First of all, create any C program named a.out under /tmp/:

  /* a.c: any program will do; this one just exits */
  int main(void) {
      return 0;
  }

  gcc -O -g a.c
  cp a.out /tmp/
Then, generate a test.ko using the following stap one-liner:

  stap -DDEBUG_MEM -e 'probe process("/bin/ls").function("main") { println("Hi") } probe process("/tmp/a.out").function("main") { println("hi") }' -p4 -m test
Finally, remove the target program from /tmp/:

  rm /tmp/a.out

Run the previously generated test.ko with staprun:

  staprun test.ko
This will leak kernel memory, as evidenced by the following dmesg error:
[50386.865908] SYSTEMTAP ERROR: Memory ffff8881549aed20 len=72 allocation type: kmalloc. Not freed.
Also, at this point, if we run /bin/ls, it will trigger unattended leftover uprobes:

  $ /bin/ls
  Killed
And we'll also see KASAN errors like this:
[50509.842152] ==================================================================
[50509.843273] BUG: KASAN: use-after-free in filter_chain+0xc7/0xe0
[50509.843784] Read of size 8 at addr ffff8881549aed40 by task ls/1238887
[50509.844467] CPU: 11 PID: 1238887 Comm: ls Tainted: G OE 5.11.22-100.orinc.fc32.x86_64+debug #1
[50509.845273] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35 04/01/2014
[50509.845995] Call Trace:
[50509.846217] dump_stack+0xae/0xe5
[50509.846509] ? filter_chain+0xc7/0xe0
[50509.846824] print_address_description.constprop.0+0x18/0x160
[50509.847307] ? filter_chain+0xc7/0xe0
[50509.847620] ? filter_chain+0xc7/0xe0
[50509.847934] kasan_report.cold+0x7f/0x10e
[50509.848283] ? filter_chain+0xc7/0xe0
[50509.848609] filter_chain+0xc7/0xe0
[50509.848928] uprobe_mmap+0x364/0xe80
[50509.849266] ? uprobe_apply+0x120/0x120
[50509.849605] ? vma_link+0x4f6/0x900
[50509.850650] mmap_region+0x437/0x16c0
[50509.851735] do_mmap+0x86f/0xe00
[50509.852738] ? ima_file_free+0x370/0x370
[50509.853773] ? security_mmap_file+0xca/0x160
[50509.854814] vm_mmap_pgoff+0x13e/0x1f0
[50509.855817] ? randomize_stack_top+0xd0/0xd0
[50509.856838] ? lockdep_hardirqs_on_prepare+0x278/0x3f0
[50509.857893] ? lockdep_hardirqs_on+0x74/0x120
[50509.858915] elf_map+0xde/0x260
[50509.859830] load_elf_binary+0xe15/0x3f10
And also a kernel panic like this:
[50509.933654] BUG: unable to handle page fault for address: ffffffffc10cec10
[50509.934291] #PF: supervisor instruction fetch in kernel mode
[50509.934920] #PF: error_code(0x0010) - not-present page
[50509.935515] PGD 4c31067 P4D 4c31067 PUD 4c33067 PMD 17b0cc067 PTE 0
[50509.936289] Oops: 0010 [#1] SMP KASAN NOPTI
[50509.936847] CPU: 4 PID: 1238887 Comm: ls Tainted: G B OE 5.11.22-100.orinc.fc32.x86_64+debug #1
[50509.937695] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35 04/01/2014
[50509.938486] RIP: 0010:0xffffffffc10cec10
[50509.939027] Code: Unable to access opcode bytes at RIP 0xffffffffc10cebe6.
[50509.939716] RSP: 0000:ffffc90000657df0 EFLAGS: 00010282
[50509.940324] RAX: ffffffffc10cec10 RBX: dffffc0000000000 RCX: ffffffff817244e4
[50509.941055] RDX: 0000000000000000 RSI: ffffc90000657f58 RDI: ffff8881549aed30
[50509.941805] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
[50509.942523] R10: fffffbfff0b9c32c R11: 0000000000000001 R12: 0000000000000001
[50509.943244] R13: ffffc90000657f58 R14: ffff8881549aed30 R15: 0000000000000000
[50509.943965] FS: 00007f253f2b2800(0000) GS:ffff88886ee00000(0000) knlGS:0000000000000000
[50509.944746] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[50509.945902] CR2: ffffffffc10cebe6 CR3: 00000004b72d2006 CR4: 0000000000770ee0
[50509.946932] PKRU: 55555554
[50509.947556] Call Trace:
[50509.948190] ? uprobe_notify_resume+0x539/0x2280
[50509.948847] ? arch_uprobe_ignore+0x20/0x20
[50509.949438] ? atomic_notifier_call_chain+0x98/0x100
[50509.950074] ? notify_die+0x81/0xd0
[50509.950649] ? atomic_notifier_call_chain+0x100/0x100
[50509.951291] ? exit_to_user_mode_prepare+0x12a/0x240
[50509.951928] ? asm_exc_int3+0x29/0x40
[50509.952498] ? irqentry_exit_to_user_mode+0x5/0x40
[50509.953128] ? asm_exc_int3+0x31/0x40
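The three logs can be cross-checked against each other: the 72-byte kmalloc allocation that -DDEBUG_MEM reports as never freed spans [ffff8881549aed20, ffff8881549aed68), the KASAN use-after-free read hits ffff8881549aed40 inside it, and RDI/R14 in the oops register dump (ffff8881549aed30) point into the same block. The script below is an added example, not part of this report or of SystemTap; it parses the dmesg lines quoted above (embedded as constructed sample input) and reports which faulting pointers land inside a leaked allocation. All function and pattern names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the dmesg lines quoted in the report above, reduced to
# the leak record, the KASAN access line and the oops register lines the parser uses.
SAMPLE_DMESG = """\
[50386.865908] SYSTEMTAP ERROR: Memory ffff8881549aed20 len=72 allocation type: kmalloc. Not freed.
[50509.843273] BUG: KASAN: use-after-free in filter_chain+0xc7/0xe0
[50509.843784] Read of size 8 at addr ffff8881549aed40 by task ls/1238887
[50509.933654] BUG: unable to handle page fault for address: ffffffffc10cec10
[50509.938486] RIP: 0010:0xffffffffc10cec10
[50509.940324] RAX: ffffffffc10cec10 RBX: dffffc0000000000 RCX: ffffffff817244e4
[50509.941055] RDX: 0000000000000000 RSI: ffffc90000657f58 RDI: ffff8881549aed30
[50509.943244] R13: ffffc90000657f58 R14: ffff8881549aed30 R15: 0000000000000000
"""

# "SYSTEMTAP ERROR: Memory <addr> len=<n> allocation type: <kind>. Not freed."
LEAK_RE = re.compile(
    r"SYSTEMTAP ERROR: Memory (?P<addr>[0-9a-f]+) len=(?P<len>\d+) "
    r"allocation type: (?P<kind>\w+)\. Not freed\."
)
# KASAN's "Read/Write of size N at addr X by task name/pid" line.
ACCESS_RE = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
    r"by task (?P<task>\S+)"
)
# General-purpose registers in an x86-64 oops dump. RIP and RSP carry a
# "0010:"/"0000:" segment prefix and are deliberately not matched here.
REG_RE = re.compile(r"\b(?P<reg>R[A-Z0-9]{2}): (?P<val>[0-9a-f]{16})\b")


@dataclass(frozen=True)
class Leak:
    addr: int
    length: int
    kind: str

    @property
    def end(self) -> int:
        return self.addr + self.length

    def contains(self, ptr: int) -> bool:
        return self.addr <= ptr < self.end


def parse_leaks(log: str) -> list[Leak]:
    """Every allocation the DEBUG_MEM tracker reported as not freed."""
    return [Leak(int(m["addr"], 16), int(m["len"]), m["kind"])
            for m in LEAK_RE.finditer(log)]


def parse_suspect_pointers(log: str) -> dict[str, int]:
    """Addresses worth checking: the KASAN access address and every
    general-purpose register value in the oops dump, keyed by a label."""
    ptrs: dict[str, int] = {}
    for m in ACCESS_RE.finditer(log):
        ptrs[f"KASAN {m['op'].lower()} by {m['task']}"] = int(m["addr"], 16)
    for m in REG_RE.finditer(log):
        ptrs[m["reg"]] = int(m["val"], 16)
    return ptrs


def correlate(log: str) -> dict[str, Leak]:
    """Map each suspect pointer that lands inside a leaked allocation to that leak."""
    leaks = parse_leaks(log)
    return {label: leak
            for label, ptr in parse_suspect_pointers(log).items()
            for leak in leaks if leak.contains(ptr)}


def report(log: str) -> list[str]:
    """One human-readable line per pointer that hits a leaked allocation."""
    ptrs = parse_suspect_pointers(log)
    lines = []
    for label, leak in correlate(log).items():
        ptr = ptrs[label]
        lines.append(f"{label}: {ptr:#x} is {ptr - leak.addr} bytes into leaked "
                     f"{leak.kind} [{leak.addr:#x}, {leak.end:#x})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DMESG):
        print(line)
```

Run against a real dmesg capture (`report(open("dmesg.txt").read())`) after a staprun session that printed the "Not freed" diagnostic; a KASAN access or register value that lands inside one of the reported ranges ties the later crash to the specific allocation that the module failed to release, rather than to an unrelated use-after-free.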