Date: Thu, 3 Dec 2020 07:57:48 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: Corrupted 'off' flag

Hi

Sorry for the late reply. However, I've been working on adding new debugging 
logic to the LKRG code.
I have a few questions:
 - Do you have any ftrace* related tools which might run in the background, 
especially around the time when you see that problem? It could be any perf* 
tool as well, since they use the tracing infrastructure under the hood.
 - New LKRG's debugging infrastructure can independently track state for each 
process. However, it requires a lot more memory. If you are willing to enable 
it, it will produce much more useful information which I can use. To be able to 
do it, please uncomment the following definition in the file:
 
  "src/modules/print_log/p_lkrg_log_level_shared.h"
  /* Do we want to precisely track changes of 'off' flag per each process?
   * If yes, uncomment it here */
  #define P_LKRG_TASK_OFF_DEBUG

 - If you have enough resources and successfully load such a build of LKRG, you 
should see more debug information in the logs when such a problem appears.

The newest Linux kernel changed the behavior of KPROBES and FTRACE and I'm 
actively researching these changes. It is worth noting that if FTRACE is 
disabled, e.g. via /proc/sys/kernel/ftrace_enabled, it can affect KPROBES as 
well. Some tools heavily use such an interface.

Thanks,
Adam

On Tue, Nov 17, 2020 at 11:30:34AM +0000, Paweł Krawczyk wrote:
> 
> Seeing these periodically:
> 
> Nov 17 11:25:18 curie kernel: [p_lkrg] <Exploit Detection> ON
> process[25086 | last] has corrupted 'off' flag!
> 
> Nov 17 11:25:18 curie kernel: [p_lkrg] <Exploit Detection> Trying to
> kill process[last | 25086]!
> 
> 
> I suspect this is the `last` command being run periodically by Wazuh.
> When run as root from the command line, LKRG doesn't kick in. No harm done
> otherwise, so just reporting this as a minor annoyance.
> 
> Kernel:
> 
> Linux curie 5.4.0-54-generic #60-Ubuntu SMP Fri Nov 6 10:37:59 UTC 2020
> x86_64 x86_64 x86_64 GNU/Linux
> 
> 
> LKRG is the latest git branch pulled & compiled yesterday.
> 



-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl
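
Added example, not part of the original thread and not LKRG code: a small log triage script that groups the corrupted 'off' flag reports quoted above by process name and shows the gaps between them, which helps line the events up with a periodic job or a tracing tool running at the same time. The sample log is constructed from the two message shapes in the report; the `examplecmd` entry, the extra timestamps and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the two message shapes quoted in the thread.
# "examplecmd" is a hypothetical second process name.
SAMPLE_LOG = """\
Nov 17 11:25:18 curie kernel: [p_lkrg] <Exploit Detection> ON process[25086 | last] has corrupted 'off' flag!
Nov 17 11:25:18 curie kernel: [p_lkrg] <Exploit Detection> Trying to kill process[last | 25086]!
Nov 17 11:55:18 curie kernel: [p_lkrg] <Exploit Detection> ON process[26112 | last] has corrupted 'off' flag!
Nov 17 12:25:19 curie kernel: [p_lkrg] <Exploit Detection> ON process[27340 | last] has corrupted 'off' flag!
Nov 17 12:40:02 curie kernel: [p_lkrg] <Exploit Detection> ON process[27811 | examplecmd] has corrupted 'off' flag!
"""

# Only the detection line is matched; the "Trying to kill" follow-up
# (name first, pid second) describes the same event and is skipped.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*\[p_lkrg\]"
    r".*process\[(?P<pid>\d+)\s*\|\s*(?P<comm>[^\]]+?)\s*\]\s+has corrupted 'off' flag"
)

def off_flag_events(text, year=2020):
    """Return [(datetime, pid, comm)] for each corrupted 'off' flag report."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m["pid"]), m["comm"]))
    return events

def summarize(events):
    """Per process name: hit count and gaps in seconds between consecutive hits."""
    by_comm = defaultdict(list)
    for ts, _pid, comm in sorted(events):
        by_comm[comm].append(ts)
    return {
        comm: {"count": len(t),
               "gaps_s": [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]}
        for comm, t in by_comm.items()
    }

if __name__ == "__main__":
    for comm, info in summarize(off_flag_events(SAMPLE_LOG)).items():
        print(comm, info)
```

Near-constant gaps for one process name point at a scheduled job; the timestamps can then be compared with when any ftrace or perf based tooling was active.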
