Date: Thu, 3 Dec 2020 09:03:25 +0100
From: Jacek <wampir990@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: [lkrg-users] Corrupted 'off' flag - Firefox

Hi

OS:

Gentoo

Linux version 5.9.12-g1 (root@...ek) (gcc (Gentoo Hardened 9.3.0-r1 p3) 9.3.0, GNU ld (Gentoo 2.34 p6) 2.34.0) #1 SMP PREEMPT Wed Dec 2 23:36:00 CET 2020

# root ~> modinfo p_lkrg
filename:       /lib/modules/5.9.12-g1/extra/p_lkrg.ko
license:        GPL v2
description:    pi3's Linux kernel Runtime Guard
author:         Adam 'pi3' Zabrocki (http://pi3.com.pl)
srcversion:     3FEDA79783B6E9B589C2852
depends:
retpoline:      Y
name:           p_lkrg
vermagic:       5.9.12-g1 SMP preempt mod_unload modversions RANDSTRUCT_PLUGIN_1c1dfe302635f9ddb26d74dc1b6ce870700aa48d1ff2f88ca73c57d9881613ef

# G1 Gentuś ###   Thu Dec 03 08:59:47  domek : /ssdtmp/lkrg

# root ~> git log | head -n 20
commit d051bc28026729f50b2a38051d55e47e60db4e04
Author: Adam_pi3 <pi3@....com.pl>
Date:   Tue Dec 1 16:47:19 2020 -0500

    Fix debug task logic for seccomp

    Track child in case of SECCOMP_FILTER_FLAG_TSYNC flag

commit 24f4156516b839da1c025639ac4a9bae7bdf3747
Author: Adam_pi3 <pi3@....com.pl>
Date:   Sun Nov 29 20:47:47 2020 -0500

    Add task debugging infrastructure

    This is a relatively heavy feature. It introduces a possibility of having a 'ring-buffer' for each tracked task in the kernel. Such a buffer keeps a history of important events (from LKRG perspective) related to this task

commit 1b84b006c753982bc9772083a0cc5ac869db9414
Author: Mariusz Zaborski <oshogbo@...illium.org>
Date:   Fri Nov 27 18:36:58 2020 +0100


Firefox error - LKRG log:

[18787.744246] [p_lkrg] <Exploit Detection> ON process[1223 | firefox] has corrupted 'off' flag!
[18787.744248] [p_lkrg] 'off' flag[0x0] (normalization via 0x539df534979a561)
[18787.744249] [p_lkrg] OFF debug: normalization[0x539df534979a561] cookie[0xa5dfb3f95d0555dd]
[18787.744250] [p_lkrg] Process[1223 | firefox] Parent[1 | init] has [20] entries:
[18787.744251] [p_lkrg]  => caller[p_sys_execve_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744252] [p_lkrg]  => caller[p_sys_execve_ret] action[RESET] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744253] [p_lkrg]  => caller[p_override_creds_entry] action[OVERRIDE OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744254] [p_lkrg] Stack trace:
[18787.744263]  p_override_creds_entry+0x91/0xd0 [p_lkrg]
[18787.744268]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744270]  opt_pre_handler+0x47/0x80
[18787.744273]  optimized_callback+0xbc/0xe0
[18787.744274]  0xffffffffc03f930e
[18787.744275] [p_lkrg]  => caller[p_revert_creds_ret] action[OVERRIDE ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744275] [p_lkrg] Stack trace:
[18787.744280]  p_revert_creds_entry+0x87/0xc0 [p_lkrg]
[18787.744282]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744283]  opt_pre_handler+0x47/0x80
[18787.744285]  optimized_callback+0xbc/0xe0
[18787.744285]  0xffffffffc03f9388
[18787.744286] [p_lkrg]  => caller[p_sys_execve_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744287] [p_lkrg]  => caller[p_sys_execve_ret] action[ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744287] [p_lkrg]  => caller[p_sys_execve_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744288] [p_lkrg]  => caller[p_sys_execve_ret] action[RESET] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744289] [p_lkrg]  => caller[p_override_creds_entry] action[OVERRIDE OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744289] [p_lkrg] Stack trace:
[18787.744293]  p_override_creds_entry+0x91/0xd0 [p_lkrg]
[18787.744295]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744296]  opt_pre_handler+0x47/0x80
[18787.744297]  optimized_callback+0xbc/0xe0
[18787.744298]  0xffffffffc03f930e
[18787.744298] [p_lkrg]  => caller[p_revert_creds_ret] action[OVERRIDE ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744299] [p_lkrg] Stack trace:
[18787.744302]  p_revert_creds_entry+0x87/0xc0 [p_lkrg]
[18787.744305]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744306]  opt_pre_handler+0x47/0x80
[18787.744307]  optimized_callback+0xbc/0xe0
[18787.744307]  0xffffffffc03f9388
[18787.744308] [p_lkrg]  => caller[p_sys_execve_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744309] [p_lkrg]  => caller[p_sys_execve_ret] action[RESET] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744309] [p_lkrg]  => caller[p_override_creds_entry] action[OVERRIDE OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744310] [p_lkrg] Stack trace:
[18787.744313]  p_override_creds_entry+0x91/0xd0 [p_lkrg]
[18787.744315]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744316]  opt_pre_handler+0x47/0x80
[18787.744317]  optimized_callback+0xbc/0xe0
[18787.744318]  0xffffffffc03f930e
[18787.744318] [p_lkrg]  => caller[p_revert_creds_ret] action[OVERRIDE ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744319] [p_lkrg] Stack trace:
[18787.744323]  p_revert_creds_entry+0x87/0xc0 [p_lkrg]
[18787.744324]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744325]  opt_pre_handler+0x47/0x80
[18787.744326]  optimized_callback+0xbc/0xe0
[18787.744327]  0xffffffffc03f9388
[18787.744328] [p_lkrg]  => caller[p_cap_task_prctl_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744328] [p_lkrg]  => caller[p_cap_task_prctl_ret] action[ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744329] [p_lkrg]  => caller[p_seccomp_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744329] [p_lkrg]  => caller[p_seccomp_ret] action[ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744330] [p_lkrg]  => caller[p_seccomp_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744330] [p_lkrg]  => caller[p_seccomp_ret] action[ON] old_off[0x539df534979a561] debug_val[0]
[18787.744331] [p_lkrg] <Exploit Detection> Trying to kill process[firefox | 1223]!
[18787.744335] [p_lkrg] <Exploit Detection> ON process[1223 | firefox] has corrupted 'off' flag!
[18787.744336] [p_lkrg] 'off' flag[0x0] (normalization via 0x539df534979a561)
[18787.744336] [p_lkrg] OFF debug: normalization[0x539df534979a561] cookie[0xa5dfb3f95d0555dd]
[18787.744337] [p_lkrg] Process[1223 | firefox] Parent[1 | init] has [20] entries:
[18787.744338] [p_lkrg]  => caller[p_sys_execve_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744338] [p_lkrg]  => caller[p_sys_execve_ret] action[RESET] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744339] [p_lkrg]  => caller[p_override_creds_entry] action[OVERRIDE OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744339] [p_lkrg] Stack trace:
[18787.744343]  p_override_creds_entry+0x91/0xd0 [p_lkrg]
[18787.744345]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744346]  opt_pre_handler+0x47/0x80
[18787.744347]  optimized_callback+0xbc/0xe0
[18787.744347]  0xffffffffc03f930e
[18787.744348] [p_lkrg]  => caller[p_revert_creds_ret] action[OVERRIDE ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744348] [p_lkrg] Stack trace:
[18787.744352]  p_revert_creds_entry+0x87/0xc0 [p_lkrg]
[18787.744353]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744354]  opt_pre_handler+0x47/0x80
[18787.744356]  optimized_callback+0xbc/0xe0
[18787.744356]  0xffffffffc03f9388
[18787.744357] [p_lkrg]  => caller[p_sys_execve_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744357] [p_lkrg]  => caller[p_sys_execve_ret] action[ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744358] [p_lkrg]  => caller[p_sys_execve_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744358] [p_lkrg]  => caller[p_sys_execve_ret] action[RESET] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744359] [p_lkrg]  => caller[p_override_creds_entry] action[OVERRIDE OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744359] [p_lkrg] Stack trace:
[18787.744363]  p_override_creds_entry+0x91/0xd0 [p_lkrg]
[18787.744364]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744366]  opt_pre_handler+0x47/0x80
[18787.744367]  optimized_callback+0xbc/0xe0
[18787.744367]  0xffffffffc03f930e
[18787.744368] [p_lkrg]  => caller[p_revert_creds_ret] action[OVERRIDE ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744368] [p_lkrg] Stack trace:
[18787.744371]  p_revert_creds_entry+0x87/0xc0 [p_lkrg]
[18787.744373]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744374]  opt_pre_handler+0x47/0x80
[18787.744375]  optimized_callback+0xbc/0xe0
[18787.744375]  0xffffffffc03f9388
[18787.744376] [p_lkrg]  => caller[p_sys_execve_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744376] [p_lkrg]  => caller[p_sys_execve_ret] action[RESET] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744377] [p_lkrg]  => caller[p_override_creds_entry] action[OVERRIDE OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744377] [p_lkrg] Stack trace:
[18787.744381]  p_override_creds_entry+0x91/0xd0 [p_lkrg]
[18787.744382]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744383]  opt_pre_handler+0x47/0x80
[18787.744384]  optimized_callback+0xbc/0xe0
[18787.744384]  0xffffffffc03f930e
[18787.744385] [p_lkrg]  => caller[p_revert_creds_ret] action[OVERRIDE ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744385] [p_lkrg] Stack trace:
[18787.744388]  p_revert_creds_entry+0x87/0xc0 [p_lkrg]
[18787.744390]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744391]  opt_pre_handler+0x47/0x80
[18787.744392]  optimized_callback+0xbc/0xe0
[18787.744392]  0xffffffffc03f9388
[18787.744393] [p_lkrg]  => caller[p_cap_task_prctl_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744393] [p_lkrg]  => caller[p_cap_task_prctl_ret] action[ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744394] [p_lkrg]  => caller[p_seccomp_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744394] [p_lkrg]  => caller[p_seccomp_ret] action[ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744395] [p_lkrg]  => caller[p_seccomp_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744396] [p_lkrg]  => caller[p_seccomp_ret] action[ON] old_off[0x539df534979a561] debug_val[0]
[18787.744396] [p_lkrg] <Exploit Detection> Trying to kill process[firefox | 1223]!

Cheers
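A triage helper for dumps like the one in the report above, added here as an example; it is not part of the report and not LKRG's own code. It parses the per-task history LKRG prints (caller, action, old_off, debug_val, plus the stack frames attached to some entries) and then checks, entry by entry, that each old_off matches the state the previous entry should have left the flag in, so an unbalanced entry/ret pair shows up as a concrete index instead of having to be eyeballed across 20 lines. The reading of the action names as OFF-type and ON-type transitions, and the inference of the two flag encodings from the history itself, are assumptions of this example, not something the report states. The sample input is a constructed excerpt of the dmesg lines quoted above, with the e-mail line wrapping undone.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: an excerpt of the dmesg lines quoted in the report
# above, with most of the 20 ring-buffer entries left out to keep the example
# short (so the declared count will not match the number parsed here).
SAMPLE_DMESG = """\
[18787.744246] [p_lkrg] <Exploit Detection> ON process[1223 | firefox] has corrupted 'off' flag!
[18787.744248] [p_lkrg] 'off' flag[0x0] (normalization via 0x539df534979a561)
[18787.744249] [p_lkrg] OFF debug: normalization[0x539df534979a561] cookie[0xa5dfb3f95d0555dd]
[18787.744250] [p_lkrg] Process[1223 | firefox] Parent[1 | init] has [20] entries:
[18787.744251] [p_lkrg]  => caller[p_sys_execve_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744252] [p_lkrg]  => caller[p_sys_execve_ret] action[RESET] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744253] [p_lkrg]  => caller[p_override_creds_entry] action[OVERRIDE OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744254] [p_lkrg] Stack trace:
[18787.744263]  p_override_creds_entry+0x91/0xd0 [p_lkrg]
[18787.744268]  pre_handler_kretprobe+0xaa/0x1b0
[18787.744275] [p_lkrg]  => caller[p_revert_creds_ret] action[OVERRIDE ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744328] [p_lkrg]  => caller[p_cap_task_prctl_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744328] [p_lkrg]  => caller[p_cap_task_prctl_ret] action[ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744329] [p_lkrg]  => caller[p_seccomp_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744329] [p_lkrg]  => caller[p_seccomp_ret] action[ON] old_off[0xa73bea692f34ac2] debug_val[0]
[18787.744330] [p_lkrg]  => caller[p_seccomp_entry] action[OFF] old_off[0x539df534979a561] debug_val[1]
[18787.744330] [p_lkrg]  => caller[p_seccomp_ret] action[ON] old_off[0x539df534979a561] debug_val[0]
[18787.744331] [p_lkrg] <Exploit Detection> Trying to kill process[firefox | 1223]!
"""

ENTRY_RE = re.compile(r"=> caller\[([^\]]+)\] action\[([^\]]+)\] old_off\[(0x[0-9a-f]+)\] debug_val\[(\d)\]")
HEADER_RE = re.compile(r"Process\[(\d+) \| ([^\]]+)\] Parent\[\d+ \| [^\]]+\] has \[(\d+)\] entries")
NORM_RE = re.compile(r"normalization\[(0x[0-9a-f]+)\] cookie\[(0x[0-9a-f]+)\]")
# A frame line is either "sym+0xoff/0xsize [module]" or a bare address.
FRAME_RE = re.compile(r"^\[\s*[\d.]+\]\s+(\S+\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?|0x[0-9a-f]+)$")

# Assumption of this example (not stated in the report): OFF-type actions leave
# the flag in its "off" encoding, ON-type actions restore the "on" encoding.
GOES_OFF = {"OFF", "OVERRIDE OFF"}
GOES_ON = {"ON", "RESET", "OVERRIDE ON"}

@dataclass
class Entry:
    caller: str
    action: str
    old_off: int
    debug_val: int
    frames: list = field(default_factory=list)

@dataclass
class Dump:
    pid: int = 0
    comm: str = ""
    declared: int = 0          # entry count LKRG says the ring buffer holds
    normalization: int = 0
    entries: list = field(default_factory=list)

def parse_dump(text):
    """Parse one LKRG 'corrupted off flag' report out of a dmesg excerpt,
    attaching each 'Stack trace:' block to the entry that precedes it."""
    dump, in_trace = Dump(), False
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            dump.pid, dump.comm, dump.declared = int(m[1]), m[2], int(m[3])
        elif m := NORM_RE.search(line):
            dump.normalization = int(m[1], 16)
        elif m := ENTRY_RE.search(line):
            dump.entries.append(Entry(m[1], m[2], int(m[3], 16), int(m[4])))
            in_trace = False
        elif "Stack trace:" in line:
            in_trace = True
        elif in_trace and dump.entries and (m := FRAME_RE.match(line)):
            dump.entries[-1].frames.append(m[1])
    return dump

def infer_flag_values(entries):
    """Recover the two steady-state encodings from the history itself: the value
    seen just before an OFF transition is the "on" encoding, the value seen just
    before an ON transition is the "off" encoding. Majority vote, so a single
    inconsistent entry does not skew the result."""
    on_val = Counter(e.old_off for e in entries if e.action in GOES_OFF).most_common(1)[0][0]
    off_val = Counter(e.old_off for e in entries if e.action in GOES_ON).most_common(1)[0][0]
    return on_val, off_val

def find_inconsistent(entries):
    """Indexes of entries whose old_off is not the state the previous entry
    should have left the flag in, i.e. where an entry/ret pair went unbalanced."""
    on_val, off_val = infer_flag_values(entries)
    bad = []
    for i in range(1, len(entries)):
        prev, cur = entries[i - 1], entries[i]
        if prev.action not in GOES_OFF | GOES_ON:
            raise ValueError(f"unknown action {prev.action!r} at entry {i - 1}")
        expected = off_val if prev.action in GOES_OFF else on_val
        if cur.old_off != expected:
            bad.append(i)
    return bad

if __name__ == "__main__":
    d = parse_dump(SAMPLE_DMESG)
    print(f"pid {d.pid} ({d.comm}): {len(d.entries)} of {d.declared} entries in excerpt, "
          f"normalization {d.normalization:#x}")
    for i in find_inconsistent(d.entries):
        e, p = d.entries[i], d.entries[i - 1]
        print(f"entry {i}: {e.caller} {e.action} saw old_off {e.old_off:#x}, "
              f"not what entry {i - 1} ({p.caller} {p.action}) should have left")
```

On this excerpt the only flagged entry is the final p_seccomp_ret: it is an ON-type action that saw old_off 0x539df534979a561, the value every other entry in both dumps above sees only when turning the flag OFF, so the second seccomp entry/ret pair is the one that did not balance. Feeding the full 20-entry history through the same check gives the same single index; what caused it is not something the log alone establishes.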

