/usr/share/initramfs-tools/hooks/fsck failed with return 1 due to /lib/libgcwrap.so in ldd output caused by crypto-miner malware

Bug #1641230 reported by nima
This bug affects 15 people
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| e2fsprogs (Ubuntu) | Invalid | Undecided | Unassigned | |
| initramfs-tools (Ubuntu) | Invalid | High | Unassigned | |

Bug Description

Do you want to continue? [Y/n] y
(Reading database ... 254369 files and directories currently installed.)
Removing linux-image-extra-4.4.0-43-generic (4.4.0-43.63) ...
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 4.4.0-43-generic /boot/vmlinuz-4.4.0-43-generic
run-parts: executing /etc/kernel/postinst.d/dkms 4.4.0-43-generic /boot/vmlinuz-4.4.0-43-generic
Error! Your kernel headers for kernel 4.4.0-43-generic cannot be found.
Please install the linux-headers-4.4.0-43-generic package,
or use the --kernelsourcedir option to tell DKMS where it's located
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 4.4.0-43-generic /boot/vmlinuz-4.4.0-43-generic
update-initramfs: Generating /boot/initrd.img-4.4.0-43-generic
E: /usr/share/initramfs-tools/hooks/fsck failed with return 1.
update-initramfs: failed for /boot/initrd.img-4.4.0-43-generic with 1.
run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
dpkg: error processing package linux-image-extra-4.4.0-43-generic (--remove):
 subprocess installed post-removal script returned error exit status 1
Removing linux-image-extra-4.4.0-47-generic (4.4.0-47.68) ...
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 4.4.0-47-generic /boot/vmlinuz-4.4.0-47-generic
run-parts: executing /etc/kernel/postinst.d/dkms 4.4.0-47-generic /boot/vmlinuz-4.4.0-47-generic
run-parts: executing /etc/kernel/postinst.d/initramfs-tools 4.4.0-47-generic /boot/vmlinuz-4.4.0-47-generic
update-initramfs: Generating /boot/initrd.img-4.4.0-47-generic
E: /usr/share/initramfs-tools/hooks/fsck failed with return 1.
update-initramfs: failed for /boot/initrd.img-4.4.0-47-generic with 1.
run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
dpkg: error processing package linux-image-extra-4.4.0-47-generic (--remove):
 subprocess installed post-removal script returned error exit status 1
Errors were encountered while processing:
 linux-image-extra-4.4.0-43-generic
 linux-image-extra-4.4.0-47-generic
E: Sub-process /usr/bin/dpkg returned an error code (1)

ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-43-generic 4.4.0-43.63
ProcVersionSignature: Ubuntu 4.4.0-45.66-generic 4.4.21
Uname: Linux 4.4.0-45-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: pezhman 1535 F.... pulseaudio
Date: Fri Nov 11 21:03:09 2016
ErrorMessage: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
HibernationDevice: RESUME=UUID=e8c76af0-04d5-4831-a401-a0911630111c
InstallationDate: Installed on 2016-08-27 (76 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
MachineType: ASUSTeK COMPUTER INC. S300CA
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-45-generic.efi.signed root=UUID=72d332d4-9180-442f-a032-8c1b612566ec ro quiet splash vt.handoff=7
PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
RelatedPackageVersions: grub-pc N/A
SourcePackage: initramfs-tools
Title: package linux-image-4.4.0-43-generic 4.4.0-43.63 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 01/22/2013
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: S300CA.302
dmi.board.asset.tag: ATN12345678901234567
dmi.board.name: S300CA
dmi.board.vendor: ASUSTeK COMPUTER INC.
dmi.board.version: 1.0
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: ASUSTeK COMPUTER INC.
dmi.chassis.version: 1.0
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrS300CA.302:bd01/22/2013:svnASUSTeKCOMPUTERINC.:pnS300CA:pvr1.0:rvnASUSTeKCOMPUTERINC.:rnS300CA:rvr1.0:cvnASUSTeKCOMPUTERINC.:ct10:cvr1.0:
dmi.product.name: S300CA
dmi.product.version: 1.0
dmi.sys.vendor: ASUSTeK COMPUTER INC.

nima (nima-d-kenari) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in initramfs-tools (Ubuntu):
status: New → Confirmed
tags: removed: need-duplicate-check
Changed in initramfs-tools (Ubuntu):
importance: Undecided → High
Changed in initramfs-tools (Ubuntu):
status: Confirmed → Fix Committed
Benjamin Drung (bdrung) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The relevant dpkg terminal log says:

E: /usr/share/initramfs-tools/hooks/fsck failed with return 1.

Sadly there is no error message for the command that failed in this fsck shell script. Can you reproduce this error message? If yes, please add "set -x" to the second line in /usr/share/initramfs-tools/hooks/fsck to collect debugging information.

Changed in initramfs-tools (Ubuntu):
status: Fix Committed → Incomplete
Clayton M. (cemarrio) wrote :

Hello,
I'm experiencing the same failure in initramfs-tools fsck hook script. I'm running Ubuntu 22.04.3 LTS with the following initramfs package versions installed:

initramfs-tools/jammy-updates,now 0.140ubuntu13.4 all [installed]
initramfs-tools-bin/jammy-updates,now 0.140ubuntu13.4 amd64 [installed]
initramfs-tools-core/jammy-updates,now 0.140ubuntu13.4 all [installed,automatic]

I've attached the output from running "sudo update-initramfs -u -v" with the "set -x" line added to the fsck script. A chunk of the first lines was dropped, but the latter lines with the script processing are there.

I've tried reinstalling these packages, reinstalling the e2fsck packages as e2fsck is mentioned there... Nothing has worked yet. Thankfully the most recent initrd is fine to boot.

Please let me know if you need any other info.

Benjamin Drung (bdrung) wrote :

Thanks. Those log files are useful. The relevant bits:

env --unset=LD_PRELOAD ldd /sbin/fsck.ext4
copy_file binary /lib/libgcwrap.so

fsck.ext4 comes from e2fsprogs. I don't know how ldd came to libgcwrap.so.

Which version of e2fsprogs do you have installed? Can you run "env --unset=LD_PRELOAD ldd /sbin/fsck.ext4" and paste the output? Have you set any special environment variable that could fiddle with how libraries are loaded?

Changed in initramfs-tools (Ubuntu):
status: Incomplete → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in e2fsprogs (Ubuntu):
status: New → Confirmed
Changed in initramfs-tools (Ubuntu):
status: New → Confirmed
Clayton M. (cemarrio) wrote :

Currently installed e2fsprogs:
e2fsprogs/jammy-updates,jammy-security,now 1.46.5-2ubuntu1.1 amd64 [installed,automatic]

The output from "env --unset=LD_PRELOAD ldd /sbin/fsck.ext4":

clayton@ubuserver:~$ env --unset=LD_PRELOAD ldd /sbin/fsck.ext4
 linux-vdso.so.1 (0x00007ffe691b5000)
 libext2fs.so.2 => /lib/x86_64-linux-gnu/libext2fs.so.2 (0x00007f6c67e9d000)
 libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f6c67e97000)
 libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007f6c67e60000)
 libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f6c67e57000)
 libe2p.so.2 => /lib/x86_64-linux-gnu/libe2p.so.2 (0x00007f6c67e49000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6c679d8000)
 libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f6c67e44000)
 libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6c67e3f000)
 libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6c67e3a000)
 /lib64/ld-linux-x86-64.so.2 (0x00007f6c67f6d000)

I haven't explicitly configured anything environment-related to alter handling of libraries; here is my env. I've removed a couple of SSH variables but the rest is printed as-is.

clayton@ubuserver:~$ env
SHELL=/bin/bash
JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre/
PWD=/home/clayton
LOGNAME=clayton
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/clayton
LANG=C.UTF-8
LC_TERMINAL=iTerm2
XDG_SESSION_CLASS=user
TERM=xterm-256color
USER=clayton
LC_TERMINAL_VERSION=3.4.20
SHLVL=1
XDG_SESSION_ID=403
XDG_RUNTIME_DIR=/run/user/1000
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
PATH=/bin/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/clayton/.go/bin:/home/clayton/go/bin
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
SSH_TTY=/dev/pts/0
GOPATH=/home/clayton/go
_=/usr/bin/env
OLDPWD=/boot

Same issue if I run apt and something has triggered initramfs rebuild. Attached a log of that as well.

Benjamin Drung (bdrung) wrote :

The ldd looks correct and the environment clean. Parsing of that output should not end up in "/lib/libgcwrap.so". So let's check if the output is the same when running as root in that environment.

Can you modify copy_exec in /usr/share/initramfs-tools/hook-functions to print the ldd output:

```
 # Copy the dependant libraries
        echo "DEBUG: ldd ${src}"
        env --unset=LD_PRELOAD ldd "${src}"
```

Clayton M. (cemarrio) wrote :

Sure, please see the attached output with the additional debug statement.

Benjamin Drung (bdrung)
summary: package linux-image-4.4.0-43-generic 4.4.0-43.63 failed to
install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools
- exited with return code 1
+ exited with return code 1 due to /usr/share/initramfs-tools/hooks/fsck
+ failed with return 1
Benjamin Drung (bdrung) wrote : Re: package linux-image-4.4.0-43-generic 4.4.0-43.63 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1 due to /usr/share/initramfs-tools/hooks/fsck failed with return 1

That log output is interesting. It contains /lib/libgcwrap.so. You could add an "env" call to copy_exec to see if the environment is different to when run as a normal user. Do you have a /etc/ld.so.preload file?

Benjamin Drung (bdrung) wrote :

Feel free to join #ubuntu-devel on IRC to interactively debug this failure.

Clayton M. (cemarrio) wrote :

I see there is no /etc/ld.so.preload file. I also do not see /lib/libgcwrap.so.

Attached the log with "env" call in copy_exec, after the previously added DEBUG statement.

Sorry for the back and forth here - I am replying as I have a free moment but can't spend much time during the day.

Benjamin Drung (bdrung) wrote :

The environment variables look sane to me. I have no clue where /lib/libgcwrap.so should come from - except for a virus. Searching on the web for libgcwrap did not reveal anything. To figure out if some files were modified on your system, you can use debsums to check:

sudo debsums -c

It will list the files that were modified. Otherwise you could search for text/configuration files that refer to libgcwrap:

sudo grep -r gcwrap /etc/ /usr/ /var/

Clayton M. (cemarrio) wrote :

I shut down the VM and used a live ISO to take a look at the filesystem. You were correct - there is an /etc/ld.so.preload which points to /lib/libgcwrap.so. There is also a /usr/lib/libgcwrap.so copy.

These files were marked as immutable and were not visible from the booted system. I took a look at the cron configurations and found the root user had an entry for "perfcc". Looking this up, perfcc/perfctl is a crypto-miner malware.

Thanks for all your help in troubleshooting this. I hope it clarifies for someone what may be afoot if they find libgcwrap present on their system; there was nothing available on the popular search engines about it.
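
An added example (not part of the thread and not initramfs-tools code) of the two checks this diagnosis turned on: spotting a preload-injected object in ldd output on the running system, then confirming it on the root filesystem mounted from a live ISO, where the hidden files are visible. The function names and the /mnt/suspect mount point are assumptions, and the checks cover any preload entry, not only libgcwrap.so.

```shell
#!/bin/sh
# Added example. Function names and the mount point are assumptions, not from the thread.

# Live system: read `ldd` output on stdin and print objects listed by absolute
# path with no "=>" that are not the ELF interpreter. Libraries injected via
# LD_PRELOAD or /etc/ld.so.preload appear this way. The ld*.so name test is a
# heuristic and can be evaded by a library named like a loader.
ldd_injected() {
    awk '$2 != "=>" && $1 ~ /^\// &&
         $1 !~ /\/ld[-0-9a-z_]*\.so(\.[0-9]+)*$/ { print $1 }'
}

# Offline: print each object named in ROOT/etc/ld.so.preload, one per line.
# Entries are separated by whitespace or colons; "#" starts a comment.
preload_entries() {
    [ -f "$1/etc/ld.so.preload" ] || return 0
    sed 's/#.*//' "$1/etc/ld.so.preload" | tr ' \t:' '\n\n\n' | sed '/^$/d'
}

# Offline: for each preload entry report presence under ROOT and whether the
# immutable attribute is set (lsattr is part of e2fsprogs).
audit_preload() {
    preload_entries "$1" | while IFS= read -r lib; do
        state=missing
        [ -e "$1$lib" ] && state=present
        attrs=$(lsattr -d "$1$lib" 2>/dev/null | cut -d' ' -f1)
        case "$attrs" in *i*) state="$state,immutable" ;; esac
        printf '%s\t%s\n' "$lib" "$state"
    done
}

# Offline: cron files under ROOT that mention the names seen in this report.
cron_hits() {
    grep -rlE 'perfcc|perfctl|gcwrap' "$1/etc/crontab" "$1/etc/cron.d" \
        "$1/var/spool/cron" 2>/dev/null || true
}

# Usage: sh triage.sh /mnt/suspect   (root filesystem mounted from a live ISO)
if [ -n "${1:-}" ]; then
    audit_preload "$1"
    cron_hits "$1"
fi
```

On a stock Ubuntu install /etc/ld.so.preload normally does not exist, so any entry reported here deserves an explanation before the system is trusted again.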

Benjamin Drung (bdrung) wrote :

Thanks for the analysis. I am closing this bug report as invalid then.

Changed in initramfs-tools (Ubuntu):
status: Confirmed → Invalid
Changed in e2fsprogs (Ubuntu):
status: Confirmed → Invalid
ROCHE (guyroche08-6) wrote : Re :[Bug 1641230] Re: package linux-image-4.4.0-43-generic 4.4.0-43.63 failed to install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1 due to /usr/share/initramfs-tools/hooks/fsck failed with return 1

Sorry for making you work so hard... Since 2023/04 I have been using Ubuntu 23.04... which works very well on my Asus ROG... Thank you so much for what you do. Best regards, G. Roche

Sent from AOL on Android

  On Tue, Aug 29, 2023 at 12:13, Benjamin Drung <email address hidden> wrote: Thanks for the analysis. I am closing this bug report as invalid then.

** Changed in: initramfs-tools (Ubuntu)
      Status: Confirmed => Invalid

** Changed in: e2fsprogs (Ubuntu)
      Status: Confirmed => Invalid

--
You received this bug notification because you are subscribed to a
duplicate bug report (1861888).
https://bugs.launchpad.net/bugs/1641230


Benjamin Drung (bdrung)
summary: - package linux-image-4.4.0-43-generic 4.4.0-43.63 failed to
- install/upgrade: run-parts: /etc/kernel/postinst.d/initramfs-tools
- exited with return code 1 due to /usr/share/initramfs-tools/hooks/fsck
- failed with return 1
+ /usr/share/initramfs-tools/hooks/fsck failed with return 1 due to
+ /lib/libgcwrap.so in ldd output caused by crypto-miner malware