From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter@vger.kernel.org
Subject: Re: PaX killing conntrackd (strange "execution attempt")
Date: Fri, 14 Nov 2008 13:03:51 +0100 [thread overview]
Message-ID: <491D6927.3010701@netfilter.org> (raw)
In-Reply-To: <20081113201042.GN26975@bla.fasel.org>
Wolfram Schlich wrote:
> * Wolfram Schlich <lists@wolfram.schlich.org> [2008-11-13 18:41]:
>> * Wolfram Schlich <lists@wolfram.schlich.org> [2008-11-13 14:27]:
>>> Here's the answer from the PaX team, for those who might be interested:
>>> * pageexec@freemail.hu <pageexec@freemail.hu> [2008-11-13 14:18]:
>>>> [...]
>>>> this is a null function pointer dereference problem on the surface and you'll have to
>>>> debug it to get more info. i wonder why nothing shows up in the stack dump however,
>>>> maybe there's more corruption here behind the scenes. once you get the coredumps (and
>>>> i hope you have debug info saved away ;) we can get a backtrace and other things. also
>>>> disable randomization in /proc/sys/... so that results are comparable. best would be
>>>> to find a way to directly trigger this crash, then you could have a live gdb session
>>>> instead of coredump analysis.
>>> I'll take care of these suggestions now and let you know
>>> about any news.
>> I've now recompiled conntrack-tools using these CFLAGS:
>>
>> -march=nocona -O0 -ggdb -DDEBUG
>>
>> Also, the binaries were not stripped anymore:
>>
>> /usr/sbin/conntrackd: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, not stripped
>>
>> (I forgot to mention I'm on a 64bit kernel + userland).
My testbed for stress testing is also a 64 bit platform.
>> I'm now stressing the firewalls with packets.
>
> Damnit, it doesn't break! :)
So it seems that it is only triggered with PaX enabled.
> Been stressing the firewall with gigabytes of packets...
> Last time it crashed, it hadn't receive a hundred megabytes
> of packets at all... *sigh*
Probably you can run conntrackd inside valgrind to see if it complains
about any invalid memory access.
BTW, I'm interested in whatever benchmark results of conntrackd, just
for the record.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
next prev parent reply other threads:[~2008-11-14 12:03 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-13 10:03 PaX killing conntrackd (strange "execution attempt") Wolfram Schlich
2008-11-13 13:27 ` Wolfram Schlich
2008-11-13 14:42 ` Pablo Neira Ayuso
2008-11-13 16:01 ` Wolfram Schlich
2008-11-13 17:41 ` Wolfram Schlich
2008-11-13 20:10 ` Wolfram Schlich
2008-11-14 12:03 ` Pablo Neira Ayuso [this message]
2008-11-14 15:09 ` Wolfram Schlich
2008-11-14 14:36 ` pageexec
2008-11-17 12:44 ` Pablo Neira Ayuso
2008-11-17 13:09 ` Wolfram Schlich
2008-11-17 12:57 ` pageexec
2008-11-20 11:48 ` pageexec
2008-11-23 14:07 ` Wolfram Schlich
2008-11-23 14:24 ` Pablo Neira Ayuso
2008-11-23 14:29 ` Wolfram Schlich
2008-11-23 14:36 ` Pablo Neira Ayuso
2008-11-23 22:03 ` pageexec
2008-11-24 13:28 ` Pablo Neira Ayuso
2008-11-14 15:54 ` Wolfram Schlich
2008-11-14 16:18 ` Wolfram Schlich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=491D6927.3010701@netfilter.org \
--to=pablo@netfilter.org \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox