Date: Thu, 3 Dec 2020 07:58:03 +0100 From: Adam Zabrocki <pi3@....com.pl> To: lkrg-users@...ts.openwall.com Subject: Re: p_lkrg] <Exploit Detection> Trying to kill process[ThreadPoolSingl | 2170]! Hi Sorry for late reply. However, I've been working on adding a new debugging logic to the LKRG code. I have a few questions: - Do you have any ftrace* related tools which might run in the background? Especially, around the time when you see that problem? It could be any perf* tool as well since they are using tracing infrastructure under the hood - New LKRG's debugging infrastructure can independently track state for each process. However, it requires a lot more memory. If you are willing to enable it, it will produce much more useful information which I can use. To be able to do it, please uncomment the following definition in the file: "src/modules/print_log/p_lkrg_log_level_shared.h" /* Do we want to precisely track changes of 'off' flag per each process? * If yes, uncomment it here */ #define P_LKRG_TASK_OFF_DEBUG - If you have anough resource and sucessfully load such build of LKRG, you should see more debug information in the logs when such problem appears. The newest Linux kernel changed the behavior of KPROBES and FTRACE and I'm actively researching these changes. It is worth to note that if FTRACE is being disabled e.g. via /proc/sys/kernel/ftrace_enabled it can affect KPROBES as well. Some tools heavily using such interface. Thanks, Adam On Mon, Nov 16, 2020 at 09:25:10PM +0100, Jacek wrote: > Hi > > OS Gentoo: > > Linux version 5.9.8-g1 (root@...ek) (gcc (Gentoo Hardened 9.3.0-r1 p3) > 9.3.0, GNU ld (Gentoo 2.34 p6) 2.34.0) #2 SMP PREEMPT Thu Nov 12 07:29:29 > CET 2020 > > LKRG: > > filename: /lib/modules/5.9.8-g1/extra/p_lkrg.ko > license: GPL v2 > description: pi3's Linux kernel Runtime Guard > author: Adam 'pi3' Zabrocki (http://pi3.com.pl) > srcversion: 40A527C8D5D5D19B610FE2F > depends: > retpoline: Y > name: p_lkrg > vermagic: 5.9.8-g1 SMP preempt mod_unload modversions RANDSTRUCT_PLUGIN_7c046b7d45f5b82e76f627aadaefa3bc69fdd9ae1cd91b61e72d98512ef164aa > > Git log: > > # root ~> git log |head -n 20 > commit 4cfb2b3474b813b0f2c424bbbcd7c1c456fb8f6e > Author: disrupttheflow <68149206+disrupttheflow@...rs.noreply.github.com> > Date: Mon Nov 16 12:28:23 2020 +0000 > > Add correct repository to clone from in README (#25) > > commit 645983fbf687c4bddb3c62c19a37d7db380bf927 > Author: Mariusz Zaborski <oshogbo@...illium.org> > Date: Fri Nov 6 19:29:40 2020 +0100 > > ptrace: replace ptrace kprobes with security_ptrace_access_check > > commit ca8237ed2251a6f4ae03fe8e549662465f26d347 > Merge: 37d5520 5db3f98 > Author: Adam 'pi3' Zabrocki <65244445+Adam-pi3@...rs.noreply.github.com> > Date: Sat Nov 7 08:52:18 2020 -0800 > > Merge pull request #23 from oshogbo/kill > > umh: Kill process using the proper SIGKILL signal. > > > Akreator (RSS client from KDE) > > # user ~> akregator > [506:1:0100/000000.026569:ERROR:broker_posix.cc(43)] Invalid node channel > message > Unicestwiony > > LKRG error (from dmesg): > > [ 806.873553] [p_lkrg] <Exploit Detection> ON process[2170 | > Chrome_IOThread] has corrupted 'off' flag! > [ 806.873555] [p_lkrg] <Exploit Detection> Trying to kill > process[ThreadPoolSingl | 2170]! > > Cheers > > > > > -- pi3 (pi3ki31ny) - pi3 (at) itsec pl http://pi3.com.pl
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.