#StackBounty: #linux-kernel #firmware Include in-kernel firmware blobs in kernel binary

Bounty: 300

I am compiling my own kernel (4.4.x) on Debian Stretch, and I want to include the firmware for my radeon graphics card in the kernel, so that it does not need to be loaded from userspace.

CONFIG_FIRMWARE_IN_KERNEL
CONFIG_EXTRA_FIRMWARE

I have installed the firmware files to /lib/firmware/

apt-get install firmware-amd-graphics

How can I find out which firmware files I need to include for my specific graphics card?

VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Oland GL [FirePro W2100]

I assume I will need some of the following firmware files:

/lib/firmware/radeon/oland_*.bin

but which ones?

In general, what is the process of finding out which firmware files a particular hw/driver needs?


Get this bounty!!!

#StackBounty: #linux #networking #linux-kernel #tcpip #lxc Forcing Ping to Egress When Destination Interface is Local (Debian)

Bounty: 50

I am running a Debian-based Linux container under Proxmox 4.4. This host has five network interfaces (though only two come into play in the problem I’m having).

While I am shelled into this host, I ping the IP address associated with eth1. What is happening and what I believe should happen are two very different things.

What I want to happen is for the ping packet to egress eth3, where it will be routed to eth1.

What is happening is that the IP stack sees I’m pinging a local interface and it then sends the reply right back up the stack. I know the packet is not going out and coming back for two reasons:

  1. A packet capture shows nothing hitting either eth1 or eth3.
  2. The ping latency averages 0.013 ms. If the packet were going out and back as intended, the latency would be about 60 ms.

Of course, I desire corresponding behavior when I ping the IP address associated with eth3. In that case, I want the packet to egress eth1 where it will be routed to eth3. Unfortunately, similar behavior as described above happens.

Below, I show the static routes I’ve set up to try and induce the desired behavior. Such routes work as intended on a Windows machine, but they do not work under the Linux setup I am using.

How may I configure this host to forward as intended?

root@my-host:~# uname -a
Linux my-host 4.4.35-1-pve #1 SMP Fri Dec 9 11:09:55 CET 2016 x86_64 GNU/Linux
root@my-host:~#
root@my-host:~# cat /etc/debian_version
8.9
root@my-host:~#
root@my-host:~# ifconfig
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.0.2.65  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:195028 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12891 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:92353608 (88.0 MiB)  TX bytes:11164530 (10.6 MiB)

eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:128.66.100.10  Bcast:128.66.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:816 errors:0 dropped:0 overruns:0 frame:0
          TX packets:486 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:149517 (146.0 KiB)  TX bytes:34107 (33.3 KiB)

eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:203.0.113.1  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:738 errors:0 dropped:0 overruns:0 frame:0
          TX packets:880 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:423603 (413.6 KiB)  TX bytes:94555 (92.3 KiB)

eth3      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:128.66.200.10  Bcast:128.66.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:611 errors:0 dropped:0 overruns:0 frame:0
          TX packets:182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:43921 (42.8 KiB)  TX bytes:13614 (13.2 KiB)

eth4      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:198.51.100.206  Bcast:198.51.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:183427 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:85706791 (81.7 MiB)  TX bytes:3906 (3.8 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:22869 (22.3 KiB)  TX bytes:22869 (22.3 KiB)
root@my-host:~#
root@my-host:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
128.66.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
128.66.200.0    0.0.0.0         255.255.255.0   U     0      0        0 eth3
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth4
root@my-host:~#
root@my-host:~# route -v add 128.66.200.10/32 gw 128.66.100.1
root@my-host:~# route -v add 128.66.100.10/32 gw 128.66.200.1
root@my-host:~#
root@my-host:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth4
128.66.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
128.66.100.10   128.66.200.1    255.255.255.255 UGH   0      0        0 eth3
128.66.200.0    0.0.0.0         255.255.255.0   U     0      0        0 eth3
128.66.200.10   128.66.100.1    255.255.255.255 UGH   0      0        0 eth1
root@my-host:~#
root@my-host:~# ping -c 3 128.66.100.10
PING 128.66.100.10 (128.66.100.10) 56(84) bytes of data.
64 bytes from 128.66.100.10: icmp_seq=1 ttl=64 time=0.008 ms
64 bytes from 128.66.100.10: icmp_seq=2 ttl=64 time=0.014 ms
64 bytes from 128.66.100.10: icmp_seq=3 ttl=64 time=0.017 ms

--- 128.66.100.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.008/0.013/0.017/0.003 ms
root@my-host:~#

THURSDAY, 8/17/2017 8:12 AM PDT UPDATE

Per the request of dirkt, I am elaborating on our architecture and the reason for my question.

The virtual host that is the subject of this post (i.e. the host with network interfaces eth1, eth3, and three other network interfaces unrelated to my question), is being used to test a physical, wired TCP/IP networking infrastructure we have set up. Specifically, it is the routing functionality of this TCP/IP networking infrastructure that we are testing.

We used to have two virtual hosts, not one as I’ve described in my original post. A ping between these two hosts would be our smoke test to ensure that the TCP/IP networking infrastructure under test was still working.

For reasons too detailed to get into, having two hosts made it difficult to collect the logs we need to. So, we switched to one host, gave it two NICs, set up static routes so that anything destined for NIC 2 would egress NIC 1 and vice versa. The problem is, as I’ve stated, they’re not egressing.

This one host / two NIC setup has worked under Windows for us for years. I don’t know if that is because Windows is broken and we were inadvertently taking advantage of a bug, or if Windows is fine (i.e. RFC-compliant) and we just need to get the configuration right on our Linux VMs to get the same behavior.

To summarize and distill down the long block of shell text above:

Two Interfaces:

eth1: 128.66.100.10/24; the router on this interface's network has IP address 128.66.100.1
eth3: 128.66.200.10/24; the router on this interface's network has IP address 128.66.200.1

Relevant Routes:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
128.66.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
128.66.100.10   128.66.200.1    255.255.255.255 UGH   0      0        0 eth3
128.66.200.0    0.0.0.0         255.255.255.0   U     0      0        0 eth3
128.66.200.10   128.66.100.1    255.255.255.255 UGH   0      0        0 eth1

Command I’m Executing:

ping -c 3 128.66.100.10

The destination of 128.66.100.10 matches two of the above routes:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
128.66.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
128.66.100.10   128.66.200.1    255.255.255.255 UGH   0      0        0 eth3

The route with the longest prefix match is:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
128.66.100.10   128.66.200.1    255.255.255.255 UGH   0      0        0 eth3

What I am trying to understand is why, given the existence of this route, the packet won’t egress eth3, travel through our TCP/IP networking infrastructure, come back and hit eth1 from the outside.

The TCP/IP stack is apparently not consulting the forwarding table. It’s as if when it sees that I’m pinging a locally-connected interface, the TCP/IP stack just says, “Oh, this is a local interface. So, I’m not going to consult the forwarding table. Instead, I’ll just send an echo reply right back up the stack”.

Is the behavior I desire RFC-compliant? If it is not, I must abandon the attempt. But if it is RFC-compliant, I would like to learn how to configure the Linux TCP/IP stack to allow this behavior.

MONDAY, 8/21/2017 UPDATE

I’ve discovered the sysctl rp_filter and accept_local kernel parameters. I have set them as follows:

root@my-host:~# cat /proc/sys/net/ipv4/conf/eth1/accept_local
1
root@my-host:~# cat /proc/sys/net/ipv4/conf/eth3/accept_local
1
root@my-host:~# cat /proc/sys/net/ipv4/conf/all/accept_local
1
root@my-host:~# cat /proc/sys/net/ipv4/conf/default/accept_local
1
root@my-host:~# cat /proc/sys/net/ipv4/conf/eth1/rp_filter
0
root@my-host:~# cat /proc/sys/net/ipv4/conf/eth3/rp_filter
0
root@my-host:~# cat /proc/sys/net/ipv4/conf/all/rp_filter
0
root@my-host:~# cat /proc/sys/net/ipv4/conf/default/rp_filter
0

Setting these kernel parameters, rebooting, verifying they survived the reboot, and testing again showed no difference in behavior.

Please note that my-host is an lxc Linux container running under Proxmox 4.4. I have also set rp_filter and accept_local as shown above on the hypervisor interfaces that correspond to the eth1 and eth3 interfaces on my-host.

To re-summarize my objective, I have a Linux host with two NICs, eth1 and eth3. I am trying to ping out eth1, have the ping packet get routed through a TCP/IP network infrastructure under test, and make its way back to eth3.

Nothing I’ve tried above has allowed me to do so. How may I do so?


Get this bounty!!!
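
The lookup order behind the behaviour described in this post, as an added example that is not part of the original post: on Linux the priority-0 rule consults the kernel-maintained local table before main, so a /32 host route in main for one of the host's own addresses is never reached. The table contents are a constructed model of my-host built from the addresses and routes shown above, and the function names are hypothetical.

```python
import ipaddress

# Constructed model of my-host after the two `route add` commands.
# Route tuple: (prefix, type, gateway, device)
TABLES = {
    # The kernel adds a "local" route for every address configured on the host.
    "local": [
        ("127.0.0.0/8", "local", None, "lo"),
        ("128.66.100.10/32", "local", None, "eth1"),
        ("128.66.200.10/32", "local", None, "eth3"),
    ],
    # What `route -n` prints: the main table only.
    "main": [
        ("128.66.100.0/24", "unicast", None, "eth1"),
        ("128.66.100.10/32", "unicast", "128.66.200.1", "eth3"),
        ("128.66.200.0/24", "unicast", None, "eth3"),
        ("128.66.200.10/32", "unicast", "128.66.100.1", "eth1"),
    ],
    "default": [],
}

# Default policy rules as listed by `ip rule`: (priority, table)
DEFAULT_RULES = [(0, "local"), (32766, "main"), (32767, "default")]


def longest_prefix_match(table, dst):
    """Return the most specific route in one table that covers dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)


def lookup(dst, rules=DEFAULT_RULES, tables=TABLES):
    """Walk the rules in priority order; the first table with a match decides.

    Longest-prefix match applies inside a table, never across tables.
    """
    for prio, name in sorted(rules):
        route = longest_prefix_match(tables[name], dst)
        if route is not None:
            prefix, rtype, gateway, dev = route
            # Traffic to a "local" route is looped back inside the stack.
            out_dev = "lo" if rtype == "local" else dev
            return {"rule": prio, "table": name, "prefix": prefix,
                    "type": rtype, "gateway": gateway, "dev": out_dev}
    return None


if __name__ == "__main__":
    # Real lookup order: the local table wins, nothing leaves the host.
    print(lookup("128.66.100.10"))
    # The poster's mental model: only the main table is consulted.
    print(lookup("128.66.100.10", rules=[(32766, "main")]))
```

On a live host, `ip rule show`, `ip route show table local` and `ip route get 128.66.100.10` display the same rule order, local entries and resulting decision.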

#StackBounty: #debian #linux-kernel #osx #console #qemu Generate a QEMU bootable kernel from an existing installation

Bounty: 100

I have been trying to set up QEMU to provide console output only. So far I have succeeded with the following parameters: qemu-system -curses -hda debian.img, where debian.img is a working Debian installation. No other boot related parameters are used. (N)Curses seems to be terribly buggy and slow for this purpose however, at least under a macOS host.

I found out that a better way to achieve console, non-GUI output to the terminal that qemu is launched in is by using -serial stdio -append "console=ttyAMA0" instead of -curses. This option requires you to specify a kernel with the -kernel parameter however. Is there a way I can extract a bootable kernel from my existing Debian installation that I can provide to qemu? I already tried copying vmlinux from /boot, and also followed this guide to extract the kernel from the OS, but they won’t boot under QEMU with my existing debian.img file. I believe I possibly have to supply the initrd.img from my OS to qemu as well.

Now, is it possible to keep using my existing debian.img file with a fully working OS on it, while also passing an (extracted) kernel from that image (or elsewhere if needed) to qemu using the -kernel parameter? (and the same question for the initrd.img file)
My guest OS on the debian.img file is Debian Jessie.


Get this bounty!!!

#StackBounty: #process #linux-kernel #malware how does fileless malware work on linux?

Bounty: 200

I understand the definition of fileless malware:

Malicious code that is not file based but exists in memory only… More
particularly, fileless malicious code … appends itself to an active
process in memory…

Can somebody please explain how this appending itself to an active process in memory works?

Also, what (kernel) protection/hardening is available against such attacks?


Get this bounty!!!

#StackBounty: #linux-kernel #ip #routing Understand when in the day of a life of an ICMP "echo reply" message "ip rule"…

Bounty: 100

I have a PC with two interfaces: eth0 (IP address 192.168.1.16) and eth2 (IP address 10.10.10.73). In addition, I have a host route on this PC in the main table which says that if the destination address is 172.16.1.1, then use the eth0 interface.

Now when I send an ICMP “echo request” from 172.16.1.1 to 10.10.10.73 (eth2 interface), the ICMP “echo reply” is sent out from eth0 (I have RPF disabled) using 192.168.1.16 as the source IP. This is all as expected because of this host route.

However, when I add an ip rule with selector from 10.10.10.73 and action lookup test right after rule number 0, and table test contains simply a default route using the eth2 interface, then the ICMP “echo reply” is sent out from the eth2 interface.

I’m confused about how this from 10.10.10.73 selector can match. When in the day of a life of an ICMP “echo reply” message was the source IP 10.10.10.73 so that the match occurred?


Get this bounty!!!
