
Restore macOS kernel_panics table on modern macOS #7585

Merged

Conversation

mike-myers-tob
Member

@mike-myers-tob mike-myers-tob commented May 6, 2022

Fixes #7215 by unwrapping a light layer of undocumented obfuscation (JSON) that Apple added to their semi-structured plaintext kernel panic log files up through macOS 10.15. Some columns don't appear to exist anymore, or might just be missing from my crash dump: dependencies, last_unloaded, etc.

  • attempt to read the registers column, but unfortunately the data is not there anymore (at least since macOS 10.14)
  • same for module_backtrace column, but unfortunately the data is not there anymore (at least since macOS 10.14)
  • test on M1 Mac
  • test on macOS 10.15
  • test on macOS 10.14
  • test on macOS 11.x (skipped, since the formats in 10.15.6 and 12.3.1 are exactly the same)
  • clean up and clang-format

Example of table working to parse a crash dump:

mmyers@mmyerss-Mac build % ./osquery/osqueryi
Using a virtual database. Need help, type '.help'
osquery> .mode line
osquery> select * from kernel_panics;
            path = /Library/Logs/DiagnosticReports/Kernel-2022-05-05-173858.panic
            time = 2022-05-05 17:38:58.00 -0700
       registers = 
 frame_backtrace = 0xffffffe0735e3210 : 0xffffff8019c83e2d
module_backtrace = 
    dependencies = 
            name = dtrace
      os_version = 21E258
  kernel_version = Darwin Kernel Version 21.4.0: Fri Mar 18 00:45:05 PDT 2022; root:xnu-8020.101.4~15/RELEASE_X86_64
    system_model = VMware7,1 (Mac-5F9802EFE386AA28)
          uptime = 779382986226
     last_loaded = |IOAVB!F 1040.6 (addr 0xffffff7fb2b2f000, size 77824)
   last_unloaded = 

@mike-myers-tob mike-myers-tob added bug macOS macOS Big Sur For things pertaining to macOS 11.0 macOS Monterey For things pertaining to macOS 12.0 labels May 6, 2022
@linux-foundation-easycla

linux-foundation-easycla bot commented May 6, 2022

CLA Signed

The committers listed above are authorized under a signed CLA.

@mike-myers-tob mike-myers-tob added this to the 5.4.0 milestone May 6, 2022
@mike-myers-tob
Member Author

Interestingly, the kernel panic log format in macOS 12 is also the exact same format I just saw generated in macOS 10.15.7.

@mike-myers-tob mike-myers-tob changed the title Parse x86 macOS12 kernel panic log format Restore macOS kernel panic log table on x86 May 11, 2022
@mike-myers-tob mike-myers-tob force-pushed the mike/fix_7215_macOS_kernel_panics branch from ec1d392 to b9558d1 Compare May 11, 2022 23:09
@mike-myers-tob
Member Author

The following content is just no longer present in panic logs. I will try to find when it was last present, but right now these just can't be filled in:

  1. registers (Apple stopped capturing this in the log)
  2. module_backtrace unless it is present only in certain circumstances. I only have one kernel panic I can create.
  3. dependencies (same reason)

The uptime field isn't logged in a very accessible way on M1. It could maybe be derived as a difference between mach_absolute_time and Boot (Epoch Time), or maybe that's not it either. When in doubt, I just left it so it's blank on M1.
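As an added illustration (not osquery's code and not part of the PR), a standalone parser for the JSON-wrapped .panic file the description refers to, which also shows the columns the comment above says are no longer present coming out blank instead of breaking the row. The two-line JSON wrapper, the "panicString" key and the legacy text labels are my assumptions about the format; the field values are the ones shown in the osqueryi output earlier in the PR.

```python
import json
import re

# Constructed sample. ASSUMED layout (my reading of post-10.15 .panic files, not from the PR):
# line 1 is a JSON header, line 2 a JSON body whose "panicString" holds the legacy text report.
_PANIC_TEXT = """panic(cpu 0 caller 0xffffff8019c83e2d): "dtrace: panic action" (constructed)
Backtrace (CPU 0), Frame : Return Address
0xffffffe0735e3210 : 0xffffff8019c83e2d

BSD process name corresponding to current thread: dtrace
Mac OS version:
21E258

Kernel version:
Darwin Kernel Version 21.4.0: Fri Mar 18 00:45:05 PDT 2022; root:xnu-8020.101.4~15/RELEASE_X86_64
System model name: VMware7,1 (Mac-5F9802EFE386AA28)
System uptime in nanoseconds: 779382986226
last loaded kext at 775382986226: |IOAVB!F 1040.6 (addr 0xffffff7fb2b2f000, size 77824)
"""
SAMPLE_FILE = (
    json.dumps({"bug_type": "210", "timestamp": "2022-05-05 17:38:58.00 -0700",
                "os_version": "macOS 12.3.1 (21E258)", "incident_id": "CONSTRUCTED"})
    + "\n" + json.dumps({"build": "macOS 12.3.1 (21E258)", "panicString": _PANIC_TEXT}) + "\n"
)

def _find(text, pattern):
    """First capture group of `pattern` (multiline), or '' so dropped columns stay blank."""
    m = re.search(pattern, text, re.M)
    return m.group(1).strip() if m else ""

def parse_panic_file(contents, path):
    """Turn one JSON-wrapped .panic file into a kernel_panics-style row (all strings)."""
    header, body = (json.loads(line) for line in contents.splitlines()[:2])
    text = body.get("panicString") or body.get("macOSPanicString", "")  # ASSUMED key names
    kexts = _find(text, r"^Kernel Extensions in backtrace:\n((?:.+\n?)+)")
    return {
        "path": path,
        "time": header.get("timestamp", ""),
        "registers": "",  # Apple no longer records registers in the log (see the PR)
        "frame_backtrace": ", ".join(re.findall(r"^(0x[0-9a-f]+ : 0x[0-9a-f]+)", text, re.M)),
        "module_backtrace": ", ".join(l.strip() for l in kexts.splitlines()),
        "dependencies": ", ".join(re.findall(r"^\s*dependency:\s*(.*)$", text, re.M)),
        "name": _find(text, r"^BSD process name corresponding to current thread:[ \t]*(.*)$"),
        "os_version": _find(text, r"^Mac OS version:\n(.*)$"),
        "kernel_version": _find(text, r"^Kernel version:\n(.*)$"),
        "system_model": _find(text, r"^System model name:[ \t]*(.*)$"),
        "uptime": _find(text, r"^System uptime in nanoseconds:[ \t]*(.*)$"),
        "last_loaded": _find(text, r"^last loaded kext at \d+:[ \t]*(.*)$"),
        "last_unloaded": _find(text, r"^last unloaded kext at \d+:[ \t]*(.*)$"),
    }
```

Point it at the real files by reading each entry of /Library/Logs/DiagnosticReports/ and passing the contents and path to parse_panic_file.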

@mike-myers-tob mike-myers-tob marked this pull request as ready for review May 13, 2022 23:55
@mike-myers-tob mike-myers-tob requested review from a team as code owners May 13, 2022 23:55
@mike-myers-tob
Member Author

A note for reviewers: macOS sweeps this log directory for kernel panic logs older than say, a week, and puts them in a subdirectory called Retired. Should osquery be looking there as well?

@mike-myers-tob
Member Author

Another interesting note: switching the macOS system language to non-English does not appear to change the content of a kernel panic file, which is still created in English. So there are no internationalization concerns with this table.

@mike-myers-tob
Member Author

For reviewers who wish to test, see issue #7215 for instructions on creating your own panic log file, or download one of mine and extract to the /Library/Logs/DiagnosticReports/ directory.

@mike-myers-tob mike-myers-tob changed the title Restore macOS kernel panic log table on x86 Restore macOS kernel_panics table on modern macOS Jun 22, 2022
@mike-myers-tob
Member Author

Bumping this to 5.5 until it gets reviewed but maybe after I get approver rights I can trade @sharvilshah for a review? :-)

@mike-myers-tob mike-myers-tob modified the milestones: 5.4.0, 5.5.0 Jul 6, 2022
Member

@sharvilshah sharvilshah left a comment


While I can't induce kernel panics on my machine (don't have access to disable SIP to do the dtrace panic() trick), tested with all the attached panic logs, and it works great!

@mike-myers-tob
Copy link
Member Author

Thanks! I guess you have no more open PRs so I'll have to review the next one 😆

@mike-myers-tob mike-myers-tob merged commit 9f94afb into osquery:master Jul 9, 2022
@mike-myers-tob mike-myers-tob deleted the mike/fix_7215_macOS_kernel_panics branch July 9, 2022 01:40
Successfully merging this pull request may close these issues.

Empty kernel_panics table after macOS 10.15