Old 01-27-2012, 10:15 PM
Alex Efros
 
Default Security Level: high/server/workstation/virtualization

Hi!

I've re-emerged libpcap and run this:

$ gdb dumpcap --batch --quiet -ex 'run' -ex 'thread apply all bt full' -ex quit

What's next? Recompile glibc with same CFLAGS/FEATURES and try again?


[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0xb75fd152 in readdir64 () from /lib/libc.so.6

Thread 1 (Thread 0xb754f6c0 (LWP 829)):
#0 0xb75fd152 in readdir64 () from /lib/libc.so.6
No symbol table info available.
#1 0xb76fb7ea in scan_sys_class_net (devlistp=0xbfffe758, errbuf=0xbfffe7ac "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./pcap-linux.c:1832
sys_class_net_d = 0x0
fd = 9
ent = <optimized out>
p = <optimized out>
name = "261~d267234344377277.204q267304345377277254347377 277000000002343443772773770000000120025537 3254347377277254347377277254347377277254347377277a 350377277253350377277254347377277253350377277", '00' <repeats 20 times>, "3023000004000000T256k26700000000000 00000ٜ21126733522253U230b211267Ԝ2112670000 0000`234r26720200211267220h]267h345377277211%p267202002112673773770000325<^ 267(Pp267v000000271~i267āi267270303k26700251k 26700000000Ԝ21126733522253U`234r26720200211 267300306k267320200000200303k267T256k267200303k 267Ԝ211267x345377277243235]26725034537727733522253U`234r2672020021126725034 5377277Z)p26720200211267Ԝ211267250345377277330}d 267254347377277000100000100000033522253U` 234r26720200211267346377277A+p2672020021126700 01000001000000377377377377.204q267Ԝ2112673 70177q267642012112670000000000000000D00 0000254347377277T256k26700000000331Be2673352 2253U20Ee26727434637727734223211267`234r267000 00000Ԝ211267x346377277341-p267Ԝ211267D000000364W]2670000000025434737727705000000214265i2672 34~i267271~i267220201i267254303k267"...
q = <optimized out>
ifrflags = {ifr_ifrn = {ifrn_name = "T256k267<345377277254347377277210345377277"}, ifr_ifru = {ifru_addr = {sa_family = 32433, sa_data = "d267<345377277254347377277210345377277"}, ifru_dstaddr = {sa_family = 32433, sa_data = "d267<345377277254347377277210345377277"}, ifru_broadaddr = {sa_family = 32433, sa_data = "d267<345377277254347377277210345377277"}, ifru_netmask = {sa_family = 32433, sa_data = "d267<345377277254347377277210345377277"}, ifru_hwaddr = {sa_family = 32433, sa_data = "d267<345377277254347377277210345377277"}, ifru_flags = 32433, ifru_ivalue = -1218150735, ifru_mtu = -1218150735, ifru_map = {mem_start = 3076816561, mem_end = 3221218620, base_addr = 59308, irq = 255 '377', dma = 191 '277', port = 136 '210'}, ifru_slave = "261~d267<345377277254347377277210345377277", ifru_newname = "261~d267<345377277254347377277210345377277", ifru_data = 0xb7647eb1, ifru_settings = {type = 3076816561, size = 3221218620, ifs_ifsu = {raw_hdlc = 0xbfffe7ac, cisco = 0xbfffe7ac, fr = 0xbfffe7ac, fr_pvc = 0xbfffe7ac, fr_pvc_info = 0xbfffe7ac, sync = 0xbfffe7ac, te1 = 0xbfffe7ac}}}}
ret = 1
#2 0xb76fefff in pcap_platform_finddevs (alldevsp=0xbfffe758, errbuf=0xbfffe7ac "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./pcap-linux.c:2081
ret = <optimized out>
#3 0xb7701232 in pcap_findalldevs (alldevsp=0xbfffe7a8, errbuf=0xbfffe7ac "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./fad-getad.c:275
devlist = 0x0
ifap = 0xb7899328
ifa = 0x0
addr = <optimized out>
netmask = <optimized out>
broadaddr = <optimized out>
dstaddr = <optimized out>
addr_size = <optimized out>
broadaddr_size = <optimized out>
dstaddr_size = <optimized out>
ret = 0
p = <optimized out>
q = <optimized out>
#4 0xb788969d in get_interface_list_findalldevs (err=0xbfffe978, err_str=0xbfffe974) at capture-pcap-util.c:174
il = 0x0
alldevs = 0xb789629c
dev = <optimized out>
if_info = <optimized out>
errbuf = "tun0: You don't have permission to capture on that device (socket: Operation not permitted)00000020326734271y267Pi21126700i211 26717000000ݍw26701000000f000000Sni267B 254l267</20426700s]267h3503772776600204267010000000100G_220 000000400000060i21126701000000020000 00 0000000200000001000000335177i26724y267 306177i2670000G_271~i267āi267270303k26720000 0002000000000000000200303k26701000000 260303k267T256"...
#5 0xb78879c0 in get_interface_list (err=0xbfffe978, err_str=0xbfffe974) at capture-pcap-util-unix.c:110
No locals.
#6 0xb788d9d2 in capture_interface_list (err=0xbfffe978, err_str=0xbfffe974) at dumpcap.c:797
No locals.
#7 0xb7889345 in capture_opts_trim_iface (capture_opts=0xb7895060, capture_device=0x0) at capture_opts.c:770
if_list = <optimized out>
if_info = <optimized out>
err = <optimized out>
err_str = <optimized out>
options = {name = 0x0, descr = 0x0, cfilter = 0x0, snaplen = -1217671968, linktype = 0, promisc_mode = -1217679788, buffer_size = -1073746668, monitor_mode = -1073747560}
#8 0xb788e6cd in main (argc=<optimized out>, argv=<optimized out>) at dumpcap.c:3850
opt = <optimized out>
arg_error = 0
action = {__sigaction_handler = {sa_handler = 0xb788b392 <capture_cleanup_handler>, sa_sigaction = 0xb788b392 <capture_cleanup_handler>}, sa_mask = {__val = {0 <repeats 32 times>}}, sa_flags = 0, sa_restorer = 0}
oldaction = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask = {__val = {0, 0, 5, 1598488576, 7, 1437274845, 14, 1598488577, 16, 3078868144, 0, 1, 3221219528, 3078170014, 8, 0, 4, 1437274845, 3079230456, 3078868144, 3221219576, 1437274845, 3078869408, 3078868144, 3221219576, 3078868144, 3078869408, 1, 3221219576, 3078278760, 3077292928, 3079221340}}, sa_flags = 0, sa_restorer = 0xaa71a380}
start_capture = 1
stats_known = 0
stats = {ps_recv = 0, ps_drop = 0, ps_ifdrop = 0}
list_interfaces = 0
list_link_layer_types = 0
print_bpf_code = 0
machine_readable = 0
print_statistics = 0
status = <optimized out>
run_once_args = 0
i = <optimized out>
A debugging session is active.

Inferior 1 [process 829] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]

--
WBR, Alex.
 
Old 01-27-2012, 10:48 PM
 

On 28 Jan 2012 at 2:11, Alex Efros wrote:

> Hi!
>
> On Sat, Jan 28, 2012 at 01:07:43AM +0200, pageexec@freemail.hu wrote:
> > > Program received signal SIGSEGV, Segmentation fault.
> > > 0xb75fd152 in readdir64 () from /lib/libc.so.6
> > x/16i $pc
> > x/16x $sp

gosh i knew i'd forgot something:

info reg

> > and based on the disasm i'll need more info later.

x/8x $esi
 
Old 01-27-2012, 11:11 PM
Alex Efros
 

Hi!

On Sat, Jan 28, 2012 at 01:07:43AM +0200, pageexec@freemail.hu wrote:
> > Program received signal SIGSEGV, Segmentation fault.
> > 0xb75fd152 in readdir64 () from /lib/libc.so.6
> x/16i $pc
> x/16x $sp
>
> and based on the disasm i'll need more info later.

Program received signal SIGSEGV, Segmentation fault.
0xb74f9152 in readdir64 () from /lib/libc.so.6
(gdb) bt
#0 0xb74f9152 in readdir64 () from /lib/libc.so.6
#1 0xb75f77ea in scan_sys_class_net (devlistp=0xbfffd868,
errbuf=0xbfffd8bc "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./pcap-linux.c:1832
#2 0xb75fafff in pcap_platform_finddevs (alldevsp=0xbfffd868,
errbuf=0xbfffd8bc "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./pcap-linux.c:2081
#3 0xb75fd232 in pcap_findalldevs (alldevsp=0xbfffd8b8,
errbuf=0xbfffd8bc "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./fad-getad.c:275
#4 0xb778569d in get_interface_list_findalldevs (err=0xbfffda88, err_str=0xbfffda84)
at capture-pcap-util.c:174
#5 0xb77839c0 in get_interface_list (err=0xbfffda88, err_str=0xbfffda84)
at capture-pcap-util-unix.c:110
#6 0xb77899d2 in capture_interface_list (err=0xbfffda88, err_str=0xbfffda84) at dumpcap.c:797
#7 0xb7785345 in capture_opts_trim_iface (capture_opts=0xb7791060, capture_device=0x0)
at capture_opts.c:770
#8 0xb778a6cd in main (argc=<optimized out>, argv=<optimized out>) at dumpcap.c:3850
(gdb) x/16i $pc
=> 0xb74f9152 <readdir64+54>: cmpxchg %ecx,0x4(%esi)
0xb74f9156 <readdir64+58>: jne 0xb74f91dc
0xb74f915c <readdir64+64>: mov 0x10(%esi),%eax
0xb74f915f <readdir64+67>: lea 0x18(%esi),%edi
0xb74f9162 <readdir64+70>: jmp 0xb74f917d <readdir64+97>
0xb74f9164 <readdir64+72>: lea (%edi,%eax,1),%edx
0xb74f9167 <readdir64+75>: movzwl 0x10(%edx),%ecx
0xb74f916b <readdir64+79>: add %ecx,%eax
0xb74f916d <readdir64+81>: mov %eax,0x10(%esi)
0xb74f9170 <readdir64+84>: mov 0x8(%edx),%ecx
0xb74f9173 <readdir64+87>: mov %ecx,0x14(%esi)
0xb74f9176 <readdir64+90>: mov 0x4(%edx),%ecx
0xb74f9179 <readdir64+93>: or (%edx),%ecx
0xb74f917b <readdir64+95>: jne 0xb74f91b1 <readdir64+149>
0xb74f917d <readdir64+97>: cmp 0xc(%esi),%eax
0xb74f9180 <readdir64+100>: jb 0xb74f9164 <readdir64+72>
(gdb) x/16x $sp
0xbfffd508: 0x00000000 0xb7625c60 0xbfffd8bc 0xbfffd868
0xbfffd518: 0xbfffd7a8 0xb75f77ea 0x00000000 0x00000002
0xbfffd528: 0x00000000 0xb7625c60 0x00000000 0xb761385c
0xbfffd538: 0xbfffd558 0x75ab49e0 0xbfffd868 0xbfffd8bc
(gdb)

--
WBR, Alex.
 
Old 01-28-2012, 12:50 AM
Alex Efros
 

Hi!

On Sat, Jan 28, 2012 at 01:48:01AM +0200, pageexec@freemail.hu wrote:
> gosh i knew i'd forgot something:

btw, glibc with debug has merged


(gdb) run
Starting program: /usr/bin/dumpcap
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0xb749f152 in __readdir64 (dirp=0x0) at ../sysdeps/unix/readdir.c:45
45 ../sysdeps/unix/readdir.c: No such file or directory.
in ../sysdeps/unix/readdir.c
(gdb)

(gdb) thread apply all bt full

Thread 1 (Thread 0xb73f16c0 (LWP 19994)):
#0 0xb749f152 in __readdir64 (dirp=0x0) at ../sysdeps/unix/readdir.c:45
dp = <optimized out>
saved_errno = <optimized out>
#1 0xb759d7ea in scan_sys_class_net (devlistp=0xbfffe488,
errbuf=0xbfffe4dc "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./pcap-linux.c:1832
sys_class_net_d = 0x0
fd = 7
ent = <optimized out>
p = <optimized out>
name = "261236N267314341377277.244[2673643423772773343443772770000000031434137727 7377000000012002553733343443772773343443772773 3434437727733434437727767345377277333345377277334 344377277333345377277", '00' <repeats 20 times>, "3023000004000000T316U26700000000000 00000331274s26720303(03230202s267324274s26700 000000`27426720240s267220210G26723034237727721 1EZ26720240s2673773770000325H267(pZ267v00000 0271236S267304241S267270343U26700311U267000000 00324274s26720303(03`27426720240s267300346U267 320200000200343U267T316U267200343U267324274s267 250342377277243275G26733034237727720303(03`27426 720240s267330342377277ZIZ26720240s267324274s2673 30342377277330235N26733434437727700010000010 0000020303(03`27426720240s26770343377277AKZ2 6720240s2670001000001000000377377377377.2 44[267324274s267370237[26764241s2670000000000000000D000000334 344377277T316U26700000000331bO26720303(0320 eO26735434337727734263s267`274267000000003242 74s267250343377277341MZ267324274s267D000000364w G2670000000033434437727705000000214325S267 234236S267"...
q = <optimized out>
ifrflags = {ifr_ifrn = {
ifrn_name = "T316U267l342377277334344377277270342377277"}, ifr_ifru = {
ifru_addr = {sa_family = 40625,
---Type <return> to continue, or q <return> to quit---
sa_data = "N267l342377277334344377277270342377277"}, ifru_dstaddr = {
sa_family = 40625, sa_data = "N267l342377277334344377277270342377277"},
ifru_broadaddr = {sa_family = 40625,
sa_data = "N267l342377277334344377277270342377277"}, ifru_netmask = {
sa_family = 40625, sa_data = "N267l342377277334344377277270342377277"},
ifru_hwaddr = {sa_family = 40625,
sa_data = "N267l342377277334344377277270342377277"},
ifru_flags = -24911, ifru_ivalue = -1219584335, ifru_mtu = -1219584335, ifru_map = {
mem_start = 3075382961, mem_end = 3221217900, base_addr = 58588, irq = 255 '377',
dma = 191 '277', port = 184 '270'},
ifru_slave = "261236N267l342377277334344377277270342377277" ,
ifru_newname = "261236N267l342377277334344377277270342377277" ,
ifru_data = 0xb74e9eb1, ifru_settings = {type = 3075382961, size = 3221217900,
ifs_ifsu = {raw_hdlc = 0xbfffe4dc, cisco = 0xbfffe4dc, fr = 0xbfffe4dc,
fr_pvc = 0xbfffe4dc, fr_pvc_info = 0xbfffe4dc, sync = 0xbfffe4dc,
te1 = 0xbfffe4dc}}}}
ret = 1
#2 0xb75a0fff in pcap_platform_finddevs (alldevsp=0xbfffe488,
errbuf=0xbfffe4dc "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./pcap-linux.c:2081
ret = <optimized out>
#3 0xb75a3232 in pcap_findalldevs (alldevsp=0xbfffe4d8,
errbuf=0xbfffe4dc "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./fad-getad.c:275
devlist = 0x0
ifap = 0xb773b328
ifa = 0x0
addr = <optimized out>
netmask = <optimized out>
broadaddr = <optimized out>
dstaddr = <optimized out>
---Type <return> to continue, or q <return> to quit---
addr_size = <optimized out>
broadaddr_size = <optimized out>
dstaddr_size = <optimized out>
ret = 0
p = <optimized out>
q = <optimized out>
#4 0xb772b69d in get_interface_list_findalldevs (err=0xbfffe6a8, err_str=0xbfffe6a4)
at capture-pcap-util.c:174
il = 0x0
alldevs = 0xb773829c
dev = <optimized out>
if_info = <optimized out>
errbuf = "tun0: You don't have permission to capture on that device (socket: Operation not permitted)000000m267342Yc267P211s26700211s267 17000000335255a26701000000f000000S216S26 7B314V267<On26700223G26723034537727766 n267010000000100G_22000000040000006 0211s2670100000002000000 0000000200000001000000335237S2674c26730 6237S2670000G_271236S267304241S267270343U26720 0000002000000000000000200343U26701000 000260343U267T316U267200343U26761Ts267"...
#5 0xb77299c0 in get_interface_list (err=0xbfffe6a8, err_str=0xbfffe6a4)
at capture-pcap-util-unix.c:110
No locals.
#6 0xb772f9d2 in capture_interface_list (err=0xbfffe6a8, err_str=0xbfffe6a4) at dumpcap.c:797
No locals.
#7 0xb772b345 in capture_opts_trim_iface (capture_opts=0xb7737060, capture_device=0x0)
at capture_opts.c:770
if_list = <optimized out>
if_info = <optimized out>
err = <optimized out>
err_str = <optimized out>
options = {name = 0x0, descr = 0x0, cfilter = 0x0, snaplen = -1219105568, linktype = 0,
---Type <return> to continue, or q <return> to quit---
promisc_mode = -1219113388, buffer_size = -1073747388, monitor_mode = -1073748280}
#8 0xb77306cd in main (argc=<optimized out>, argv=<optimized out>) at dumpcap.c:3850
opt = <optimized out>
arg_error = 0
action = {__sigaction_handler = {sa_handler = 0xb772d392 <capture_cleanup_handler>,
sa_sigaction = 0xb772d392 <capture_cleanup_handler>}, sa_mask = {__val = {
0 <repeats 32 times>}}, sa_flags = 0, sa_restorer = 0}
oldaction = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask = {__val = {
0, 0, 5, 1598488576, 7, 52953987, 14, 1598488577, 16, 3077434544, 0, 1, 3221218808,
3076736414, 8, 0, 4, 52953987, 3077796856, 3077434544, 3221218856, 52953987,
3077435808, 3077434544, 3221218856, 3077434544, 3077435808, 1, 3221218856,
3076845160, 3075859328, 3077787740}}, sa_flags = 0, sa_restorer = 0xac8c8380}
start_capture = 1
stats_known = 0
stats = {ps_recv = 0, ps_drop = 0, ps_ifdrop = 0}
list_interfaces = 0
list_link_layer_types = 0
print_bpf_code = 0
machine_readable = 0
print_statistics = 0
status = <optimized out>
run_once_args = 0
i = <optimized out>
(gdb)

(gdb) x/16i $pc
=> 0xb749f152 <__readdir64+54>: cmpxchg %ecx,0x4(%esi)
0xb749f156 <__readdir64+58>: jne 0xb749f1dc <_L_lock_22>
0xb749f15c <__readdir64+64>: mov 0x10(%esi),%eax
0xb749f15f <__readdir64+67>: lea 0x18(%esi),%edi
0xb749f162 <__readdir64+70>: jmp 0xb749f17d <__readdir64+97>
0xb749f164 <__readdir64+72>: lea (%edi,%eax,1),%edx
0xb749f167 <__readdir64+75>: movzwl 0x10(%edx),%ecx
0xb749f16b <__readdir64+79>: add %ecx,%eax
0xb749f16d <__readdir64+81>: mov %eax,0x10(%esi)
0xb749f170 <__readdir64+84>: mov 0x8(%edx),%ecx
0xb749f173 <__readdir64+87>: mov %ecx,0x14(%esi)
0xb749f176 <__readdir64+90>: mov 0x4(%edx),%ecx
0xb749f179 <__readdir64+93>: or (%edx),%ecx
0xb749f17b <__readdir64+95>: jne 0xb749f1b1 <__readdir64+149>
0xb749f17d <__readdir64+97>: cmp 0xc(%esi),%eax
0xb749f180 <__readdir64+100>: jb 0xb749f164 <__readdir64+72>
(gdb)

(gdb) x/16x $sp
0xbfffe128: 0x00000000 0xb75cbc60 0xbfffe4dc 0xbfffe488
0xbfffe138: 0xbfffe3c8 0xb759d7ea 0x00000000 0x00000002
0xbfffe148: 0x00000000 0xb75cbc60 0x00000000 0xb75b985c
0xbfffe158: 0xbfffe178 0x03280383 0xbfffe488 0xbfffe4dc
(gdb)

(gdb) info reg
eax 0x0 0
ecx 0x1 1
edx 0x0 0
ebx 0xb755ce54 -1219113388
esp 0xbfffe128 0xbfffe128
ebp 0xbfffe138 0xbfffe138
esi 0x0 0
edi 0xbfffe488 -1073748856
eip 0xb749f152 0xb749f152 <__readdir64+54>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

(gdb) x/8x $esi
0x0: Cannot access memory at address 0x0
(gdb)

--
WBR, Alex.
 
Old 01-28-2012, 01:10 AM
Alex Efros
 

Hi!

On Sat, Jan 28, 2012 at 03:50:22AM +0200, Alex Efros wrote:
> #0 0xb749f152 in __readdir64 (dirp=0x0) at ../sysdeps/unix/readdir.c:45
> dp = <optimized out>
> saved_errno = <optimized out>
> #1 0xb759d7ea in scan_sys_class_net (devlistp=0xbfffe488,
> errbuf=0xbfffe4dc "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./pcap-linux.c:1832
> sys_class_net_d = 0x0

Ok, I'm not a C developer (you see, I don't even know how to use gdb), but
with so much information even I see what the problem is:

in libpcap-1.1.1-r1:
pcap-linux.c:1816:

    sys_class_net_d = opendir("/sys/class/net");
    if (sys_class_net_d == NULL && errno == ENOENT)
        return (0);
    ...
    for (;;) {
        errno = 0;
        ent = readdir(sys_class_net_d);

the second line with if looks just plain wrong. Moreover, as far as I see,
in libpcap-1.2.1 they've already fixed this:
pcap-linux.c:1949:

    sys_class_net_d = opendir("/sys/class/net");
    if (sys_class_net_d == NULL) {
        if (errno == ENOENT)
            return (0);
        (void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
            "Can't open /sys/class/net: %s", pcap_strerror(errno));
        return (-1);
    }

So, I'm going to upgrade libpcap to the latest ~x86 version and see whether this
really fixes this bug… Okay, here it is:

$ dumpcap
dumpcap: Can't get list of interfaces: Can't open /sys/class/net: Permission denied

So, wireshark still doesn't work on hardened under non-root, but doesn't
crash anymore, that's big progress.

--
WBR, Alex.
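
The difference between the two checks quoted in the post above, as an added example that is not part of the original thread and not libpcap's own code. It assumes /dev/null as a stand-in for a /sys/class/net that opendir() cannot open (it fails with ENOTDIR rather than the EACCES seen on the hardened kernel); scan_v111, scan_v121 and signal_from_scan are hypothetical names.

```c
/* Added example (not libpcap's code): the libpcap 1.1.1 opendir() check next
 * to the 1.2.1 form, run on a path whose opendir() fails without ENOENT. */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define ERRBUF_SIZE 256              /* stand-in for PCAP_ERRBUF_SIZE */
typedef int (*scan_fn)(const char *dir, char *errbuf);

/* 1.1.1 logic: only an ENOENT failure returns early. Any other failure
 * (EACCES, ENOTDIR, ...) falls through with a NULL DIR pointer. */
static int scan_v111(const char *dir, char *errbuf)
{
    DIR *d = opendir(dir);
    int n = 0;
    (void)errbuf;
    if (d == NULL && errno == ENOENT)
        return 0;
    for (;;) {
        errno = 0;
        if (readdir(d) == NULL)      /* d may be NULL here */
            break;
        n++;
    }
    closedir(d);
    return n;
}

/* 1.2.1 logic: every NULL return is handled before the directory is read. */
static int scan_v121(const char *dir, char *errbuf)
{
    DIR *d = opendir(dir);
    int n = 0;
    if (d == NULL) {
        if (errno == ENOENT)
            return 0;                /* no such directory: not an error */
        snprintf(errbuf, ERRBUF_SIZE, "Can't open %s: %s", dir, strerror(errno));
        return -1;
    }
    while (readdir(d) != NULL)
        n++;
    closedir(d);
    return n;
}

/* Run fn(dir) in a child process so a crash stays contained.
 * Returns the signal that killed the child, or 0 if it exited normally. */
int signal_from_scan(scan_fn fn, const char *dir)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit no_core = {0, 0};
        char errbuf[ERRBUF_SIZE] = "";
        setrlimit(RLIMIT_CORE, &no_core);   /* request no core file */
        fn(dir, errbuf);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    char errbuf[ERRBUF_SIZE] = "";
    printf("1.1.1 check: child signal %d\n", signal_from_scan(scan_v111, "/dev/null"));
    printf("1.2.1 check: %d (%s)\n", scan_v121("/dev/null", errbuf), errbuf);
    return 0;
}
```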
 
Old 01-28-2012, 01:28 AM
Alex Efros
 

Hi!

But… as far as I see, it was just _one_ attempt to access a NULL pointer
because of a very usual bug. The question is, why did that trigger
CONFIG_GRKERNSEC_BRUTE? Doesn't the word "brute" suppose many similar incidents
happening in a short period of time, not just one? As for me, killing all of the
user's processes and disabling it for 15 minutes after a single attempt to
access a NULL pointer sounds too cruel.

--
WBR, Alex.
 
Old 01-28-2012, 01:35 AM
Alex Efros
 

Hi!

On Sat, Jan 28, 2012 at 01:02:40AM +0200, Alex Efros wrote:
> > can you generate a coredump and see what the backtrace shows?
>
> Actually I can't get core. :-/ Look:
>
> I've re-emerged wireshark using this:
>
> # CFLAGS="-march=prescott -O1 -pipe -ggdb"
> FEATURES="userpriv usersandbox userfetch parallel-fetch nostrip"
> emerge wireshark
>
> Now:
>
> $ sudo zgrep ELF_CORE /proc/config.gz
> CONFIG_ELF_CORE=y
> $ cat /proc/sys/kernel/core_pattern
> core
> $ grep core /etc/security/limits.conf | grep -v '^#'
> * soft core unlimited
> $ cat /etc/limits.conf
> * C20480
> $ ulimit -c unlimited
> $ ulimit -c
> unlimited
> $ dumpcap
> Segmentation fault
> $ ls -l core
> ls: cannot access core: No such file or directory

And one more question - why wasn't core dumped here?

I've even tried to log in on a text mode console after editing both
limits.conf files and run dumpcap there - in case these limits apply on
user's login, and can't affect anything in the middle of an X session - but
that doesn't help either.

--
WBR, Alex.
 
Old 01-28-2012, 11:02 AM
 

On 28 Jan 2012 at 4:35, Alex Efros wrote:

> > $ dumpcap
> > Segmentation fault
> > $ ls -l core
> > ls: cannot access core: No such file or directory
>
> And one more question - why wasn't core dumped here?

check /proc/sys/fs/suid_dumpable
 
Old 01-28-2012, 11:09 AM
 

On 28 Jan 2012 at 4:28, Alex Efros wrote:

> Hi!
>
> But... as far as I see, it was just _one_ attempt to access a NULL pointer
> because of a very usual bug. The question is, why did that trigger
> CONFIG_GRKERNSEC_BRUTE? Doesn't the word "brute" suppose many similar incidents
> happening in a short period of time, not just one? As for me, killing all of the
> user's processes and disabling it for 15 minutes after a single attempt to
> access a NULL pointer sounds too cruel.

you should probably read the config help about this option, your questions
are answered there. you made a suid executable crash, you wouldn't want an
attacker to be able to get away with it either (just think of the recent
/proc/pid/mem bug, the *only* thing that can save you is if you use grsec
and enable this very brute force protection option). if you don't care about
any of this on your personal desktop then just don't enable it.
 
Old 01-28-2012, 11:12 AM
 

On 28 Jan 2012 at 4:10, Alex Efros wrote:

> $ dumpcap
> dumpcap: Can't get list of interfaces: Can't open /sys/class/net: Permission denied

i think it's GRKERNSEC_SYSFS_RESTRICT that could cause this, do you have it enabled?
 
