@agentzh
Created November 14, 2023 19:37
First of all, build any C program (saved as a.c here) and place the resulting a.out under /tmp/:

int main(void) {
    return 0;
}
gcc -O -g a.c
cp a.out /tmp/

Then, generate a test.ko using the following stap one-liner:

stap -DDEBUG_MEM -e 'probe process("/bin/ls").function("main") { println("Hi") } probe process("/tmp/a.out").function("main") { println("hi") }' -p4 -m test

Finally, remove the target program from /tmp/:

rm /tmp/a.out

Run the previously generated test.ko with staprun:

staprun test.ko

This will leak kernel memory, as evidenced by the following dmesg error:

[50386.865908] SYSTEMTAP ERROR: Memory ffff8881549aed20 len=72 allocation type: kmalloc. Not freed.

Also, at this point, if we run /bin/ls, it will hit the stale uprobes left behind on /bin/ls:

$ /bin/ls
Killed

And we'll also see KASAN errors like this:

[50509.842152] ==================================================================
[50509.843273] BUG: KASAN: use-after-free in filter_chain+0xc7/0xe0
[50509.843784] Read of size 8 at addr ffff8881549aed40 by task ls/1238887

[50509.844467] CPU: 11 PID: 1238887 Comm: ls Tainted: G           OE     5.11.22-100.orinc.fc32.x86_64+debug #1
[50509.845273] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35 04/01/2014
[50509.845995] Call Trace:
[50509.846217]  dump_stack+0xae/0xe5
[50509.846509]  ? filter_chain+0xc7/0xe0
[50509.846824]  print_address_description.constprop.0+0x18/0x160
[50509.847307]  ? filter_chain+0xc7/0xe0
[50509.847620]  ? filter_chain+0xc7/0xe0
[50509.847934]  kasan_report.cold+0x7f/0x10e
[50509.848283]  ? filter_chain+0xc7/0xe0
[50509.848609]  filter_chain+0xc7/0xe0
[50509.848928]  uprobe_mmap+0x364/0xe80
[50509.849266]  ? uprobe_apply+0x120/0x120
[50509.849605]  ? vma_link+0x4f6/0x900
[50509.850650]  mmap_region+0x437/0x16c0
[50509.851735]  do_mmap+0x86f/0xe00
[50509.852738]  ? ima_file_free+0x370/0x370
[50509.853773]  ? security_mmap_file+0xca/0x160
[50509.854814]  vm_mmap_pgoff+0x13e/0x1f0
[50509.855817]  ? randomize_stack_top+0xd0/0xd0
[50509.856838]  ? lockdep_hardirqs_on_prepare+0x278/0x3f0
[50509.857893]  ? lockdep_hardirqs_on+0x74/0x120
[50509.858915]  elf_map+0xde/0x260
[50509.859830]  load_elf_binary+0xe15/0x3f10

And also a kernel oops like this:

[50509.933654] BUG: unable to handle page fault for address: ffffffffc10cec10
[50509.934291] #PF: supervisor instruction fetch in kernel mode
[50509.934920] #PF: error_code(0x0010) - not-present page
[50509.935515] PGD 4c31067 P4D 4c31067 PUD 4c33067 PMD 17b0cc067 PTE 0
[50509.936289] Oops: 0010 [#1] SMP KASAN NOPTI
[50509.936847] CPU: 4 PID: 1238887 Comm: ls Tainted: G    B      OE     5.11.22-100.orinc.fc32.x86_64+debug #1
[50509.937695] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35 04/01/2014
[50509.938486] RIP: 0010:0xffffffffc10cec10
[50509.939027] Code: Unable to access opcode bytes at RIP 0xffffffffc10cebe6.
[50509.939716] RSP: 0000:ffffc90000657df0 EFLAGS: 00010282
[50509.940324] RAX: ffffffffc10cec10 RBX: dffffc0000000000 RCX: ffffffff817244e4
[50509.941055] RDX: 0000000000000000 RSI: ffffc90000657f58 RDI: ffff8881549aed30
[50509.941805] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
[50509.942523] R10: fffffbfff0b9c32c R11: 0000000000000001 R12: 0000000000000001
[50509.943244] R13: ffffc90000657f58 R14: ffff8881549aed30 R15: 0000000000000000
[50509.943965] FS:  00007f253f2b2800(0000) GS:ffff88886ee00000(0000) knlGS:0000000000000000
[50509.944746] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[50509.945902] CR2: ffffffffc10cebe6 CR3: 00000004b72d2006 CR4: 0000000000770ee0
[50509.946932] PKRU: 55555554
[50509.947556] Call Trace:
[50509.948190]  ? uprobe_notify_resume+0x539/0x2280
[50509.948847]  ? arch_uprobe_ignore+0x20/0x20
[50509.949438]  ? atomic_notifier_call_chain+0x98/0x100
[50509.950074]  ? notify_die+0x81/0xd0
[50509.950649]  ? atomic_notifier_call_chain+0x100/0x100
[50509.951291]  ? exit_to_user_mode_prepare+0x12a/0x240
[50509.951928]  ? asm_exc_int3+0x29/0x40
[50509.952498]  ? irqentry_exit_to_user_mode+0x5/0x40
[50509.953128]  ? asm_exc_int3+0x31/0x40
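The leak report and the KASAN report above describe the same object: the address KASAN reads (ffff8881549aed40) lies 0x20 bytes into the 72-byte kmalloc allocation that SystemTap reported as not freed, and the oops RIP (ffffffffc10cec10) sits in the module mapping area, which is what one expects when a consumer of an unloaded module is still reachable. The script below is an added example, not part of the gist or of SystemTap; it parses dmesg lines of the shapes quoted on this page and performs those two checks. The sample input is constructed from the lines quoted above, and MODULES_VADDR is an assumption about the x86-64 kernel layout rather than a value taken from the gist.

```python
"""Correlate SystemTap "Not freed" reports with KASAN accesses and oops addresses
found in a dmesg excerpt (added example; formats matched are the ones shown in the gist)."""
import re

# Constructed sample: lines copied from the dmesg output quoted in the gist.
SAMPLE_DMESG = """\
[50386.865908] SYSTEMTAP ERROR: Memory ffff8881549aed20 len=72 allocation type: kmalloc. Not freed.
[50509.842152] ==================================================================
[50509.843273] BUG: KASAN: use-after-free in filter_chain+0xc7/0xe0
[50509.843784] Read of size 8 at addr ffff8881549aed40 by task ls/1238887
[50509.933654] BUG: unable to handle page fault for address: ffffffffc10cec10
[50509.934291] #PF: supervisor instruction fetch in kernel mode
"""

TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
LEAK_RE = re.compile(
    r"SYSTEMTAP ERROR: Memory ([0-9a-f]+) len=(\d+) allocation type: (\w+)\. Not freed\.")
KASAN_RE = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
PF_RE = re.compile(r"BUG: unable to handle page fault for address: ([0-9a-f]+)")

# Start of the module mapping area on x86-64 (MODULES_VADDR). Assumed here, not
# taken from the gist; adjust for other architectures.
MODULE_VADDR_START = 0xFFFFFFFFC0000000


def parse_dmesg(text):
    """Extract SystemTap leak reports, KASAN reports and page-fault oopses from dmesg text."""
    leaks, kasan, faults = [], [], []
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if (m2 := LEAK_RE.search(msg)):
            leaks.append({"ts": ts, "addr": int(m2.group(1), 16),
                          "len": int(m2.group(2)), "type": m2.group(3)})
        elif (m2 := KASAN_RE.search(msg)):
            # The "Read/Write of size" line that follows fills in the access details.
            kasan.append({"ts": ts, "bug": m2.group(1), "func": m2.group(2), "access": None})
        elif (m2 := ACCESS_RE.search(msg)) and kasan and kasan[-1]["access"] is None:
            kasan[-1]["access"] = {"kind": m2.group(1), "size": int(m2.group(2)),
                                   "addr": int(m2.group(3), 16), "task": m2.group(4)}
        elif (m2 := PF_RE.search(msg)):
            faults.append({"ts": ts, "addr": int(m2.group(1), 16)})
    return {"leaks": leaks, "kasan": kasan, "faults": faults}


def correlate(report):
    """Match each KASAN access against earlier leak reports whose [addr, addr+len)
    range contains the accessed address.

    Returns (function, leak_base, offset_into_allocation) tuples; an empty list means
    the leak and the bad access do not refer to the same object."""
    hits = []
    for k in report["kasan"]:
        acc = k["access"]
        if acc is None:
            continue
        for leak in report["leaks"]:
            lo, hi = leak["addr"], leak["addr"] + leak["len"]
            if lo <= acc["addr"] < hi and leak["ts"] < k["ts"]:
                hits.append((k["func"], lo, acc["addr"] - lo))
    return hits


def faults_in_module_space(report):
    """Return faulting addresses that fall in the kernel module mapping area."""
    return [f["addr"] for f in report["faults"] if f["addr"] >= MODULE_VADDR_START]


if __name__ == "__main__":
    rep = parse_dmesg(SAMPLE_DMESG)
    for func, base, off in correlate(rep):
        print(f"{func} touched leaked allocation {base:#x} at offset {off:#x}")
    for addr in faults_in_module_space(rep):
        print(f"oops at {addr:#x} lies in module address space")
```

Running it on a live system is a matter of replacing SAMPLE_DMESG with the output of `dmesg`; a non-empty result from correlate() is the signal that the object SystemTap failed to free is the one a later probe hit touched.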