Message-ID: <20191127193520.GA29311@pi3.com.pl>
Date: Wed, 27 Nov 2019 20:35:20 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: lkrg-0.7 implicit declaration of 'stack_trace_print'

Hi,

It looks like LKRG can't find function execve in the kernel. Do you have some 
kind of non-standard kernel compilation? Can you show me the output of the 
command:

cat /proc/kallsyms|grep -i execve

Thanks,
Adam


On Wed, Nov 27, 2019 at 08:31:46PM +0100, Michael de Lang wrote:
> Hey Adam,
> 
> Thanks! It seems to compile now, but now I get the following error
> message when trying to start it with systemctl. Am I missing another
> kernel feature perhaps?
> 
> nov 27 20:29:26 oipo systemd[1]: Starting Linux Kernel Runtime Guard...
> -- Subject: A start job for unit lkrg.service has begun execution
> -- Defined-By: systemd
> -- Support: http://www.ubuntu.com/support
> --
> -- A start job for unit lkrg.service has begun execution.
> --
> -- The job identifier is 4822.
> nov 27 20:29:26 oipo kernel: [p_lkrg] Loading LKRG...
> nov 27 20:29:26 oipo kernel: Freezing user space processes ...
> (elapsed 0.007 seconds) done.
> nov 27 20:29:26 oipo kernel: OOM killer disabled.
> nov 27 20:29:26 oipo kernel: [p_lkrg] Verifying 21 potential UMH paths
> for whitelisting...
> nov 27 20:29:26 oipo kernel: [p_lkrg] 5 UMH paths were whitelisted...
> nov 27 20:29:26 oipo kernel: [p_lkrg] [kretprobe] register_kretprobe()
> for <__x64_sys_execve> failed! [err=-38]
> nov 27 20:29:26 oipo kernel: [p_lkrg] ERROR: Can't hook execve syscall :(
> nov 27 20:29:26 oipo kernel: [p_lkrg] Can't initialize exploit
> detection features! Exiting...
> nov 27 20:29:26 oipo kernel: OOM killer enabled.
> nov 27 20:29:26 oipo kernel: Restarting tasks ... done.
> nov 27 20:29:26 oipo modprobe[27242]: modprobe: ERROR: could not
> insert 'p_lkrg': No buffer space available
> nov 27 20:29:26 oipo systemd[1]: lkrg.service: Control process exited,
> code=exited, status=1/FAILURE
> 
> 
> Kind regards,
> Michael de Lang
> 
> 
> On Wed, 27 Nov 2019 at 20:15, Adam Zabrocki <pi3@....com.pl> wrote:
> >
> > Hi,
> >
> > I've just pushed a new commit which should address this issue. LKRG should be
> > able to compile and run on the kernels without CONFIG_STACKTRACE:
> >
> > https://bitbucket.org/Adam_pi3/lkrg-main/commits/196266c5eda079022f3876fa625089a7063269ef
> >
> > Thanks,
> > Adam
> >
> > On Sat, Nov 23, 2019 at 06:44:25AM +0100, Adam Zabrocki wrote:
> > > Hi,
> > >
> > > I believe your kernel might not be compiled with CONFIG_STACKTRACE option. This
> > > specific call is useful for debugging purpose and it is not critical. It is
> > > recommended to have kernel compiled with CONFIG_STACKTRACE however as a
> > > temporary fix you might just comment call to this function.
> > >
> > > Thanks,
> > > Adam
> > >
> > > On Thu, Nov 21, 2019 at 07:38:48PM +0100, Michael de Lang wrote:
> > > > Hello,
> > > >
> > > > When compiling lkrg-0.7 on Ubuntu 19.10 and kernel 5.40-rc7 I get the
> > > > following error:
> > > >
> > > > $ make
> > > > make -C /lib/modules/5.4.0-rc7-custom/build M=/home/oipo/Downloads/lkrg-0.7
> > > > modules
> > > > make[1]: Entering directory '/usr/src/linux-headers-5.4.0-rc7-custom'
> > > >   CC [M]
> > > >  /home/oipo/Downloads/lkrg-0.7/src/modules/exploit_detection/p_exploit_detection.o
> > > > /home/oipo/Downloads/lkrg-0.7/src/modules/exploit_detection/p_exploit_detection.c:
> > > > In function ‘p_ed_enforce_pcfi’:
> > > > /home/oipo/Downloads/lkrg-0.7/src/modules/exploit_detection/p_exploit_detection.c:1092:7:
> > > > error: implicit declaration of function ‘stack_trace_print’; did you mean
> > > > ‘acpi_trace_point’? [-Werror=implicit-function-declaration]
> > > >  1092 |       stack_trace_print(p_trace.entries, p_trace.nr_entries, 0);
> > > >       |       ^~~~~~~~~~~~~~~~~
> > > >       |       acpi_trace_point
> > > > cc1: some warnings being treated as errors
> > > > make[2]: *** [scripts/Makefile.build:266:
> > > > /home/oipo/Downloads/lkrg-0.7/src/modules/exploit_detection/p_exploit_detection.o]
> > > > Error 1
> > > > make[1]: *** [Makefile:1652: /home/oipo/Downloads/lkrg-0.7] Error 2
> > > > make[1]: Leaving directory '/usr/src/linux-headers-5.4.0-rc7-custom'
> > > > make: *** [Makefile:91: all] Error 2
> > > >
> > > > Including linux/ftrace did not seem to resolve this.
> > > >
> > > > Kind regards,
> > > > Michael de Lang
> > >
> > > --
> > > pi3 (pi3ki31ny) - pi3 (at) itsec pl
> > > http://pi3.com.pl
> > >
> >
> > --
> > pi3 (pi3ki31ny) - pi3 (at) itsec pl
> > http://pi3.com.pl
> >

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl
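
Added example, not part of the original messages and not LKRG code: a preflight check for the two problems in this thread, run against a kernel config file and kallsyms-format text. It checks CONFIG_STACKTRACE and the `__x64_sys_execve` symbol from the log above; the CONFIG_KPROBES and CONFIG_KRETPROBES checks are an assumption added here (kretprobes depend on them, and err=-38 is ENOSYS on Linux), and the function names and sample inputs are constructed.

```shell
#!/bin/sh
# Usage on a live system (paths are typical, adjust as needed):
#   lkrg_preflight "/boot/config-$(uname -r)" /proc/kallsyms

# Return 0 if the option is built in (=y) in the given kernel config file.
config_enabled() {
    grep -q "^$1=y\$" "$2"
}

# Return 0 if a symbol with exactly this name appears in kallsyms-format
# text (columns: address, type, name, optional [module]).
symbol_present() {
    awk -v s="$1" '$3 == s { found = 1 } END { exit !found }' "$2"
}

# Print a space-separated list of missing prerequisites (empty if none)
# and return non-zero when anything is missing.
lkrg_preflight() {
    cfg=$1; syms=$2; missing=""
    # CONFIG_STACKTRACE: needed for stack_trace_print() (first report).
    # CONFIG_KPROBES/CONFIG_KRETPROBES: assumed relevant to the
    # register_kretprobe() failure (second report).
    for opt in CONFIG_STACKTRACE CONFIG_KPROBES CONFIG_KRETPROBES; do
        config_enabled "$opt" "$cfg" || missing="$missing $opt"
    done
    # The symbol the log shows LKRG trying to hook.
    symbol_present __x64_sys_execve "$syms" || missing="$missing sym:__x64_sys_execve"
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample inputs (not taken from the reporter's machine): a config
# without kprobes support and a kallsyms excerpt that lists the execve symbols.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config" <<'EOF'
CONFIG_STACKTRACE=y
# CONFIG_KPROBES is not set
EOF
cat > "$demo_dir/kallsyms" <<'EOF'
0000000000000000 T __x64_sys_execve
0000000000000000 T __x64_sys_execveat
0000000000000000 T do_execve
EOF
lkrg_preflight "$demo_dir/config" "$demo_dir/kallsyms" || echo "preflight failed"
```
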
