Page Fault

Enzo Desiage enzo at desiage.org
Wed Apr 22 20:02:45 EDT 2020


Hi,

I am trying to write a proof of concept where the execve
system call gets replaced by a new one, that
would print a message if ls is launched.

However, this is giving me a page fault every time
I try to insmod it, and I cannot figure out why.

Thanks,
Enzo

here is the code:
+++++
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kallsyms.h>
#include <asm/paravirt.h>
#include <linux/dirent.h>
#include <linux/fs.h>
#include <linux/proc_ns.h>
#include <linux/slab.h>
#include <linux/version.h>
#include <linux/fdtable.h>
#include <linux/uaccess.h>
#include <asm/unistd_64.h>


MODULE_LICENSE("Dual BSD/GPL");

/*
 * Base of the kernel's syscall dispatch table, resolved in sys_init() via
 * kallsyms_lookup_name().  Stays NULL until the lookup has run.
 */
static void **sct = NULL;

/* Signature of an execve table entry as this module expects it. */
typedef asmlinkage long (*execve_fn_t)(const char __user *filename,
                                       const char __user *const __user *argv,
                                       const char __user *const __user *envp);

/* Original execve handler, saved so it can be forwarded to and restored. */
static execve_fn_t orig_execve;

/*
 * Clear CR0.WP (bit 16, the 0x10000 mask below) so that writes to
 * read-only kernel pages such as the syscall table are no longer refused,
 * with local interrupts disabled by "cli".
 *
 * This is where the reported oops comes from.  The asm reads and writes
 * %eax, but the clobber list (the third ':' section) is empty, so the
 * compiler is never told that eax/rax is destroyed and may keep a live value
 * there across the block.  The oops matches that exactly: at the faulting
 * RIP in sys_init, RAX holds 0000000080040033, which is the CR0 value on
 * the "CR0:" line, and CR2 (the faulting address) is 000000008004020b =
 * RAX + 0x1d8, where 0x1d8 is __NR_execve (59) * sizeof(void *).  The
 * disassembly in the "Code:" line appears to show the table pointer being
 * loaded into rax before this asm and the store to 0x1d8(%rax) right after
 * it, i.e. sct[__NR_execve] = my_execve was written to CR0 + 59*8 because
 * the asm silently replaced rax.  Any register the asm writes must be
 * declared in the clobber list (or routed through an output operand).
 *
 * Other points a reviewer would raise here:
 *  - "cli" only masks interrupts on this CPU; nothing stops other CPUs,
 *    and the unconditional "sti" in enable_write_protection() re-enables
 *    interrupts even if the caller had them disabled.  local_irq_save()/
 *    local_irq_restore() is the kernel's usual pairing -- TODO confirm.
 *  - __force_order is an arch/x86-internal ordering dummy for control
 *    register accesses, not a stable API; presumably this only builds
 *    because the header exposing it is pulled in indirectly.
 *  - A bare "inline" (not "static inline") function here gets an external
 *    definition under the kernel's gnu_inline rules; "static inline" is the
 *    conventional spelling.
 *
 * NOTE(review): toggling CR0.WP to patch sys_call_table defeats the
 * kernel's own protection of that table and is the pattern integrity
 * monitors and rootkit detectors specifically look for.  For observing
 * execve, the supported mechanisms (tracepoints, kprobes, LSM hooks,
 * ftrace) do not require writing to the table at all.
 */
inline void disable_write_protection(void)
{
    asm volatile("cli\n\t"
                "mov %%cr0,%%eax\n\t"
                "and $0xfffeffff,%%eax\n\t"
                "mov %%eax,%%cr0"
                :"+m"(__force_order)
                :
                :);                 /* empty clobber list: eax is not declared */
}

/*
 * Set CR0.WP (bit 16, the 0x10000 mask) again to restore write protection
 * of read-only kernel pages, then unconditionally re-enable local
 * interrupts with "sti".
 *
 * Same defect as disable_write_protection(): the asm writes %eax but the
 * clobber list is empty, so the compiler is not told that eax/rax is
 * destroyed and may still expect its own value there afterwards.  Declare
 * the register as clobbered.
 *
 * "sti" here re-enables interrupts regardless of their state before the
 * matching "cli"; the kernel's local_irq_save()/local_irq_restore() pair
 * preserves the caller's state instead -- TODO confirm that is acceptable
 * for the call sites in this module.  As with its counterpart, "static
 * inline" is the conventional spelling for a file-local helper.
 */
inline void enable_write_protection(void)
{
    asm volatile("mov %%cr0,%%eax\n\t"
                "or $0x10000,%%eax\n\t"
                "mov %%eax,%%cr0\n\t"
                "sti"
                :"+m"(__force_order)
                :
                :);                 /* empty clobber list: eax is not declared */
}

/* Custom execve */

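/*
 * Replacement execve entry: logs when the program path contains "/bin/ls",
 * then forwards every call unchanged to the saved original handler.
 *
 * @filename: user-space pointer to the program path (untrusted memory).
 * @argv, @envp: user-space argument/environment vectors, passed through.
 * Returns whatever the original handler returns.  This is a long; the
 * posted version narrowed it through "int ret" before returning it.
 *
 * Fixes relative to the posted version:
 *  - the stray ';' after the parameter list made this a prototype followed
 *    by a bare block, which does not compile (the module that produced the
 *    oops must have been built from slightly different text);
 *  - @filename is a __user pointer.  Calling strstr() on it reads user
 *    memory directly from kernel context, which is not permitted (kernels
 *    with SMAP enabled fault on it) and can oops on an unmapped or
 *    unterminated user string.  It is copied into a bounded kernel buffer
 *    with strncpy_from_user() first.
 *
 * NOTE(review): the oops is from 5.6.0-rc2 on x86-64, where the table
 * entries are pt_regs-based wrappers rather than functions taking
 * (filename, argv, envp) directly; this signature therefore presumably does
 * not match what sct[__NR_execve] points at -- confirm against the kernel's
 * arch/x86 syscall entry code before relying on the forwarding call.
 */
static asmlinkage long
my_execve(const char __user *filename,
          const char __user *const __user *argv,
          const char __user *const __user *envp)
{
    /* Bounded kernel copy of the path; a "/bin/ls" that lies beyond the
     * copied prefix is simply not matched. */
    char path[128];
    long len;

    len = strncpy_from_user(path, filename, sizeof(path));
    if (len > 0) {
        /* strncpy_from_user() does not NUL-terminate when the source is at
         * least sizeof(path) long (it returns sizeof(path) in that case). */
        path[sizeof(path) - 1] = '\0';
        if (strstr(path, "/bin/ls") != NULL)
            printk(KERN_ALERT "Executing /bin/ls detected\n");
    }
    /* len <= 0: empty path or -EFAULT; let the real execve report it. */

    return (*orig_execve)(filename, argv, envp);
}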



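/*
 * Module entry: locate sys_call_table, save the current execve entry and
 * install my_execve in its place.
 *
 * Returns 0 on success, -ENOENT when sys_call_table cannot be resolved.
 * The posted version never checked the lookup result; with a NULL table
 * the index on the line below would itself have page-faulted at address
 * __NR_execve * sizeof(void *).  The log shows the lookup did succeed here,
 * so the oops in this thread is not from this path (see the clobber issue
 * in disable_write_protection()).
 *
 * NOTE(review): kallsyms_lookup_name() is no longer exported to modules on
 * kernels newer than the 5.6 seen in the oops, so this lookup presumably
 * fails there -- the NULL check makes that a clean -ENOENT instead of a
 * crash.  Patching the table is also what integrity monitors flag; the
 * supported ways to observe execve (tracepoints, kprobes, LSM hooks) need
 * none of this.
 */
static int __init sys_init(void)
{
    printk(KERN_ALERT "Module loading\n");

    sct = (void **)kallsyms_lookup_name("sys_call_table");
    if (!sct) {
        printk(KERN_ALERT "sys_call_table not found\n");
        return -ENOENT;
    }
    /* %p is hashed by printk (the log shows 00000000055df43d, not a kernel
     * address), so this line cannot be used to check the lookup result. */
    printk("+ sys_call_table address = %p\n", sct);

    printk("Execve syscall # %d\n", __NR_execve);

    /* Record the original execve handler so it can be forwarded to in
     * my_execve() and restored in sys_exit(). */
    orig_execve = sct[__NR_execve];

    disable_write_protection();
    sct[__NR_execve] = my_execve;
    enable_write_protection();

    return 0;
}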


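/*
 * Module exit: put the saved execve entry back into the table.
 *
 * module_exit() only runs when sys_init() returned 0, so sct is expected
 * to be valid here; the guard keeps a NULL table from being indexed
 * anyway rather than oopsing on unload.  __exit lets the kernel discard
 * this function when the module is built in or cannot be unloaded.
 */
static void __exit sys_exit(void)
{
    if (sct) {
        disable_write_protection();
        sct[__NR_execve] = orig_execve;
        enable_write_protection();
    }

    printk(KERN_ALERT "Goodbye, cruel world\n");
}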

/* Register sys_init()/sys_exit() as the module's load and unload hooks. */
module_init(sys_init);
module_exit(sys_exit);
++++++

[ 4024.772066] Module loading
[ 4024.790716] + sys_call_table address = 00000000055df43d
[ 4024.790718] Execve syscall # 59
[ 4024.791116] BUG: unable to handle page fault for address:
000000008004020b
[ 4024.792614] #PF: supervisor write access in kernel mode
[ 4024.793944] #PF: error_code(0x0002) - not-present page
[ 4024.794920] PGD 0 P4D 0
[ 4024.795411] Oops: 0002 [#1] SMP PTI
[ 4024.796072] CPU: 1 PID: 3475 Comm: insmod Tainted: G           OE
5.6.0-rc2+ #1
[ 4024.797378] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.12.0-1 04/01/2014
[ 4024.798977] RIP: 0010:sys_init+0x69/0x90 [mvee]
[ 4024.799724] Code: 6b 60 9d c0 e8 ab 97 d3 d1 48 8b 05 99 22 00 00 48 8b
90 d8 01 00 00 48 89 15 83 22 00 00 fa 0f 20 c0 25 ff ff fe ff 0f 22 c0
<48> c7 80 d8 01 00 00 00 50 9d c0 0f 20 c0 0d 00 00 01 00 0f 22 c0
[ 4024.802782] RSP: 0018:ffffac860111fc60 EFLAGS: 00010086
[ 4024.803896] RAX: 0000000080040033 RBX: 0000000000000000 RCX:
0000000000000007
[ 4024.805017] RDX: ffffffff928e9180 RSI: 0000000000000086 RDI:
ffff98c27dd19900
[ 4024.806147] RBP: ffffac860111fc60 R08: 0000000000000242 R09:
0000000000000004
[ 4024.807220] R10: ffffffff93d827e0 R11: 0000000000000001 R12:
ffffffffc09d50a0
[ 4024.808285] R13: ffff98c27a8bf280 R14: ffffac860111fe68 R15:
ffffffffc09d7000
[ 4024.809390] FS:  00007fec8368f540(0000) GS:ffff98c27dd00000(0000)
knlGS:0000000000000000
[ 4024.810855] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080040033
[ 4024.811922] CR2: 000000008004020b CR3: 00000000336e4005 CR4:
0000000000360ee0
[ 4024.813231] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 4024.814610] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[ 4024.815651] Call Trace:
[ 4024.816155]  do_one_initcall+0x4a/0x200
[ 4024.816778]  ? _cond_resched+0x19/0x40
[ 4024.817363]  ? kmem_cache_alloc_trace+0x15c/0x210
[ 4024.818096]  ? __vunmap+0x1bd/0x210
[ 4024.818671]  do_init_module+0x5f/0x22a
[ 4024.819317]  load_module+0x26f8/0x2cd0
[ 4024.820077]  __do_sys_finit_module+0xfc/0x120
[ 4024.820796]  ? __do_sys_finit_module+0xfc/0x120
[ 4024.821538]  __x64_sys_finit_module+0x1a/0x20
[ 4024.822583]  do_syscall_64+0x57/0x1d0
[ 4024.823195]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 4024.823972] RIP: 0033:0x7fec831a0839
[ 4024.824552] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48
89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05
<48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
[ 4024.828363] RSP: 002b:00007ffd0cb40468 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[ 4024.829995] RAX: ffffffffffffffda RBX: 0000563be9d597a0 RCX:
00007fec831a0839
[ 4024.831531] RDX: 0000000000000000 RSI: 0000563be900cd2e RDI:
0000000000000003
[ 4024.832626] RBP: 0000563be900cd2e R08: 0000000000000000 R09:
00007fec83473000
[ 4024.833730] R10: 0000000000000003 R11: 0000000000000246 R12:
0000000000000000
[ 4024.835553] R13: 0000563be9d59770 R14: 0000000000000000 R15:
0000000000000000
[ 4024.837111] Modules linked in: mvee(OE+) kvm_intel kvm irqbypass
input_leds joydev serio_raw qemu_fw_cfg mac_hid sch_fq_codel ib_iser
rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi
scsi_transport_iscsi ip_tables x_tables btrfs blake2b_generic zstd_compress
raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx
xor raid6_pq raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel cirrus drm_kms_helper aesni_intel glue_helper
crypto_simd syscopyarea sysfillrect virtio_blk sysimgblt fb_sys_fops cec
i2c_piix4 psmouse sym53c8xx pata_acpi cryptd drm virtio_net [last unloaded:
mvee]
[ 4024.847494] CR2: 000000008004020b
[ 4024.848404] ---[ end trace 0988ed522895329e ]---
[ 4024.849514] RIP: 0010:sys_init+0x69/0x90 [mvee]
[ 4024.850610] Code: 6b 60 9d c0 e8 ab 97 d3 d1 48 8b 05 99 22 00 00 48 8b
90 d8 01 00 00 48 89 15 83 22 00 00 fa 0f 20 c0 25 ff ff fe ff 0f 22 c0
<48> c7 80 d8 01 00 00 00 50 9d c0 0f 20 c0 0d 00 00 01 00 0f 22 c0
[ 4024.854386] RSP: 0018:ffffac860111fc60 EFLAGS: 00010086
[ 4024.855612] RAX: 0000000080040033 RBX: 0000000000000000 RCX:
0000000000000007
[ 4024.857080] RDX: ffffffff928e9180 RSI: 0000000000000086 RDI:
ffff98c27dd19900
[ 4024.858549] RBP: ffffac860111fc60 R08: 0000000000000242 R09:
0000000000000004
[ 4024.860335] R10: ffffffff93d827e0 R11: 0000000000000001 R12:
ffffffffc09d50a0
[ 4024.862180] R13: ffff98c27a8bf280 R14: ffffac860111fe68 R15:
ffffffffc09d7000
[ 4024.863667] FS:  00007fec8368f540(0000) GS:ffff98c27dd00000(0000)
knlGS:0000000000000000
[ 4024.865500] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080040033
[ 4024.866775] CR2: 000000008004020b CR3: 00000000336e4005 CR4:
0000000000360ee0
[ 4024.868352] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 4024.869850] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400

