Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 20 Dec 2018 03:25:03 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: insmod: ERROR: could not insert module p_lkrg.ko:
 No buffer space available

Hi,

I've just checked 4.19.10 kernel under Ubuntu:

	root@...-ubuntu:~/zzz/bypass/legit/new-mitigation/lkrg-main# insmod output/p_lkrg.ko p_init_log_level=0
	root@...-ubuntu:~/zzz/bypass/legit/new-mitigation/lkrg-main# dmesg|tail
	[  951.305810] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
	[ 1251.307384] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
	[ 1454.690891] p_lkrg: loading out-of-tree module taints kernel.
	[ 1454.690940] p_lkrg: module verification failed: signature and/or required key missing - tainting kernel
	[ 1454.692507] [p_lkrg] Loading LKRG...
	[ 1455.286597] [p_lkrg] LKRG initialized successfully!
	root@...-ubuntu:~/zzz/bypass/legit/new-mitigation/lkrg-main# uname -a
	Linux pi3-ubuntu 4.19.10-041910-generic #201812170433 SMP Mon Dec 17 09:35:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
	root@...-ubuntu:~/zzz/bypass/legit/new-mitigation/lkrg-main#

so everything works fine. Kernel which I've used is this one:

https://kernel.ubuntu.com/~kernel-ppa/mainline/v4.19.10/

I believe you have not standard configuration of your kernel (like previously 
you've enabled dynamic kernel module support but at the same time you've 
disabled unloading of them - CONFIG_MODULE_UNLOAD=n).

Nevertheless, I suspect you did not use CONFIG_ARCH_HAS_SYSCALL_WRAPPER which 
is enabled by default on all modern kernels. LKRG should correctly detect that 
but I've missed that you can still compile new kernels (4.17+) without 
CONFIG_ARCH_HAS_SYSCALL_WRAPPER. I will try to address it soon.

Until I do it, you can try to compile kernel with that CONFIG option or 
manually change LKRG code. You can fix it by replacing following line of code 
in "lkrg-main/src/modules/exploit_detection/p_exploit_detection.h" file:

- #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,17,0)
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,17,0) && defined(CONFIG_ARCH_HAS_SYSCALL_WRAPPER)

Thanks,
Adam

On Wed, Dec 19, 2018 at 11:35:27AM +0100, bryn1u85 wrote:
> My output.
> 
> [root@...alhost lkrg-main]# dmesg | tail -20
> [    3.836920] cryptd: max_cpu_qlen set to 1000
> [    3.851179] AVX2 version of gcm_enc/dec engaged.
> [    3.851180] AES CTR mode by8 optimization enabled
> [    3.905981] EXT4-fs (vda1): mounted filesystem with ordered data mode.
> Opts: (null)
> [    4.125758] Adding 7077884k swap on /dev/mapper/centos-swap.
> Priority:-2 extents:1 across:7077884k FS
> [    4.757109] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
> [   11.546012] random: crng init done
> [   11.546017] random: 7 urandom warning(s) missed due to ratelimiting
> [  296.265199] p_lkrg: loading out-of-tree module taints kernel.
> [  296.265283] p_lkrg: module verification failed: signature and/or
> required key missing - tainting kernel
> [  296.266610] [p_lkrg] Loading LKRG...
> [  296.302774] [p_lkrg] Can't initialize exploit detection features!
> Exiting...
> [  315.920095] [p_lkrg] Loading LKRG...
> [  315.950728] [p_lkrg] Can't initialize exploit detection features!
> Exiting...
> [  342.557674] [p_lkrg] Loading LKRG...
> [  342.589567] [p_lkrg] Can't initialize exploit detection features!
> Exiting...
> [41040.104115] [p_lkrg] Loading LKRG...
> [41040.117676] [p_lkrg] [kretprobe] register_kretprobe() for
> <__x64_sys_execve> failed! [err=-38]
> [41040.118335] [p_lkrg] ERROR: Can't hook execve syscall :(
> [41040.139079] [p_lkrg] Can't initialize exploit detection features!
> Exiting...
> [root@...alhost lkrg-main]#
> 
> 
> śr., 19 gru 2018 o 03:51 Adam Zabrocki <pi3@....com.pl> napisał(a):
> 
> > On Tue, Dec 18, 2018 at 09:03:44PM +0100, bryn1u85 wrote:
> > > hey guys,
> > >
> > > I recompiled kernel to kernel-4.19.10. After that im trying to run lkrg
> > but
> > > im getting errors like below:
> > >
> > >
> > > [root@...alhost output]# insmod p_lkrg.ko
> > > insmod: ERROR: could not insert module p_lkrg.ko: No buffer space
> > available
> > > [root@...alhost output]#
> > >
> > > [   97.954081] p_lkrg: loading out-of-tree module taints kernel.
> > > [   97.954346] p_lkrg: module verification failed: signature and/or
> > > required key missing - tainting kernel
> > > [   97.955845] [p_lkrg] Loading LKRG...
> > > [   97.990086] [p_lkrg] Can't initialize exploit detection features!
> > > Exiting...
> > > [root@...alhost output]#
> > >
> > > What can i do in this situation ?
> > > Thanks !
> >
> > Hi,
> >
> > I believe you've already asked the same question a few times.
> > Alexander replied to you here:
> >
> > https://www.openwall.com/lists/lkrg-users/2018/12/06/1
> >
> > Additionally, that can be useful for you too:
> >
> >
> > https://forums.gentoo.org/viewtopic-p-8247498.html?sid=72c22d571ef610bb77a41150177a2939#8247498
> >
> > In short:
> >
> > "For the future reference, if you would like to know why LKRG fails
> > initialization you can try this simple scenario:
> > LKRG module has a parameter p_init_log_level which defines default
> > log_level
> > which is going to be used during initialization. You can read more about
> > log_level option (and in general about communication channel) here:
> >
> > https://openwall.info/wiki/p_lkrg/Examples#Communication-channel
> >
> > In short it might be a number between 0-4 or 0-6 (if debugging compilation
> > was
> > used). If LKRG fails initialization I'm suggesting to use at least
> > number 4 for this parameter (e.g. # insmod p_lkrg.ko p_init_log_level=4).
> > It
> > will give more information about the root of the problem. If debug option
> > is
> > enabled number 5 and 6 is also available but you need to be carefully
> > using it
> > to not spam the kernel with too many logs."
> >
> > Thanks,
> > Adam
> >
> > --
> > pi3 (pi3ki31ny) - pi3 (at) itsec pl
> > http://pi3.com.pl
> >

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.