for suspicious kernel crash
Oct 22 04:26:08 g0n kernel: [ 9066.669652] Fixing recursive fault but reboot is needed!
Oct 22 04:26:08 g0n kernel: [ 9066.669654] BUG: scheduling while atomic: qemu-system-x86/7733/0x00000002
Oct 22 04:26:08 g0n kernel: [ 9066.669656] Modules linked in:
Oct 22 04:26:08 g0n kernel: [ 9066.669658] Preemption disabled at:[<ffffffff810da33d>] ffffffff810da33d
Oct 22 04:26:08 g0n kernel: [ 9066.669660]
Oct 22 04:26:08 g0n kernel: [ 9066.669664] CPU: 0 PID: 7733 Comm: qemu-system-x86 Tainted: G      D         4.7.7-hardened-161020 #4
Oct 22 04:26:08 g0n kernel: [ 9066.669665] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Oct 22 04:26:08 g0n kernel: [ 9066.669667]  0000000000000086 0000000000000086 ffffc90006c7b810 ffffffff81473705
Oct 22 04:26:08 g0n kernel: [ 9066.669671]  0000000000000003 ffff88040c876400 0000000000000100 ffffc90006c7b828
Oct 22 04:26:08 g0n kernel: [ 9066.669675]  ffffffff810d9ccd ffff88041fc11f00 ffffc90006c7b870 ffffffff81b60a95
Oct 22 04:26:08 g0n kernel: [ 9066.669678] Call Trace:
Oct 22 04:26:08 g0n kernel: [ 9066.669683]  [<ffffffff81473705>] dump_stack+0x50/0x7b
Oct 22 04:26:08 g0n kernel: [ 9066.669686]  [<ffffffff810d9ccd>] __schedule_bug+0x91/0xae
Oct 22 04:26:08 g0n kernel: [ 9066.669689]  [<ffffffff81b60a95>] __schedule+0x68/0x552
Oct 22 04:26:08 g0n kernel: [ 9066.669691]  [<ffffffff81b61009>] schedule+0x8a/0xac
Oct 22 04:26:08 g0n kernel: [ 9066.669694]  [<ffffffff810bb67d>] do_exit+0x108/0x974
Oct 22 04:26:08 g0n kernel: [ 9066.669697]  [<ffffffff810bbf74>] do_group_exit+0x41/0xad
Oct 22 04:26:08 g0n kernel: [ 9066.669700]  [<ffffffff81057d66>] oops_end+0x84/0x98
Oct 22 04:26:08 g0n kernel: [ 9066.669704]  [<ffffffff8107de6a>] no_context+0x39e/0x409
Oct 22 04:26:08 g0n kernel: [ 9066.669707]  [<ffffffff8118af4f>] ? unfreeze_partials.isra.64+0xf1/0x119
Oct 22 04:26:08 g0n kernel: [ 9066.669710]  [<ffffffff8107df4d>] __bad_area_nosemaphore+0x78/0x538
Oct 22 04:26:08 g0n kernel: [ 9066.669713]  [<ffffffff810da33d>] ? preempt_count_add+0x60/0x71
Oct 22 04:26:08 g0n kernel: [ 9066.669716]  [<ffffffff8107e440>] bad_area_nosemaphore+0x33/0x43
Oct 22 04:26:08 g0n kernel: [ 9066.669719]  [<ffffffff8107e816>] __do_page_fault+0x190/0x403
Oct 22 04:26:08 g0n kernel: [ 9066.669721]  [<ffffffff8118c24f>] ? __slab_free+0x44/0x2b8
Oct 22 04:26:08 g0n kernel: [ 9066.669725]  [<ffffffff8107ead8>] do_page_fault+0x20/0x30
Oct 22 04:26:08 g0n kernel: [ 9066.669727]  [<ffffffff81b65882>] page_fault+0x22/0x30
Oct 22 04:26:08 g0n kernel: [ 9066.669731]  [<ffffffff8101ec7c>] ? kvm_irqfd_release+0x27/0x85
Oct 22 04:26:08 g0n kernel: [ 9066.669733]  [<ffffffff8101ec78>] ? kvm_irqfd_release+0x23/0x85
Oct 22 04:26:08 g0n kernel: [ 9066.669736]  [<ffffffff8101a340>] kvm_vm_release+0x17/0x32
Oct 22 04:26:08 g0n kernel: [ 9066.669738]  [<ffffffff8119cd84>] __fput+0x10f/0x1c0
Oct 22 04:26:08 g0n kernel: [ 9066.669741]  [<ffffffff8119ce81>] ____fput+0x14/0x25
Oct 22 04:26:08 g0n kernel: [ 9066.669743]  [<ffffffff810d338e>] task_work_run+0x89/0xb0
Oct 22 04:26:08 g0n kernel: [ 9066.669746]  [<ffffffff810bb97b>] do_exit+0x406/0x974
Oct 22 04:26:08 g0n kernel: [ 9066.669748]  [<ffffffff810e3378>] ? update_load_avg.isra.60+0x220/0x23d
Oct 22 04:26:08 g0n kernel: [ 9066.669751]  [<ffffffff810bbf74>] do_group_exit+0x41/0xad
Oct 22 04:26:08 g0n kernel: [ 9066.669753]  [<ffffffff810c6ee1>] get_signal+0x456/0x48a
Oct 22 04:26:08 g0n kernel: [ 9066.669756]  [<ffffffff81054586>] do_signal+0x38/0x55d
Oct 22 04:26:08 g0n kernel: [ 9066.669759]  [<ffffffff811054d3>] ? hrtimer_try_to_cancel+0x94/0xaf
Oct 22 04:26:08 g0n kernel: [ 9066.669761]  [<ffffffff8110a66b>] ? timekeeping_get_ns+0x35/0x59
Oct 22 04:26:08 g0n kernel: [ 9066.669765]  [<ffffffff810014bf>] prepare_exit_to_usermode+0x67/0xa3
Oct 22 04:26:08 g0n kernel: [ 9066.669767]  [<ffffffff81001548>] syscall_return_slowpath+0x4d/0x67
Oct 22 04:26:08 g0n kernel: [ 9066.669770]  [<ffffffff81b64372>] entry_SYSCALL_64_fastpath+0xa1/0xa3


End of Call Trace above.

Code: Select all
Oct 22 04:26:08 g0n kernel: [ 9066.690252] grsec: (root:U:/sbin/agetty) exec of /sbin/agetty (/sbin/agetty 38400 tty6 linux ) by /sbin/agetty[init:7734] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Oct 22 04:26:23 g0n smartd[4219]: Device: /dev/sda [SAT], SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 119 to 116
Oct 22 04:26:31 g0n kernel: [ 9088.751086] grsec: (root:U:/etc/cron.daily) denied open of /var/svc.d/mysql/log/run for reading by /usr/bin/clamscan[clamscan:2500] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/yclamscan[yclamscan:2498] uid/euid:0/0 gid/egid:0/0
Oct 22 04:26:31 g0n kernel: [ 9088.751153] grsec: (root:U:/etc/cron.daily) denied open of /var/svc.d/mysql/run for reading by /usr/bin/clamscan[clamscan:2500] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/yclamscan[yclamscan:2498] uid/euid:0/0 gid/egid:0/0

And regular booting goes on, after, sure, I pressed the reset on the hardware.
Code: Select all
Oct 22 04:28:28 g0n syslog-ng[2824]: syslog-ng starting up; version='3.4.8'
Oct 22 04:28:28 ...[some binary line of chars like "^@" w/o quotes here]... kernel: [    0.541876] pci 0000:00:09.0: PCI bridge to [bus 02]
Oct 22 04:28:28 g0n kernel: [    0.541970] pci 0000:00:09.0:   bridge window [mem 0xfe400000-0xfe4fffff]
Oct 22 04:28:28 g0n kernel: [    0.542025] pci 0000:03:00.0: [1b21:1042] type 00 class 0x0c0330
Oct 22 04:28:28 g0n kernel: [    0.542045] pci 0000:03:00.0: reg 0x10: [mem 0xfe300000-0xfe307fff 64bit]
Oct 22 04:28:28 g0n kernel: [    0.542166] pci 0000:03:00.0: PME# supported from D3hot D3cold
Oct 22 04:28:28 g0n kernel: [    0.543876] pci 0000:00:0a.0: PCI bridge to [bus 03]

I don't know how this happened, nor why. Also, this is a pretty expensive operation for me to reproduce, rebooting every time...

I'll try and ask in the Talk page of that Gentoo Wiki page in question.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: banning user... until system restart for ... kernel crash w/ Qemu

Postby timbgo » Fri Oct 21, 2016 11:17 pm

Just asked about this on Gentoo Wiki. See section:
script GentooVM.sh crashes my system
in:
https://wiki.gentoo.org/wiki/Talk:QEMU/Linux_guest

Re: banning user... until system restart for ... kernel crash w/ Qemu

Postby timbgo » Sat Oct 22, 2016 1:13 am

Expensive or not, I need to know what is or is not b0rked in my system.

I'll try and run simply from the command line (this is a literal paste):

Code: Select all
$ qemu-system-x86_64 -enable-kvm \
> -cpu host \
> -drive file=GentooVM.img,if=virtio \
> -netdev user,id=vmnic,hostname=gentoovm -device virtio-net,netdev=vmnic \
> -m 256M \
> -monitor stdio \
> -name "Gentoo VM" \
> install-amd64-minimal-20161020.iso


And here I'll press Enter.
---
Later:

Which I did. And it all happened again. Monitor went blank. Only this time
lots of those characters similar to "^@" where the crash happened, but no Call
Trace at all.

And so here I decide I am going to try with my most carefully Air-Gapped Away
from all and anything internet system, the system that I clone onto other systems,
such as this one that I'm typing this text on.

In the next post.

Re: banning user... until system restart for ... kernel crash w/ Qemu

Postby timbgo » Sat Oct 22, 2016 1:16 am

I may have been working under pressure because I decided to learn to use Qemu. Also I, it appears to me successfully, installed libvirt and I am getting familiar with virsh ... And all that is taking me really long... But...

But the fact that in my script that I used, there was a '\' missing (only in the events that I reported in the first two or three posts; I fixed that in the post previous to this), didn't seem to matter as far as the crash goes. Here's the script, just with the corrected missing '\', that I used:

Code: Select all
#!/bin/sh
exec qemu-system-x86_64 -enable-kvm \
      -cpu host \
      -drive file=GentooVM.img,if=virtio \
      -netdev user,id=vmnic,hostname=gentoovm -device virtio-net,netdev=vmnic \
      -m 256M \
      -monitor stdio \
      -name "Gentoo VM" \
      $@


So it is now corrected, but the -netdev line was previously:

Code: Select all
-netdev user,id=vmnic,hostname=gentoovm -device virtio-net,netdev=vmnic


that is, without '\'. I don't think that mattered at all.

Next, in the hurry from pressure of my own, while I should have run:

Code: Select all
user $./GentooVM -boot d -cdrom install-amd64-minimal-20120621.iso

just as [url=https://wiki.gentoo.org/wiki/QEMU/Linux_guest#Host]the Wiki page[/url] says, I ran without "-boot d -cdrom", and I don't think that caused the crashes.

Because now I ran it correctly in my master Air-Gapped system, and it crashed in the same fashion.

Look it up for yourself!

So this is from my master system that never sees online, and where I install from my local mirror. Even the copy of my local mirror never sees online, and data is carefully copied, only after checking for viruses with Clamav.

Code: Select all
Oct 22 06:30:52 g5n kernel: [123441.206417] grsec: exec of /bin/cat (cat GentooVM ) by /bin/cat[bash:16953] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:10781] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 06:31:04 g5n kernel: [123452.645477] grsec: exec of /usr/bin/diff (diff /home/miro/GentooVM /usr/local/bin/GentooVM ) by /usr/bin/diff[bash:16954] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4008] uid/euid:0/0 gid/egid:0/0
Oct 22 06:31:07 g5n kernel: [123455.795520] grsec: exec of /usr/bin/sha256sum (sha256sum /home/miro/GentooVM /usr/local/bin/GentooVM ) by /usr/bin/sha256sum[bash:16957] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4008] uid/euid:0/0 gid/egid:0/0
Oct 22 06:31:10 g5n kernel: [123458.977011] grsec: exec of /bin/cat (cat /home/miro/GentooVM ) by /bin/cat[bash:16958] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4008] uid/euid:0/0 gid/egid:0/0
Oct 22 06:31:13 g5n kernel: [123461.999780] grsec: exec of /bin/cat (cat /usr/local/bin/GentooVM ) by /bin/cat[bash:16959] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4008] uid/euid:0/0 gid/egid:0/0


... vim lines cut out ...

Code: Select all
Oct 22 06:32:12 g5n kernel: [123521.059597] grsec: exec of /usr/bin/qemu-system-x86_64 (qemu-system-x86_64 -monitor help ) by /usr/bin/qemu-system-x86_64[bash:16964] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:10781] uid/euid:1000/1000 gid/egid:1000/1000

...

Code: Select all
Oct 22 06:34:01 g5n kernel: [123630.108649] grsec: exec of /usr/bin/qemu-system-x86_64 (qemu-system-x86_64 -boot d -cdrom install-amd64-minimal-20161020.iso ) by /usr/bin/qemu-system-x86_64[bash:16987] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3919] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 06:34:43 g5n kernel: [123671.686504] grsec: exec of /usr/local/bin/GentooVM (GentooVM -boot d -cdrom install-amd64-minimal-20161020.iso ) by /usr/local/bin/GentooVM[bash:16994] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:10781] uid/euid:1000/1000 gid/egid:1000/1000
Oct 22 06:34:43 g5n kernel: [123671.692483] grsec: exec of /usr/bin/qemu-system-x86_64 (qemu-system-x86_64 -enable-kvm -cpu host -drive file=GentooVM.img,if=virtio -netdev user,id=vmnic,hostname=gentoovm -device virt) by /usr/bin/qemu-system-x86_64[GentooVM:16994] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:10781] uid/euid:1000/1000 gid/egid:1000/1000


Here is the BUG, and the Call Trace:
Code: Select all
Oct 22 06:34:43 g5n kernel: [123671.828941] BUG: unable to handle kernel NULL pointer dereference at            (nil)
Oct 22 06:34:43 g5n kernel: [123671.828995] IP: [<ffffffff8101ec7c>] kvm_irqfd_release+0x27/0x85
Oct 22 06:34:43 g5n kernel: [123671.829031] PGD 42a45f067 PUD 0
Oct 22 06:34:43 g5n kernel: [123671.829051] Oops: 0000 [#1] PREEMPT SMP
Oct 22 06:34:43 g5n kernel: [123671.829073] Modules linked in:
Oct 22 06:34:43 g5n kernel: [123671.829092] CPU: 1 PID: 16994 Comm: qemu-system-x86 Not tainted 4.7.7-hardened-161020 #4
Oct 22 06:34:43 g5n kernel: [123671.829130] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Oct 22 06:34:43 g5n kernel: [123671.829177] task: ffff88016eba6e00 ti: ffff88016eba7628 task.ti: ffff88016eba7628
Oct 22 06:34:43 g5n kernel: [123671.829213] RIP: 0010:[<ffffffff8101ec7c>]  [<ffffffff8101ec7c>] kvm_irqfd_release+0x27/0x85
Oct 22 06:34:43 g5n kernel: [123671.829256] RSP: 0018:ffffc90001d13d88  EFLAGS: 00010047
Oct 22 06:34:43 g5n kernel: [123671.829282] RAX: 0000000000000000 RBX: ffff8801fd748000 RCX: 0000000000000001
Oct 22 06:34:43 g5n kernel: [123671.829316] RDX: 0000000000000001 RSI: ffff8803feb8b900 RDI: ffff8801fd748a50
Oct 22 06:34:43 g5n kernel: [123671.829350] RBP: ffffc90001d13da0 R08: 0000000000000000 R09: 0000000000000000
Oct 22 06:34:43 g5n kernel: [123671.829384] R10: ffff8803feb8b918 R11: 000003382697b000 R12: ffff8801fd748a58
Oct 22 06:34:43 g5n kernel: [123671.829417] R13: ffff8801fd748a50 R14: ffff8803e51a6b60 R15: ffff88042d330190
Oct 22 06:34:43 g5n kernel: [123671.829452] FS:  000003382677bb00(0000) GS:ffff88043fc80000(0000) knlGS:0000000000000000
Oct 22 06:34:43 g5n kernel: [123671.829490] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Oct 22 06:34:43 g5n kernel: [123671.829518] CR2: 0000000000000000 CR3: 0000000002187000 CR4: 00000000000006f0
Oct 22 06:34:43 g5n kernel: [123671.829551] Stack:
Oct 22 06:34:43 g5n kernel: [123671.829562]  ffff8801fd748000 0000000000000008 ffff88042ec90b40 ffffc90001d13db8
Oct 22 06:34:43 g5n kernel: [123671.829602]  ffffffff8101a340 ffff8803feb8b900 ffffc90001d13df8 ffffffff8119cd71
Oct 22 06:34:43 g5n kernel: [123671.829642]  ffff8803feb8b918 ffff8803feb8b9f0 ffff88016eba6e00 ffff88016eba73d8
Oct 22 06:34:43 g5n kernel: [123671.829682] Call Trace:
Oct 22 06:34:43 g5n kernel: [123671.829697]  [<ffffffff8101a340>] kvm_vm_release+0x17/0x32
Oct 22 06:34:43 g5n kernel: [123671.829726]  [<ffffffff8119cd71>] __fput+0x10f/0x1c0
Oct 22 06:34:43 g5n kernel: [123671.829751]  [<ffffffff8119ce6e>] ____fput+0x14/0x25
Oct 22 06:34:43 g5n kernel: [123671.829777]  [<ffffffff810d3376>] task_work_run+0x89/0xb0
Oct 22 06:34:43 g5n kernel: [123671.829806]  [<ffffffff810bb963>] do_exit+0x406/0x974
Oct 22 06:34:43 g5n kernel: [123671.829832]  [<ffffffff810dc25e>] ? wake_up_state+0x1d/0x2d
Oct 22 06:34:43 g5n kernel: [123671.829861]  [<ffffffff810c4b25>] ? signal_wake_up_state+0x2c/0x4b
Oct 22 06:34:43 g5n kernel: [123671.829892]  [<ffffffff810bbf5c>] do_group_exit+0x41/0xad
Oct 22 06:34:43 g5n kernel: [123671.829919]  [<ffffffff810bbfda>] sys_exit_group+0x12/0x1a
Oct 22 06:34:43 g5n kernel: [123671.829947]  [<ffffffff81b642e4>] entry_SYSCALL_64_fastpath+0x13/0xa3
Oct 22 06:34:43 g5n kernel: [123671.829979] Code: 00 00 00 00 55 48 89 e5 41 55 41 54 49 89 fc 4d 8d ac 24 50 0a 00 00 49 81 c4 58 0a 00 00 53 4c 89 ef e8 a3 4e b4 00 49 8b 04 24 <48> 8b 18 48 8d b8 40 ff ff ff 48 81 eb c0 00 00 00 48 8d 87 c0
Oct 22 06:34:43 g5n kernel: [123671.830185] RIP  [<ffffffff8101ec7c>] kvm_irqfd_release+0x27/0x85
Oct 22 06:34:43 g5n kernel: [123671.830216]  RSP <ffffc90001d13d88>
Oct 22 06:34:43 g5n kernel: [123671.830233] CR2: 0000000000000000
Oct 22 06:34:43 g5n kernel: [123671.834880] ---[ end trace 57033a56fecc2ff6 ]---
Oct 22 06:34:43 g5n kernel: [123671.834882] grsec: banning user with uid 1000 until system restart for suspicious kernel crash
Oct 22 06:34:43 g5n kernel: [123671.835100] Fixing recursive fault but reboot is needed!
Oct 22 06:34:43 g5n kernel: [123671.835102] BUG: scheduling while atomic: qemu-system-x86/16994/0x00000002
Oct 22 06:34:43 g5n kernel: [123671.835103] Modules linked in:
Oct 22 06:34:43 g5n kernel: [123671.835105] Preemption disabled at:[<ffffffff810da325>] ffffffff810da325
Oct 22 06:34:43 g5n kernel: [123671.835107]
Oct 22 06:34:43 g5n kernel: [123671.835109] CPU: 1 PID: 16994 Comm: qemu-system-x86 Tainted: G      D         4.7.7-hardened-161020 #4
Oct 22 06:34:43 g5n kernel: [123671.835111] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./970 Extreme4, BIOS P2.60 11/11/2013
Oct 22 06:34:43 g5n kernel: [123671.835112]  0000000000000086 0000000000000086 ffffc90001d13a30 ffffffff81473705
Oct 22 06:34:43 g5n kernel: [123671.835115]  0000000000000003 ffff88016eba6e00 0000000000000100 ffffc90001d13a48
Oct 22 06:34:43 g5n kernel: [123671.835118]  ffffffff810d9cb5 ffff88043fc91f00 ffffc90001d13a90 ffffffff81b60a95
Oct 22 06:34:43 g5n kernel: [123671.835120] Call Trace:
Oct 22 06:34:43 g5n kernel: [123671.835125]  [<ffffffff81473705>] dump_stack+0x50/0x7b
Oct 22 06:34:43 g5n kernel: [123671.835127]  [<ffffffff810d9cb5>] __schedule_bug+0x91/0xae
Oct 22 06:34:43 g5n kernel: [123671.835128]  [<ffffffff81b60a95>] __schedule+0x68/0x552
Oct 22 06:34:43 g5n kernel: [123671.835130]  [<ffffffff81b61009>] schedule+0x8a/0xac
Oct 22 06:34:43 g5n kernel: [123671.835133]  [<ffffffff810bb665>] do_exit+0x108/0x974
Oct 22 06:34:43 g5n kernel: [123671.835135]  [<ffffffff810bbf5c>] do_group_exit+0x41/0xad
Oct 22 06:34:43 g5n kernel: [123671.835138]  [<ffffffff81057d66>] oops_end+0x84/0x98
Oct 22 06:34:43 g5n kernel: [123671.835141]  [<ffffffff8107de6a>] no_context+0x39e/0x409
Oct 22 06:34:43 g5n kernel: [123671.835144]  [<ffffffff8107df4d>] __bad_area_nosemaphore+0x78/0x538
Oct 22 06:34:43 g5n kernel: [123671.835146]  [<ffffffff8107e440>] bad_area_nosemaphore+0x33/0x43
Oct 22 06:34:43 g5n kernel: [123671.835148]  [<ffffffff8107e816>] __do_page_fault+0x190/0x403
Oct 22 06:34:43 g5n kernel: [123671.835151]  [<ffffffff8118c23c>] ? __slab_free+0x44/0x2b8
Oct 22 06:34:43 g5n kernel: [123671.835153]  [<ffffffff8107ead8>] do_page_fault+0x20/0x30
Oct 22 06:34:43 g5n kernel: [123671.835156]  [<ffffffff81b65882>] page_fault+0x22/0x30
Oct 22 06:34:43 g5n kernel: [123671.835158]  [<ffffffff8101ec7c>] ? kvm_irqfd_release+0x27/0x85
Oct 22 06:34:43 g5n kernel: [123671.835160]  [<ffffffff8101ec78>] ? kvm_irqfd_release+0x23/0x85
Oct 22 06:34:43 g5n kernel: [123671.835162]  [<ffffffff8101a340>] kvm_vm_release+0x17/0x32
Oct 22 06:34:43 g5n kernel: [123671.835164]  [<ffffffff8119cd71>] __fput+0x10f/0x1c0
Oct 22 06:34:43 g5n kernel: [123671.835166]  [<ffffffff8119ce6e>] ____fput+0x14/0x25
Oct 22 06:34:43 g5n kernel: [123671.835167]  [<ffffffff810d3376>] task_work_run+0x89/0xb0
Oct 22 06:34:43 g5n kernel: [123671.835170]  [<ffffffff810bb963>] do_exit+0x406/0x974
Oct 22 06:34:43 g5n kernel: [123671.835172]  [<ffffffff810dc25e>] ? wake_up_state+0x1d/0x2d
Oct 22 06:34:43 g5n kernel: [123671.835174]  [<ffffffff810c4b25>] ? signal_wake_up_state+0x2c/0x4b
Oct 22 06:34:43 g5n kernel: [123671.835177]  [<ffffffff810bbf5c>] do_group_exit+0x41/0xad
Oct 22 06:34:43 g5n kernel: [123671.835179]  [<ffffffff810bbfda>] sys_exit_group+0x12/0x1a
Oct 22 06:34:43 g5n kernel: [123671.835181]  [<ffffffff81b642e4>] entry_SYSCALL_64_fastpath+0x13/0xa3
Oct 22 06:34:43 g5n kernel: [123671.918159] grsec: exec of /sbin/agetty (/sbin/agetty 38400 tty6 linux ) by /sbin/agetty[init:16998] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

End of Call Trace above. And no more logs in this master system of mine.

And regular booting goes on, after, sure, I pressed the reset on the hardware.
Code: Select all
Oct 22 06:36:38 g5n syslog-ng[2842]: syslog-ng starting up; version='3.4.8'
Oct 22 06:36:38 ...[some binary line of chars like "^@" w/o quotes here]... kernel: [    0.538451] pci 0000:00:16.2: reg 0x10: [mem 0xfe504000-0xfe5040ff]
Oct 22 06:36:38 g5n kernel: [    0.538538] pci 0000:00:16.2: supports D1 D2
Oct 22 06:36:38 g5n kernel: [    0.538540] pci 0000:00:16.2: PME# supported from D0 D1 D2 D3hot
Oct 22 06:36:38 g5n kernel: [    0.538603] pci 0000:00:16.2: System wakeup disabled by ACPI
Oct 22 06:36:38 g5n kernel: [    0.538803] pci 0000:00:18.0: [1022:1200] type 00 class 0x060000
Oct 22 06:36:38 g5n kernel: [    0.538898] pci 0000:00:18.1: [1022:1201] type 00 class 0x060000


What could this be?

Regards!
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
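As an added example (not code from the thread, from grsecurity or from QEMU), a small Python parser that pulls out of an oops like the one quoted above the facts a defender wants first: the faulting symbol, the offending process and PID, the kernel version and taint state, the reliable call-trace frames, and whether grsecurity followed the crash with a "banning user" line and a reboot demand. The sample log is a constructed, abridged copy of the lines quoted in this post.

```python
import re
# Constructed sample modelled on the syslog excerpt quoted above (abridged, not a verbatim copy).
SAMPLE_LOG = """\
Oct 22 06:34:43 g5n kernel: [123671.828941] BUG: unable to handle kernel NULL pointer dereference at            (nil)
Oct 22 06:34:43 g5n kernel: [123671.828995] IP: [<ffffffff8101ec7c>] kvm_irqfd_release+0x27/0x85
Oct 22 06:34:43 g5n kernel: [123671.829092] CPU: 1 PID: 16994 Comm: qemu-system-x86 Not tainted 4.7.7-hardened-161020 #4
Oct 22 06:34:43 g5n kernel: [123671.829682] Call Trace:
Oct 22 06:34:43 g5n kernel: [123671.829697]  [<ffffffff8101a340>] kvm_vm_release+0x17/0x32
Oct 22 06:34:43 g5n kernel: [123671.829726]  [<ffffffff8119cd71>] __fput+0x10f/0x1c0
Oct 22 06:34:43 g5n kernel: [123671.829832]  [<ffffffff810dc25e>] ? wake_up_state+0x1d/0x2d
Oct 22 06:34:43 g5n kernel: [123671.834880] ---[ end trace 57033a56fecc2ff6 ]---
Oct 22 06:34:43 g5n kernel: [123671.834882] grsec: banning user with uid 1000 until system restart for suspicious kernel crash
Oct 22 06:34:43 g5n kernel: [123671.835100] Fixing recursive fault but reboot is needed!
Oct 22 06:34:43 g5n kernel: [123671.835102] BUG: scheduling while atomic: qemu-system-x86/16994/0x00000002
Oct 22 06:34:43 g5n kernel: [123671.835109] CPU: 1 PID: 16994 Comm: qemu-system-x86 Tainted: G      D         4.7.7-hardened-161020 #4
"""

KMSG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: \[ *[\d.]+\] ?(.*)$")
CPU = re.compile(r"PID: (\d+) Comm: (\S+) (.*?) (\d+\.\d+\.\d+\S*) #\d+")
FRAME = re.compile(r"^\s*\[<[0-9a-f]+>\] (\? )?(\S+)")   # a leading "? " marks an unreliable frame
BAN = re.compile(r"^grsec: banning user with uid (\d+) until system restart")

def parse_oops_events(text):
    """Group kernel oops lines into events and attach the grsec ban that follows each one."""
    events, cur = [], None
    for line in text.splitlines():
        m = KMSG.match(line)
        if not m:
            continue                          # not a kernel message
        ts, host, msg = m.groups()
        if msg.startswith("BUG: "):           # a new oops starts here
            cur = {"time": ts, "host": host, "bug": msg[5:], "ip_symbol": None,
                   "pid": None, "comm": None, "tainted": None, "kernel": None,
                   "call_trace": [], "banned_uid": None, "reboot_needed": False}
            events.append(cur)
        elif cur is None:
            continue                          # kernel chatter before any oops
        elif msg.startswith("IP: "):          # symbol of the faulting instruction
            f = FRAME.match(msg[4:])
            cur["ip_symbol"] = f.group(2).split("+")[0] if f else None
        elif "Comm:" in msg:                  # process, taint state and kernel version
            c = CPU.search(msg)
            if c:
                cur["pid"], cur["comm"] = int(c.group(1)), c.group(2)
                cur["tainted"], cur["kernel"] = c.group(3).strip(), c.group(4)
        elif BAN.match(msg):                  # grsecurity's response to the crash
            cur["banned_uid"] = int(BAN.match(msg).group(1))
        elif msg.startswith("Fixing recursive fault"):
            cur["reboot_needed"] = True
        else:
            f = FRAME.match(msg)
            if f and not f.group(1):          # keep only reliable call-trace frames
                cur["call_trace"].append(f.group(2).split("+")[0])
    return events

def summarize(e):
    ban = f"uid {e['banned_uid']} banned until reboot" if e["banned_uid"] is not None else "no ban"
    return (f"{e['host']} {e['time']}: {e['bug']} in {e['ip_symbol']} by {e['comm']} "
            f"pid {e['pid']} on {e['kernel']} [{e['tainted']}]; {ban}; reboot needed: {e['reboot_needed']}")
```

Run over a real syslog the same way; a ban line whose preceding oops is in a subsystem the banned user had no business touching deserves a different follow-up than one in the KVM path of a process that user was legitimately running.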

Re: banning user... until system restart for ... kernel crash w/ Qemu

Postby timbgo » Sat Oct 22, 2016 3:32 am

I strongly suspect it is the kernel. Another bug in 4.7.7 has just last night been found by PaX Team:
linux-grsec-4.7.7 locks up within 30 minutes
viewtopic.php?f=3&t=4586#p16672

and after rebooting into:
Code: Select all
$ uname -r
4.7.5-hardened-160929
$

I was able to run the script and get qemu running just fine. On my master machine.
---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)

Re: banning user... until system restart for ... kernel crash w/ Qemu

Postby timbgo » Sat Oct 22, 2016 6:50 am

It's a KVM bug. It is being worked by experts here:
https://bugs.gentoo.org/show_bug.cgi?id=597554#c11

