Date: Tue, 7 Jul 2020 15:13:59 +0200
From: Mikhail Morfikov <mmorfikov@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: <Exploit Detection> Process[modprobe] is trying to remove kernel module but does NOT have appropriate permissions!

I accidentally tested what would happen if I loaded the LKRG module and then
blocked the sys_module capability (via AppArmor) for kmod. When I tried to
unload some module via "modprobe -r -v sysdig-probe" in such a situation, I
got the following:

kernel: [p_lkrg] <Exploit Detection> Process[modprobe] | 209106] is trying to remove kernel module but does NOT have appropriate permissions! Killing...
kernel: audit: type=1400 audit(1594127374.404:5211): apparmor="DENIED" operation="capable" profile="kmod" pid=209106 comm="modprobe" capability=16  capname="sys_module"
kernel: [p_lkrg] <Exploit Detection> Trying to kill process[modprobe] | 209106]!
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000067
kernel: #PF: supervisor read access in kernel mode
kernel: #PF: error_code(0x0000) - not-present page
kernel: PGD 0 P4D 0
kernel: Oops: 0000 [#4] PREEMPT SMP PTI
kernel: CPU: 0 PID: 209106 Comm: modprobe Tainted: G      D    O    T 5.7.7-amd64 #14
kernel: Hardware name: LENOVO 2349BM5/2349BM5, BIOS G1ETC2WW (2.82 ) 08/07/2019
kernel: RIP: 0010:__x64_sys_delete_module+0x20/0x310
kernel: Code: ff 66 0f 1f 84 00 00 00 00 00 e8 ab 9c 9f 37 41 54 55 48 89 fd 53 48 83 ec 40 65 48 8b 04 25 28 00 00 00 48 89 44 24 38 31 c0 <48> 8b 5d 68 31 c0 b9 07 00 00 00 4c 8b 65 70 48 89 e5 48 89 ef f3
kernel: RSP: 0018:ffffac4880d8bdc8 EFLAGS: 00010246
kernel: RAX: 0000000000000000 RBX: 00000000000000b0 RCX: ffffac4880d88008
kernel: RDX: ffffac4880d8be10 RSI: ffffffffffffffff RDI: ffffffffffffffff
kernel: RBP: ffffffffffffffff R08: 0000000000000000 R09: 0000000000000000
kernel: R10: 0000000000000000 R11: 0000000000000010 R12: ffffac4880d8bf58
kernel: R13: ffff9f9755efecc0 R14: 0000000000000000 R15: 0000000000000000
kernel: FS:  0000723ebc015500(0000) GS:ffff9f9796200000(0000) knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000000067 CR3: 000000013a4d0001 CR4: 00000000001606f0
kernel: Call Trace:
kernel:  ? __x64_sys_delete_module+0x5/0x310
kernel:  trace_clock_x86_tsc+0x10/0x10
kernel:  ? do_syscall_64+0x2e/0x334
kernel:  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
kernel: Modules linked in: sysdig_probe(O) p_lkrg(O) [last unloaded: p_lkrg]
kernel: CR2: 0000000000000067
kernel: ---[] end trace 70d2a865c18ee6a8 ]---
kernel: RIP: 0010:__x64_sys_delete_module+0x20/0x310
kernel: Code: ff 66 0f 1f 84 00 00 00 00 00 e8 ab 9c 9f 37 41 54 55 48 89 fd 53 48 83 ec 40 65 48 8b 04 25 28 00 00 00 48 89 44 24 38 31 c0 <48> 8b 5d 68 31 c0 b9 07 00 00 00 4c 8b 65 70 48 89 e5 48 89 ef f3
kernel: RSP: 0018:ffffac4881183df0 EFLAGS: 00010246
kernel: RAX: 0000000000000000 RBX: 00000000000000b0 RCX: ffffac4881180008
kernel: RDX: ffffac4881183e38 RSI: ffffffffffffffff RDI: ffffffffffffffff
kernel: RBP: ffffffffffffffff R08: 0000000000000000 R09: 0000000000000000
kernel: R10: 0000000000000000 R11: 0000000000000010 R12: ffffac4881183f58
kernel: R13: ffff9f9755efdd40 R14: 0000000000000000 R15: 0000000000000000
kernel: FS:  0000723ebc015500(0000) GS:ffff9f9796200000(0000) knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000000067 CR3: 000000013a4d0001 CR4: 00000000001606f0

Should this happen? Is everything alright with it?
