IBM Support

IBM Security Guardium: Potential Solaris kernel conflict when running a DTrace application and the Guardium STAP agent on the same Solaris server

Troubleshooting


Problem

A Solaris kernel reboot can occur when a DTrace application and Guardium STAP run on the same Solaris server.

The reboot happens when these conditions are met:

1. Guardium STAP is installed.
2. DTrace is running.
3. STAP tries to hook while DTrace is running, which triggers the reboot.
 

Symptom

Operating System crash

Cause

When a DTrace script runs, it hooks the system calls and unhooks them after the script is done. If the DTrace script is running when STAP first starts, the two conflict because both hook the system calls. This conflict causes a system panic.

Environment

This problem occurs on Solaris systems running a DTrace application.

Diagnosing The Problem

The crash is caused by a stack overflow.

Resolving The Problem

To avoid this issue, the DTrace user application should not be running when STAP starts.

If the DTrace user application is running when STAP starts, STAP generates a CONF_ERROR:

    May 15 11:51:19 sol113spct ktap_108717: [ID 302146 kern.notice] Unhook_calls: can't restore system calls, addresses mismatch
    May 15 11:51:19 sol113spct ktap_108717: [ID 767152 kern.notice] 15765 (v 108717) GUARD-02: ktap_stap_ioctl: unhook failed... returning (line 6390)
    May 15 11:51:19 sol113spct guard_tap[15765]: [ID 748625 user.alert] 2020.05.15 11:51:19 GT_INTERCEPT failed: Bad address

The user must stop the DTrace application and restart STAP to fix this CONF_ERROR.
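One way to automate the two checks above, as an added example that is not IBM or Guardium code: a guard that refuses to proceed while a DTrace consumer is running, and a scan for the log messages quoted above. The function names, the `DTRACE_NAMES` variable, the assumption that the consumer's executable is named `dtrace`, and the `/var/adm/messages` path in the usage comment are illustrative assumptions.

```shell
#!/bin/sh
# Added example: pre-start guard and log check for the STAP/DTrace hook conflict.
# Assumption: DTrace consumers can be recognised by executable name.
DTRACE_NAMES="${DTRACE_NAMES:-dtrace}"

# Read process names on stdin (one per line, e.g. from `ps -e -o comm=`) and
# print those whose basename is a DTrace consumer. Returns 0 if any matched.
dtrace_consumers_in() {
    found=1
    while read -r cmd rest; do
        for name in $DTRACE_NAMES; do
            if [ "${cmd##*/}" = "$name" ]; then
                echo "$cmd"
                found=0
            fi
        done
    done
    return $found
}

# Read syslog lines on stdin and print those carrying the hook-conflict
# messages quoted on this page. Returns 0 if any matched.
stap_hook_errors_in() {
    grep -E "Unhook_calls: can't restore system calls, addresses mismatch|ktap_stap_ioctl: unhook failed|GT_INTERCEPT failed"
}

# Guard to call before starting STAP: fail while a DTrace consumer is active.
safe_to_start_stap() {
    if running=$(ps -e -o comm= | dtrace_consumers_in); then
        echo "DTrace is running; stop it before starting STAP:" >&2
        echo "$running" >&2
        return 1
    fi
    return 0
}

# Usage (paths are assumptions, adjust for the host):
#   safe_to_start_stap || exit 1        # then start STAP as usual
#   stap_hook_errors_in < /var/adm/messages
```

If `stap_hook_errors_in` prints any lines, STAP is in the CONF_ERROR state described above and needs the stop-DTrace-then-restart sequence.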

Document Location

Worldwide


Document Information

Modified date:
21 May 2020

UID

ibm16213268