Kernel panic on systems with Interstage Application Server
Technical Articles ID:
KB90157
Last Modified: 3/6/2020
Environment
McAfee Endpoint Security for Linux Threat Prevention (ENSLTP) 10.x
Interstage Application Server Enterprise Edition
Community Enterprise Operating System (CentOS)
Red Hat Enterprise Linux (RHEL)

Problem
When shutting down Linux systems running Interstage Application Server Enterprise Edition, the system might occasionally experience a kernel panic with the following stack text:

#1 [ffff8800a71fbb70] crash_kexec at ffffffff810c5d92
#2 [ffff8800a71fbc40] oops_end at ffffffff8152b510
#3 [ffff8800a71fbc70] no_context at ffffffff8104a00b
#4 [ffff8800a71fbcc0] __bad_area_nosemaphore at ffffffff8104a295
#5 [ffff8800a71fbd10] bad_area_nosemaphore at ffffffff8104a363
#6 [ffff8800a71fbd20] __do_page_fault at ffffffff8104aabf
#7 [ffff8800a71fbe40] do_page_fault at ffffffff8152d45e
#8 [ffff8800a71fbe70] page_fault at ffffffff8152a815
   [exception RIP: unknown or invalid address]
   RIP: ffffffffa0158fa0 RSP: ffff8800a71fbf28 RFLAGS: 00010296
   RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 0000000000000020
   RDX: 0000000000000008 RSI: ffff8801195cb000 RDI: 0000000000000000
   R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
   R13: 00000000006735a0 R14: 0000000001b1d100 R15: 0000000000454ae2
   ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#9 [ffff8800a71fbf80] system_call_fastpath at ffffffff8100b072
   RIP: 0000003b04e0f050 RSP: 00007fffbe906218 RFLAGS: 00010206
   RAX: 0000000000000002 RBX: ffffffff8100b072 RCX: 00007fffbe9063b0
   RDX: 0000000001b1d100 RSI: 0000000000000000 RDI: 00000000006735a0
   RBX: 0000000001b1b128 R8: 0000000001b5de30 R9: 0000000000000000
   R10: 00007fffbe905fa0 R11: 0000000000000246 R12: 0000000000454ae2
   R13: 0000000001b49450 R14: 00007fffbe906738 R15: 00007fffbe906548
   ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b

Cause
Antimalware software that does real-time scanning needs to perform file I/O interception. ENSLTP uses system call patching to achieve this interception. That means it changes the memory reference of the system calls (open and close) in the system call table. These patched memory addresses are valid only while the kernel module is loaded.
While stopping antimalware services (for a shutdown), the memory references are reverted to the original value. Further calls to the open and close system calls by an application get the original address. At this point, the new patched memory addresses are still valid. After the kernel module is unloaded, any further reference by applications to these patched memory addresses results in a kernel panic.
One way of reducing the chance of the kernel panic during shutdown is to delay the module unloading after the memory addresses are unpatched. Then, any older references to the patched memory addresses are still processed. The ENSLTP kernel module already has a considerable wait between memory address unpatching and unload of the modules.
When using the Interstage Application Server, the application holds the reference to the new patched addresses for a longer period, even after the ENSLTP kernel module is unloaded, which results in a kernel panic. In summary, whether a kernel panic occurs depends on the point at which the application references the patched memory addresses. There is no way to find out in the kernel whether any application is holding an old memory reference, and so no way to determine with certainty how long to wait.
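The following triage helper is an added example, not McAfee or Fujitsu code. It checks a crash backtrace for the signature described above: a page fault taken from the system call path whose exception RIP is an unresolved address in module mapping space, which is consistent with a call into a module that is no longer loaded. The function names and the address ranges (x86_64 without KASLR) are assumptions of this example.

```python
import re

# Excerpt of the backtrace quoted in this article (frames #6 to #9 and the
# exception RIP line); the remaining register lines are omitted.
BT_EXCERPT = """\
#6 [ffff8800a71fbd20] __do_page_fault at ffffffff8104aabf
#7 [ffff8800a71fbe40] do_page_fault at ffffffff8152d45e
#8 [ffff8800a71fbe70] page_fault at ffffffff8152a815
[exception RIP: unknown or invalid address]
RIP: ffffffffa0158fa0 RSP: ffff8800a71fbf28 RFLAGS: 00010296
#9 [ffff8800a71fbf80] system_call_fastpath at ffffffff8100b072
RIP: 0000003b04e0f050 RSP: 00007fffbe906218 RFLAGS: 00010206
"""

# Assumption: x86_64 layout without KASLR, which matches the kernel text
# addresses (ffffffff81......) in this trace. The end of module space varies
# by kernel version; the bound below is the one used by 2.6.x kernels.
KERNEL_TEXT = (0xFFFFFFFF80000000, 0xFFFFFFFFA0000000)
MODULE_SPACE = (0xFFFFFFFFA0000000, 0xFFFFFFFFFF000000)

FRAME = re.compile(r"#(\d+) \[[0-9a-f]{16}\]\s*(\S+) at ([0-9a-f]{16})")
# The marker line is followed by the register dump that starts with the RIP.
EXC = re.compile(r"\[exception \w+: ([^\]]+)\]\s*\w+: ([0-9a-f]{16})")

def region(addr):
    """Classify an address by the virtual memory region it falls in."""
    if KERNEL_TEXT[0] <= addr < KERNEL_TEXT[1]:
        return "kernel-text"
    if MODULE_SPACE[0] <= addr < MODULE_SPACE[1]:
        return "module-space"
    return "user" if addr < 0x0000800000000000 else "other"

def triage(bt_text):
    """Return whether bt_text matches the unloaded-module fault signature."""
    frames = [m.group(2) for m in FRAME.finditer(bt_text)]
    exc = EXC.search(bt_text)
    if not exc:
        return {"match": False, "reason": "no exception RIP line"}
    symbol, rip = exc.group(1), int(exc.group(2), 16)
    unresolved = "unknown or invalid" in symbol  # crash found no symbol
    match = (region(rip) == "module-space" and unresolved
             and "page_fault" in frames and "system_call_fastpath" in frames)
    return {"match": match, "rip": hex(rip), "region": region(rip),
            "unresolved": unresolved, "frames": frames}

if __name__ == "__main__":
    print(triage(BT_EXCERPT))
```

A match narrows the panic to a stale call into unloaded module code; it does not by itself identify which module owned the address.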
Workaround
Stop the Interstage Application Server services before shutdown of the Linux system.