Message-ID: <20191226044331.GA22279@pi3.com.pl>
Date: Thu, 26 Dec 2019 05:43:32 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: LIST HASH IS DIFFERENT - nf_nat / nf_conntrack Linux version 5.3.0-0

Hi Patrick,

Can you share with me a VM with that specific kernel which I can use for local repro? I'm going to have limited access to the internet until 14th of Jan ;/ However, I've sacrificed one physical machine to install Qubes OS but it has Fedora not Debian in dom0. Tomorrow I'm going to fly to Poland and won't have access to this box anymore so can't make any more tests. If you give me a VM I can try to repro it under a Hyper-V VM on my laptop.

What it looks like from the logs is that for some reason your compilation of LKRG doesn't see that this kernel is using a different JUMP_LABEL method (which LKRG supports). In short, since kernel 5.3 that specific hook is needed:

https://bitbucket.org/Adam_pi3/lkrg-main/src/master/src/modules/database/JUMP_LABEL/p_arch_jump_label_transform_apply/p_arch_jump_label_transform_apply.h

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,3,0)
int p_arch_jump_label_transform_apply_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);

Can you check the output of the following command?

# cat /proc/kallsyms |grep p_arch_jump_label_transform

Additionally, do you see the same problem just on Qubes OS, or does a normal Debian installation face the same issue?
Thanks,
Adam

On Mon, Dec 23, 2019 at 07:43:15AM -0500, Patrick Schleizer wrote:
> Qubes, Debian buster
>
> user@...t:~$ cat /proc/version
> Linux version 5.3.0-0.bpo.2-amd64 (debian-kernel@...ts.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 5.3.9-2~bpo10+1 (2019-11-13)
>
> user@...t:~$ cat /proc/cmdline
> BOOT_IMAGE=/boot/vmlinuz-5.3.0-0.bpo.2-amd64 root=/dev/xvda3 ro xen_scrub_pages=0 root=/dev/mapper/dmroot console=hvc0 console=tty0 swiotlb=8192 noresume intel_iommu=on amd_iommu=on slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 mce=0 pti=on mds=full,nosmt vsyscall=none page_alloc.shuffle=1
>
> user@...t:~$ sudo journalctl -b -o cat | grep lkrg
> p_lkrg: loading out-of-tree module taints kernel.
> p_lkrg: module verification failed: signature and/or required key missing - tainting kernel
> [p_lkrg] Loading LKRG...
> [p_lkrg] LKRG initialized successfully!
> Inserted module 'p_lkrg'
> [p_lkrg] Disabling "clean" message.
> [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x8daa4a39f8ae8401] and should be [0x25ed90ca36ee0266] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] ALERT !!! MODULE LIST HASH IS DIFFERENT !!! - it is [0x333c093b7373b41b] and should be [0xd42a3b20e4da8541] !!!
> [p_lkrg] ALERT !!! MODULE KOBJ HASH IS DIFFERENT !!! - it is [0x5f13310a27d2344f] and should be [0xbf5da19a4b5e9f8d] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 7 CHECKSUMS !!!
> [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x8daa4a39f8ae8401] and should be [0x25ed90ca36ee0266] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] ALERT !!! MODULE LIST HASH IS DIFFERENT !!! - it is [0x333c093b7373b41b] and should be [0xd42a3b20e4da8541] !!!
> [p_lkrg] ALERT !!! MODULE KOBJ HASH IS DIFFERENT !!! - it is [0x5f13310a27d2344f] and should be [0xbf5da19a4b5e9f8d] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 7 CHECKSUMS !!!
> [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x8daa4a39f8ae8401] and should be [0x25ed90ca36ee0266] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] ALERT !!! MODULE LIST HASH IS DIFFERENT !!! - it is [0x333c093b7373b41b] and should be [0xd42a3b20e4da8541] !!!
> [p_lkrg] ALERT !!! MODULE KOBJ HASH IS DIFFERENT !!! - it is [0x5f13310a27d2344f] and should be [0xbf5da19a4b5e9f8d] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 7 CHECKSUMS !!!
> [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x8daa4a39f8ae8401] and should be [0x25ed90ca36ee0266] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] ALERT !!! MODULE LIST HASH IS DIFFERENT !!! - it is [0x333c093b7373b41b] and should be [0xd42a3b20e4da8541] !!!
> [p_lkrg] ALERT !!! MODULE KOBJ HASH IS DIFFERENT !!! - it is [0x5f13310a27d2344f] and should be [0xbf5da19a4b5e9f8d] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 7 CHECKSUMS !!!
> user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/journalctl -b -o cat -u lkrg
> user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/journalctl -b -o cat -u lkrg-dkms
> [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x8daa4a39f8ae8401] and should be [0x25ed90ca36ee0266] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] ALERT !!! MODULE LIST HASH IS DIFFERENT !!! - it is [0x333c093b7373b41b] and should be [0xd42a3b20e4da8541] !!!
> [p_lkrg] ALERT !!! MODULE KOBJ HASH IS DIFFERENT !!! - it is [0x5f13310a27d2344f] and should be [0xbf5da19a4b5e9f8d] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 7 CHECKSUMS !!!
> [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x8daa4a39f8ae8401] and should be [0x25ed90ca36ee0266] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] ALERT !!! MODULE LIST HASH IS DIFFERENT !!! - it is [0x333c093b7373b41b] and should be [0xd42a3b20e4da8541] !!!
> [p_lkrg] ALERT !!! MODULE KOBJ HASH IS DIFFERENT !!! - it is [0x5f13310a27d2344f] and should be [0xbf5da19a4b5e9f8d] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
> [p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
> [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 7 CHECKSUMS !!!
>
> Kind regards,
> Patrick

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl
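The diagnosis Adam proposes combines three checks: is the kernel at or past the `KERNEL_VERSION(5,3,0)` threshold behind the `#if` guard, does `/proc/kallsyms` actually contain the `p_arch_jump_label_transform_apply_entry` hook, and which objects do the repeated LKRG alerts name. The script below is an added triage helper, not LKRG's own code, that performs those three checks over text you paste in (the output of `cat /proc/version`, `cat /proc/kallsyms` and the `journalctl` grep). The alert lines and kernel string in the sample are taken from Patrick's log; the kallsyms lines and their addresses are constructed, and the kallsyms layout assumed is the usual `address type name [module]`. The regex is written for the alert shapes visible in this thread only.

```python
import re

# Mirror of the kernel's KERNEL_VERSION(a, b, c) macro, used by the #if guard
# quoted in the thread to decide whether the 5.3+ jump_label hook is compiled in.
def kernel_version(major, minor, patch):
    return (major << 16) + (minor << 8) + patch

JUMP_LABEL_APPLY_MIN = kernel_version(5, 3, 0)

# Symbol from the header quoted in the thread; it is what
# "grep p_arch_jump_label_transform" over /proc/kallsyms is meant to find.
HOOK_SYMBOL = "p_arch_jump_label_transform_apply_entry"

def parse_proc_version(text):
    """Pull (major, minor, patch) out of a /proc/version line."""
    m = re.search(r"Linux version (\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no 'Linux version X.Y.Z' found")
    return tuple(int(g) for g in m.groups())

def needs_apply_hook(proc_version_text):
    """True when the running kernel is >= 5.3.0, i.e. the hook must be present."""
    return kernel_version(*parse_proc_version(proc_version_text)) >= JUMP_LABEL_APPLY_MIN

def hook_present(kallsyms_text, symbol=HOOK_SYMBOL):
    """Scan kallsyms-style lines ('addr type name [module]', assumed layout) for the symbol."""
    for line in kallsyms_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == symbol:
            return True
    return False

# One regex covers the three alert shapes in the log:
#   "... HASH IS DIFFERENT - it is [..]", "... HASH IS DIFFERENT !!! - it is [..]"
#   and "MODULE'S <name> HASH IS DIFFERENT it is [..]", each with an optional [KOBJ] tag.
ALERT_RE = re.compile(
    r"\[p_lkrg\] (?P<kobj>\[KOBJ\] )?ALERT !!! (?P<what>.+?) HASH IS DIFFERENT"
    r"(?: !!!)?(?: -)? it is \[(?P<cur>0x[0-9a-f]+)\] and should be \[(?P<exp>0x[0-9a-f]+)\] !!!"
)
SUMMARY_RE = re.compile(r"SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT (\d+) CHECKSUMS")

def summarize_alerts(log_text):
    """Record each mismatched object once (repeats across check rounds collapse) and the reported count."""
    mismatched = {}
    reported = None
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            key = ("kobj" if m.group("kobj") else "main", m.group("what"))
            mismatched[key] = (m.group("cur"), m.group("exp"))
            continue
        s = SUMMARY_RE.search(line)
        if s:
            reported = int(s.group(1))
    return {"mismatched": mismatched, "reported": reported}

def triage(proc_version_text, kallsyms_text, log_text):
    """Combine the three checks into one verdict dictionary."""
    result = summarize_alerts(log_text)
    result["hook_expected"] = needs_apply_hook(proc_version_text)
    result["hook_present"] = hook_present(kallsyms_text)
    # The hypothesis in the thread: kernel >= 5.3 but the hook never got built in.
    result["hook_missing"] = result["hook_expected"] and not result["hook_present"]
    # Sanity check: distinct mismatched objects should equal LKRG's own count.
    result["count_consistent"] = result["reported"] == len(result["mismatched"])
    return result

# Constructed sample input: kernel string and alert lines copied from the thread,
# kallsyms lines and addresses invented for the example.
SAMPLE_PROC_VERSION = "Linux version 5.3.0-0.bpo.2-amd64 (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 5.3.9-2~bpo10+1 (2019-11-13)"
KALLSYMS_NO_HOOK = "ffffffffc0a00000 t p_lkrg_example_sym\t[p_lkrg]\n"
KALLSYMS_WITH_HOOK = KALLSYMS_NO_HOOK + "ffffffffc0a01230 t p_arch_jump_label_transform_apply_entry\t[p_lkrg]\n"
SAMPLE_LOG = """\
[p_lkrg] Loading LKRG...
[p_lkrg] LKRG initialized successfully!
[p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x8daa4a39f8ae8401] and should be [0x25ed90ca36ee0266] !!!
[p_lkrg] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
[p_lkrg] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
[p_lkrg] ALERT !!! MODULE LIST HASH IS DIFFERENT !!! - it is [0x333c093b7373b41b] and should be [0xd42a3b20e4da8541] !!!
[p_lkrg] ALERT !!! MODULE KOBJ HASH IS DIFFERENT !!! - it is [0x5f13310a27d2344f] and should be [0xbf5da19a4b5e9f8d] !!!
[p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_conntrack> HASH IS DIFFERENT it is [0xfe2e9cd1fd5ea173] and should be [0x99dd56638030bb2b] !!!
[p_lkrg] [KOBJ] ALERT !!! MODULE'S <nf_nat> HASH IS DIFFERENT it is [0x3d9dae4aaff5f86d] and should be [0xd8e509a7b4d09682] !!!
[p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 7 CHECKSUMS !!!
"""

if __name__ == "__main__":
    verdict = triage(SAMPLE_PROC_VERSION, KALLSYMS_NO_HOOK, SAMPLE_LOG)
    for (scope, what), (cur, exp) in sorted(verdict["mismatched"].items()):
        print(f"{scope:4} {what:28} is {cur} expected {exp}")
    print("reported:", verdict["reported"], "consistent:", verdict["count_consistent"])
    print("hook expected:", verdict["hook_expected"], "present:", verdict["hook_present"],
          "-> missing:", verdict["hook_missing"])
```

On a live box you would feed `triage()` the real contents of `/proc/version`, `/proc/kallsyms` (read as root, since `kptr_restrict` otherwise zeroes the addresses) and the journal grep. A `hook_missing` verdict on a 5.3+ kernel points at the build problem described above rather than at a kernel modification, which is the distinction that matters before treating the "SYSTEM HAS BEEN COMPROMISED" line as a real incident.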