Date: Thu, 3 Dec 2020 07:58:03 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: p_lkrg] <Exploit Detection> Trying to kill process[ThreadPoolSingl | 2170]!

Hi

Sorry for the late reply. However, I've been working on adding new debugging 
logic to the LKRG code.
I have a few questions:
 - Do you have any ftrace* related tools which might run in the background, 
especially around the time when you see that problem? It could be any perf* 
tool as well, since they use the tracing infrastructure under the hood.
 - LKRG's new debugging infrastructure can independently track state for each 
process. However, it requires a lot more memory. If you are willing to enable 
it, it will produce much more useful information which I can use. To do so, 
please uncomment the following definition in the file:
 
  "src/modules/print_log/p_lkrg_log_level_shared.h"
  /* Do we want to precisely track changes of 'off' flag per each process?
   * If yes, uncomment it here */
  #define P_LKRG_TASK_OFF_DEBUG

 - If you have enough resources and successfully load such a build of LKRG, you 
should see more debug information in the logs when the problem appears.

The newest Linux kernel changed the behavior of KPROBES and FTRACE, and I'm 
actively researching these changes. It is worth noting that if FTRACE is 
disabled, e.g. via /proc/sys/kernel/ftrace_enabled, it can affect KPROBES 
as well. Some tools heavily use such an interface.

Thanks,
Adam

On Mon, Nov 16, 2020 at 09:25:10PM +0100, Jacek wrote:
> Hi
> 
> OS Gentoo:
> 
> Linux version 5.9.8-g1 (root@...ek) (gcc (Gentoo Hardened 9.3.0-r1 p3)
> 9.3.0, GNU ld (Gentoo 2.34 p6) 2.34.0) #2 SMP PREEMPT Thu Nov 12 07:29:29
> CET 2020
> 
> LKRG:
> 
> filename:       /lib/modules/5.9.8-g1/extra/p_lkrg.ko
> license:        GPL v2
> description:    pi3's Linux kernel Runtime Guard
> author:         Adam 'pi3' Zabrocki (http://pi3.com.pl)
> srcversion:     40A527C8D5D5D19B610FE2F
> depends:
> retpoline:      Y
> name:           p_lkrg
> vermagic:       5.9.8-g1 SMP preempt mod_unload modversions RANDSTRUCT_PLUGIN_7c046b7d45f5b82e76f627aadaefa3bc69fdd9ae1cd91b61e72d98512ef164aa
> 
> Git log:
> 
> # root ~> git log |head -n 20
> commit 4cfb2b3474b813b0f2c424bbbcd7c1c456fb8f6e
> Author: disrupttheflow <68149206+disrupttheflow@...rs.noreply.github.com>
> Date:   Mon Nov 16 12:28:23 2020 +0000
> 
>     Add correct repository to clone from in README (#25)
> 
> commit 645983fbf687c4bddb3c62c19a37d7db380bf927
> Author: Mariusz Zaborski <oshogbo@...illium.org>
> Date:   Fri Nov 6 19:29:40 2020 +0100
> 
>     ptrace: replace ptrace kprobes with security_ptrace_access_check
> 
> commit ca8237ed2251a6f4ae03fe8e549662465f26d347
> Merge: 37d5520 5db3f98
> Author: Adam 'pi3' Zabrocki <65244445+Adam-pi3@...rs.noreply.github.com>
> Date:   Sat Nov 7 08:52:18 2020 -0800
> 
>     Merge pull request #23 from oshogbo/kill
> 
>     umh: Kill process using the proper SIGKILL signal.
> 
> 
> Akregator (RSS client from KDE)
> 
> # user ~> akregator
> [506:1:0100/000000.026569:ERROR:broker_posix.cc(43)] Invalid node channel
> message
> Unicestwiony
> 
> LKRG error (from dmesg):
> 
> [  806.873553] [p_lkrg] <Exploit Detection> ON process[2170 |
> Chrome_IOThread] has corrupted 'off' flag!
> [  806.873555] [p_lkrg] <Exploit Detection> Trying to kill
> process[ThreadPoolSingl | 2170]!
> 
> Cheers
> 

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl
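The two dmesg lines Jacek quoted are the raw material a log pipeline would have to parse before anyone can correlate a "corrupted 'off' flag" detection with the kill that follows it. The following is an added example written for this archive page, not code from the thread or from the LKRG project; it assumes only the two message shapes shown above (note that LKRG prints the process once as `[PID | COMM]` and once as `[COMM | PID]`) and uses a constructed dmesg sample built from them.

```python
import re
from collections import defaultdict

# Constructed sample: the two LKRG lines quoted in the thread plus one unrelated line.
SAMPLE_DMESG = """\
[  806.873553] [p_lkrg] <Exploit Detection> ON process[2170 | Chrome_IOThread] has corrupted 'off' flag!
[  806.873555] [p_lkrg] <Exploit Detection> Trying to kill process[ThreadPoolSingl | 2170]!
[  807.001200] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# "[ timestamp] [p_lkrg] <Subsystem> message"
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+\[p_lkrg\]\s+<(?P<subsystem>[^>]+)>\s+(?P<msg>.*)$"
)
# The process is printed either as process[PID | COMM] or process[COMM | PID].
PROC_RE = re.compile(r"process\[(?P<a>[^|\]]+?)\s*\|\s*(?P<b>[^\]]+?)\]")


def parse_line(line):
    """Return a dict for an LKRG log line, or None for lines from other subsystems."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    event = {"ts": float(m["ts"]), "subsystem": m["subsystem"], "msg": msg,
             "pid": None, "comm": None,
             "action": "kill" if msg.startswith("Trying to kill") else "detect"}
    p = PROC_RE.search(msg)
    if p:
        a, b = p["a"].strip(), p["b"].strip()
        if a.isdigit():            # process[PID | COMM]
            event["pid"], event["comm"] = int(a), b
        elif b.isdigit():          # process[COMM | PID]
            event["pid"], event["comm"] = int(b), a
    return event


def correlate(text):
    """Group LKRG events by PID. The quoted log shows one PID under two thread
    names (comm is truncated to 15 characters by the kernel), so each incident
    keeps the set of names seen and the ordered list of events."""
    incidents = defaultdict(lambda: {"comms": set(), "events": []})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["pid"] is None:
            continue
        incidents[ev["pid"]]["comms"].add(ev["comm"])
        incidents[ev["pid"]]["events"].append(ev)
    return dict(incidents)
```

Feeding `correlate()` the sample yields a single incident for PID 2170 with both thread names and the detect/kill sequence in order, which is the unit a SOC would alert on rather than two unrelated kernel messages.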
