Module Error: [traps]: mbatchd[123] general protection fault ip:xxx sp:xxx error:0 in mbatchd[123]

Solution In Progress - Updated -

Environment

  • Red Hat Enterprise Linux 8.10
    • Kernel Version 4.18.0-553.8.1.el8_10.x86_64
  • [traps] security module is installed

Issue

  • Application is crashing
  • Error observed in the logs
[92250.398649] traps: mbatchd[115471] general protection fault ip:617186 sp:7fda915276c0 error:0 in mbatchd[400000+d58000]

Resolution

  • Traps is a security solution by Palo Alto Networks designed to protect endpoints from malware.
  • Consult the provider of this module [traps].

Root Cause

  • The third-party security scanner [traps] appears to act as a middleman between user space and the kernel for all ongoing events.
  • These error messages are generated while accessing the [traps] module.

Diagnostic Steps

  • MODULES:
cat proc/modules | grep traps
traps 143360 3 - Live 0xffffffffc08b9000 (OE)

filename:       /lib/modules/4.18.0-553.8.1.el8_10.x86_64/traps/traps.ko
version:        00000-960d7728
description:    Traps core collects and handles system-wide security events
author:         Open Source Code Request <OSSCodeRequest@paloaltonetworks.com>
license:        GPL
rhelversion:    8.10
srcversion:     D5FE9B709CE675133D93E67
depends:
name:           traps
vermagic:       4.18.0-553.8.1.el8_10.x86_64 SMP mod_unload modversions
sig_id:         PKCS#7
signer:         www.paloaltonetworks.com
sig_key:        03:E8

$ cat ps|grep traps
user  /opt/traps/
root  /opt/traps/
  • DMESG:
[   21.821051] traps: loading out-of-tree module taints kernel.
[   21.821141] traps: module verification failed: signature and/or required key missing - tainting kernel
[   21.823358] TRAPS: --- starting ---
[   21.837138] TRAPS: [fs] strategy [0]
[   21.852446] TRAPS: [callbacks] data-proto version [1] supported [1:2]
[   21.852450] TRAPS: [callbacks] enabled providers [0x39ff] requested [0x39ff] supported [0x3fff]
[   21.852451] TRAPS: [callbacks] enabled features [0x3] requested [0x3] supported [0x3]
[   21.852498] TRAPS: [auth-link] strategy [1]
[   21.852500] TRAPS: [auth-link] enabled flows [0x50] requested [0x50] supported [0x50]
[   21.869719] TRAPS: [auth-link] connected to pid [1110]
[   24.225631] traps: mbatchd[7766] general protection fault ip:617186 sp:7f4bbd4336c0 error:0 in mbatchd[400000+d58000]
[   24.256341] TRAPS: [data-link] mapped by [1110]
[   24.849649] traps: mbatchd[7915] general protection fault ip:617186 sp:7f54155136c0 error:0 in mbatchd[400000+d58000]
[   25.081692] TRAPS: [auth-link] flow registered [6]
[   25.267061] TRAPS: [auth-link] flow registered [4]
[   55.169520] traps: mbatchd[8265] general protection fault ip:617186 sp:7fb18cee76c0 error:0 in mbatchd[400000+d58000]
[  120.700796] traps: mbatchd[8299] general protection fault ip:617186 sp:7f2734bbd6c0 error:0 in mbatchd[400000+d58000]
[  216.094940] traps: mbatchd[8321] general protection fault ip:617186 sp:7f326aa5e6c0 error:0 in mbatchd[400000+d58000]
[  341.491852] traps: mbatchd[8927] general protection fault ip:617186 sp:7f2ec23956c0 error:0 in mbatchd[400000+d58000]
[  490.867827] traps: mbatchd[9562] general protection fault ip:617186 sp:7f48225276c0 error:0 in mbatchd[400000+d58000]
[  671.348268] traps: mbatchd[9611] general protection fault ip:617186 sp:7f5729c276c0 error:0 in mbatchd[400000+d58000]
:::
mbatchd[400000+d58000]
[91072.526698] traps: mbatchd[114807] general protection fault ip:617186 sp:7fd14a5a36c0 error:0 in mbatchd[400000+d58000]
[91644.719910] traps: mbatchd[115104] general protection fault ip:617186 sp:7fb114dd06c0 error:0 in mbatchd[400000+d58000]
[92250.398649] traps: mbatchd[115471] general protection fault ip:617186 sp:7fda915276c0 error:0 in mbatchd[400000+d58000]
  • Several traps running:
$ cat ps|grep traps
root        1110  0.4  0.5 1513760 376824 ?      -    Jul18   7:15 /opt/traps/bin/pmd
root        1824  0.0  0.0 297768 54368 ?        -    Jul18   0:43 /opt/traps/python/payload/cortex-xdr-payload -config /opt/traps/python/scripts/service_main.json -type 2
root        7928  0.0  0.0 476348 28956 ?        -    Jul18   0:06 /opt/traps/bin/dypdng  -- 205
UserA+    7940  0.0  0.1 255132 70460 ?        -    Jul18   0:01 /opt/traps/ltee/lted -type 2 -config ltee_decryptor.json
UserA+    7953  0.0  0.0 115412  2912 ?        -    Jul18   0:00 /opt/traps/analyzerd/analyzerd 210 213 219
UserA+    7978  0.0  0.0 255132 58608 ?        -    Jul18   0:00 /opt/traps/ltee/lted -type 2 -config ltee_decryptor.json
UserA+    7979  0.0  0.0 255132 57804 ?        -    Jul18   0:00 /opt/traps/ltee/lted -type 2 -config ltee_decryptor.json
UserA+    7980  0.0  0.0 255132 57804 ?        -    Jul18   0:00 /opt/traps/ltee/lted -type 2 -config ltee_decryptor.json
UserA+    7981  0.0  0.0 255132 57804 ?        -    Jul18   0:00 /opt/traps/ltee/lted -type 2 -config ltee_decryptor.json
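
The repeated fault lines in the DMESG output above can be triaged mechanically before contacting the vendor. The following is an added example, not part of the original article or of any vendor tooling: it parses the fault lines, checks that `ip` lies inside the reported mapping, and groups the crashes by location. The function names (`parse_faults`, `summarize`) are hypothetical, and the line format is assumed to be the one shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DMESG excerpt on this page.
SAMPLE = """\
[   24.225631] traps: mbatchd[7766] general protection fault ip:617186 sp:7f4bbd4336c0 error:0 in mbatchd[400000+d58000]
[   24.256341] TRAPS: [data-link] mapped by [1110]
[   24.849649] traps: mbatchd[7915] general protection fault ip:617186 sp:7f54155136c0 error:0 in mbatchd[400000+d58000]
[92250.398649] traps: mbatchd[115471] general protection fault ip:617186 sp:7fda915276c0 error:0 in mbatchd[400000+d58000]
"""

# Line shape as shown on this page: "traps: comm[pid] <kind> ip:.. sp:.. error:.. in obj[base+size]"
FAULT_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+traps:\s+(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]\s+"
    r"(?P<kind>.+?)\s+ip:(?P<ip>[0-9a-f]+)\s+sp:(?P<sp>[0-9a-f]+)\s+error:(?P<err>[0-9a-f]+)"
    r"(?:\s+in\s+(?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def parse_faults(text):
    """Return one record per fault line; other lines (e.g. 'TRAPS: ...') are skipped."""
    faults = []
    for line in text.splitlines():
        m = FAULT_RE.search(line)
        if not m:
            continue
        ip, offset = int(m["ip"], 16), None
        if m["base"] is not None:
            base, size = int(m["base"], 16), int(m["size"], 16)
            if base <= ip < base + size:   # only trust the offset if ip lies in the mapping
                offset = ip - base
        faults.append({"ts": float(m["ts"]), "comm": m["comm"], "pid": int(m["pid"]),
                       "kind": m["kind"], "ip": ip, "obj": m["obj"], "offset": offset})
    return faults

def summarize(faults):
    """Group faults by (comm, kind, ip, offset) to show whether crashes share one location."""
    groups = defaultdict(list)
    for f in faults:
        groups[(f["comm"], f["kind"], f["ip"], f["offset"])].append(f)
    return [{"comm": c, "kind": k, "ip": hex(ip),
             "offset": None if off is None else hex(off),
             "count": len(v), "pids": sorted(f["pid"] for f in v),
             "first_ts": min(f["ts"] for f in v), "last_ts": max(f["ts"] for f in v)}
            for (c, k, ip, off), v in groups.items()]

if __name__ == "__main__":
    for row in summarize(parse_faults(SAMPLE)):
        print(row)
```

On the sample lines this yields a single group: every mbatchd restart faults at the same instruction pointer, at the same offset from the start of the mbatchd mapping.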
