Message-ID: <20191127201055.GA29638@pi3.com.pl>
Date: Wed, 27 Nov 2019 21:10:55 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: lkrg-0.7 implicit declaration of 'stack_trace_print'

Hi,

Do you have KPROBES compiled in? Can you execute:

  cat /boot/config-$(uname -r) |grep -i 'kprobe\|kretprobe'

Thanks,
Adam

On Wed, Nov 27, 2019 at 08:37:24PM +0100, Michael de Lang wrote:
> Hey,
> 
> I did compile my own kernel, yes. I can give you the config file if
> that would make it easier.
> 
> The output is as follows:
> 
> $ cat /proc/kallsyms|grep -i execve
> 0000000000000000 t audit_log_execve_info
> 0000000000000000 t __do_execve_file.isra.0
> 0000000000000000 T do_execve_file
> 0000000000000000 T do_execve
> 0000000000000000 T do_execveat
> 0000000000000000 T __x64_sys_execve
> 0000000000000000 T __ia32_sys_execve
> 0000000000000000 T __x64_sys_execveat
> 0000000000000000 T __ia32_sys_execveat
> 0000000000000000 T __ia32_compat_sys_execve
> 0000000000000000 T __x32_compat_sys_execve
> 0000000000000000 T __ia32_compat_sys_execveat
> 0000000000000000 T __x32_compat_sys_execveat
> 
> 
> Kind regards,
> Michael de Lang
> 
> On Wed, 27 Nov 2019 at 20:35, Adam Zabrocki <pi3@....com.pl> wrote:
> >
> > Hi,
> >
> > It looks like LKRG can't find function execve in the kernel. Do you have some
> > kind of non-standard kernel compilation? Can you show me the output of the
> > command:
> >
> > cat /proc/kallsyms|grep -i execve
> >
> > Thanks,
> > Adam
> >
> >
> > On Wed, Nov 27, 2019 at 08:31:46PM +0100, Michael de Lang wrote:
> > > Hey Adam,
> > >
> > > Thanks! It seems to compile now, but now I get the following error
> > > message when trying to start it with systemctl. Am I missing another
> > > kernel feature perhaps?
> > >
> > > nov 27 20:29:26 oipo systemd[1]: Starting Linux Kernel Runtime Guard...
> > > -- Subject: A start job for unit lkrg.service has begun execution
> > > -- Defined-By: systemd
> > > -- Support: http://www.ubuntu.com/support
> > > --
> > > -- A start job for unit lkrg.service has begun execution.
> > > --
> > > -- The job identifier is 4822.
> > > nov 27 20:29:26 oipo kernel: [p_lkrg] Loading LKRG...
> > > nov 27 20:29:26 oipo kernel: Freezing user space processes ...
> > > (elapsed 0.007 seconds) done.
> > > nov 27 20:29:26 oipo kernel: OOM killer disabled.
> > > nov 27 20:29:26 oipo kernel: [p_lkrg] Verifying 21 potential UMH paths
> > > for whitelisting...
> > > > nov 27 20:29:26 oipo kernel: [p_lkrg] 5 UMH paths were whitelisted...
> > > nov 27 20:29:26 oipo kernel: [p_lkrg] [kretprobe] register_kretprobe()
> > > for <__x64_sys_execve> failed! [err=-38]
> > > nov 27 20:29:26 oipo kernel: [p_lkrg] ERROR: Can't hook execve syscall :(
> > > nov 27 20:29:26 oipo kernel: [p_lkrg] Can't initialize exploit
> > > detection features! Exiting...
> > > nov 27 20:29:26 oipo kernel: OOM killer enabled.
> > > nov 27 20:29:26 oipo kernel: Restarting tasks ... done.
> > > nov 27 20:29:26 oipo modprobe[27242]: modprobe: ERROR: could not
> > > insert 'p_lkrg': No buffer space available
> > > nov 27 20:29:26 oipo systemd[1]: lkrg.service: Control process exited,
> > > code=exited, status=1/FAILURE
> > >
> > >
> > > > Kind regards,
> > > > Michael de Lang
> > >
> > >
> > > On Wed, 27 Nov 2019 at 20:15, Adam Zabrocki <pi3@....com.pl> wrote:
> > > >
> > > > Hi,
> > > >
> > > > I've just pushed a new commit which should address this issue. LKRG should be
> > > > able to compile and run on the kernels without CONFIG_STACKTRACE:
> > > >
> > > > https://bitbucket.org/Adam_pi3/lkrg-main/commits/196266c5eda079022f3876fa625089a7063269ef
> > > >
> > > > Thanks,
> > > > Adam
> > > >
> > > > On Sat, Nov 23, 2019 at 06:44:25AM +0100, Adam Zabrocki wrote:
> > > > > Hi,
> > > > >
> > > > > > I believe your kernel might not be compiled with the CONFIG_STACKTRACE option. This
> > > > > > specific call is useful for debugging purposes and it is not critical. It is
> > > > > > recommended to have the kernel compiled with CONFIG_STACKTRACE; however, as a
> > > > > > temporary fix you might just comment out the call to this function.
> > > > >
> > > > > Thanks,
> > > > > Adam
> > > > >
> > > > > On Thu, Nov 21, 2019 at 07:38:48PM +0100, Michael de Lang wrote:
> > > > > > Hello,
> > > > > >
> > > > > > When compiling lkrg-0.7 on ubuntu 19.10 and kernel 5.40-rc7 I get the
> > > > > > following error:
> > > > > >
> > > > > > $ make
> > > > > > make -C /lib/modules/5.4.0-rc7-custom/build M=/home/oipo/Downloads/lkrg-0.7
> > > > > > modules
> > > > > > make[1]: Entering directory '/usr/src/linux-headers-5.4.0-rc7-custom'
> > > > > >   CC [M]
> > > > > >  /home/oipo/Downloads/lkrg-0.7/src/modules/exploit_detection/p_exploit_detection.o
> > > > > > /home/oipo/Downloads/lkrg-0.7/src/modules/exploit_detection/p_exploit_detection.c:
> > > > > > > In function ‘p_ed_enforce_pcfi’:
> > > > > > > /home/oipo/Downloads/lkrg-0.7/src/modules/exploit_detection/p_exploit_detection.c:1092:7:
> > > > > > > error: implicit declaration of function ‘stack_trace_print’; did you mean
> > > > > > > ‘acpi_trace_point’? [-Werror=implicit-function-declaration]
> > > > > >  1092 |       stack_trace_print(p_trace.entries, p_trace.nr_entries, 0);
> > > > > >       |       ^~~~~~~~~~~~~~~~~
> > > > > >       |       acpi_trace_point
> > > > > > cc1: some warnings being treated as errors
> > > > > > make[2]: *** [scripts/Makefile.build:266:
> > > > > > /home/oipo/Downloads/lkrg-0.7/src/modules/exploit_detection/p_exploit_detection.o]
> > > > > > Error 1
> > > > > > make[1]: *** [Makefile:1652: /home/oipo/Downloads/lkrg-0.7] Error 2
> > > > > > make[1]: Leaving directory '/usr/src/linux-headers-5.4.0-rc7-custom'
> > > > > > make: *** [Makefile:91: all] Error 2
> > > > > >
> > > > > > including linux/ftrace did not seem to resolve this.
> > > > > >
> > > > > > > Kind regards,
> > > > > > Michael de Lang
> > > > >
> > > > > --
> > > > > pi3 (pi3ki31ny) - pi3 (at) itsec pl
> > > > > http://pi3.com.pl
> > > > >
> > > >
> > > > --
> > > > pi3 (pi3ki31ny) - pi3 (at) itsec pl
> > > > http://pi3.com.pl
> > > >
> >
> > --
> > pi3 (pi3ki31ny) - pi3 (at) itsec pl
> > http://pi3.com.pl
> >

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl
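
The config check requested in this thread, as an added example (not part of the original messages and not LKRG's own code): it reports which of the three options named in the thread are not built in, matching exact `OPTION=y` lines so that `CONFIG_HAVE_KRETPROBES` or `# CONFIG_KPROBES is not set` do not count. The `err=-38` in the log is `-ENOSYS`; the function names and the sample config below are constructed for illustration.

```shell
#!/bin/sh
# Options mentioned in this thread only; not a full list of LKRG requirements.
THREAD_OPTS="CONFIG_KPROBES CONFIG_KRETPROBES CONFIG_STACKTRACE"

# running_kconfig: print the running kernel's config, from /boot or,
# if the kernel exposes it, from /proc/config.gz.
running_kconfig() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    else
        return 1
    fi
}

# missing_opts: read a kernel config on stdin and print, space-separated,
# every option from THREAD_OPTS that is not set to "y".
missing_opts() {
    cfg=$(cat)
    missing=""
    for opt in $THREAD_OPTS; do
        # -x matches the whole line, so commented-out entries and longer
        # names such as CONFIG_KPROBES_ON_FTRACE are not mistaken for a hit.
        if ! printf '%s\n' "$cfg" | grep -x "${opt}=y" >/dev/null; then
            missing="$missing $opt"
        fi
    done
    echo "${missing# }"
}

# Constructed sample: kprobes support is available for the architecture
# (HAVE_* symbols) but was not enabled in this build.
SAMPLE_CONFIG='CONFIG_KALLSYMS=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KRETPROBES=y
# CONFIG_KPROBES is not set
CONFIG_STACKTRACE=y'

echo "sample config is missing: $(printf '%s\n' "$SAMPLE_CONFIG" | missing_opts)"

# On a real system: running_kconfig | missing_opts
```
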
