Date: Tue, 27 Dec 2016 18:04:25 -0800 (PST)
From: Roger Marquis
To: freebsd-security@freebsd.org
Subject: /tmp/ecp.* created during kernel build?
Message-ID: <1612271756590.79526@mx5.roble.com>

Found a couple of ecp binaries in /tmp, apparently created concurrent with an 11.0 x86_64 kernel build. Anyone else seen this? Could they be related to a "make buildkernel"?

# ls -l /tmp/ecp*
-rw-r--r-- 1 root wheel 4229 Dec 27 06:21 ecp.Aak1ruL8
-rw-r--r-- 1 root wheel 2371 Dec 27 06:21 ecp.8Wba0TzO

# file /tmp/ecp.*
/tmp/ecp.8Wba0TzO: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped
/tmp/ecp.Aak1ruL8: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped

# strings /tmp/ecp.Aak1ruL8
belX
__vdso_clock_gettime
__vdso_getcpu
__vdso_gettimeofday
__vdso_time
linux_platform
linux_rt_sigcode
linux_vdso.so.1
LINUX_2.6
x86_64
.symtab
.strtab
.shstrtab
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_d
.eh_frame_hdr
.eh_frame
.dynamic
.data
.text
.endrtsigcode
.getip
.startrtsigcode
_DYNAMIC
_GLOBAL_OFFSET_TABLE_
clock_gettime
LINUX_2.6
__vdso_gettimeofday
__vdso_getcpu
gettimeofday
time
getcpu
__vdso_clock_gettime
linux_platform
linux_rt_sigcode
__vdso_time

# strings /tmp/ecp.8Wba0TzO
linux32_rt_sigcode
linux32_sigcode
linux32_vsyscall
linux_platform
linux32_vdso.so.1
LINUX_2.5
i686
.shstrtab
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_d
.eh_frame_hdr
.eh_frame
.dynamic
.data
.text

Is there anything else that might trace the origin of these files other than possibly another buildkernel?

Thanks,
Roger