Message-Id: <202110280944.23199.andreas-stoewing@web.de>
Date:   Thu, 28 Oct 2021 09:44:20 +0000
From:   secret <andreas-stoewing@....de>
To:     linux-kernel@...r.kernel.org
Subject: Unwanted activation of root-processes getting highly activated

10.27.2021
Hello, today we (Gooken) managed to prevent the highly active kernel-processes
from above after a look into the home-directory of tor (/home/surfuser).
There the size of a file increases all the time during the activation of tor
surrounded by firejail (that causes the high activity of the
kernel-processes); it is named:

cached-microdesc-consensus

and its size was incredibly high (much over 100 MB)!

It prevents Tor from building up any connection, so I had to wait up to 20
minutes.

Deleting it did not help: this file occurred and enlarged its size again.

So we set integrity on it (this file) by "chattr +i". Now the problem
described next indeed got solved, Tor immediately builds up connections,
kernel-processes activity lowered to the current percentage far below 10
percent and the tower-LED for readwrites stopped blinking,
but nevertheless this is not really a good solution,
tor or firejail and kernel (here 5.4) of course still have to get patched! (!!!)

Date: 08.10.2021

Subject: Unwanted activation of root-processes reading and writing out
the whole SSD/harddrive ! / Kernel-5.4.134 (pclos, AppArmor / Tor (OpenSuSE)
etc.: disclosure of information, execution of code with higher privileges
and of arbitrary commands in Linux, creation, reading and overwriting of
arbitrary files

Hi, Greg, dear Linux experts and friends,

this is one of the most dangerous and worst things that can happen to Linux!
Referring to the actual kernel 5.4.134 ( now up to the actual version 5.4.151
and higher, additional remark from 10.08.2021), there still is a problem with
unexpectedly activated, highly active root-processes (making the tower-LED
causing readwrites onto harddiscs and making the SSD/harddrive blink serious-
madly hard for about up to 20 minutes). The whole SSD/harddrive seems to get
read out and overwritten!

The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-
root-processes are named

kworker/u2:1-kcryptd/253:2 (especially this one, CPU: > 10%)
kworker/0:1H-kblockd
dmcrypt_write/2 and
jbd2/dm2--8

This occurs since kernel around 5.4.13, whenever I start browsing (with Pale
Moon), activating firejail and tor.

Please patch the kernel-5.4 to prevent it in future!
Regards
Andreas Stöwing (Gooken-producer, Gooken: https://gooken.safe-ws.de/gooken)

Appendix
libapparmor.so.required by firejail (OpenSuSE 15.X) needed by tor (rosa2016.1,
mga7) must be the cause for the activation as much as high activity of some
root-processes!
I have got no other explanation.
Kernel security module apparmor itself got deactivated within the kernel by my
boot-parameters "security=none" and "apparmor=none".

After tor and firejail version got changed from OpenSuSE 15.X to mga7
(firejail) resp. to CentOS el7 (Tor), so that libapparmor.so.1  is not
required anymore, such root-processes did not get activated resp. active too
much!
But they did appear unexpectedly again in kernel-5.4.151 !
So I still await your patches for kernel-5.4.
In my opinion, Linux is killing spy-software and rubbish, if you won't
patch it!

Regards
Gooken
