lkrg
lkrg copied to clipboard
Published
20 hours ago •
lkrg-org
lkrg-org
Crash when killing a process following exploit detection
On two different computers running Debian sid amd64 5.16.0-4/-5, I've experienced three full system DoS of the hang variety, over the several few days after I added LKRG 0.9.2 by using the procedure from https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG .
Here's the excerpt of the kernel log from the Skylake computer. The two others on the Sandy Bridge computer were similar attempts to kill a process with corrupted name, following an exploit detection on a process named preload (which was indeed running on these computers, I've disabled it for now) at the beginning of the logs, and modprobe at the bottom of this log. I haven't checked the process name at the bottom of the logs on the Sandy Bridge computer, which is powered off at the moment. It's the time frame where the daily cronjobs run. In this log, besides the process name corruption, the PID value looks excessively high:
[806054.894177] [p_lkrg] <Exploit Detection> ON process[1390091 | preload] has corrupted 'off' flag!
[806054.894182] [p_lkrg] <Exploit Detection> Trying to kill process[<B9><94>y[<B9><94>y[<E8>^C | 65569152]!
[806054.894186] BUG: unable to handle page fault for address: 00004ccc00000000
[806054.894188] #PF: supervisor write access in kernel mode
[806054.894189] #PF: error_code(0x0002) - not-present page
[806054.894191] PGD 0 P4D 0
[806054.894194] Oops: 0002 [#1] PREEMPT SMP PTI
[806054.894196] CPU: 0 PID: 1390091 Comm: modprobe Tainted: G IOE 5.16.0-5-amd64 #1 Debian 5.16.14-1
[806054.894199] Hardware name: ASUSTeK COMPUTER INC. GL552VX/GL552VX, BIOS GL552VX.303 04/24/2019
[806054.894200] RIP: 0010:_raw_spin_lock_irqsave+0x2d/0x50
[806054.894206] Code: 00 00 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 bf 01 00 00 00 e8 da 10 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 75 07 4c 89 e0 5b 41 5c c3 89 c6 48 89 df e8 fc 55 7a
[806054.894208] RSP: 0018:ffffb5f08a943bc0 EFLAGS: 00010046
[806054.894210] RAX: 0000000000000000 RBX: 00004ccc00000000 RCX: 0000000000000000
[806054.894212] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001
[806054.894214] RBP: 00004ccc00000000 R08: 0000000000000000 R09: ffffb5f08a943a38
[806054.894215] R10: ffffb5f08a943a30 R11: ffffffffb04c4ef0 R12: 0000000000000006
[806054.894217] R13: ffff9b66cf0999c0 R14: 0000000000000001 R15: 0000000000000000
[806054.894218] FS: 0000000000000000(0000) GS:ffff9b6c61c00000(0000) knlGS:0000000000000000
[806054.894220] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[806054.894222] CR2: 00004ccc00000000 CR3: 0000000247c24005 CR4: 00000000003706f0
[806054.894224] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[806054.894225] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[806054.894227] Call Trace:
[806054.894229] <TASK>
[806054.894231] do_send_sig_info+0x34/0xb0
[806054.894236] ? security_bprm_committing_creds+0x5/0x30
[806054.894241] p_ed_is_off_off.part.0+0x48/0x4f [p_lkrg]
[806054.894255] p_set_ed_process_off.cold+0x8/0x73 [p_lkrg]
[806054.894266] p_security_bprm_committing_creds_entry+0x77/0xb0 [p_lkrg]
[806054.894277] pre_handler_kretprobe+0x8f/0x160
[806054.894281] ? security_bprm_committing_creds+0x1/0x30
[806054.894283] kprobe_ftrace_handler+0x153/0x1d0
[806054.894288] 0xffffffffc006e0c8
[806054.894293] ? security_bprm_committing_creds+0x1/0x30
[806054.894295] security_bprm_committing_creds+0x5/0x30
[806054.894298] begin_new_exec+0x581/0xa80
[806054.894301] load_elf_binary+0x70a/0x1630
[806054.894304] ? __kernel_read+0x1b1/0x2d0
[806054.894306] ? __kernel_read+0x1b1/0x2d0
[806054.894308] ? aa_get_task_label+0x4f/0xd0
[806054.894311] ? _raw_read_lock+0x13/0x30
[806054.894314] bprm_execve+0x273/0x670
[806054.894316] ? call_usermodehelper_exec_work+0xb0/0xb0
[806054.894320] kernel_execve+0x12e/0x1b0
[806054.894322] call_usermodehelper_exec_async+0xd1/0x140
[806054.894325] ? call_usermodehelper_exec_work+0xb0/0xb0
[806054.894328] elfcorehdr_read+0x40/0x40
[806054.894331] </TASK>
[806054.894332] Modules linked in: ufs qnx4 hfsplus hfs minix msdos jfs xfs p_lkrg(OE) uas usb_storage mptcp_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device nft_masq vboxnetadp(OE) bridge vboxnetflt(OE) vboxdrv(OE) stp llc cpufreq_userspace cpufreq_powersave cpufreq_ondemand cpufreq_conservative ip6_tables ip6t_REJECT nf_reject_ipv6 nft_chain_nat xt_MASQUERADE nf_nat xt_addrtype nft_limit xt_LOG nf_log_syslog xt_limit xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 nft_counter xt_CHECKSUM xt_tcpudp nft_compat nf_tables nfnetlink binfmt_misc snd_hda_codec_hdmi nls_ascii nls_cp437 snd_hda_codec_conexant vfat snd_hda_codec_generic fat ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec mei_hdcp joydev snd_hda_core snd_hwdep snd_pcm_oss x86_pkg_temp_thermal intel_powerclamp snd_mixer_oss pktcdvd coretemp
[806054.894377] snd_pcm kvm_intel kvm asus_nb_wmi asus_wmi snd_timer intel_rapl_msr iTCO_wdt snd irqbypass intel_pmc_bxt platform_profile rapl intel_cstate intel_uncore soundcore sg serio_raw sparse_keymap iTCO_vendor_support intel_pmc_core elan_i2c mei_me watchdog pcspkr rfkill processor_thermal_device_pci_legacy processor_thermal_device processor_thermal_rfim ee1004 processor_thermal_mbox mei evdev processor_thermal_rapl intel_rapl_common int3403_thermal int340x_thermal_zone int3400_thermal intel_pch_thermal intel_soc_dts_iosf acpi_thermal_rel asus_wireless acpi_pad ac efi_pstore eeprom i2c_dev ipmi_devintf ipmi_msghandler msr ecryptfs drivetemp parport_pc ppdev lp parport fuse configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic zstd_compress dm_crypt efivarfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod hid_microsoft
[806054.894426] ff_memless hid_generic usbhid sr_mod cdrom sd_mod t10_pi crc_t10dif crct10dif_generic i915 nouveau crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel rtsx_pci_sdmmc ghash_clmulni_intel mmc_core ahci libahci r8169 realtek mdio_devres mxm_wmi i2c_algo_bit libata drm_ttm_helper ttm drm_kms_helper aesni_intel cec xhci_pci rc_core crypto_simd cryptd libphy xhci_hcd rtsx_pci scsi_mod i2c_hid_acpi drm i2c_hid intel_lpss_pci intel_lpss hid idma64 scsi_common i2c_i801 usbcore i2c_smbus usb_common battery video wmi button
[806054.894456] CR2: 00004ccc00000000
[806054.894458] ---[ end trace 833996b27a6f2160 ]---
[806056.274989] RIP: 0010:_raw_spin_lock_irqsave+0x2d/0x50
[806056.274998] Code: 00 00 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 bf 01 00 00 00 e8 da 10 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 75 07 4c 89 e0 5b 41 5c c3 89 c6 48 89 df e8 fc 55 7a
[806056.275000] RSP: 0018:ffffb5f08a943bc0 EFLAGS: 00010046
[806056.275002] RAX: 0000000000000000 RBX: 00004ccc00000000 RCX: 0000000000000000
[806056.275004] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001
[806056.275006] RBP: 00004ccc00000000 R08: 0000000000000000 R09: ffffb5f08a943a38
[806056.275007] R10: ffffb5f08a943a30 R11: ffffffffb04c4ef0 R12: 0000000000000006
[806056.275009] R13: ffff9b66cf0999c0 R14: 0000000000000001 R15: 0000000000000000
[806056.275010] FS: 0000000000000000(0000) GS:ffff9b6c61c00000(0000) knlGS:0000000000000000
[806056.275012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[806056.275014] CR2: 00004ccc00000000 CR3: 0000000247c24005 CR4: 00000000003706f0
[806056.275016] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[806056.275017] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[806056.275019] note: modprobe[1390091] exited with preempt_count 3
Maybe preload is doing weird stuff which trips the exploit detection, but that shouldn't yield attempts to kill processes of corrupted names and weird PIDs, and bring the system down :)
I see several other issues reporting crashes, but they're nullptr dereferences with "#PF: supervisor instruction fetch in kernel mode", whereas this is non-nullptr dereference with "#PF: supervisor write access in kernel mode". Since the 0.9.2 release, I see no commit which could have fixed my issue.
Thank you for reporting this, @debrouxl. It's weird stuff that we need to figure out, and there's probably more than one issue here.
Is the preload that gets killed this one? - "preload is an adaptive readahead daemon. It monitors applications that users run, and by analyzing this data, predicts what applications users might run, and fetches those binaries and their dependencies into memory for faster startup times."
Edit: I think I found the preload at https://sourceforge.net/projects/preload/ and its man page at http://manpages.ubuntu.com/manpages/bionic/man8/preload.8.html
Even though LKRG logs it intends to kill preload, the crash is in context of a modprobe process, which is apparently run from the Linux kernel (via usermodehelper). And yes, somehow the info about the process to kill gets replaced with garbage between the "has corrupted" and "trying to kill" lines. In code, these two places are:
p_print_log(P_LKRG_CRIT,
"<Exploit Detection> ON process[%d | %s] has corrupted 'off' flag!\n",
p_source->p_ed_task.p_pid, p_source->p_ed_task.p_comm);
[...]
rcu_read_lock();
p_ed_kill_task_by_task(p_source->p_ed_task.p_task);
}
p_print_log(P_LKRG_CRIT,
"<Exploit Detection> Trying to kill process[%s | %d]!\n",
p_task->comm,task_pid_nr(p_task));
return send_sig_info(SIGKILL, SEND_SIG_PRIV, p_task);
Apparently, the task struct pointed to by p_source in the first snippet above isn't locked in memory when this code is running, and can get freed/replaced. This probably implies it could as well have gotten replaced before the first log message, and it's pure luck that we're only seeing the problem starting with the second log message.
Then there's the maybe-separate question of why LKRG saw off flag corruption for the process in the first place. @debrouxl Maybe it'd help @Adam-pi3 figure this out if you uncomment this line in p_lkrg_log_level_shared.h:
/* Do we want to precisely track changes of 'off' flag per each process?
* If yes, uncomment it here */
//#define P_LKRG_TASK_OFF_DEBUG
(of course, this means moving away from using the pre-made package of LKRG... which might make a difference on its own)
Just verified that there are no unexpected differences in LKRG code between our 0.9.2 release and what's in Whonix's LKRG fork's "master" branch - which I guess is the basis for the package @debrouxl installed.
In discussion with Adam, we determined that no, this is probably not a race condition. I overlooked that the two log messages use different task structs - p_source->p_ed_task (LKRG's own) vs. p_source->p_ed_task.p_task (saved pointer to the kernel's). It looks like the latter is simply not initialized in that code path.
I downloaded the lkrg-dkms 0.9.2 source package from the Kicksecure repository, uncommented the #define P_LKRG_TASK_OFF_DEBUG line, rebuilt the package and deployed it to both computers. I planned on rebooting today for deploying the modified LKRG, alongside a new version of the kernel, but the Sandy Bridge computer crashed before I got a chance to do that :)
I had left a tail -F /var/log/kern.log running through SSH on that computer; here's what my terminal scrollback contains:
[95295.024439] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[99278.944252] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[101421.337016] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[lynis]
[102581.858346] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[102581.891131] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[104621.834219] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[104621.867143] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[105141.832095] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[105382.782160] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[106002.766342] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[106322.818008] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[106983.848748] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[107423.793646] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[107423.826616] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[107803.758173] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[108645.717672] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[108645.750347] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[108826.800941] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[110786.758512] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[110986.739098] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[111046.647378] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[111847.641290] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[111907.888982] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[112589.675858] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[112889.969397] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[113010.646868] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[113891.648017] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[113931.687631] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[114191.630459] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[114611.591284] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[116612.624430] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[117435.575113] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[118417.489043] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[118417.555993] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[118717.513089] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[119437.534633] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[119777.519366] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[119837.518500] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[119958.467044] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[120138.475379] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[120199.489393] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[120619.521715] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[preload] vs orig[preload]
[121665.214668] [p_lkrg] <Exploit Detection> ON process[1389052 | preload] has corrupted 'off' flag!
[121665.214687] [p_lkrg] <Exploit Detection> Trying to kill process[usbguard-dbus | 1389580]!
[121698.149932] [p_lkrg] <Exploit Detection> ON process[1397094 | preload] has corrupted 'off' flag!
[121698.149945] [p_lkrg] <Exploit Detection> Trying to kill process[grep | 1396922]!
[121698.165806] [p_lkrg] <Exploit Detection> ON process[1397099 | preload] has corrupted 'off' flag!
[121698.165828] [p_lkrg] <Exploit Detection> Trying to kill process[ | -1922750656]!
[121698.180384] [p_lkrg] <Exploit Detection> ON process[1397103 | preload] has corrupted 'off' flag!
[121698.180392] [p_lkrg] <Exploit Detection> Trying to kill process[grep | 1396571]!
[121698.189796] [p_lkrg] <Exploit Detection> ON process[1397107 | preload] has corrupted 'off' flag!
[121698.189808] [p_lkrg] <Exploit Detection> Trying to kill process[grep | 1396829]!
[121698.202493] [p_lkrg] <Exploit Detection> ON process[1397111 | preload] has corrupted 'off' flag!
[121698.202500] [p_lkrg] <Exploit Detection> Trying to kill process[kworker/0:2 | 1372271]!
[121698.217949] [p_lkrg] <Exploit Detection> ON process[1397115 | preload] has corrupted 'off' flag!
[121698.217968] [p_lkrg] <Exploit Detection> Trying to kill process[head | 1396327]!
[121698.233725] [p_lkrg] <Exploit Detection> ON process[1397119 | preload] has corrupted 'off' flag!
[121698.233733] [p_lkrg] <Exploit Detection> Trying to kill process[kworker/0:0 | 1388679]!
[121698.246126] [p_lkrg] <Exploit Detection> ON process[1397123 | preload] has corrupted 'off' flag!
[121698.246140] [p_lkrg] <Exploit Detection> Trying to kill process[head | 1396741]!
[121698.259829] [p_lkrg] <Exploit Detection> ON process[1397127 | preload] has corrupted 'off' flag!
[121698.259837] [p_lkrg] <Exploit Detection> Trying to kill process[grep | 1396112]!
[121698.269888] [p_lkrg] <Exploit Detection> ON process[1397131 | preload] has corrupted 'off' flag!
[121698.269905] [p_lkrg] <Exploit Detection> Trying to kill process[ | 0]!
[121698.269917] BUG: unable to handle page fault for address: ffffaaca8af1c000
[121698.269922] #PF: supervisor write access in kernel mode
[121698.269927] #PF: error_code(0x0002) - not-present page
[121698.269931] PGD 100000067 P4D 100000067 PUD 1001a7067 PMD 13ca96067 PTE 0
[121698.269945] Oops: 0002 [#1] PREEMPT SMP PTI
[121698.269952] CPU: 0 PID: 1397131 Comm: modprobe Tainted: G OE 5.16.0-5-amd64 #1 Debian 5.16.14-1
[121698.269960] Hardware name: ASUSTeK Computer Inc. N53SV/N53SV, BIOS N53SV.214 08/10/2011
[121698.269965] RIP: 0010:_raw_spin_lock_irqsave+0x2d/0x50
[121698.269980] Code: 00 00 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 bf 01 00 00 00 e8 da 10 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 75 07 4c 89 e0 5b 41 5c c3 89 c6 48 89 df e8 fc 55 7a
[121698.269987] RSP: 0018:ffffaaca8c83fbc0 EFLAGS: 00010046
[121698.269993] RAX: 0000000000000000 RBX: ffffaaca8af1c000 RCX: 0000000000000000
[121698.269998] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001
[121698.270002] RBP: ffffaaca8af1c000 R08: 0000000000000000 R09: ffffaaca8c83fa38
[121698.270007] R10: ffffaaca8c83fa30 R11: ffffffff8d6c2dd8 R12: 0000000000000086
[121698.270012] R13: ffff8e3cf2d79940 R14: 0000000000000001 R15: 0000000000000000
[121698.270017] FS: 0000000000000000(0000) GS:ffff8e3f7f200000(0000) knlGS:0000000000000000
[121698.270023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[121698.270028] CR2: ffffaaca8af1c000 CR3: 00000001c262a002 CR4: 00000000000606f0
[121698.270034] Call Trace:
[121698.270039] <TASK>
[121698.270044] do_send_sig_info+0x34/0xb0
[121698.270057] ? security_bprm_committing_creds+0x5/0x30
[121698.270069] p_ed_is_off_off.part.0+0x48/0x4f [p_lkrg]
[121698.270099] p_set_ed_process_off.cold+0x8/0x73 [p_lkrg]
[121698.270124] p_security_bprm_committing_creds_entry+0x77/0xb0 [p_lkrg]
[121698.270149] pre_handler_kretprobe+0x8f/0x160
[121698.270160] ? security_bprm_committing_creds+0x1/0x30
[121698.270167] kprobe_ftrace_handler+0x153/0x1d0
[121698.270178] 0xffffffffc06a70c8
[121698.270209] ? security_bprm_committing_creds+0x1/0x30
[121698.270216] security_bprm_committing_creds+0x5/0x30
[121698.270223] begin_new_exec+0x581/0xa80
[121698.270232] load_elf_binary+0x70a/0x1630
[121698.270240] ? __kernel_read+0x1b1/0x2d0
[121698.270247] ? __kernel_read+0x1b1/0x2d0
[121698.270253] ? aa_get_task_label+0x4f/0xd0
[121698.270262] ? _raw_read_lock+0x13/0x30
[121698.270271] bprm_execve+0x273/0x670
[121698.270277] ? call_usermodehelper_exec_work+0xb0/0xb0
[121698.270288] kernel_execve+0x12e/0x1b0
[121698.270294] call_usermodehelper_exec_async+0xd1/0x140
[121698.270302] ? call_usermodehelper_exec_work+0xb0/0xb0
[121698.270310] elfcorehdr_read+0x40/0x40
[121698.270320] </TASK>
[121698.270323] Modules linked in: ufs qnx4 hfsplus hfs minix vfat msdos fat jfs xfs mptcp_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device nft_masq bridge stp llc cpufreq_userspace cpufreq_powersave cpufreq_ondemand cpufreq_conservative ip6_tables ip6t_REJECT nf_reject_ipv6 nft_chain_nat xt_MASQUERADE nf_nat nft_limit xt_LOG nf_log_syslog xt_limit xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 nft_counter xt_CHECKSUM xt_tcpudp nft_compat nf_tables nfnetlink binfmt_misc ecb crypto_simd xts dm_crypt intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi x86_pkg_temp_thermal snd_hda_codec_realtek intel_powerclamp snd_hda_codec_generic ledtrig_audio snd_hda_intel mei_hdcp snd_intel_dspcfg kvm_intel snd_intel_sdw_acpi snd_hda_codec snd_hda_core kvm snd_hwdep snd_pcm_oss irqbypass pktcdvd snd_mixer_oss rapl intel_cstate iTCO_wdt
[121698.270451] snd_pcm intel_uncore asus_nb_wmi mei_me intel_pmc_bxt asus_wmi snd_timer mei iTCO_vendor_support joydev at24 platform_profile watchdog snd sparse_keymap sg soundcore rfkill evdev ac pcspkr serio_raw wmi_bmof cpuid coretemp loop p_lkrg(OE) ipmi_devintf ipmi_msghandler msr ecryptfs drivetemp parport_pc nfsd ppdev lp auth_rpcgss parport nfs_acl lockd grace sunrpc configfs fuse ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod hid_generic usbhid hid sd_mod sr_mod t10_pi crc_t10dif cdrom crct10dif_generic i915 nouveau ahci libahci xhci_pci libata r8169 mxm_wmi drm_ttm_helper i2c_algo_bit realtek ttm xhci_hcd i2c_i801 drm_kms_helper scsi_mod ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common cec crc32_pclmul mdio_devres crc32c_intel rc_core
[121698.270614] ghash_clmulni_intel cryptd drm psmouse usbcore i2c_smbus libphy lpc_ich scsi_common usb_common wmi video battery button
[121698.270642] CR2: ffffaaca8af1c000
[121698.270648] ---[ end trace 0f2ef8e8d312faa0 ]---
[121698.270652] RIP: 0010:_raw_spin_lock_irqsave+0x2d/0x50
[121698.270661] Code: 00 00 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 bf 01 00 00 00 e8 da 10 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 75 07 4c 89 e0 5b 41 5c c3 89 c6 48 89 df e8 fc 55 7a
[121698.270667] RSP: 0018:ffffaaca8c83fbc0 EFLAGS: 00010046
[121698.270673] RAX: 0000000000000000 RBX: ffffaaca8af1c000 RCX: 0000000000000000
[121698.270677] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001
[121698.270681] RBP: ffffaaca8af1c000 R08: 0000000000000000 R09: ffffaaca8c83fa38
[121698.270686] R10: ffffaaca8c83fa30 R11: ffffffff8d6c2dd8 R12: 0000000000000086
[121698.270690] R13: ffff8e3cf2d79940 R14: 0000000000000001 R15: 0000000000000000
[121698.270695] FS: 0000000000000000(0000) GS:ffff8e3f7f200000(0000) knlGS:0000000000000000
[121698.270700] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[121698.270705] CR2: ffffaaca8af1c000 CR3: 00000001c262a002 CR4: 00000000000606f0
[121698.270711] note: modprobe[1397131] exited with preempt_count 3
[121698.278181] [p_lkrg] <Exploit Detection> ON process[1397136 | preload] has corrupted 'off' flag!
[121698.278191] [p_lkrg] <Exploit Detection> Trying to kill process[ | 0]!
[121698.278198] BUG: unable to handle page fault for address: ffffaaca827f4000
[121698.278201] #PF: supervisor write access in kernel mode
[121698.278204] #PF: error_code(0x0002) - not-present page
[121698.278207] PGD 100000067 P4D 100000067 PUD 1001a7067 PMD 1628b8067 PTE 0
[121698.278216] Oops: 0002 [#2] PREEMPT SMP PTI
[121698.278220] CPU: 0 PID: 1397136 Comm: modprobe Tainted: G D OE 5.16.0-5-amd64 #1 Debian 5.16.14-1
[121698.278225] Hardware name: ASUSTeK Computer Inc. N53SV/N53SV, BIOS N53SV.214 08/10/2011
[121698.278227] RIP: 0010:_raw_spin_lock_irqsave+0x2d/0x50
[121698.278236] Code: 00 00 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 bf 01 00 00 00 e8 da 10 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 75 07 4c 89 e0 5b 41 5c c3 89 c6 48 89 df e8 fc 55 7a
[121698.278240] RSP: 0018:ffffaaca8c81fbc0 EFLAGS: 00010046
[121698.278244] RAX: 0000000000000000 RBX: ffffaaca827f4000 RCX: 0000000000000000
[121698.278247] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001
[121698.278250] RBP: ffffaaca827f4000 R08: 0000000000000000 R09: ffffaaca8c81fa38
[121698.278253] R10: ffffaaca8c81fa30 R11: ffffffff8d6c33c0 R12: 0000000000000086
[121698.278256] R13: ffff8e3cc95b9940 R14: 0000000000000001 R15: 0000000000000000
[121698.278259] FS: 0000000000000000(0000) GS:ffff8e3f7f200000(0000) knlGS:0000000000000000
[121698.278262] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[121698.278265] CR2: ffffaaca827f4000 CR3: 00000001bc498006 CR4: 00000000000606f0
[121698.278269] Call Trace:
[121698.278272] <TASK>
[121698.278276] do_send_sig_info+0x34/0xb0
[121698.278284] ? security_bprm_committing_creds+0x5/0x30
[121698.278291] p_ed_is_off_off.part.0+0x48/0x4f [p_lkrg]
[121698.278310] p_set_ed_process_off.cold+0x8/0x73 [p_lkrg]
[121698.278325] p_security_bprm_committing_creds_entry+0x77/0xb0 [p_lkrg]
[121698.278340] pre_handler_kretprobe+0x8f/0x160
[121698.278346] ? security_bprm_committing_creds+0x1/0x30
[121698.278351] kprobe_ftrace_handler+0x153/0x1d0
[121698.278358] 0xffffffffc06a70c8
[121698.278378] ? security_bprm_committing_creds+0x1/0x30
[121698.278382] security_bprm_committing_creds+0x5/0x30
[121698.278386] begin_new_exec+0x581/0xa80
[121698.278392] load_elf_binary+0x70a/0x1630
[121698.278397] ? __kernel_read+0x1b1/0x2d0
[121698.278401] ? __kernel_read+0x1b1/0x2d0
[121698.278405] ? aa_get_task_label+0x4f/0xd0
[121698.278411] ? _raw_read_lock+0x13/0x30
[121698.278416] bprm_execve+0x273/0x670
[121698.278420] ? call_usermodehelper_exec_work+0xb0/0xb0
[121698.278426] kernel_execve+0x12e/0x1b0
[121698.278430] call_usermodehelper_exec_async+0xd1/0x140
[121698.278435] ? call_usermodehelper_exec_work+0xb0/0xb0
[121698.278440] elfcorehdr_read+0x40/0x40
[121698.278446] </TASK>
[121698.278448] Modules linked in: ufs qnx4 hfsplus hfs minix vfat msdos fat jfs xfs mptcp_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device nft_masq bridge stp llc cpufreq_userspace cpufreq_powersave cpufreq_ondemand cpufreq_conservative ip6_tables ip6t_REJECT nf_reject_ipv6 nft_chain_nat xt_MASQUERADE nf_nat nft_limit xt_LOG nf_log_syslog xt_limit xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 nft_counter xt_CHECKSUM xt_tcpudp nft_compat nf_tables nfnetlink binfmt_misc ecb crypto_simd xts dm_crypt intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi x86_pkg_temp_thermal snd_hda_codec_realtek intel_powerclamp snd_hda_codec_generic ledtrig_audio snd_hda_intel mei_hdcp snd_intel_dspcfg kvm_intel snd_intel_sdw_acpi snd_hda_codec snd_hda_core kvm snd_hwdep snd_pcm_oss irqbypass pktcdvd snd_mixer_oss rapl intel_cstate iTCO_wdt
[121698.278527] snd_pcm intel_uncore asus_nb_wmi mei_me intel_pmc_bxt asus_wmi snd_timer mei iTCO_vendor_support joydev at24 platform_profile watchdog snd sparse_keymap sg soundcore rfkill evdev ac pcspkr serio_raw wmi_bmof cpuid coretemp loop p_lkrg(OE) ipmi_devintf ipmi_msghandler msr ecryptfs drivetemp parport_pc nfsd ppdev lp auth_rpcgss parport nfs_acl lockd grace sunrpc configfs fuse ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod hid_generic usbhid hid sd_mod sr_mod t10_pi crc_t10dif cdrom crct10dif_generic i915 nouveau ahci libahci xhci_pci libata r8169 mxm_wmi drm_ttm_helper i2c_algo_bit realtek ttm xhci_hcd i2c_i801 drm_kms_helper scsi_mod ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common cec crc32_pclmul mdio_devres crc32c_intel rc_core
[121698.278629] ghash_clmulni_intel cryptd drm psmouse usbcore i2c_smbus libphy lpc_ich scsi_common usb_common wmi video battery button
[121698.278646] CR2: ffffaaca827f4000
[121698.278650] ---[ end trace 0f2ef8e8d312faa1 ]---
[121698.278653] RIP: 0010:_raw_spin_lock_irqsave+0x2d/0x50
[121698.278658] Code: 00 00 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 bf 01 00 00 00 e8 da 10 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 75 07 4c 89 e0 5b 41 5c c3 89 c6 48 89 df e8 fc 55 7a
[121698.278662] RSP: 0018:ffffaaca8c83fbc0 EFLAGS: 00010046
[121698.278665] RAX: 0000000000000000 RBX: ffffaaca8af1c000 RCX: 0000000000000000
[121698.278668] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001
[121698.278671] RBP: ffffaaca8af1c000 R08: 0000000000000000 R09: ffffaaca8c83fa38
[121698.278673] R10: ffffaaca8c83fa30 R11: ffffffff8d6c2dd8 R12: 0000000000000086
[121698.278676] R13: ffff8e3cf2d79940 R14: 0000000000000001 R15: 0000000000000000
[121698.278679] FS: 0000000000000000(0000) GS:ffff8e3f7f200000(0000) knlGS:0000000000000000
[121698.278682] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[121698.278685] CR2: ffffaaca827f4000 CR3: 00000001bc498006 CR4: 00000000000606f0
[121698.278688] note: modprobe[1397136] exited with preempt_count 3
[121698.280840] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280846] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid base for stack pointer!
[121698.280848] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid stack pointer (stack size mismatch)!
[121698.280850] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280852] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280854] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280856] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280857] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280860] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280862] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid base for stack pointer!
[121698.280863] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid stack pointer (stack size mismatch)!
[121698.280865] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280867] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280870] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280871] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid base for stack pointer!
[121698.280873] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid stack pointer (stack size mismatch)!
[121698.280874] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280876] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280877] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280879] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280880] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280882] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280883] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid base for stack pointer!
[121698.280885] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid stack pointer (stack size mismatch)!
[121698.280886] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280888] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280890] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280891] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid base for stack pointer!
[121698.280893] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid stack pointer (stack size mismatch)!
[121698.280894] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280896] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280897] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280898] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280900] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280902] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280903] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid base for stack pointer!
[121698.280905] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid stack pointer (stack size mismatch)!
[121698.280906] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280908] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280910] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280911] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid base for stack pointer!
[121698.280912] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid stack pointer (stack size mismatch)!
[121698.280914] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280915] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280917] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280918] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.280920] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280921] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.280923] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid base for stack pointer!
[121698.280924] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397137] has invalid stack pointer (stack size mismatch)!
[121698.280926] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397137] !!!
[121698.280927] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397137]!
[121698.281121] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.281126] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397138] has invalid base for stack pointer!
[121698.281128] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397138] has invalid stack pointer (stack size mismatch)!
[121698.281130] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397138] !!!
[121698.281131] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397138]!
[121698.281134] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397138] !!!
[121698.281135] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397138]!
[121698.281137] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.281140] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.281141] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397138] has invalid base for stack pointer!
[121698.281143] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397138] has invalid stack pointer (stack size mismatch)!
[121698.281144] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397138] !!!
[121698.281146] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397138]!
[121698.281148] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.281150] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397138] has invalid base for stack pointer!
[121698.281151] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397138] has invalid stack pointer (stack size mismatch)!
[121698.281153] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397138] !!!
[121698.281154] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397138]!
[121698.281155] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397138] !!!
[121698.281157] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397138]!
[121698.281158] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.281160] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.281162] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397138] has invalid base for stack pointer!
[121698.281163] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397138] has invalid stack pointer (stack size mismatch)!
[121698.281165] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397138] !!!
[121698.281166] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397138]!
[121698.281169] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.281170] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397138] has invalid base for stack pointer!
[121698.281172] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397138] has invalid stack pointer (stack size mismatch)!
[121698.281173] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397138] !!!
[121698.281175] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397138]!
[121698.281176] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397138] !!!
[121698.281178] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397138]!
[121698.281179] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.290701] [p_lkrg] <Exploit Detection> ON process[1397143 | preload] has corrupted 'off' flag!
[121698.290709] [p_lkrg] <Exploit Detection> Trying to kill process[ | -1922750656]!
[121698.303301] [p_lkrg] <Exploit Detection> ON process[1397147 | preload] has corrupted 'off' flag!
[121698.303308] [p_lkrg] <Exploit Detection> Trying to kill process[ | 0]!
[121698.303313] BUG: unable to handle page fault for address: ffffaaca8ae24000
[121698.303315] #PF: supervisor write access in kernel mode
[121698.303317] #PF: error_code(0x0002) - not-present page
[121698.303318] PGD 100000067 P4D 100000067 PUD 1001a7067 PMD 13ca96067 PTE 0
[121698.303324] Oops: 0002 [#3] PREEMPT SMP PTI
[121698.303327] CPU: 1 PID: 1397147 Comm: modprobe Tainted: G D OE 5.16.0-5-amd64 #1 Debian 5.16.14-1
[121698.303330] Hardware name: ASUSTeK Computer Inc. N53SV/N53SV, BIOS N53SV.214 08/10/2011
[121698.303331] RIP: 0010:_raw_spin_lock_irqsave+0x2d/0x50
[121698.303338] Code: 00 00 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 bf 01 00 00 00 e8 da 10 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 75 07 4c 89 e0 5b 41 5c c3 89 c6 48 89 df e8 fc 55 7a
[121698.303341] RSP: 0018:ffffaaca8c8c7bc0 EFLAGS: 00010046
[121698.303343] RAX: 0000000000000000 RBX: ffffaaca8ae24000 RCX: 0000000000000000
[121698.303345] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001
[121698.303346] RBP: ffffaaca8ae24000 R08: 0000000000000000 R09: ffffaaca8c8c7a38
[121698.303348] R10: ffffaaca8c8c7a30 R11: ffffffff8d6c41e8 R12: 0000000000000086
[121698.303350] R13: ffff8e3cb90c8000 R14: 0000000000000001 R15: 0000000000000000
[121698.303352] FS: 0000000000000000(0000) GS:ffff8e3f7f240000(0000) knlGS:0000000000000000
[121698.303354] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[121698.303356] CR2: ffffaaca8ae24000 CR3: 0000000165b2e003 CR4: 00000000000606e0
[121698.303358] Call Trace:
[121698.303360] <TASK>
[121698.303362] do_send_sig_info+0x34/0xb0
[121698.303367] ? security_bprm_committing_creds+0x5/0x30
[121698.303373] p_ed_is_off_off.part.0+0x48/0x4f [p_lkrg]
[121698.303385] p_set_ed_process_off.cold+0x8/0x73 [p_lkrg]
[121698.303394] p_security_bprm_committing_creds_entry+0x77/0xb0 [p_lkrg]
[121698.303403] pre_handler_kretprobe+0x8f/0x160
[121698.303408] ? security_bprm_committing_creds+0x1/0x30
[121698.303411] kprobe_ftrace_handler+0x153/0x1d0
[121698.303416] 0xffffffffc06a70c8
[121698.303432] ? security_bprm_committing_creds+0x1/0x30
[121698.303435] security_bprm_committing_creds+0x5/0x30
[121698.303438] begin_new_exec+0x581/0xa80
[121698.303441] load_elf_binary+0x70a/0x1630
[121698.303445] ? __kernel_read+0x1b1/0x2d0
[121698.303447] ? __kernel_read+0x1b1/0x2d0
[121698.303449] ? aa_get_task_label+0x4f/0xd0
[121698.303453] ? _raw_read_lock+0x13/0x30
[121698.303457] bprm_execve+0x273/0x670
[121698.303459] ? call_usermodehelper_exec_work+0xb0/0xb0
[121698.303463] kernel_execve+0x12e/0x1b0
[121698.303465] call_usermodehelper_exec_async+0xd1/0x140
[121698.303469] ? call_usermodehelper_exec_work+0xb0/0xb0
[121698.303472] elfcorehdr_read+0x40/0x40
[121698.303475] </TASK>
[121698.303477] Modules linked in: ufs qnx4 hfsplus hfs minix vfat msdos fat jfs xfs mptcp_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device nft_masq bridge stp llc cpufreq_userspace cpufreq_powersave cpufreq_ondemand cpufreq_conservative ip6_tables ip6t_REJECT nf_reject_ipv6 nft_chain_nat xt_MASQUERADE nf_nat nft_limit xt_LOG nf_log_syslog xt_limit xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 nft_counter xt_CHECKSUM xt_tcpudp nft_compat nf_tables nfnetlink binfmt_misc ecb crypto_simd xts dm_crypt intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi x86_pkg_temp_thermal snd_hda_codec_realtek intel_powerclamp snd_hda_codec_generic ledtrig_audio snd_hda_intel mei_hdcp snd_intel_dspcfg kvm_intel snd_intel_sdw_acpi snd_hda_codec snd_hda_core kvm snd_hwdep snd_pcm_oss irqbypass pktcdvd snd_mixer_oss rapl intel_cstate iTCO_wdt
[121698.303529] snd_pcm intel_uncore asus_nb_wmi mei_me intel_pmc_bxt asus_wmi snd_timer mei iTCO_vendor_support joydev at24 platform_profile watchdog snd sparse_keymap sg soundcore rfkill evdev ac pcspkr serio_raw wmi_bmof cpuid coretemp loop p_lkrg(OE) ipmi_devintf ipmi_msghandler msr ecryptfs drivetemp parport_pc nfsd ppdev lp auth_rpcgss parport nfs_acl lockd grace sunrpc configfs fuse ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod hid_generic usbhid hid sd_mod sr_mod t10_pi crc_t10dif cdrom crct10dif_generic i915 nouveau ahci libahci xhci_pci libata r8169 mxm_wmi drm_ttm_helper i2c_algo_bit realtek ttm xhci_hcd i2c_i801 drm_kms_helper scsi_mod ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common cec crc32_pclmul mdio_devres crc32c_intel rc_core
[121698.303595] ghash_clmulni_intel cryptd drm psmouse usbcore i2c_smbus libphy lpc_ich scsi_common usb_common wmi video battery button
[121698.303606] CR2: ffffaaca8ae24000
[121698.303608] ---[ end trace 0f2ef8e8d312faa2 ]---
[121698.303610] RIP: 0010:_raw_spin_lock_irqsave+0x2d/0x50
[121698.303613] Code: 00 00 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 bf 01 00 00 00 e8 da 10 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 75 07 4c 89 e0 5b 41 5c c3 89 c6 48 89 df e8 fc 55 7a
[121698.303615] RSP: 0018:ffffaaca8c83fbc0 EFLAGS: 00010046
[121698.303617] RAX: 0000000000000000 RBX: ffffaaca8af1c000 RCX: 0000000000000000
[121698.303619] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001
[121698.303621] RBP: ffffaaca8af1c000 R08: 0000000000000000 R09: ffffaaca8c83fa38
[121698.303622] R10: ffffaaca8c83fa30 R11: ffffffff8d6c2dd8 R12: 0000000000000086
[121698.303624] R13: ffff8e3cf2d79940 R14: 0000000000000001 R15: 0000000000000000
[121698.303626] FS: 0000000000000000(0000) GS:ffff8e3f7f240000(0000) knlGS:0000000000000000
[121698.303628] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[121698.303630] CR2: ffffaaca8ae24000 CR3: 0000000165b2e003 CR4: 00000000000606e0
[121698.303632] note: modprobe[1397147] exited with preempt_count 3
[121698.305457] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305463] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid base for stack pointer!
[121698.305465] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid stack pointer (stack size mismatch)!
[121698.305467] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305468] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305471] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305472] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305474] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305476] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305478] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid base for stack pointer!
[121698.305479] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid stack pointer (stack size mismatch)!
[121698.305481] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305483] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305485] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305487] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid base for stack pointer!
[121698.305488] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid stack pointer (stack size mismatch)!
[121698.305490] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305491] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305492] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305494] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305495] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305497] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305499] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid base for stack pointer!
[121698.305500] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid stack pointer (stack size mismatch)!
[121698.305501] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305503] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305505] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305506] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid base for stack pointer!
[121698.305508] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid stack pointer (stack size mismatch)!
[121698.305509] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305511] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305512] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305513] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305515] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305517] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305518] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid base for stack pointer!
[121698.305519] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid stack pointer (stack size mismatch)!
[121698.305521] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305522] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305524] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305526] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid base for stack pointer!
[121698.305527] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid stack pointer (stack size mismatch)!
[121698.305529] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305530] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305531] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305533] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305534] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305536] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305538] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid base for stack pointer!
[121698.305539] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397148] has invalid stack pointer (stack size mismatch)!
[121698.305540] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397148] !!!
[121698.305542] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397148]!
[121698.305574] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305579] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397149] has invalid base for stack pointer!
[121698.305581] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397149] has invalid stack pointer (stack size mismatch)!
[121698.305583] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397149] !!!
[121698.305584] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397149]!
[121698.305587] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397149] !!!
[121698.305588] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397149]!
[121698.305590] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305593] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305594] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397149] has invalid base for stack pointer!
[121698.305596] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397149] has invalid stack pointer (stack size mismatch)!
[121698.305597] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397149] !!!
[121698.305599] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397149]!
[121698.305602] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305603] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397149] has invalid base for stack pointer!
[121698.305604] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397149] has invalid stack pointer (stack size mismatch)!
[121698.305604] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305606] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397149] !!!
[121698.305607] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397149]!
[121698.305608] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397149] !!!
[121698.305609] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397149]!
[121698.305610] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397150] has invalid base for stack pointer!
[121698.305611] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305613] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305613] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397150] has invalid stack pointer (stack size mismatch)!
[121698.305614] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397150] !!!
[121698.305615] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397149] has invalid base for stack pointer!
[121698.305616] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397149] has invalid stack pointer (stack size mismatch)!
[121698.305617] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397149] !!!
[121698.305618] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397150]!
[121698.305618] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397149]!
[121698.305620] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397150] !!!
[121698.305621] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305622] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397150]!
[121698.305623] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305624] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397149] has invalid base for stack pointer!
[121698.305625] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397149] has invalid stack pointer (stack size mismatch)!
[121698.305627] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397149] !!!
[121698.305627] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305628] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397150] has invalid base for stack pointer!
[121698.305629] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397149]!
[121698.305630] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397149] !!!
[121698.305631] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397150] has invalid stack pointer (stack size mismatch)!
[121698.305632] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397149]!
[121698.305632] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397150] !!!
[121698.305633] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305635] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397150]!
[121698.305638] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305639] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397150] has invalid base for stack pointer!
[121698.305641] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397150] has invalid stack pointer (stack size mismatch)!
[121698.305642] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397150] !!!
[121698.305644] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397150]!
[121698.305645] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397150] !!!
[121698.305646] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397150]!
[121698.305648] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305652] [p_lkrg] <Exploit Detection> [pCFI - SP] Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.305654] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397150] has invalid base for stack pointer!
[121698.305655] [p_lkrg] <Exploit Detection> process [chkrootkit | 1397150] has invalid stack pointer (stack size mismatch)!
[121698.305657] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397150] !!!
[121698.305658] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397150]!
[121698.305660] [p_lkrg] <Exploit Detection> Stack pointer corruption (ROP?) - pCFI violation: process[chkrootkit | 1397150] !!!
[121698.305661] [p_lkrg] <Exploit Detection> Trying to kill process[chkrootkit | 1397150]!
[121698.305662] [p_lkrg] <Exploit Detection> Potential kretprobe glitch detected for process[chkrootkit] vs orig[preload]
[121698.311514] [p_lkrg] <Exploit Detection> ON process[1397154 | preload] has corrupted 'off' flag!
[121698.311521] [p_lkrg] <Exploit Detection> Trying to kill process[ | 511]!
[121698.311527] BUG: unable to handle page fault for address: ffffffff8dc9e900
[121698.311529] #PF: supervisor write access in kernel mode
[121698.311531] #PF: error_code(0x0002) - not-present page
[121698.311533] PGD 2e0814067 P4D 2e0814067 PUD 2e0815063 PMD 2e15ff063 PTE 800ffffd1f161062
[121698.311539] Oops: 0002 [#4] PREEMPT SMP PTI
[121698.311542] CPU: 1 PID: 1397154 Comm: modprobe Tainted: G D OE 5.16.0-5-amd64 #1 Debian 5.16.14-1
[121698.311546] Hardware name: ASUSTeK Computer Inc. N53SV/N53SV, BIOS N53SV.214 08/10/2011
[121698.311548] RIP: 0010:native_queued_spin_lock_slowpath+0x1ba/0x200
[121698.311555] Code: ff f3 90 8b 03 85 c0 74 ee eb f6 c1 e9 12 83 e2 03 83 e9 01 48 c1 e2 05 48 63 c9 48 81 c2 c0 18 03 00 48 03 14 cd e0 7a fc 8c <48> 89 2a 8b 55 08 85 d2 75 09 f3 90 8b 55 08 85 d2 74 f7 48 8b 4d
[121698.311558] RSP: 0018:ffffaaca8c8bfba0 EFLAGS: 00010086
[121698.311560] RAX: 0000000000080000 RBX: ffffffff8d619700 RCX: 0000000000001d5a
[121698.311563] RDX: ffffffff8dc9e900 RSI: ffffffff8cf4e24e RDI: ffffffff8cf29fca
[121698.311565] RBP: ffff8e3f7f2718c0 R08: 0000000000000000 R09: ffffaaca8c8bfa38
[121698.311567] R10: ffffaaca8c8bfa30 R11: ffffffff8d6c5298 R12: 0000000000000000
[121698.311568] R13: ffff8e3cb90ce500 R14: 0000000000000001 R15: 0000000000000000
[121698.311571] FS: 0000000000000000(0000) GS:ffff8e3f7f240000(0000) knlGS:0000000000000000
[121698.311573] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[121698.311575] CR2: ffffffff8dc9e900 CR3: 0000000179348004 CR4: 00000000000606e0
[121698.311578] Call Trace:
[121698.311580] <TASK>
[121698.311582] _raw_spin_lock_irqsave+0x44/0x50
[121698.311588] do_send_sig_info+0x34/0xb0
[121698.311593] ? security_bprm_committing_creds+0x5/0x30
[121698.311598] p_ed_is_off_off.part.0+0x48/0x4f [p_lkrg]
[121698.311611] p_set_ed_process_off.cold+0x8/0x73 [p_lkrg]
[121698.311621] p_security_bprm_committing_creds_entry+0x77/0xb0 [p_lkrg]
[121698.311631] pre_handler_kretprobe+0x8f/0x160
[121698.311636] ? security_bprm_committing_creds+0x1/0x30
[121698.311639] kprobe_ftrace_handler+0x153/0x1d0
[121698.311644] 0xffffffffc06a70c8
[121698.311660] ? security_bprm_committing_creds+0x1/0x30
[121698.311663] security_bprm_committing_creds+0x5/0x30
[121698.311666] begin_new_exec+0x581/0xa80
[121698.311670] load_elf_binary+0x70a/0x1630
[121698.311673] ? __kernel_read+0x1b1/0x2d0
[121698.311677] ? __kernel_read+0x1b1/0x2d0
[121698.311679] ? aa_get_task_label+0x4f/0xd0
[121698.311683] ? _raw_read_lock+0x13/0x30
[121698.311687] bprm_execve+0x273/0x670
[121698.311689] ? call_usermodehelper_exec_work+0xb0/0xb0
[121698.311694] kernel_execve+0x12e/0x1b0
[121698.311696] call_usermodehelper_exec_async+0xd1/0x140
[121698.311700] ? call_usermodehelper_exec_work+0xb0/0xb0
[121698.311703] elfcorehdr_read+0x40/0x40
[121698.311707] </TASK>
[121698.311708] Modules linked in: ufs qnx4 hfsplus hfs minix vfat msdos fat jfs xfs mptcp_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device nft_masq bridge stp llc cpufreq_userspace cpufreq_powersave cpufreq_ondemand cpufreq_conservative ip6_tables ip6t_REJECT nf_reject_ipv6 nft_chain_nat xt_MASQUERADE nf_nat nft_limit xt_LOG nf_log_syslog xt_limit xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 nft_counter xt_CHECKSUM xt_tcpudp nft_compat nf_tables nfnetlink binfmt_misc ecb crypto_simd xts dm_crypt intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi x86_pkg_temp_thermal snd_hda_codec_realtek intel_powerclamp snd_hda_codec_generic ledtrig_audio snd_hda_intel mei_hdcp snd_intel_dspcfg kvm_intel snd_intel_sdw_acpi snd_hda_codec snd_hda_core kvm snd_hwdep snd_pcm_oss irqbypass pktcdvd snd_mixer_oss rapl intel_cstate iTCO_wdt
[121698.311762] snd_pcm intel_uncore asus_nb_wmi mei_me intel_pmc_bxt asus_wmi snd_timer mei iTCO_vendor_support joydev at24 platform_profile watchdog snd sparse_keymap sg soundcore rfkill evdev ac pcspkr serio_raw wmi_bmof cpuid coretemp loop p_lkrg(OE) ipmi_devintf ipmi_msghandler msr ecryptfs drivetemp parport_pc nfsd ppdev lp auth_rpcgss parport nfs_acl lockd grace sunrpc configfs fuse ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod hid_generic usbhid hid sd_mod sr_mod t10_pi crc_t10dif cdrom crct10dif_generic i915 nouveau ahci libahci xhci_pci libata r8169 mxm_wmi drm_ttm_helper i2c_algo_bit realtek ttm xhci_hcd i2c_i801 drm_kms_helper scsi_mod ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common cec crc32_pclmul mdio_devres crc32c_intel rc_core
[121698.311832] ghash_clmulni_intel cryptd drm psmouse usbcore i2c_smbus libphy lpc_ich scsi_common usb_common wmi video battery button
[121698.311844] CR2: ffffffff8dc9e900
[121698.311846] ---[ end trace 0f2ef8e8d312faa3 ]---
[121698.311848] RIP: 0010:_raw_spin_lock_irqsave+0x2d/0x50
[121698.311852] Code: 00 00 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 bf 01 00 00 00 e8 da 10 77 ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 75 07 4c 89 e0 5b 41 5c c3 89 c6 48 89 df e8 fc 55 7a
[121698.311854] RSP: 0018:ffffaaca8c83fbc0 EFLAGS: 00010046
[121698.311857] RAX: 0000000000000000 RBX: ffffaaca8af1c000 RCX: 0000000000000000
[121698.311859] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000001
[121698.311860] RBP: ffffaaca8af1c000 R08: 0000000000000000 R09: ffffaaca8c83fa38
[121698.311862] R10: ffffaaca8c83fa30 R11: ffffffff8d6c2dd8 R12: 0000000000000086
[121698.311864] R13: ffff8e3cf2d79940 R14: 0000000000000001 R15: 0000000000000000
[121698.311866] FS: 0000000000000000(0000) GS:ffff8e3f7f240000(0000) knlGS:0000000000000000
[121698.311868] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[121698.311870] CR2: ffffffff8dc9e900 CR3: 0000000179348004 CR4: 00000000000606e0
[121698.311873] note: modprobe[1397154] exited with preempt_count 3
[121698.321879] [p_lkrg] <Exploit Detection> ON process[1397158 | preload] has corrupted 'off' flag!
[121698.321894] [p_lkrg] <Exploit Detection> Trying to kill process[ | -1922750656]!
[121698.337249] [p_lkrg] <Exploit Detection> ON process[1397162 | preload] has corrupted 'off' flag!
Message from syslogd@asus2 at Apr 1 07:39:22 ...
kernel:[121716.005464] NMI watchdog: Watchdog detected hard LOCKUP on cpu 2
[121698.347862] [p_lkrg] <Exploit Detection> ON process[1397166 | preload] has corrupted 'off' flag!
[121698.347872] [p_lkrg] <Exploit Detection> Trying to kill process[ | 511]!
[121716.005464] NMI watchdog: Watchdog detected hard LOCKUP on cpu 2
[121716.005466] Modules linked in: ufs qnx4 hfsplus hfs minix vfat msdos fat jfs xfs mptcp_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device nft_masq bridge stp llc cpufreq_userspace cpufreq_powersave cpufreq_ondemand cpufreq_conservative ip6_tables ip6t_REJECT nf_reject_ipv6 nft_chain_nat xt_MASQUERADE nf_nat nft_limit xt_LOG nf_log_syslog xt_limit xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 nft_counter xt_CHECKSUM xt_tcpudp nft_compat nf_tables nfnetlink binfmt_misc ecb crypto_simd xts dm_crypt intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi x86_pkg_temp_thermal snd_hda_codec_realtek intel_powerclamp snd_hda_codec_generic ledtrig_audio snd_hda_intel mei_hdcp snd_intel_dspcfg kvm_intel snd_intel_sdw_acpi snd_hda_codec snd_hda_core kvm snd_hwdep snd_pcm_oss irqbypass pktcdvd snd_mixer_oss rapl intel_cstate iTCO_wdt
[121716.005507] snd_pcm intel_uncore asus_nb_wmi mei_me intel_pmc_bxt asus_wmi snd_timer mei iTCO_vendor_support joydev at24 platform_profile watchdog snd sparse_keymap sg soundcore rfkill evdev ac pcspkr serio_raw wmi_bmof cpuid coretemp loop p_lkrg(OE) ipmi_devintf ipmi_msghandler msr ecryptfs drivetemp parport_pc nfsd ppdev lp auth_rpcgss parport nfs_acl lockd grace sunrpc configfs fuse ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod hid_generic usbhid hid sd_mod sr_mod t10_pi crc_t10dif cdrom crct10dif_generic i915 nouveau ahci libahci xhci_pci libata r8169 mxm_wmi drm_ttm_helper i2c_algo_bit realtek ttm xhci_hcd i2c_i801 drm_kms_helper scsi_mod ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common cec crc32_pclmul mdio_devres crc32c_intel rc_core
[121716.005556] ghash_clmulni_intel cryptd drm psmouse usbcore i2c_smbus libphy lpc_ich scsi_common usb_common wmi video battery button
[121716.005563] CPU: 2 PID: 1397166 Comm: modprobe Tainted: G D OE 5.16.0-5-amd64 #1 Debian 5.16.14-1
[121716.005566] Hardware name: ASUSTeK Computer Inc. N53SV/N53SV, BIOS N53SV.214 08/10/2011
[121716.005567] RIP: 0010:native_queued_spin_lock_slowpath+0x1c4/0x200
[121716.005573] Code: f6 c1 e9 12 83 e2 03 83 e9 01 48 c1 e2 05 48 63 c9 48 81 c2 c0 18 03 00 48 03 14 cd e0 7a fc 8c 48 89 2a 8b 55 08 85 d2 75 09 <f3> 90 8b 55 08 85 d2 74 f7 48 8b 4d 00 48 85 c9 0f 84 5e ff ff ff
[121716.005575] RSP: 0018:ffffaaca8c907ba0 EFLAGS: 00000046
[121716.005577] RAX: 00000000000c0000 RBX: ffffffff8d619700 RCX: 0000000000000001
[121716.005578] RDX: 0000000000000000 RSI: ffffffff8cf4e24e RDI: ffffffff8cf29fca
[121716.005579] RBP: ffff8e3f7f2b18c0 R08: 0000000000000000 R09: ffffaaca8c907a38
[121716.005580] R10: ffffaaca8c907a30 R11: ffffffff8d6c58f8 R12: 0000000000000000
[121716.005581] R13: ffff8e3cc207e500 R14: 0000000000000001 R15: 0000000000000000
[121716.005582] FS: 0000000000000000(0000) GS:ffff8e3f7f280000(0000) knlGS:0000000000000000
[121716.005584] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[121716.005585] CR2: 000055de9c65eac0 CR3: 000000017ed0a005 CR4: 00000000000606e0
[121716.005587] Call Trace:
[121716.005588] <TASK>
[121716.005590] _raw_spin_lock_irqsave+0x44/0x50
[121716.005594] do_send_sig_info+0x34/0xb0
[121716.005599] ? security_bprm_committing_creds+0x5/0x30
[121716.005603] p_ed_is_off_off.part.0+0x48/0x4f [p_lkrg]
[121716.005614] p_set_ed_process_off.cold+0x8/0x73 [p_lkrg]
[121716.005623] p_security_bprm_committing_creds_entry+0x77/0xb0 [p_lkrg]
[121716.005631] pre_handler_kretprobe+0x8f/0x160
[121716.005636] ? security_bprm_committing_creds+0x1/0x30
[121716.005637] kprobe_ftrace_handler+0x153/0x1d0
[121716.005641] 0xffffffffc06a70c8
[121716.005657] ? security_bprm_committing_creds+0x1/0x30
[121716.005659] security_bprm_committing_creds+0x5/0x30
[121716.005661] begin_new_exec+0x581/0xa80
[121716.005664] load_elf_binary+0x70a/0x1630
[121716.005667] ? __kernel_read+0x1b1/0x2d0
[121716.005669] ? __kernel_read+0x1b1/0x2d0
[121716.005671] ? aa_get_task_label+0x4f/0xd0
[121716.005674] ? _raw_read_lock+0x13/0x30
[121716.005677] bprm_execve+0x273/0x670
[121716.005678] ? call_usermodehelper_exec_work+0xb0/0xb0
[121716.005682] kernel_execve+0x12e/0x1b0
[121716.005684] call_usermodehelper_exec_async+0xd1/0x140
[121716.005686] ? call_usermodehelper_exec_work+0xb0/0xb0
[121716.005689] elfcorehdr_read+0x40/0x40
[121716.005692] </TASK>
Message from syslogd@asus2 at Apr 1 07:40:02 ...
kernel: [121723.679674] NMI watchdog: Watchdog detected hard LOCKUP on cpu 0
[121723.679674] NMI watchdog: Watchdog detected hard LOCKUP on cpu 0
[121723.679677] Modules linked in: ufs qnx4 hfsplus hfs minix vfat msdos fat jfs xfs mptcp_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device nft_masq bridge stp llc cpufreq_userspace cpufreq_powersave cpufreq_ondemand cpufreq_conservative ip6_tables ip6t_REJECT nf_reject_ipv6 nft_chain_nat xt_MASQUERADE nf_nat nft_limit xt_LOG nf_log_syslog xt_limit xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipt_REJECT nf_reject_ipv4 nft_counter xt_CHECKSUM xt_tcpudp nft_compat nf_tables nfnetlink binfmt_misc ecb crypto_simd xts dm_crypt intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi x86_pkg_temp_thermal snd_hda_codec_realtek intel_powerclamp snd_hda_codec_generic ledtrig_audio snd_hda_intel mei_hdcp snd_intel_dspcfg kvm_intel snd_intel_sdw_acpi snd_hda_codec snd_hda_core kvm snd_hwdep snd_pcm_oss irqbypass pktcdvd snd_mixer_oss rapl intel_cstate iTCO_wdt
[121723.679713] snd_pcm intel_uncore asus_nb_wmi mei_me intel_pmc_bxt asus_wmi snd_timer mei iTCO_vendor_support joydev at24 platform_profile watchdog snd sparse_keymap sg soundcore rfkill evdev ac pcspkr serio_raw wmi_bmof cpuid coretemp loop p_lkrg(OE) ipmi_devintf ipmi_msghandler msr ecryptfs drivetemp parport_pc nfsd ppdev lp auth_rpcgss parport nfs_acl lockd grace sunrpc configfs fuse ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod hid_generic usbhid hid sd_mod sr_mod t10_pi crc_t10dif cdrom crct10dif_generic i915 nouveau ahci libahci xhci_pci libata r8169 mxm_wmi drm_ttm_helper i2c_algo_bit realtek ttm xhci_hcd i2c_i801 drm_kms_helper scsi_mod ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common cec crc32_pclmul mdio_devres crc32c_intel rc_core
[121723.679757] ghash_clmulni_intel cryptd drm psmouse usbcore i2c_smbus libphy lpc_ich scsi_common usb_common wmi video battery button
[121723.679763] CPU: 0 PID: 1270 Comm: preload Tainted: G D OE 5.16.0-5-amd64 #1 Debian 5.16.14-1
[121723.679766] Hardware name: ASUSTeK Computer Inc. N53SV/N53SV, BIOS N53SV.214 08/10/2011
[121723.679767] RIP: 0010:queued_write_lock_slowpath+0x56/0x80
[121723.679772] Code: 0d 48 89 ef c6 07 00 0f 1f 40 00 5b 5d c3 f0 81 0b 00 01 00 00 ba ff 00 00 00 b9 00 01 00 00 8b 03 3d 00 01 00 00 74 0b f3 90 <8b> 03 3d 00 01 00 00 75 f5 89 c8 f0 0f b1 13 74 c6 eb e2 89 c6 48
[121723.679774] RSP: 0018:ffffaaca80f37cd8 EFLAGS: 00000006
[121723.679776] RAX: 00000000000001ff RBX: ffffffffc129bd50 RCX: 0000000000000100
[121723.679777] RDX: 00000000000000ff RSI: ffffaaca80f37da0 RDI: ffffffffc129bd50
[121723.679778] RBP: ffffffffc129bd54 R08: 000000000015538b R09: 0000000000000001
[121723.679779] R10: 00007fde51fcb550 R11: ffffaaca80f37d30 R12: 0000000000000206
[121723.679780] R13: ffffffffc1293fe0 R14: ffffffffc129bd50 R15: ffffffff8bec90f5
[121723.679782] FS: 00007fde51fcb280(0000) GS:ffff8e3f7f200000(0000) knlGS:0000000000000000
[121723.679783] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[121723.679784] CR2: 000056446c9c915c CR3: 0000000104508001 CR4: 00000000000606f0
[121723.679786] Call Trace:
[121723.679787] <TASK>
[121723.679789] _raw_write_lock_irqsave+0x43/0x50
[121723.679793] p_wake_up_new_task_entry+0x52/0xe0 [p_lkrg]
[121723.679804] ? wake_up_new_task+0x5/0x300
[121723.679808] pre_handler_kretprobe+0x8f/0x160
[121723.679811] ? wake_up_new_task+0x1/0x300
[121723.679813] kprobe_ftrace_handler+0x153/0x1d0
[121723.679817] 0xffffffffc06a70c8
[121723.679828] ? wake_up_new_task+0x1/0x300
[121723.679831] wake_up_new_task+0x5/0x300
[121723.679833] kernel_clone+0xf3/0x3e0
[121723.679836] __do_sys_clone+0x60/0x80
[121723.679838] do_syscall_64+0x3b/0xc0
[121723.679842] entry_SYSCALL_64_after_hwframe+0x44/0xae
[121723.679845] RIP: 0033:0x7fde52126d35
[121723.679849] Code: ed 0f 85 16 01 00 00 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 8f 00 00 00 41 89 c5 85 c0 0f 85 9c 00 00
[121723.679850] RSP: 002b:00007ffece520670 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
[121723.679852] RAX: ffffffffffffffda RBX: 000000000000001e RCX: 00007fde52126d35
[121723.679853] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[121723.679854] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000020
[121723.679855] R10: 00007fde51fcb550 R11: 0000000000000246 R12: 0000000000000000
[121723.679856] R13: 000000000000c000 R14: 00000000000001cf R15: 000056446d23df68
[121723.679859] </TASK>
Well, unless there's a brand-new bug between Debian's 5.16.0-5 and 5.16.0-6 kernels, the task off debug code of 0.9.2 seems to be leaking memory :) On the usual Sandy Bridge computer, the first allocation failure occured at less than 20 minutes uptime. That was yesterday evening, but I didn't watch and therefore notice:
[ 1190.048785] preload: page allocation failure: order:7, mode:0x40a20(GFP_ATOMIC|__GFP_COMP), nodemask=(null),cpuset=preload.service,mems_allowed=0
[ 1190.048802] CPU: 3 PID: 1279 Comm: preload Tainted: G OE 5.16.0-6-amd64 #1 Debian 5.16.18-1
[ 1190.048806] Hardware name: ASUSTeK Computer Inc. N53SV/N53SV, BIOS N53SV.214 08/10/2011
[ 1190.048808] Call Trace:
[ 1190.048813] <TASK>
[ 1190.048816] dump_stack_lvl+0x48/0x5e
[ 1190.048823] warn_alloc+0x134/0x160
[ 1190.048828] __alloc_pages_slowpath.constprop.0+0xc12/0xc70
[ 1190.048833] __alloc_pages+0x31b/0x330
[ 1190.048835] allocate_slab+0x330/0x420
[ 1190.048840] ___slab_alloc+0x683/0x860
[ 1190.048844] ? p_dump_task_f+0x1e/0x100 [p_lkrg]
[ 1190.048858] ? p_dump_task_f+0x1e/0x100 [p_lkrg]
[ 1190.048867] ? p_dump_task_f+0x1e/0x100 [p_lkrg]
[ 1190.048876] __slab_alloc.constprop.0+0x4a/0x80
[ 1190.048879] kmem_cache_alloc+0x384/0x3c0
[ 1190.048883] ? wake_up_new_task+0x5/0x300
[ 1190.048887] p_dump_task_f+0x1e/0x100 [p_lkrg]
[ 1190.048896] p_wake_up_new_task_entry+0x70/0xe0 [p_lkrg]
[ 1190.048906] ? wake_up_new_task+0x5/0x300
[ 1190.048909] pre_handler_kretprobe+0x8f/0x160
[ 1190.048913] ? wake_up_new_task+0x1/0x300
[ 1190.048916] kprobe_ftrace_handler+0x153/0x1d0
[ 1190.048921] 0xffffffffc03b90c8
[ 1190.048936] ? wake_up_new_task+0x1/0x300
[ 1190.048939] wake_up_new_task+0x5/0x300
[ 1190.048942] kernel_clone+0xf3/0x3e0
[ 1190.048946] __do_sys_clone+0x60/0x80
[ 1190.048949] do_syscall_64+0x3b/0xc0
[ 1190.048954] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1190.048959] RIP: 0033:0x7f3bf46d1d35
[ 1190.048963] Code: ed 0f 85 16 01 00 00 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 8f 00 00 00 41 89 c5 85 c0 0f 85 9c 00 00
[ 1190.048965] RSP: 002b:00007ffdb9413be0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
[ 1190.048969] RAX: ffffffffffffffda RBX: 000000000000001e RCX: 00007f3bf46d1d35
[ 1190.048971] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[ 1190.048973] RBP: 0000000000000000 R08: 0000000000000000 R09: 00005636e8dc4390
[ 1190.048974] R10: 00007f3bf4576550 R11: 0000000000000246 R12: 0000000000000000
[ 1190.048976] R13: 000000000000e000 R14: 000000000000009c R15: 00005636e8dc59a8
[ 1190.048979] </TASK>
[ 1190.048981] Mem-Info:
[ 1190.048983] active_anon:272 inactive_anon:84550 isolated_anon:0
[ 1190.048983] active_file:46335 inactive_file:143467 isolated_file:0
[ 1190.048983] unevictable:31319 dirty:41 writeback:0
[ 1190.048983] slab_reclaimable:13689 slab_unreclaimable:3564346
[ 1190.048983] mapped:58729 shmem:27766 pagetables:1480 bounce:0
[ 1190.048983] kernel_misc_reclaimable:0
[ 1190.048983] free:168511 free_pcp:1880 free_cma:0
[ 1190.048989] Node 0 active_anon:1088kB inactive_anon:338200kB active_file:185340kB inactive_file:573868kB unevictable:125276kB isolated(anon):0kB isolated(file):0kB mapped:234916kB dirty:164kB writeback:0kB shmem:111064kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 169984kB writeback_tmp:0kB kernel_stack:4364kB pagetables:5920kB all_unreclaimable? no
[ 1190.048994] Node 0 DMA free:13304kB boost:0kB min:64kB low:80kB high:96kB reserved_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15988kB managed:15360kB mlocked:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
[ 1190.049000] lowmem_reserve[]: 0 2566 15803 15803 15803
[ 1190.049005] Node 0 DMA32 free:57140kB boost:0kB min:10964kB low:13704kB high:16444kB reserved_highatomic:10240KB active_anon:0kB inactive_anon:2048kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:2778572kB managed:2713036kB mlocked:0kB bounce:0kB free_pcp:4728kB local_pcp:240kB free_cma:0kB
[ 1190.049010] lowmem_reserve[]: 0 0 13237 13237 13237
[ 1190.049014] Node 0 Normal free:603600kB boost:127236kB min:183788kB low:197924kB high:212060kB reserved_highatomic:0KB active_anon:1088kB inactive_anon:335956kB active_file:184672kB inactive_file:573944kB unevictable:125276kB writepending:164kB present:13885440kB managed:13563172kB mlocked:20208kB bounce:0kB free_pcp:2824kB local_pcp:596kB free_cma:0kB
[ 1190.049020] lowmem_reserve[]: 0 0 0 0 0
[ 1190.049024] Node 0 DMA: 0*4kB 1*8kB (U) 1*16kB (U) 1*32kB (U) 1*64kB (U) 1*128kB (U) 1*256kB (U) 1*512kB (U) 0*1024kB 2*2048kB (UM) 2*4096kB (M) = 13304kB
[ 1190.049039] Node 0 DMA32: 5*4kB (UM) 4*8kB (UM) 6*16kB (M) 7*32kB (M) 3*64kB (M) 2*128kB (M) 2*256kB (UM) 1*512kB (M) 2*1024kB (M) 2*2048kB (M) 12*4096kB (M) = 57140kB
[ 1190.049055] Node 0 Normal: 6762*4kB (UME) 5589*8kB (UME) 3330*16kB (UME) 2615*32kB (UME) 1892*64kB (UME) 985*128kB (UME) 577*256kB (UM) 0*512kB 0*1024kB 0*2048kB 0*4096kB = 603600kB
[ 1190.049069] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
[ 1190.049071] 208346 total pagecache pages
[ 1190.049072] 0 pages in swap cache
[ 1190.049074] Swap cache stats: add 0, delete 0, find 0/0
[ 1190.049075] Free swap = 0kB
[ 1190.049076] Total swap = 0kB
[ 1190.049078] 4170000 pages RAM
[ 1190.049079] 0 pages HighMem/MovableOnly
[ 1190.049080] 97108 pages reserved
[ 1190.049081] 0 pages hwpoisoned
[ 1190.049082] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
[ 1190.049085] cache: p_ed_pids, object size: 274832, buffer size: 274880, default order: 7, min order: 7
[ 1190.049087] node 0: slabs: 27722, objs: 27722, free: 0
[ 1190.049089] [p_lkrg] p_alloc_ed_pids() returned NULL for pid 38506 :(
Looks like I failed to disable preload on that computer. This morning, the errors continue, unsurprisingly.
[50431.011166] [p_lkrg] p_alloc_ed_pids() returned NULL for pid 417921 :(
[50431.011169] [p_lkrg] <Exploit Detection> Error[-1] when trying to add process[417921 |preload] for tracking!
[50431.167484] [p_lkrg] p_alloc_ed_pids() returned NULL for pid 417922 :(
[50431.167505] [p_lkrg] <Exploit Detection> Error[-1] when trying to add process[417922 |bash] for tracking!
[50435.448599] slab_out_of_memory: 105 callbacks suppressed
[50435.448604] SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
[50435.448618] cache: p_ed_pids, object size: 274832, buffer size: 274880, default order: 7, min order: 7
[50435.448621] node 0: slabs: 29822, objs: 29822, free: 0
[50435.448623] [p_lkrg] p_alloc_ed_pids() returned NULL for pid 417923 :(
[50435.448625] [p_lkrg] <Exploit Detection> Error[-1] when trying to add process[417923 |bash] for tracking!
I added a bit of swap to try and make the computer less unresponsive, but to little avail. No user-space process comes remotely close to consuming a significant amount of RAM.
# cat /proc/meminfo
MemTotal: 16291568 kB
MemFree: 213616 kB
MemAvailable: 314772 kB
Buffers: 110168 kB
Cached: 282588 kB
SwapCached: 39016 kB
Active: 244800 kB
Inactive: 297192 kB
Active(anon): 82560 kB
Inactive(anon): 139668 kB
Active(file): 162240 kB
Inactive(file): 157524 kB
Unevictable: 39952 kB
Mlocked: 20208 kB
SwapTotal: 4194272 kB
SwapFree: 3774696 kB
Dirty: 3480 kB
Writeback: 12 kB
AnonPages: 176112 kB
Mapped: 198736 kB
Shmem: 53432 kB
KReclaimable: 70940 kB
Slab: 15410400 kB
SReclaimable: 70940 kB
SUnreclaim: 15339460 kB
KernelStack: 4992 kB
PageTables: 8264 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 12340056 kB
Committed_AS: 2143948 kB
VmallocTotal: 34359738367 kB
VmallocUsed: 34008 kB
VmallocChunk: 0 kB
Percpu: 11008 kB
HardwareCorrupted: 0 kB
AnonHugePages: 61440 kB
ShmemHugePages: 0 kB
ShmemPmdMapped: 0 kB
FileHugePages: 0 kB
FilePmdMapped: 0 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 2048 kB
Hugetlb: 0 kB
DirectMap4k: 464332 kB
DirectMap2M: 16216064 kB
Slab and SUnreclaim are way too high.
I downloaded the lkrg-dkms 0.9.2 source package from the Kicksecure repository (...)
When you try to debug / report any issues in LKRG, please always use the latest LKRG from the github repo: https://github.com/lkrg-org/lkrg Can you try it?
On two different computers running Debian sid amd64 5.16.0-4/-5,
I tried to reproduce your issue and I've installed the latest Debian sid on my VM, deployed the latest LKRG (from the github), installed preload and so far I haven't seen any issues. Do I need to have any special configuration to be able to hit the same issue?
root@debian-sid:~/lkrg# dmesg|tail
[ 219.638382] p_lkrg: loading out-of-tree module taints kernel.
[ 219.638876] p_lkrg: module verification failed: signature and/or required key missing - tainting kernel
[ 219.695726] [p_lkrg] Loading LKRG...
[ 219.701992] Freezing user space processes ... (elapsed 0.001 seconds) done.
[ 219.703307] OOM killer disabled.
[ 219.833009] [p_lkrg] [kretprobe] register_kretprobe() for <ovl_create_or_link> failed! [err=-2]
[ 219.833032] [p_lkrg] Can't hook 'ovl_create_or_link' function. This is expected if you are not using OverlayFS.
[ 220.047688] [p_lkrg] LKRG initialized successfully!
[ 220.047705] OOM killer enabled.
[ 220.047705] Restarting tasks ... done.
root@debian-sid:~/lkrg# uptime
15:04:44 up 2:07, 3 users, load average: 0.00, 0.00, 0.00
root@debian-sid:~/lkrg# ps aux|grep preload
root 3155 0.0 0.0 5848 2252 ? SNs 13:05 0:01 /usr/sbin/preload -s /var/lib/preload/preload.state
root 3162 0.0 0.0 5848 2192 ? SNs 13:05 0:01 preload
root 3170 0.0 0.0 5848 2256 ? SNs 13:11 0:01 preload /bin/ls
root 3173 0.0 0.0 5848 2240 ? SNs 13:11 0:01 preload /bin/ps
root 3287 0.0 0.0 6300 2268 pts/2 R+ 15:04 0:00 grep preload
root@debian-sid:~/lkrg#
Well, unless there's a brand-new bug between Debian's 5.16.0-5 and 5.16.0-6 kernels, the task off debug code of 0.9.2 seems to be leaking memory
I don't think there is any memory leak in that code-path. However, P_LKRG_TASK_OFF_DEBUG uses an enormous amount of memory for debugging. Additionally, we are debating about shrinking the memory usage for pCFI and you can read more about it here:
https://github.com/lkrg-org/lkrg/issues/131
