0

We have a software which intercepts file IO operations and noticed a recent bug caused by a process who's /proc/$pid/exe pointed to /usr/bin/bash;61f1808a (deleted) (via readlink(2)). I'm curious what could be causing this and if the image /usr/bin/bash;61f1808a actually existed at some point or if there's a way to intentionally spawn processes with invalid images.

Relevant system is CentOS 7.9 with kernel 3.10, presumably bash 4.2.46 but of course would be nice to know if it happens on newer stuff too

Improve this question
5
  • 1
    Are containers involved on this system?
    – Daniel B
    Commented Apr 5, 2022 at 20:52
  • I believe that the host environment is windows but I think that the only virtualization is VMWare... asking the person who reported it
    – ridderhoff
    Commented Apr 5, 2022 at 21:13
  • 1
    Can you post output of cat /proc/$pid/cmdline could be a shell script...
    – Michael D.
    Commented Apr 5, 2022 at 21:56
  • @MichaelD.no I'm sorry I can't this is associated with a bug report where the reporter did not provide steps to reproduce apart from "the app had been running for over 70 hrs"
    – ridderhoff
    Commented Apr 6, 2022 at 14:54
  • performed in vmware, no containers, host is windows
    – ridderhoff
    Commented Apr 11, 2022 at 18:51

0

Reset to default

You must log in to answer this question.

Browse other questions tagged .