kernelnewbies.kernelnewbies.org archive mirror
* Kernel panic after insmod
@ 2016-06-26  9:35 Manavendra Nath Manav
  2016-06-26 14:54 ` Greg KH
  0 siblings, 1 reply; 5+ messages in thread
From: Manavendra Nath Manav @ 2016-06-26  9:35 UTC (permalink / raw)
  To: kernelnewbies

Can someone explain the following kernel module code? I'm not familiar with
x86 assembly, so I have a problem understanding this part. Also, it seems this
code is able to modify the kernel stack.

/******************start****************/

#include <linux/module.h>

MODULE_LICENSE("GPL");

int __init init(void) __attribute__((noreturn))
{
unsigned long long cr0 = read_cr0();
write_cr0(cr0 & ~(1 << 4)); /* Clear Extension Type (ET) bit */
*(unsigned char *)sys_kill = 0xc3; /* opcode for "ret" */
write_cr0(cr0);

/* Optional code ahead to hide traces of this module. */
__this_module.refcnt = 1;
__this_module.state = MODULE_STATE_LIVE;

asm
(
"mov %0, %%rsp\n\t"
"mov %1, %%rdi\n\t" /* name = __this_module.name */
"xor %%rsi, %%rsi\n\t" /* flags = 0 */
"jmp sys_delete_module\n\t" /* call delete_module(name, flags) */
:: "r"(current->stack + THREAD_SIZE - sizeof(struct pt_regs) - 8), "r"(__
this_module.name) :
);
}

void __exit exit(void)
{
return;
}

/*******************end*****************/

* Kernel panic after insmod
  2016-06-26  9:35 Kernel panic after insmod Manavendra Nath Manav
@ 2016-06-26 14:54 ` Greg KH
  2016-06-26 16:38   ` Aruna Hewapathirane
  0 siblings, 1 reply; 5+ messages in thread
From: Greg KH @ 2016-06-26 14:54 UTC (permalink / raw)
  To: kernelnewbies

On Sun, Jun 26, 2016 at 09:35:55AM +0000, Manavendra Nath Manav wrote:
> Can someone explain the following kernel module code? I'm not familiar with x86
> assembly, so I have a problem understanding this part. Also, it seems this code is
> able to modify the kernel stack.
> 
> /******************start****************/
> 
> #include <linux/module.h>
> 
> MODULE_LICENSE("GPL");
> 
> int __init init(void) __attribute__((noreturn))
> {
> unsigned long long cr0 = read_cr0();
> write_cr0(cr0 & ~(1 << 4)); /* Clear Extension Type (ET) bit */
> *(unsigned char *)sys_kill = 0xc3; /* opcode for "ret" */
> write_cr0(cr0);
> 
> /* Optional code ahead to hide traces of this module. */
> __this_module.refcnt = 1;
> __this_module.state = MODULE_STATE_LIVE;
> 
> asm
> (
> "mov %0, %%rsp\n\t"
> "mov %1, %%rdi\n\t" /* name = __this_module.name */
> "xor %%rsi, %%rsi\n\t" /* flags = 0 */
> "jmp sys_delete_module\n\t" /* call delete_module(name, flags) */
> :: "r"(current->stack + THREAD_SIZE - sizeof(struct pt_regs) - 8), "r"(__
> this_module.name) :
> );
> }
> 
> void __exit exit(void)
> {
> return;
> }
> 
> /*******************end*****************/

What exactly was the crash?  And where did you find this kernel module
source from?

greg k-h


* Kernel panic after insmod
  2016-06-26 14:54 ` Greg KH
@ 2016-06-26 16:38   ` Aruna Hewapathirane
  2016-06-26 17:56     ` Greg KH
  2016-06-27  7:51     ` Silvan Jegen
  0 siblings, 2 replies; 5+ messages in thread
From: Aruna Hewapathirane @ 2016-06-26 16:38 UTC (permalink / raw)
  To: kernelnewbies

> What exactly was the crash?  And where did you find this kernel module
> source from?

Greg,

A little digging around using Google threw this up :
http://superuser.com/questions/1092083/how-to-disable-kill-command-on-linux

If you scroll down you will see the exact same code :)

And completely off-topic what are the options for some of us who very much
wish to attend the Linux conference North America (
http://events.linuxfoundation.org/events/linuxcon-north-america ) but
simply cannot afford the standard registration fee of US$950 ?

And I notice Microsoft is a Diamond sponsor ? Interesting !

Aruna

* Kernel panic after insmod
  2016-06-26 16:38   ` Aruna Hewapathirane
@ 2016-06-26 17:56     ` Greg KH
  2016-06-27  7:51     ` Silvan Jegen
  1 sibling, 0 replies; 5+ messages in thread
From: Greg KH @ 2016-06-26 17:56 UTC (permalink / raw)
  To: kernelnewbies

On Sun, Jun 26, 2016 at 12:38:29PM -0400, Aruna Hewapathirane wrote:
> > What exactly was the crash?  And where did you find this kernel module
> > source from?
> 
> Greg,
> 
> A little digging around using Google threw this up :
> http://superuser.com/questions/1092083/how-to-disable-kill-command-on-linux
> 
> If you scroll down you will see the exact same code :)

Hah, that's funny, and it makes more sense now, thanks.

Use that code at your own risk, you get to keep the kernel pieces it
leaves behind, they are yours to deal with now.

good luck!

greg k-h


* Kernel panic after insmod
  2016-06-26 16:38   ` Aruna Hewapathirane
  2016-06-26 17:56     ` Greg KH
@ 2016-06-27  7:51     ` Silvan Jegen
  1 sibling, 0 replies; 5+ messages in thread
From: Silvan Jegen @ 2016-06-27  7:51 UTC (permalink / raw)
  To: kernelnewbies

On 2016-06-26 18:38, Aruna Hewapathirane wrote:
> And completely off-topic what are the options for some of us who very much
> wish to attend the Linux conference North America (
> http://events.linuxfoundation.org/events/linuxcon-north-america ) but
> simply cannot afford the standard registration fee of US$950 ?

Let me give you my thoughts on this.

I, too, think the price is rather steep. The reason for that is that the 
Linux Foundation is not expecting individuals to pay the registration 
fee (though I did it before. If you do, I would recommend first 
becoming a member of the Linux Foundation because the registration fee 
reductions you get that way pay for the member fee about three times 
over). Rather, it is the company you work for that is expected to pay 
for you going there.


> And I notice Microsoft is a Diamond sponsor ? Interesting !

Probably due to Microsoft profiting off of Linux running on Azure. It's 
a very good thing in any case!


Cheers,

Silvan
