[OpenAFS-devel] AFS has a problem with SPLX real-time scanning
Frank Bagehorn
FBA@zurich.ibm.com
Thu, 16 Sep 2004 18:23:00 +0200
This is an S/MIME signed message.
---------z37754_boundary_sign
Content-Type: text/plain; charset="US-ASCII"
If you are running TrendMicro ServerProtect for Linux on a machine and
real-time scanning is turned on, AFS will no longer start.
The reason has to do with the sym table look ups that AFS does. In
real-time scanning SPLX will mediate sys_table calls, but AFS circumvents
that and gets lost.
I know that in the long-run the sys_table calls will vanish from the AFS
code, so I don't know if it's worth to do anything about it.
Anyway, here is the response that we got from TrendMicro about their
investigation on the problem:
*** This email is automatically generated by the PSP 5.0 system. ***
*** PLEASE DO NOT REPLY TO THIS E-MAIL. ***
Hi Eric,
Here are the updates. In short > "I think it's openafs need to modify its
way to hook". Ok to close?
---------------------
<rudy 9/14/04 8:34AM PST>Hi Jeff, can you pleas send IBM our results.
Please let them know that we will probably recommend they first start afs
and then splx as previously mentioned. Thanks.
//allen 2004/9/10
seems not possible.
The problem is that openafs want the original sys_call_table to hooking,
if the sys_call_table has been modified, openafs will not be able to
recognize it, so hooking fail...
But if we want to provide realtime scanning, we must modify the
sys_call_table!!
I think it's openafs need to modify its way to hook, or it may conflict
with other software that modify sys_call_table..
hook functions and therefore openafs doesn't find an appropriate return
value to hook file system. From SPLX standpoint is there any way we can
change the way we modify sys_call_table[__NR_exi] so that openafs can hook
the file system? If there isn't any way for a change in the SPLX code then
I will recommend the workaround. Also, do you know if openafs makes this
call only once at startup or will the call be made multiple times during
system operation? Thanks.
//allen 2004/9/8
Have found out a possible cause!!
the following is the code of openafs related to sys_call_table address
finding:
//////////////////////////
ptr=(unsigned long *)&init_mm;
datalen=16384;
for (offset=0;offset <datalen;ptr++,offset++) {
if (ptr[0] == (unsigned long)&sys_exit && ptr[__NR_open - __NR_exit] ==
(unsigned long)&sys_open) {
sys_call_table=ptr - __NR_exit;
break;
}
}
if (!sys_call_table) {
printf("Failed to find address of sys_call_table\n"); return -EIO;
}
///////////////////////////////////
and the sys_call number for RHEL 3 is listed below.
__NR_exit 1
__NR_fork 2
__NR_read 3
__NR_write 4
__NR_open 5
__NR_close 6
:
:
For openafs, it will try to search in the memory to get a position that
ptr[0] contains address of sys_exit and ptr[__NR_open - __NR_exit]
contains address of sys_open.
If it is found, openafs will take this position as the address of
sys_call_table[__NR_exit]!! Then start address of sys_call_table can be
found out..
But our splx will mediate sys_call_table, replace the address stored in
sys_call_table[__NR_exit] and sys_call_table[__NR_open] with our
self-define hook functions.. So openafs cannot find what it suppose to
find.... And then cant get sys_call_table address...
So,The conflict only happen when realtime scan is on(the KHM will hook
sys_call only when realtime scan function is turn on)!! if realtime scan
is off, there will be no conflict to start openafs even we turn on splx
and splxmod.o is inserted!!
I think IBM could start openafs when realtime scan is close or even before
splx is installed!
Thank you,
Jeffrey Burge
----------------------------------------------------------------------
Dr. Frank Bagehorn
Manager Workstation & Server ZRL IS
IBM Zurich Research Lab.
Saeumerstr. 4
CH-8803 Rueschlikon
Switzerland
----------------------------------------------------------------------
SMTP: fba@zurich.ibm.com
Notes: Frank Bagehorn/Zurich/IBM@IBMCH
phone: ++41 (01) 724 83 23 fax: ++41 (01) 724 89 59
---------z37754_boundary_sign
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIIUOAIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBoIISWDCCAtow
ggJDoAMCAQICAwMUtjANBgkqhkiG9w0BAQQFADBOMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXF1
aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTAy
MDExNDIyMDcxMVoXDTExMTIzMTIyMDcxMVowaTELMAkGA1UEBhMCVVMxNDAyBgNVBAoTK0ludGVy
bmF0aW9uYWwgQnVzaW5lc3MgTWFjaGluZXMgQ29ycG9yYXRpb24xJDAiBgNVBAMTG0lCTSBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA629xc49NpAPz
cAsuShTImLRYMkyepDEkC1UrPbsFRyAFZKsv3pw0MGfW/+7glzJKgPkPzlTZZfznznGbmAWVnNBQ
lyPasOtCjif603euRXReHcKfHMPLItKozibWIPHJuOnwNclOnnP2sKufuPzbTImQTTi5c8JZNZcM
J0YFzTcCAwEAAaOBqjCBpzARBglghkgBhvhCAQEEBAMCAIcwDgYDVR0PAQH/BAQDAgHGMB0GA1Ud
DgQWBBSuVA6S6qgzqSskLcfIbzDc3vNKQDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf
1DAPBgNVHRMBAf8EBTADAQH/MDEGA1UdJQQqMCgGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUH
AwMGCCsGAQUFBwMEMA0GCSqGSIb3DQEBBAUAA4GBADJye3NmC8q2PzypRZfu7JvDRDX1rRcanZvu
jQupk2oCScMd3FIHLE7hOfu8YffvxtLU3y8wNamQEORjTD175qAffryXypwtiVjBUKSDlBCQ14ke
McF9ViNdewEoBGiAycUq8R3Lrlf4TCDvW4GeguNTFFZnS0ygYATiJk7iDyvEMIIC2jCCAkOgAwIB
AgIDAxS2MA0GCSqGSIb3DQEBBAUAME4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVpZmF4MS0w
KwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwMTE0MjIw
NzExWhcNMTExMjMxMjIwNzExWjBpMQswCQYDVQQGEwJVUzE0MDIGA1UEChMrSW50ZXJuYXRpb25h
bCBCdXNpbmVzcyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjEkMCIGA1UEAxMbSUJNIENlcnRpZmljYXRp
b24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrb3Fzj02kA/NwCy5KFMiY
tFgyTJ6kMSQLVSs9uwVHIAVkqy/enDQwZ9b/7uCXMkqA+Q/OVNll/OfOcZuYBZWc0FCXI9qw60KO
J/rTd65FdF4dwp8cw8si0qjOJtYg8cm46fA1yU6ec/awq5+4/NtMiZBNOLlzwlk1lwwnRgXNNwID
AQABo4GqMIGnMBEGCWCGSAGG+EIBAQQEAwIAhzAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFK5U
DpLqqDOpKyQtx8hvMNze80pAMB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/UMA8GA1Ud
EwEB/wQFMAMBAf8wMQYDVR0lBCowKAYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYB
BQUHAwQwDQYJKoZIhvcNAQEEBQADgYEAMnJ7c2YLyrY/PKlFl+7sm8NENfWtFxqdm+6NC6mTagJJ
wx3cUgcsTuE5+7xh9+/G0tTfLzA1qZAQ5GNMPXvmoB9+vJfKnC2JWMFQpIOUEJDXiR4xwX1WI117
ASgEaIDJxSrxHcuuV/hMIO9bgZ6C41MUVmdLTKBgBOImTuIPK8QwggMgMIICiaADAgECAgQ13vTP
MA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQL
EyRFcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNOTgwODIyMTY0MTUxWhcN
MTgwODIyMTY0MTUxWjBOMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMk
RXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDBXbFYZwhi7qCaLR8IbZEUaJgKHv7aBG8ThGIhw9F8zp8F4LgB8E407OKKlQRkrPFr
U18Fs8tngL9CAo7+3QEJ7OEAFE/8+/AM3UO6WyvhH4BwmRVXkxbxD5dqt8JoIxzMTVkwrFEeO68r
1u5jRXvF2V9Q0uNQDzqI578U/eDHuQIDAQABo4IBCTCCAQUwcAYDVR0fBGkwZzBloGOgYaRfMF0x
CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBD
ZXJ0aWZpY2F0ZSBBdXRob3JpdHkxDTALBgNVBAMTBENSTDEwGgYDVR0QBBMwEYEPMjAxODA4MjIx
NjQxNTFaMAsGA1UdDwQEAwIBBjAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNV
HQ4EFgQUSOZo+SvSspXXR9gjIBBPM5iQn9QwDAYDVR0TBAUwAwEB/zAaBgkqhkiG9n0HQQAEDTAL
GwVWMy4wYwMCBsAwDQYJKoZIhvcNAQEFBQADgYEAWM4p6vz33rXOArkXtYXRuePglcwlMQ0AppJu
f7aSY55QldGab+QR3mOFbpjuqP9ayNNVsmZxV97AIes9KqcjSQEEhkJ7/O5/ohZStWdn00DbOyZY
sih3Pa4Ud2HW+ipmJ6AN+qdzXOpw8ZQhZURf+vzvKWipood573nvT6wHdzgwggMgMIICiaADAgEC
AgQ13vTPMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVpZmF4MS0w
KwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNOTgwODIyMTY0
MTUxWhcNMTgwODIyMTY0MTUxWjBOMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXF1aWZheDEtMCsG
A1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDBXbFYZwhi7qCaLR8IbZEUaJgKHv7aBG8ThGIhw9F8zp8F4LgB8E407OKK
lQRkrPFrU18Fs8tngL9CAo7+3QEJ7OEAFE/8+/AM3UO6WyvhH4BwmRVXkxbxD5dqt8JoIxzMTVkw
rFEeO68r1u5jRXvF2V9Q0uNQDzqI578U/eDHuQIDAQABo4IBCTCCAQUwcAYDVR0fBGkwZzBloGOg
YaRfMF0xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNl
Y3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxDTALBgNVBAMTBENSTDEwGgYDVR0QBBMwEYEPMjAx
ODA4MjIxNjQxNTFaMAsGA1UdDwQEAwIBBjAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf
1DAdBgNVHQ4EFgQUSOZo+SvSspXXR9gjIBBPM5iQn9QwDAYDVR0TBAUwAwEB/zAaBgkqhkiG9n0H
QQAEDTALGwVWMy4wYwMCBsAwDQYJKoZIhvcNAQEFBQADgYEAWM4p6vz33rXOArkXtYXRuePglcwl
MQ0AppJuf7aSY55QldGab+QR3mOFbpjuqP9ayNNVsmZxV97AIes9KqcjSQEEhkJ7/O5/ohZStWdn
00DbOyZYsih3Pa4Ud2HW+ipmJ6AN+qdzXOpw8ZQhZURf+vzvKWipood573nvT6wHdzgwggMmMIIC
j6ADAgECAgMBybYwDQYJKoZIhvcNAQEEBQAwaTELMAkGA1UEBhMCVVMxNDAyBgNVBAoTK0ludGVy
bmF0aW9uYWwgQnVzaW5lc3MgTWFjaGluZXMgQ29ycG9yYXRpb24xJDAiBgNVBAMTG0lCTSBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDA3MTQxNzQxMjVaFw0wNTA3MjgxNzQxMjVaMIGFMQsw
CQYDVQQGEwJVUzEMMAoGA1UEChMDSUJNMREwDwYDVQQLEwhFTVBMT1lFRTEXMBUGA1UEAxMORnJh
bmsgQmFnZWhvcm4xGTAXBgoJkiaJk/IsZAEBEwk5OTk3MzA4NDgxITAfBgkqhkiG9w0BCQEWEmZi
YUB6dXJpY2guaWJtLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAghuLe7oviz416FRx
uk66Wmm0r+Gj/OLH7CGh+iZrdAHH3dDw/SIT2LXelM+hu4wSltRqIxkKnTXsgYU5rBHlvPX8GNLm
HQ26m3C9duvlJ6Fp/neq0pglbWPFAeCWxImTNPCAYogKVjpPR3pxNC5PXQDfYYSHf2lj0/Re+dv1
7aUCAwEAAaOBvjCBuzARBglghkgBhvhCAQEEBAMCBaAwDgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQW
BBQ2834MWh3rUw8ngHdFLWnpwNfg2TAtBgNVHREEJjAkoCIGCisGAQQBgjcUAgOgFAwSZmJhQHp1
cmljaC5pYm0uY29tMB8GA1UdIwQYMBaAFK5UDpLqqDOpKyQtx8hvMNze80pAMCcGA1UdJQQgMB4G
CCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQwDQYJKoZIhvcNAQEEBQADgYEAhQBisQ5i32vh
2jHQsR0NcZLOaJCbmvf2SNxvBP6TEB8B5BjlU8E2DyJQq2GpEnVEPq3tPfHm2CHqFTbM06SMfe/9
Y7RhTHmOtTE85O23woBBXeoa87isL0wxahPZy/S0+egizZWa9+jn70bXkImHmaJqnbV1+g5XaR2J
PxPlZt0wggMmMIICj6ADAgECAgMBybYwDQYJKoZIhvcNAQEEBQAwaTELMAkGA1UEBhMCVVMxNDAy
BgNVBAoTK0ludGVybmF0aW9uYWwgQnVzaW5lc3MgTWFjaGluZXMgQ29ycG9yYXRpb24xJDAiBgNV
BAMTG0lCTSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDA3MTQxNzQxMjVaFw0wNTA3Mjgx
NzQxMjVaMIGFMQswCQYDVQQGEwJVUzEMMAoGA1UEChMDSUJNMREwDwYDVQQLEwhFTVBMT1lFRTEX
MBUGA1UEAxMORnJhbmsgQmFnZWhvcm4xGTAXBgoJkiaJk/IsZAEBEwk5OTk3MzA4NDgxITAfBgkq
hkiG9w0BCQEWEmZiYUB6dXJpY2guaWJtLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
ghuLe7oviz416FRxuk66Wmm0r+Gj/OLH7CGh+iZrdAHH3dDw/SIT2LXelM+hu4wSltRqIxkKnTXs
gYU5rBHlvPX8GNLmHQ26m3C9duvlJ6Fp/neq0pglbWPFAeCWxImTNPCAYogKVjpPR3pxNC5PXQDf
YYSHf2lj0/Re+dv17aUCAwEAAaOBvjCBuzARBglghkgBhvhCAQEEBAMCBaAwDgYDVR0PAQH/BAQD
AgXgMB0GA1UdDgQWBBQ2834MWh3rUw8ngHdFLWnpwNfg2TAtBgNVHREEJjAkoCIGCisGAQQBgjcU
AgOgFAwSZmJhQHp1cmljaC5pYm0uY29tMB8GA1UdIwQYMBaAFK5UDpLqqDOpKyQtx8hvMNze80pA
MCcGA1UdJQQgMB4GCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQwDQYJKoZIhvcNAQEEBQAD
gYEAhQBisQ5i32vh2jHQsR0NcZLOaJCbmvf2SNxvBP6TEB8B5BjlU8E2DyJQq2GpEnVEPq3tPfHm
2CHqFTbM06SMfe/9Y7RhTHmOtTE85O23woBBXeoa87isL0wxahPZy/S0+egizZWa9+jn70bXkImH
maJqnbV1+g5XaR2JPxPlZt0xggG7MIIBtwIBATBwMGkxCzAJBgNVBAYTAlVTMTQwMgYDVQQKEytJ
bnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0aW9uMSQwIgYDVQQDExtJQk0g
Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkCAwHJtjAJBgUrDgMCGgUAoIGiMBgGCSqGSIb3DQEJAzEL
BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA0MDkxNjE2MjI1NVowIwYJKoZIhvcNAQkEMRYE
FIziTuxnXSjtliMa+c3oXyAeyfPpMEMGCSqGSIb3DQEJDzE2MDQwBwYFKw4DAh0wDgYIKoZIhvcN
AwICAgCAMAoGCCqGSIb3DQMHMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIGAa6V3E+kl
Kqtrh5Sq80OKmrX7l8dJWjeVMIQJkoYV3msG0y1zJ6B1pD4omKJSCK/caCK+IzAePulUVwvjsWSc
mmshLoMR+XSpE15azXBMQpHShGXPYtS9acPj8Jfgm699FbgeoWwzXCxDGP4PcA/vA7Aw/lmyVphk
b7Ituzu7FkgAAAAA
---------z37754_boundary_sign--