f0rb1dd3n / Reptile

LKM Linux rootkit

copy_from_user cause system crash on centos7.8 #111

Closed fadinglr closed 1 year ago

fadinglr commented 1 year ago

https://github.com/f0rb1dd3n/Reptile/blob/1e17bc82ea8e4f9b4eaf15619ed6bcd283ad0e17/kernel/main.c#L388

[  665.125845] reptile_module: loading out-of-tree module taints kernel.
[  665.125900] reptile_module: module verification failed: signature and/or required key missing - tainting kernel
[  677.503376] p args:ffff894777045f00  p &args:ffff894736e6bdc8    p *args:ffff894777045f00    p arg:00007ffe8a1b9fa0
[ 1507.928955] usercopy: kernel memory overwrite attempt detected to ffff8947486c7dc0 (<process stack>) (16 bytes)
[ 1507.928992] ------------[ cut here ]------------
[ 1507.928994] kernel BUG at mm/usercopy.c:72!
[ 1507.928996] invalid opcode: 0000 [#1] SMP 
[ 1507.928998] Modules linked in: reptile_module(OE) tcp_lp fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun devlink ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat iptable_mangle iptable_security iptable_raw nf_conntrack ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter vmw_vsock_vmci_transport vsock sunrpc snd_seq_midi snd_seq_midi_event iosf_mbi crc32_pclmul ghash_clmulni_intel ppdev snd_ens1371 snd_rawmidi snd_ac97_codec ac97_bus snd_seq aesni_intel snd_seq_device vmw_balloon lrw gf128mul glue_helper ablk_helper cryptd
[ 1507.929019]  snd_pcm pcspkr joydev snd_timer sg snd soundcore vmw_vmci i2c_piix4 parport_pc parport ip_tables xfs libcrc32c sr_mod cdrom ata_generic pata_acpi vmwgfx sd_mod crc_t10dif crct10dif_generic drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crct10dif_pclmul crct10dif_common crc32c_intel nfit libnvdimm ata_piix libata mptspi serio_raw e1000 scsi_transport_spi mptscsih mptbase drm_panel_orientation_quirks dm_mirror dm_region_hash dm_log dm_mod [last unloaded: reptile_module]
[ 1507.929037] CPU: 0 PID: 6881 Comm: cmd Kdump: loaded Tainted: G           OE  ------------   3.10.0-1127.el7.x86_64 #1
[ 1507.929038] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/22/2020
[ 1507.929040] task: ffff894748793150 ti: ffff8947486c4000 task.ti: ffff8947486c4000
[ 1507.929041] RIP: 0010:[<ffffffffa0649bb7>]  [<ffffffffa0649bb7>] __check_object_size+0x87/0x250
[ 1507.929047] RSP: 0018:ffff8947486c7d90  EFLAGS: 00010246
[ 1507.929048] RAX: 0000000000000063 RBX: ffff8947486c7dc0 RCX: 0000000000000000
[ 1507.929049] RDX: 0000000000000000 RSI: ffff89477b6138d8 RDI: ffff89477b6138d8
[ 1507.929051] RBP: ffff8947486c7db0 R08: 0000000000000073 R09: 0000000000000029
[ 1507.929052] R10: 0000000000000721 R11: 7479622036312820 R12: 0000000000000010
[ 1507.929053] R13: 0000000000000000 R14: ffff8947486c7dd0 R15: 0000000000000000
[ 1507.929055] FS:  00007f2869f1a740(0000) GS:ffff89477b600000(0000) knlGS:0000000000000000
[ 1507.929056] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1507.929057] CR2: 00007f2869a3a4a0 CR3: 0000000048748000 CR4: 00000000003607f0
[ 1507.929088] Call Trace:
[ 1507.929093]  [<ffffffffc07bd47f>] khook_inet_ioctl+0x9f/0xe0 [reptile_module]
[ 1507.929101]  [<ffffffffa0a316bb>] ? sock_ioctl+0x1eb/0x2d0
[ 1507.929103]  [<ffffffffa0a3149b>] ? sock_do_ioctl+0x2b/0x60
[ 1507.929105]  [<ffffffffa0a316bb>] ? sock_ioctl+0x1eb/0x2d0
[ 1507.929108]  [<ffffffffa0662810>] ? do_vfs_ioctl+0x3a0/0x5b0
[ 1507.929110]  [<ffffffffa0b8d678>] ? __do_page_fault+0x238/0x500
[ 1507.929112]  [<ffffffffa0662ac1>] ? SyS_ioctl+0xa1/0xc0
[ 1507.929115]  [<ffffffffa0b92ed2>] ? system_call_fastpath+0x25/0x2a
[ 1507.929116] Code: 45 d1 48 c7 c6 d1 68 e8 a0 48 c7 c1 2b 01 e9 a0 48 0f 45 f1 49 89 c0 4d 89 e1 48 89 d9 48 c7 c7 18 cf e8 a0 31 c0 e8 a1 fa 52 00 <0f> 0b 0f 1f 80 00 00 00 00 48 c7 c0 00 00 40 a0 4c 39 f0 73 0d 
[ 1507.929135] RIP  [<ffffffffa0649bb7>] __check_object_size+0x87/0x250
[ 1507.929137]  RSP <ffff8947486c7d90>
[centos78@localhost Reptile]$ uname -a
Linux localhost.localdomain 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

fadinglr commented 1 year ago

I already fixed it, so close the issue.
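
For defenders triaging a log like the one quoted in this issue, the following added example (not part of the original thread and not the project's code) parses an excerpt of that dmesg output and correlates kernel-tainting module loads with hardened-usercopy violations and call-trace frames. The function name `triage` and the regular expressions are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Excerpt of the kernel log quoted in the issue above (subset of lines, unchanged).
SAMPLE = """\
[  665.125845] reptile_module: loading out-of-tree module taints kernel.
[  665.125900] reptile_module: module verification failed: signature and/or required key missing - tainting kernel
[ 1507.928955] usercopy: kernel memory overwrite attempt detected to ffff8947486c7dc0 (<process stack>) (16 bytes)
[ 1507.928994] kernel BUG at mm/usercopy.c:72!
[ 1507.929093]  [<ffffffffc07bd47f>] khook_inet_ioctl+0x9f/0xe0 [reptile_module]
[ 1507.929101]  [<ffffffffa0a316bb>] ? sock_ioctl+0x1eb/0x2d0
"""

TS = r"^\[\s*(\d+\.\d+)\]\s+"  # dmesg timestamp prefix
TAINT = re.compile(TS + r"(\w+): (loading out-of-tree module|module verification failed)")
USERCOPY = re.compile(TS + r"usercopy: kernel memory (overwrite|exposure) attempt detected "
                      r"(?:to|from) ([0-9a-f]+) \((.*)\) \((\d+) bytes\)")
# A leading "?" marks a frame the unwinder could not confirm.
FRAME = re.compile(TS + r"\[<[0-9a-f]+>\] (\? )?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")

def triage(log):
    """Return tainting modules, usercopy violations, and modules seen in both roles."""
    tainting, violations, frames = {}, [], []
    for line in log.splitlines():
        if m := TAINT.match(line):
            tainting.setdefault(m.group(2), set()).add(m.group(3))
        elif m := USERCOPY.match(line):
            violations.append({"kind": m.group(2), "addr": m.group(3),
                               "region": m.group(4), "bytes": int(m.group(5))})
        elif m := FRAME.match(line):
            frames.append({"symbol": m.group(3), "module": m.group(4),
                           "reliable": m.group(2) is None})
    # Suspects: modules that tainted the kernel AND own a confirmed call-trace frame.
    suspects = sorted({f["module"] for f in frames
                       if f["reliable"] and f["module"] in tainting})
    return {"tainting": tainting, "violations": violations, "suspects": suspects}

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["suspects"], report["violations"])
```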