504ensicsLabs / LiME

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
GNU General Public License v2.0

OS Crash While Writing Dumped RAM to Storage/TCP #82

Closed TheFrozenDuck closed 3 years ago

TheFrozenDuck commented 4 years ago

General

I'm currently playing around with the module to do some memory forensics on a Google Pixel 2. To do so I modified a kernel for the Pixel 2 to support the loading and unloading of LKMs. When inserting the kernel module it runs fine for the first few seconds but eventually crashes with an oops, which I was able to retrieve via pstore. No matter whether I dump to storage or TCP (surprisingly I can dump more via TCP), it always results in a kernel oops as follows:

[  186.212947] Internal error: Oops: 96000007 [#1] PREEMPT SMP
[  186.212954] Modules linked in: lime(O+)
[  186.212969] CPU: 5 PID: 4116 Comm: insmod Tainted: G        W  O    4.4.225-Caesium #4
[  186.212974] Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
[  186.212978] task: 0000000000000000 task.stack: 0000000000000000
[  186.212988] PC is at __memcpy+0x100/0x180
[  186.212995] LR is at iov_iter_copy_from_user_atomic+0x208/0x2c0
[  186.213000] pc : [<ffffff976d763780>] lr : [<ffffff976d77bb38>] pstate: 20000145
[  186.213003] sp : ffffffe4aa33b580
[  186.213006] x29: ffffffe4aa33b580 x28: 0000000000000f20 
[  186.213018] x27: 0000000000000000 x26: ffffff976e7285c8 
[  186.213026] x25: 00000000000000e0 x24: 0000000000000000 
[  186.213034] x23: ffffffe4aa35ba00 x22: ffffffe4aa33b7c8 
[  186.213040] x21: 0000000000000f20 x20: 0000000000000000 
[  186.213047] x19: ffffffe50848b000 x18: 00000000000002d8 
[  186.213054] x17: 0000000000000270 x16: 0000000000000208 
[  186.213060] x15: 00000000000001a0 x14: 0000000000000000 
[  186.213067] x13: 0000000000000000 x12: 0000000000000000 
[  186.213074] x11: 0000000000000000 x10: 0000000000000001 
[  186.213080] x9 : ffffffe51a9ab430 x8 : 0000000000000f20 
[  186.213087] x7 : 0000000000000000 x6 : ffffffe50848a0e0 
[  186.213094] x5 : 0000000000000000 x4 : 0000000000000000 
[  186.213100] x3 : ffffffff70000000 x2 : 0000000000000ea0 
[  186.213107] x1 : ffffffe4f5d00000 x0 : ffffffe50848a0e0 
[  186.213114] 
[  186.213114] PC: 0xffffff976d763740:
[  186.213118] 3740  a8c12027 a88120c7 a8c12829 a8c1302b a88128c9 a88130cb a8c1382d a88138cd
[  186.213141] 3760  f240145f 54fffba1 1400001b d503201f d503201f d503201f d503201f d503201f
[  186.213161] 3780  a8c12027 a8c12829 a8c1302b a8c1382d a88120c7 a8c12027 a88128c9 a8c12829
[  186.213182] 37a0  a88130cb a8c1302b a88138cd a8c1382d f9808021 f1010042 54fffeca a88120c7
[  186.213203] 
[  186.213203] LR: 0xffffff976d77baf8:
[  186.213206] baf8  8b204274 aa1303e0 cb0302b3 0b050042 97fffe22 b50003f3 aa1503e0 17ffffbf
[  186.213228] bb18  b4000614 f94002c1 aa1403e2 aa1303e0 8b140273 8b050021 cb1402b4 97ff9ed3
[  186.213249] bb38  b4fffed4 a90363f7 910042d6 f94006d7 aa1303e0 eb1402ff 9a9492f7 b4ffff77
[  186.213269] bb58  f94002c1 aa1703e2 8b170273 97ff9ec7 eb170294 54fffea1 a94363f7 aa1503e0
[  186.213290] 
[  186.213290] SP: 0xffffffe4aa33b540:
[  186.213294] b540  6d77bb38 ffffff97 aa33b580 ffffffe4 6d763780 ffffff97 20000145 00000000
[  186.213315] b560  66cff0e0 00000000 aa33b800 ffffffe4 ffffffff ffffffff 00000f20 00000000
[  186.213335] b580  aa33b5e0 ffffffe4 6d55ad18 ffffff97 66cff0e0 00000000 aa33b800 ffffffe4
[  186.213355] b5a0  1a9ab428 ffffffe5 00000f20 00000000 00000000 00000000 6e7285c8 00000001
[  186.213375] 
[  186.213379] Process insmod (pid: 4116, stack limit = 0x0000000000000000)
[  186.213383] Call trace:
[  186.213388] Exception stack(0xffffffe4aa33b390 to 0xffffffe4aa33b4c0)
[  186.213392] b380:                                   ffffffe50848b000 0000007fffffffff
[  186.213397] b3a0: ffffffe4aa33b580 ffffff976d763780 0000000020000145 ffffff976e71e2a0
[  186.213402] b3c0: ffffffe4aa33b460 ffffff976d65bac4 ffffffe51a9ab2c8 ffffffe51a9ab1e0
[  186.213407] b3e0: ffffffe4f48ab270 ffffff976f006000 ffffffe5720a4800 ffffff976e71e190
[  186.213411] b400: 0000000066cff000 00000000000000e0 ffffffe4f48ab270 ffffffe51a9ab1e0
[  186.213416] b420: ffffffe4aa33b4e0 ffffff976d69dbe8 ffffffe4f48ab270 ffffffe5720a5800
[  186.213420] b440: 0000000000000b06 e54124f88b495e72 ffffffe50848a0e0 ffffffe4f5d00000
[  186.213425] b460: 0000000000000ea0 ffffffff70000000 0000000000000000 0000000000000000
[  186.213429] b480: ffffffe50848a0e0 0000000000000000 0000000000000f20 ffffffe51a9ab430
[  186.213433] b4a0: 0000000000000001 0000000000000000 0000000000000000 0000000000000000
[  186.213439] [<ffffff976d763780>] __memcpy+0x100/0x180
[  186.213447] [<ffffff976d55ad18>] generic_perform_write+0xf8/0x1d0
[  186.213452] [<ffffff976d55c2c8>] __generic_file_write_iter+0x128/0x1b0
[  186.213460] [<ffffff976d652f48>] ext4_file_write_iter+0xd8/0x420
[  186.213466] [<ffffff976d5b84fc>] __vfs_write+0xcc/0x110
[  186.213471] [<ffffff976d5b8e7c>] vfs_write+0x1ac/0x270
[  186.213477] [<ffffff976d6b6170>] sdcardfs_write+0x70/0x160
[  186.213481] [<ffffff976d5b8460>] __vfs_write+0x30/0x110
[  186.213485] [<ffffff976d5b8e7c>] vfs_write+0x1ac/0x270
[  186.213499] [<ffffff976723b36c>] write_vaddr_disk+0x6c/0xd0 [lime]
[  186.213508] [<ffffff976723bb90>] init_module+0x4b0/0x9f0 [lime]
[  186.213515] [<ffffff976d4831e4>] do_one_initcall+0xa4/0x1c0
[  186.213521] [<ffffff976d52dad4>] do_init_module+0x54/0x210
[  186.213526] [<ffffff976d530098>] load_module+0x23f8/0x27a0
[  186.213530] [<ffffff976d530794>] SyS_finit_module+0x1a4/0x200
[  186.213534] [<ffffff976d482ef0>] el0_svc_naked+0x24/0x28
[  186.213540] Code: d503201f d503201f d503201f d503201f (a8c12027) 
[  186.213544] ---[ end trace 5f043e7b007b0198 ]---

Setup

Device: Google Pixel 2, Android 10 + modified "Caesium Kernel" (available here)
Compiler: gcc10, with no LTO for either the kernel or the module build

TheFrozenDuck commented 4 years ago

I forgot to add the crash. Following the end of the trace the kernel panic is shown:

[  186.216172] Kernel panic - not syncing: Fatal exception
[  186.216184] CPU3: stopping
[  186.216192] 
[  186.216198] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G      D W  O    4.4.225-Caesium #4
[  186.216201] Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
[  186.216205] task: 0000000000000000 task.stack: 0000000000000000
[  186.216214] PC is at lpm_cpuidle_enter+0x20c/0x350
[  186.216218] LR is at lpm_cpuidle_enter+0x188/0x350
[  186.216221] pc : [<ffffff976dda642c>] lr : [<ffffff976dda63a8>] pstate: 80000145
[  186.216224] sp : ffffffe57950be90
[  186.216227] x29: ffffffe57950be90 x28: ffffff976f006a68 
[  186.216233] x27: 0000002b5b594263 x26: ffffffe57776fc18 
[  186.216239] x25: ffffffe573c29018 x24: 0000002b5b5253e4 
[  186.216244] x23: 0000000000000000 x22: ffffff976f006d80 
[  186.216249] x21: ffffffe57e3de1d0 x20: ffffff976ec503b0 
[  186.216254] x19: 0000000000000000 x18: 0000007f08276000 
[  186.216259] x17: 0000000000000000 x16: 0000000000000000 
[  186.216265] x15: 0000000000000000 x14: 0000000000000000 
[  186.216270] x13: 0000000000000000 x12: 000000000000ec95 
[  186.216276] x11: 0000000000000003 x10: 0000000000000000 
[  186.216281] x9 : 0000000000000000 x8 : 00000000000003b3 
[  186.216287] x7 : 000000000003ffff x6 : 00000000e3b871d2 
[  186.216292] x5 : 0000000000000002 x4 : ffffff976f0b2000 
[  186.216297] x3 : 0000000000000003 x2 : ffffffe57e3de3b0 
[  186.216302] x1 : 00000000000001c6 x0 : 0000000000000005 
[  186.216308] 
[  186.216308] PC: 0xffffff976dda63ec:
[  186.216312] 63ec  b9402c45 35000640 2a0503e0 110004a3 b8207841 8b000840 b9001413 b9402840
[  186.216329] 640c  7100101f 5400006c 11000400 b9002840 7100107f 1a9f9063 b9002c43 d50342ff
[  186.216344] 642c  3968a080 350005a0 f9402bfb 2a1303e0 a94153f3 a9425bf5 a94363f7 a9446bf9
[  186.216359] 644c  a8c67bfd d65f03c0 97de7b07 17ffffa0 52800020 97ddf104 17ffff92 aa1b03e4
[  186.216375] 
[  186.216375] LR: 0xffffff976dda6368:
[  186.216379] 6368  8b000f40 39403000 34000060 52800000 97ddf13e 8b1706e2 d37ef442 cb170042
[  186.216394] 6388  8b020f42 b9400840 51000800 7100041f 540008c9 39413040 35000880 97ddcb7f
[  186.216410] 63a8  cb180001 d29ef9e3 f2bc6a63 d343fc21 f2d374a3 f2e41883 90009864 3968a080
[  186.216425] 63c8  aa1403e2 9bc37c21 d344fc21 b9000aa1 34000280 b94006a0 f8607ac0 8b000042
[  186.216440] 
[  186.216440] SP: 0xffffffe57950be50:
[  186.216444] be50  6dda63a8 ffffff97 7950be90 ffffffe5 6dda642c ffffff97 80000145 00000000
[  186.216459] be70  00000000 00000000 6ec503b0 ffffff97 ffffffff ffffffff 8b495e72 e54124f8
[  186.216474] be90  7950bef0 ffffffe5 6dda17b8 ffffff97 00000000 00000000 6f379000 ffffff97
[  186.216490] beb0  77734418 ffffffe5 7e3de1d0 ffffffe5 77734400 ffffffe5 5b52537c 0000002b
...
...
...
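The oops posted above can be triaged mechanically before anyone rebuilds the kernel. The following script is an added example for this thread, not part of LiME and not something the reporter ran: it parses the pstore text into structured fields, decodes the arm64 ESR value printed on the "Internal error" line, finds the first call-trace frame owned by the `lime` module, and, because the PC is inside `__memcpy`, reads the source/destination/count registers according to the stock arm64 copy template (x0 destination, x1 current source pointer, x2 bytes remaining). That register assignment, a 4 KiB page size, and the trimmed copy of the posted trace used as sample input are the assumptions; the script does not claim to identify the root cause of the crash.

```python
"""Triage an arm64 kernel oops captured via pstore.

Added example for this issue thread (not LiME code). The sample below is a
trimmed copy of the trace posted in the report.
"""
import re

SAMPLE_OOPS = """\
[  186.212947] Internal error: Oops: 96000007 [#1] PREEMPT SMP
[  186.212954] Modules linked in: lime(O+)
[  186.212969] CPU: 5 PID: 4116 Comm: insmod Tainted: G        W  O    4.4.225-Caesium #4
[  186.212988] PC is at __memcpy+0x100/0x180
[  186.212995] LR is at iov_iter_copy_from_user_atomic+0x208/0x2c0
[  186.213100] x3 : ffffffff70000000 x2 : 0000000000000ea0 
[  186.213107] x1 : ffffffe4f5d00000 x0 : ffffffe50848a0e0 
[  186.213383] Call trace:
[  186.213439] [<ffffff976d763780>] __memcpy+0x100/0x180
[  186.213447] [<ffffff976d55ad18>] generic_perform_write+0xf8/0x1d0
[  186.213471] [<ffffff976d5b8e7c>] vfs_write+0x1ac/0x270
[  186.213499] [<ffffff976723b36c>] write_vaddr_disk+0x6c/0xd0 [lime]
[  186.213508] [<ffffff976723bb90>] init_module+0x4b0/0x9f0 [lime]
[  186.213515] [<ffffff976d4831e4>] do_one_initcall+0xa4/0x1c0
"""

PAGE_SIZE = 4096  # assumption: 4 KiB pages (usual for this SoC's kernels)

# ESR_ELx exception classes (EC, bits 31:26) relevant to memory faults.
ESR_EC = {0x20: "instruction abort, lower EL", 0x21: "instruction abort, current EL",
          0x24: "data abort, lower EL", 0x25: "data abort, current EL"}
# Fault status codes (DFSC/IFSC, ISS bits 5:0) for translation and permission faults.
ESR_FSC = {0x04: "translation fault, level 0", 0x05: "translation fault, level 1",
           0x06: "translation fault, level 2", 0x07: "translation fault, level 3",
           0x0d: "permission fault, level 1", 0x0e: "permission fault, level 2",
           0x0f: "permission fault, level 3"}

FRAME_RE = re.compile(r"\[<([0-9a-f]+)>\]\s+(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?:\s+\[(\w+)\])?")
REG_RE = re.compile(r"\bx(\d+)\s*:\s*([0-9a-f]{16})")
TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")


def decode_esr(esr):
    """Split an arm64 ESR into exception class, read/write direction and fault status."""
    ec = (esr >> 26) & 0x3F
    iss = esr & 0x1FFFFFF
    wnr = bool(iss & (1 << 6))          # WnR: 1 = write access faulted, 0 = read
    fsc = iss & 0x3F
    return {"ec": ESR_EC.get(ec, "unknown class 0x%x" % ec),
            "access": "write" if wnr else "read",
            "fsc": ESR_FSC.get(fsc, "status 0x%x" % fsc)}


def parse_oops(text):
    """Extract ESR, loaded modules, PC/LR symbols, registers and call trace."""
    info = {"regs": {}, "trace": [], "modules": []}
    for line in text.splitlines():
        body = TS_RE.sub("", line)
        m = re.match(r"Internal error: Oops: ([0-9a-f]+)", body)
        if m:
            info["esr"] = int(m.group(1), 16)
            continue
        m = re.match(r"Modules linked in:\s*(.*)", body)
        if m:
            info["modules"] = [tok.split("(")[0] for tok in m.group(1).split()]
            continue
        m = re.match(r"(PC|LR) is at (\S+)", body)
        if m:
            info[m.group(1).lower()] = m.group(2)
            continue
        m = FRAME_RE.search(body)
        if m:
            info["trace"].append({"addr": int(m.group(1), 16), "symbol": m.group(2),
                                  "offset": int(m.group(3), 16), "size": int(m.group(4), 16),
                                  "module": m.group(5)})
            continue
        for reg, val in REG_RE.findall(body):
            info["regs"]["x" + reg] = int(val, 16)
    return info


def first_frame_in(info, module):
    """Innermost call-trace frame that belongs to the named module, or None."""
    for frame in info["trace"]:
        if frame["module"] == module:
            return frame
    return None


def memcpy_fault_summary(info):
    """For a fault inside __memcpy: report the registers the arm64 copy template
    uses (assumption: x0 = dst, x1 = advanced src pointer, x2 = bytes left)."""
    if not info.get("pc", "").startswith("__memcpy"):
        return None
    esr = decode_esr(info["esr"])
    src, dst, left = (info["regs"].get(r) for r in ("x1", "x0", "x2"))
    return {"access": esr["access"], "fault": esr["fsc"], "src": src, "dst": dst,
            "remaining": left, "src_at_page_boundary": src % PAGE_SIZE == 0}


if __name__ == "__main__":
    oops = parse_oops(SAMPLE_OOPS)
    print("ESR:", decode_esr(oops["esr"]))
    print("first lime frame:", first_frame_in(oops, "lime"))
    print("memcpy registers:", memcpy_fault_summary(oops))
```

On the posted trace this reports a read translation fault at level 3 taken in the current EL, with `write_vaddr_disk+0x6c` as the innermost LiME frame and a memcpy source pointer sitting exactly on a page boundary with 0xea0 bytes still to copy. That is the information to carry into the `make debug` dmesg the maintainer asked for: which page LiME was reading when the copy stopped being backed by a mapping.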
kd8bny commented 3 years ago

Can you compile with `make debug` and post the dmesg log?

TheFrozenDuck commented 3 years ago

I have to close this issue, as I no longer have the setup that was used when creating it.