Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 20 Dec 2018 03:25:03 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: insmod: ERROR: could not insert module p_lkrg.ko:
 No buffer space available

Hi,

I've just checked 4.19.10 kernel under Ubuntu:

	root@...-ubuntu:~/zzz/bypass/legit/new-mitigation/lkrg-main# insmod output/p_lkrg.ko p_init_log_level=0
	root@...-ubuntu:~/zzz/bypass/legit/new-mitigation/lkrg-main# dmesg|tail
	[  951.305810] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
	[ 1251.307384] hv_balloon: Balloon request will be partially fulfilled. Balloon floor reached.
	[ 1454.690891] p_lkrg: loading out-of-tree module taints kernel.
	[ 1454.690940] p_lkrg: module verification failed: signature and/or required key missing - tainting kernel
	[ 1454.692507] [p_lkrg] Loading LKRG...
	[ 1455.286597] [p_lkrg] LKRG initialized successfully!
	root@...-ubuntu:~/zzz/bypass/legit/new-mitigation/lkrg-main# uname -a
	Linux pi3-ubuntu 4.19.10-041910-generic #201812170433 SMP Mon Dec 17 09:35:34 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
	root@...-ubuntu:~/zzz/bypass/legit/new-mitigation/lkrg-main#

so everything works fine. Kernel which I've used is this one:

https://kernel.ubuntu.com/~kernel-ppa/mainline/v4.19.10/

I believe you have not standard configuration of your kernel (like previously 
you've enabled dynamic kernel module support but at the same time you've 
disabled unloading of them - CONFIG_MODULE_UNLOAD=n).

Nevertheless, I suspect you did not use CONFIG_ARCH_HAS_SYSCALL_WRAPPER which 
is enabled by default on all modern kernels. LKRG should correctly detect that 
but I've missed that you can still compile new kernels (4.17+) without 
CONFIG_ARCH_HAS_SYSCALL_WRAPPER. I will try to address it soon.

Until I do it, you can try to compile kernel with that CONFIG option or 
manually change LKRG code. You can fix it by replacing following line of code 
in "lkrg-main/src/modules/exploit_detection/p_exploit_detection.h" file:

- #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,17,0)
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,17,0) && defined(CONFIG_ARCH_HAS_SYSCALL_WRAPPER)

Thanks,
Adam

On Wed, Dec 19, 2018 at 11:35:27AM +0100, bryn1u85 wrote:
> My output.
> 
> [root@...alhost lkrg-main]# dmesg | tail -20
> [    3.836920] cryptd: max_cpu_qlen set to 1000
> [    3.851179] AVX2 version of gcm_enc/dec engaged.
> [    3.851180] AES CTR mode by8 optimization enabled
> [    3.905981] EXT4-fs (vda1): mounted filesystem with ordered data mode.
> Opts: (null)
> [    4.125758] Adding 7077884k swap on /dev/mapper/centos-swap.
> Priority:-2 extents:1 across:7077884k FS
> [    4.757109] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
> [   11.546012] random: crng init done
> [   11.546017] random: 7 urandom warning(s) missed due to ratelimiting
> [  296.265199] p_lkrg: loading out-of-tree module taints kernel.
> [  296.265283] p_lkrg: module verification failed: signature and/or
> required key missing - tainting kernel
> [  296.266610] [p_lkrg] Loading LKRG...
> [  296.302774] [p_lkrg] Can't initialize exploit detection features!
> Exiting...
> [  315.920095] [p_lkrg] Loading LKRG...
> [  315.950728] [p_lkrg] Can't initialize exploit detection features!
> Exiting...
> [  342.557674] [p_lkrg] Loading LKRG...
> [  342.589567] [p_lkrg] Can't initialize exploit detection features!
> Exiting...
> [41040.104115] [p_lkrg] Loading LKRG...
> [41040.117676] [p_lkrg] [kretprobe] register_kretprobe() for
> <__x64_sys_execve> failed! [err=-38]
> [41040.118335] [p_lkrg] ERROR: Can't hook execve syscall :(
> [41040.139079] [p_lkrg] Can't initialize exploit detection features!
> Exiting...
> [root@...alhost lkrg-main]#
> 
> 
> śr., 19 gru 2018 o 03:51 Adam Zabrocki <pi3@....com.pl> napisał(a):
> 
> > On Tue, Dec 18, 2018 at 09:03:44PM +0100, bryn1u85 wrote:
> > > hey guys,
> > >
> > > I recompiled kernel to kernel-4.19.10. After that im trying to run lkrg
> > but
> > > im getting errors like below:
> > >
> > >
> > > [root@...alhost output]# insmod p_lkrg.ko
> > > insmod: ERROR: could not insert module p_lkrg.ko: No buffer space
> > available
> > > [root@...alhost output]#
> > >
> > > [   97.954081] p_lkrg: loading out-of-tree module taints kernel.
> > > [   97.954346] p_lkrg: module verification failed: signature and/or
> > > required key missing - tainting kernel
> > > [   97.955845] [p_lkrg] Loading LKRG...
> > > [   97.990086] [p_lkrg] Can't initialize exploit detection features!
> > > Exiting...
> > > [root@...alhost output]#
> > >
> > > What can i do in this situation ?
> > > Thanks !
> >
> > Hi,
> >
> > I believe you've already asked the same question a few times.
> > Alexander replied to you here:
> >
> > https://www.openwall.com/lists/lkrg-users/2018/12/06/1
> >
> > Additionally, that can be useful for you too:
> >
> >
> > https://forums.gentoo.org/viewtopic-p-8247498.html?sid=72c22d571ef610bb77a41150177a2939#8247498
> >
> > In short:
> >
> > "For the future reference, if you would like to know why LKRG fails
> > initialization you can try this simple scenario:
> > LKRG module has a parameter p_init_log_level which defines default
> > log_level
> > which is going to be used during initialization. You can read more about
> > log_level option (and in general about communication channel) here:
> >
> > https://openwall.info/wiki/p_lkrg/Examples#Communication-channel
> >
> > In short it might be a number between 0-4 or 0-6 (if debugging compilation
> > was
> > used). If LKRG fails initialization I'm suggesting to use at least
> > number 4 for this parameter (e.g. # insmod p_lkrg.ko p_init_log_level=4).
> > It
> > will give more information about the root of the problem. If debug option
> > is
> > enabled number 5 and 6 is also available but you need to be carefully
> > using it
> > to not spam the kernel with too many logs."
> >
> > Thanks,
> > Adam
> >
> > --
> > pi3 (pi3ki31ny) - pi3 (at) itsec pl
> > http://pi3.com.pl
> >

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.