5.6. Analyse d'un dump
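Analyser un dump : mdb -k $KERNEL $CORE (l'image du noyau puis l'image mémoire du crash, ici unix.0 et vmcore.0).
Démarche suivie ci-dessous : $C affiche la pile d'appels au moment du panic, ::panicinfo donne le message et l'adresse du thread fautif, ::thread -p remonte du thread au processus, ::ps et ::ptree identifient la commande et ses processus parents, enfin ::zone et le champ p_zone de proc_t indiquent la zone dans laquelle tournait le processus.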
# mdb -k unix.0 vmcore.0
Loading modules: [ unix genunix specfs dtrace ufs ssd fcp fctl emlxs px md mpt sd isp mpt_sas ip hook neti sctp arp usba nca zfs cpc random crypto wrsmd fcip logindmux ptm sppp nfs ipc lofs ]
> $C
000002a10efd0771 vpanic(0, 3, 7af45ee0, 2a10efd1178, 47bd8a00, 7af45ee0)
000002a10efd0841 zfs_panic_recover+0x38(7af45ee0, 24, 4b6, 600, 3, 0)
000002a10efd08f1 dmu_buf_hold_array_by_dnode+0xa8(5, 0, 2000, 1, 7af3b93e, 1)
000002a10efd09b1 dmu_read+0xcc(500000, a, 0, 2000, 800003ccdc3ce000, 7af3b800)
000002a10efd0a81 zfs_fillpage+0xf0(2000, 0, 601497bb6b0, 0, 2a10efd1760, 2000)
000002a10efd0b61 zfs_getpage+0x15c(60102888ac0, 601497bb6b0, 1, 0, 2a10efd1760, 2000)
000002a10efd0c41 zfs_shim_getpage+0x40(60102888ac0, 0, 3003b482160, 1, ff380000, 1)
000002a10efd0d21 fop_getpage+0x44(60102888ac0, 600a26396c0, 3003b482160, 1, ff380000, 1)
000002a10efd0df1 segvn_fault+0xb00(2000, 601497bb6b0, 1, 2000, 0, 0)
000002a10efd0fc1 as_fault+0x4c8(601497bb6b0, 30070873738, ff380000, 3007c751468, 18e8e70, 0)
000002a10efd10d1 pagefault+0xac(ff380000, 0, 1, 0, 3007c7513f0, 1)
000002a10efd1191 trap+0xd50(2a10efd1b90, ff3802e0, 0, 1, 115f8, 0)
000002a10efd12e1 utl0+0x4c(ff3803c4, ff380000, ffbff10c, 0, 3c6, 24400)
> ::panicinfo
cpu 4
thread 3003cc0b080
message zfs: accessing past end of object 24/4b6 (size=1536 access=0+8192)
tstate 4400001601
g1 7aefced4
g2 2000
g3 7af45c00
g4 600b4411640
g5 600b4f8e1c0
g6 1
g7 3003cc0b080
o0 7af45ee0
o1 2a10efd1178
o2 1892260
o3 30055788270
o4 16
o5 0
o6 2a10efd0771
o7 114fc78
pc 104bbec
npc 104bbf0
y 0
> 3003cc0b080::thread -p
ADDR PROC LWP CRED
000003003cc0b080 30055788270 30070873738 3003b482160
> 30055788270::ps -ft
S PID PPID PGID SID UID FLAGS ADDR NAME
R 991 990 533 533 0 0x4a004000 0000030055788270 tail -1 ./log/100_GENERAL_001_SOLARIS.log
T 0x3003cc0b080 <TS_ONPROC>
> 0000030055788270::ptree
0000000001892260 sched
00000600a17c1088 init
000006013e7fe5d0 sshd
000006017c3d9918 sshd
000006014f660db8 sshd
000006013e68f2a8 op
000003009eed7b30 cks_0exe.sh
00000600d36e9968 cut
0000030055788270 tail
> ::zone
ADDR ID NAME PATH
00000000019406f8 0 global /
000006011dbb5980 28 ${VM_NAME} /${VM_NAME}/root/
00000600d51ab1c0 29 ${VM_NAME} /${VM_NAME}/root/
00000301195e3840 36 ${VM_NAME} /${VM_NAME}/root/
0000060182056fc0 37 ${VM_NAME} /${VM_NAME}/root/
0000060182055980 40 ${VM_NAME} /${VM_NAME}/root/
> 0000030055788270::print proc_t!grep p_zone
p_zone = 0x6011dbb5980
> ::ps -ft
S PID PPID PGID SID UID FLAGS ADDR NAME
R 0 0 0 0 0 0x00000001 0000000001892260 sched
T t0 <TS_STOPPED>
R 3 0 0 0 0 0x00020001 00000600a17bf848 fsflush
T 0x3001171d3a0 <TS_ONPROC>
R 2 0 0 0 0 0x00020001 00000600a17c0468 pageout
T 0x3001171d6e0 <TS_SLEEP>
R 1 0 0 0 0 0x4a004000 00000600a17c1088 /sbin/init
T 0x3001171da20 <TS_SLEEP>
R 29877 1 29877 29877 0 0x5a006400 00000300560242b8 /soft/UniQPT/programs/servers/xprinter ptip92
T 0x30051698a00 <TS_SLEEP>
R 1263 1 29289 29289 44322 0x5a004400 00000300412b0700 bpbkar -L /usr/openv/netbackup/logs/user_ops/dbext /logs/vxbsa.1330837519.191.pr
T 0x301f41ced20 <TS_ONPROC>
R 1218 1 29289 29289 44322 0x5a004400 0000030179eea648 bpbkar -L /usr/openv/netbackup/logs/user_ops/dbext/logs/vxbsa.1330837519.191.pr
T 0x300a137d1a0 <TS_ONPROC>
R 1186 1 29289 29289 44322 0x5a004400 0000030089472158 bpbkar -L /usr/openv/netbackup/logs/user_ops/dbext/logs/vxbsa.1330837519.191.pr
T 0x3003e3655a0 <TS_ONPROC>
R 1172 1 29289 29289 44322 0x5a004400 00000300d0970338 bpbkar -L /usr/openv/netbackup/logs/user_ops/dbext/logs/vxbsa.1330837519.191.pr
T 0x3009d23b8c0 <TS_ONPROC>
R 1093 1 29289 29289 44322 0x5a004400 000006010fb57270 bpbkar -L /usr/openv/netbackup/logs/user_ops/dbext/logs/vxbsa.1330837519.191.pr
T 0x3021752cb40 <TS_SLEEP>
R 859 1 29289 29289 44322 0x5a004400 0000030166904d20 bpbkar -L /usr/openv/netbackup/logs/user_ops/dbext/logs/vxbsa.1330837519.191.pr
T 0x30028262540 <TS_SLEEP>
R 188 1 26455 26455 44322 0x4a004400 00000301639719d8 /usr/sap/PO1/SYS/exe/run/brconnect -S 26455
T 0x3010127a5c0 <TS_SLEEP>
Z 300 188 300 300 44322 0x4a004002 000003005616da90 oraclePO1 (DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq)))
R 26353 1 26353 26353 0 0x4a004400 000006016cdec130 bphdb -sb -rdbms sap -S pyasej -to 3600 -c pyasg7_isapbw_po1 -s FULL -clnt pyas
T 0x30069a92020 <TS_SLEEP>
R 26354 26353 26353 26353 0 0x4a004000 00000300d09ae4b8 /bin/sh /users/nbk00/exploit/script/nbk_0ls.sh >/dev/null 2>/dev/null
T 0x300fcea60e0 <TS_SLEEP>
R 26361 26354 26353 26353 0 0x4a004000 0000030166513960 /bin/sh /users/nbk00/exploit/script/nbk_0os.sh
T 0x30011f8a500 <TS_SLEEP>
R 26381 26361 26353 26353 44322 0x4a014000 00000300fc5c3990 -csh -c setenv SAP_SERVER pyasej; setenv SAP_CLASS pyasg7_isapbw_po1; brbackup
T 0x300a25b8440 <TS_SLEEP>
R 26455 26381 26455 26455 44322 0x4a004000 000003016690cd10 brbackup -c force -u / -p initPO1.sapdata.offline.bw.sap -m all
T 0x300a05fa460 <TS_SLEEP>
R 190 26455 26455 26455 44322 0x4a004000 000006014f6619d8 sh -c ( /usr/sap/PO1/SYS/exe/run/backint -u PO1 -f backup -i /oracle/PO1/sapbac
T 0x300c7167540 <TS_SLEEP>
R 191 190 26455 26455 44322 0x4a004000 00000600a2dc0c60 /usr/sap/PO1/SYS/exe/run/backint -u PO1 -f backup -i /oracle/PO1/sapbackup/.bei
T 0x301fdfef7a0 <TS_SLEEP>
R 203 191 26455 26455 44322 0x42000000 00000300d09a24d0 /usr/sap/PO1/SYS/exe/run/backint -u PO1 -f backup -i /oracle/PO1/sapbackup/.bei
T 0x3009f65c840 <TS_SLEEP>
R 202 191 26455 26455 44322 0x42000000 00000600d2769950 /usr/sap/PO1/SYS/exe/run/backint -u PO1 -f backup -i /oracle/PO1/sapbackup/.bei
T 0x3001295e3e0 <TS_SLEEP>
R 201 191 26455 26455 44322 0x42000000 000003013d6fe230 /usr/sap/PO1/SYS/exe/run/backint -u PO1 -f backup -i /oracle/PO1/sapbackup/.bei
T 0x3006a298de0 <TS_SLEEP>
R 200 191 26455 26455 44322 0x42000000 000003016690c0f0 /usr/sap/PO1/SYS/exe/run/backint -u PO1 -f backup -i /oracle/PO1/sapbackup/.bei
T 0x300a1ade700 <TS_SLEEP>
R 199 191 26455 26455 44322 0x42000000 000006010f8cc200 /usr/sap/PO1/SYS/exe/run/backint -u PO1 -f backup -i /oracle/PO1/sapbackup/.bei
T 0x30158d96220 <TS_SLEEP>
R 198 191 26455 26455 44322 0x42000000 00000300878c6ca8 /usr/sap/PO1/SYS/exe/run/backint -u PO1 -f backup -i /oracle/PO1/sapbackup/.bei
T 0x3003750bc80 <TS_SLEEP>
R 5441 1 5441 5441 9009 0x4a004400 0000030166921908 oracleDSM00 (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=BEQ)))
T 0x3015e54d6c0 <TS_SLEEP>
R 5439 1 5439 5439 9009 0x4a004400 00000300d09fe518 oracleDSM00 (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=BEQ)))
T 0x300837bc760 <TS_SLEEP>
R 5437 1 5437 5437 9009 0x4a004400 00000300d099d8b8 oracleDSM00 (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=BEQ)))
T 0x301fb7f5040 <TS_SLEEP>
R 5435 1 5435 5435 9009 0x4a004400 00000600d2b7c118 oracleDSM00 (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=B
T 0x300bf51eb20 <TS_SLEEP>
R 5433 1 5433 5433 9009 0x4a004400 00000300fa9be250 oracleDSM00 (DESCRIPTION=(LOCAL=no)(ADDRESS=(PROTOCOL=B
T 0x300114614c0 <TS_SLEEP>
> 30055788270::ps
S PID PPID PGID SID UID FLAGS ADDR NAME
R 991 990 533 533 0 0x4a004000 0000030055788270 tail
> $
> 30055788270::ps -aef
mdb: illegal option -- a
Usage: ps [-fltzTP]
> 30055788270::ps -fltz
S PID PPID PGID SID ZONE UID FLAGS ADDR NAME
R 991 990 533 533 28 0 0x4a004000 0000030055788270 tail -1 ./log/100_GENERAL_001_SOLARIS.log
T 0x3003cc0b080 <TS_ONPROC>
L 0x30070873738 ID: 1
> ::ps
> ::zone
ADDR ID NAME PATH
00000000019406f8 0 global /
000006011dbb5980 28 ${VM_NAME} /${VM_NAME}/root/
00000600d51ab1c0 29 ${VM_NAME} /${VM_NAME}/root/
00000301195e3840 36 ${VM_NAME} /${VM_NAME}/root/
0000060182056fc0 37 ${VM_NAME} /${VM_NAME}/root/
0000060182055980 40 ${VM_NAME} /${VM_NAME}/root/
> 0000030055788270::print proc_t!grep p_zone
p_zone = 0x6011dbb5980
> 30055788270::ps -fltzT
S PID PPID PGID SID TASK ZONE UID FLAGS ADDR NAME
R 991 990 533 533 359639 28 0 0x4a004000 0000030055788270 tail -1 ./log/100_GENERAL_001_SOLARIS.log
T 0x3003cc0b080 <TS_ONPROC>
L 0x30070873738 ID: 1
> 30055788270::ps -fltzTP
S PID PPID PGID SID TASK PROJ ZONE UID FLAGS ADDR NAME
R 991 990 533 533 359639 3 28 0 0x4a004000 0000030055788270 tail -1 ./log/100_GENERAL_001_SOLARI
T 0x3003cc0b080 <TS_ONPROC>
L 0x30070873738 ID: 1
Autre exemple (plate-forme x86, panic de type BAD TRAP sur un page fault) :
> ::panicinfo
cpu 7
thread fffffebbd3ce2c60
message BAD TRAP: type=e (#pf Page fault) rp=fffffe8011496c40 addr=c96610d2 occurred in module "unix" due to an illegal access to a user address
rdi c96610d2
rsi fffffeb60b4418d0
rdx fffffebbd3ce2c60
rcx fffffeb60b4418d0
r8 0
r9 0
rax 71
rbx c96610d2
rbp fffffe8011496d50
r10 34
r10 34
r11 fffffffffbd18460
r12 ffffffffa0e3f600
r13 ffffff286cd33bb8
r14 d
r15 fffffe8011496e50
fsbase ffffffff80000000
gsbase ffffffffa4c2a000
ds 43
es 43
fs 0
gs 1c3
trapno e
err 0
rip fffffffffb836310
cs 28
rflags 10206
rsp fffffe8011496d38
ss 30
gdt_hi 0
gdt_lo defacedd
idt_hi 0
idt_lo d0000fff
ldt 0
task 60
cr0 80050033
cr2 c96610d2
cr3 182c345000
> fffffebbd3ce2c60::thread -p
ADDR PROC LWP CRED
fffffebbd3ce2c60 fffffeb2a09488d8 ffffff60d65de0b0 fffffeb62b0d0830
> fffffeb2a09488d8::ps -ft
S PID PPID PGID SID UID FLAGS ADDR NAME
R 23089 23087 141 141 0 0x4a004000 fffffeb2a09488d8 format /dev/rdsk/c0t60050768018E826F5000000000000C58d0s2
T 0xfffffebbd3ce2c60 <TS_ONPROC>
T 0xfffffeb266c698c0 <TS_SLEEP>
T 0xfffffeb2a4e4b760 <TS_SLEEP>
T 0xfffffed3808538c0 <TS_ONPROC>
> fffffeb2a09488d8::ptree
fffffffffbc27720 sched
ffffffffa3745348 init
fffffeb271dcd6f0 Lance_get_all.sh
fffffeb29d9058f8 get_disques.sh
fffffeb25ee0e1f0 dc
fffffeb2a09488d8 format
> fffffeb271dcd6f0::ps -ft
S PID PPID PGID SID UID FLAGS ADDR NAME
R 19197 1 141 141 0 0x4a004000 fffffeb271dcd6f0 ${ICI SERA LE NOM DU PROCESS}
T 0xfffffeb2d5d8c780 <TS_SLEEP>