Message-ID: <20201205175324.GA8557@openwall.com>
Date: Sat, 5 Dec 2020 18:53:24 +0100
From: Solar Designer <solar@...nwall.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: p_lkrg] <Exploit Detection> Trying to kill process[ThreadPoolSingl | 2170]!

On Sat, Dec 05, 2020 at 06:06:39PM +0100, Adam Zabrocki wrote:
> Thanks for the report. I've just pushed a fix for it. Can you verify if it helps?

Thanks, Adam!

I think we should note in here that our understanding is that this bug
was introduced into LKRG on November 9 in:

"ptrace: replace ptrace kprobes with security_ptrace_access_check"
https://github.com/openwall/lkrg/commit/645983fbf687c4bddb3c62c19a37d7db380bf927

That was a simplification I had suggested - hooking just one internal
function instead of three ptrace(2) syscall functions. I overlooked
that the kernel uses the newly hooked function in more places (not only
for ptrace(2), but also for some procfs accesses) and that those may be
reached by the kernel with deliberately temporarily overridden
credentials (it does crazy things like that to implement access(2),
faccessat(2), and such, which is one of the reasons why we need that
"off" flag).

Alexander