Date: Sat, 5 Dec 2020 18:53:24 +0100 From: Solar Designer <solar@...nwall.com> To: lkrg-users@...ts.openwall.com Subject: Re: p_lkrg] <Exploit Detection> Trying to kill process[ThreadPoolSingl | 2170]! On Sat, Dec 05, 2020 at 06:06:39PM +0100, Adam Zabrocki wrote: > Thanks for the report. I've just pushed fix for it. Can you verify if it helps? Thanks, Adam! I think we should note in here that our understanding is that this bug was introduced into LKRG on November 9 in: "ptrace: replace ptrace kprobes with security_ptrace_access_check" https://github.com/openwall/lkrg/commit/645983fbf687c4bddb3c62c19a37d7db380bf927 That was a simplification I had suggested - hooking just one internal function instead of three ptrace(2) syscall functions. I overlooked that the kernel uses the newly hooked function in more places (not only for ptrace(2), but also for some procfs accesses) and that those may be reached by the kernel with deliberately temporarily overridden credentials (it does crazy things like that to implement access(2), faccessat(2), and such, which is one of the reasons why we need that "off" flag). Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.