Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 26 Dec 2019 07:28:15 +0000
From: Patrick Schleizer <adrelanos@...eup.net>
To: lkrg-users@...ts.openwall.com
Subject: Re: LIST HASH IS DIFFERENT - nf_nat / nf_conntrack Linux
 version 5.3.0-0

Adam Zabrocki:
> Can you share with me a VM with that specific kernel which I can use for local 
> repro?


You mean to share a binary VM build? That is an interesting idea.

If it was a VirtualBox VM, I could export the VM and upload it
elsewhere. Then you could easily download it and re-import to reproduce
(hopefully [1]) the very same issue. Usually I don't offer that because
I thought most would refuse it (download size, time, security) but
sometimes that could be a good way to debug things.

For Qubes I don't know from the top of my head how to export/share a VM
and then how someone else could re-import that. Might be possible but
someone might have to research and document that. Even if I managed to
share the template image, we might not be using the same dom0 VM
settings (but these could be easy enough to reproduce manually).
Therefore instead I try to produce better instructions for reproduction
of this issue.

> I'm going to have limited access to the internet until 14th of Jan ;/


No worries. Keep your time.

> However, I've sucrificed one physical machine to install qubeos but it has 
> fedora not debian in dom0.

Correcting in my original report.

"Qubes, Debian buster"

There's no Qubes with Debian in dom0 yet. If there was or if I
accomplished that, that would be big news and I should explicit explain
that. More specifically:

"Qubes, in a Debian buster (debian-10) based TemplateVM"

To reproduce, first, you'd need to re-configure the VM to use VM kernel
rather than Qubes dom0 kernel as per these instructions (which were
recently simplified by me):

https://www.qubes-os.org/doc/managing-vm-kernel/#installing-kernel-in-debian-vm

in summary:

in TemplateVM:
sudo mkdir -p /boot/grub

in TemplateVM:
sudo apt install --no-install-recommends linux-image-amd64
linux-headers-amd64 grub2-common qubes-kernel-vm-support initramfs-tools
busybox

in TemplateVM:
sudo update-grub

> The Kernel setting of the Virtualization mode setting:

> If Virtualization is set to PVH -> Kernel -> choose pvgrub2-pvh -> OK


(These instructions are even compatible with minimal Debian template. [2])


Then you'd need to add

deb tor+https://deb.debian.org/debian buster-backports main

to sources.list ( /etc/apt/sources.list / /etc/apt/sources.list.d )

And install the newer kernel from backports.

sudo apt update

sudo apt-get -t buster-backports install linux-image-amd64
linux-headers-amd64


> Can you check the output of the following command?
> 
>     # cat /proc/kallsyms |grep p_arch_jump_label_transform


No output. But small chance this will help:

sudo cat /proc/kallsyms | grep p_arch
ffffffffa6fe9e60 T swsusp_arch_resume
ffffffffa6feb000 T swsusp_arch_suspend
ffffffffa7e84b6a T setup_arch
ffffffffa7fc4370 t __setup_arch_parse_efi_cmdline

> Additionally, do you see the same problem just on QubeOS or normal debian 
> installation faces the same issue?


Qubes (usual fedora dom0) with Debian TemplateVM: described above.

(Non-Qubes, plain) Debian: not yet tested. I'll report once tested.

Kind regards,
Patrick

[1] Might not reproduce due to different host system configuration, host
system CPU and whatnot.
[2] https://github.com/QubesOS/qubes-doc/pull/905

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.