[PATCH] boobytrap for 2.2.15pre5
Anton Ivanov
aivanov en eu.level3.net
Sab Ene 29 05:55:47 CST 2000
-----BEGIN PGP SIGNED MESSAGE-----
On 28-Jan-2000 glouis en dynamicro.on.ca wrote:
> On Fri, 28 Jan 2000, Petri Kaukasoina wrote:
>
>> >>> Addresses in System.map are between c0100000 and c01cfabc and I don't
>> >>> use
>> >>> modules.
>> > >
>> > > kmem_cache_alloc called by non-running (1) task from c37ff020!
>> > > kmem_cache_alloc called by non-running (1) task from c37ff080!
>> > > kmem_cache_alloc called by non-running (1) task from c37ff8c0!
>> > > kmem_cache_alloc called by non-running (1) task from c37ff920!
>> > > kmem_cache_alloc called by non-running (2) task from c37ff8c0!
>> > >
>> > > I have 56 megs of memory (56M = 03800000).
>> >
>> > Sorry to state the obvious, but are you sure the System.map you are
>> > checking is the one generated when this patched kernel was compiled?
>>
>> Yes.
>>
>> The addresses c37ffxxx are just below the end of memory (56 megs) calculated
>> from c0000000. The addresses in the System.map are in the beginning of the
>> memory from c0000000.
>
> Me too.
> I'm getting ...non-running (1) task from c3fff8c0 and c3fff920 in strict
> alternation, every few seconds. During boot-up there was also one with
> status 4 from 8c0 and one with status 1 from 860 (all
> c3fff---). Symbols in "cat proc/ksyms | sort" go up to c02796c8
> (pci-root) and then the next symbol is an __insmod at c4806000. The
> machine in question has 64Mb of ram.
>
I have the following question about this patch. What will happen if a
kernel root kit module has been installed that hides tasks, I/O calls and
networking?
I am not suggesting that the two machines in question may have this problem. I
am asking in general. Can this patch be also considered a security measure for
at least some of the kernel module root kits? They should be calling sched and
so on quite often when they are not supposed to/expected to in order to work...
- ----------------------------------
Anton R. Ivanov
IP Engineer Level3 Communications
RIPE: ARI2-RIPE E-Mail: Anton Ivanov <aivanov en eu.level3.net>
@*** Kamin's Laws (No 2 of 7) ***
Threat of capital controls accelerates marginal capital outflows.
- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iQEVAwUBOJIpOylWAw/bM84zAQHvQQf+LhwGuVpOwZyS0WO/113oJsUxeQT9kCMq
X2kol8TpUgtmTQNiKNiQfsPI72OAntcipd1gDB9QV8hceSgQAaquxzJl3BLesq9b
+3xuvRgnFoOe28oPkieJUbeLwKLzImP+hhkz69/jFiYHgsoGSoPTzoR3lTXo0HEP
9RFr4ExwqCtGbSrP1jIaNQU4LiLEUoOWSckr5H9HeCRYT9++r0cM4y7PFG1iftMU
klgpXHP4ImHd/srS5jcbpTk+dfCndMt7xIU4KS1EqQilW58b+G6RLXzypUM9jOlN
4UhqfTqAtBNYtVfDO7pXRwe1p9f2c1AK+j8ykm3BriiEG1bfjtbSTQ==
=/oau
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo en vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
Más información sobre la lista de distribución Ayuda