MSR_LSTAR modification double faults
I am trying to set up a trampoline using MSR_LSTAR by this tutorial
The code in question is this:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/fs.h>
#include <linux/syscalls.h>
#include <asm/errno.h>
#include <asm/unistd.h>
#include <linux/mman.h>
#include <asm/proto.h>
#include <asm/delay.h>
#include <linux/init.h>
#include <linux/highmem.h>
#include <linux/sched.h>
static struct file_operations chdir_ops;
asmlinkage long (*real_chdir)(const char __user *filename);
void (*syscall_handler)(void);
long unsigned int orig_reg;
void fake_syscall_dispatcher(void){
/* steps:
* 1- reverse the function prolouge
* 2- store the GP-registers/FLAGS
* 3- do [Nice] things
* 4- restore GP-registers/FLAGS
* 5- call system call
*/
__asm__ __volatile__ (
"mov %rbp,%rsp\n"
"pop %rbp\n");
__asm__ __volatile__ (
"push %rsp\n"
"push %rax\n"
"push %rbp\n"
"push %rdi\n"
"push %rsi\n"
"push %rdx\n"
"push %rcx\n"
"push %rbx\n"
"push %r8\n"
"push %r9\n"
"push %r10\n"
"push %r11\n"
"push %r12\n"
"push %r15\n"
);
// Hook Goes here.
__asm__ __volatile__(
"\tpop %%r15\n"
"\tpop %%r12\n"
"\tpop %%r11\n"
"\tpop %%r10\n"
"\tpop %%r9\n"
"\tpop %%r8\n"
"\tpop %%rbx\n"
"\tpop %%rcx\n"
"\tpop %%rdx\n"
"\tpop %%rsi\n"
"\tpop %%rdi\n"
"\tpop %%rbp\n"
"\tpop %%rax\n"
"\tpop %%rsp\n"
"\tjmp *%0\n"
:: "m"(syscall_handler));
}
int __initchdir_init(void){
unsigned int low = 0, high = 0, lo=0;
long unsigned int address;
rdmsr(0xC0000082,low,high);
printk("Low:%x\tHigh:%x\n", low,high);
address = 0;
address |= high;
address = address << 32;
address |= low;
orig_reg = address;
printk("Syscall Handler: %lx\n", address);
syscall_handler = (void (*)(void)) address;
lo = (unsigned int) (((unsigned long)fake_syscall_dispatcher)
& 0xFFFFFFFF);
printk("Lo: %x\tHi:%x\n", lo,high);
asm volatile ("wrmsr" :: "c"(0xC0000082), "a"(lo),
"d"(high) : "memory");
return 0;
}
void __exit
chdir_cleanup(void){
printk("Exit\n");
asm volatile ("wrmsr" :: "c"(0xC0000082),
"a"((unsigned int) (orig_reg & 0xFFFFFFFF)),
"d"(0xffffffff) : "memory");
return;
}
static struct file_operations chdir_ops= {
.owner = THIS_MODULE,
};
module_init(chdir_init);
module_exit(chdir_cleanup);
MODULE_LICENSE("GPL");
This code works great under Ubuntu 16.04 kernel version 4.1.12-1
Under CentOS 7 kernel 4.4.206-1.el7 the module double faults
[ 47.876081] PANIC: double fault, error_code: 0x0
[ 47.877081] CPU: 1 PID: 1515 Comm: libvirtd : P O 4.4.206-1.el7.elrepo.x86_64 #1
[ 47.878999] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
[ 47.880965] PANIC: double fault, error_code: 0x0
[ 47.880968] CPU: 0 PID: 1526 Comm: InputThread : P O 4.4.206-1.el7.elrepo.x86_64 #1
[ 47.880968] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
[ 47.880969] task: ffff8801347a5d00 ti: ffff8801347f8000 task.ti: ffff8801347f8000
[ 47.880977] RIP: 0010:[<ffffffffa0752d80>] [<ffffffffa0752d80>] fake_syscall_dispatcher+0x0/0x70 [chdir_module]
[ 47.880978] RSP: 0018:00007fdfcb577df0 EFLAGS: 00010093
[ 47.880978] RAX: 0000000000000000 RBX: 000056438917e5d0 RCX: 00007fdfd5bc671d
[ 47.880979] RDX: 0000000000001c20 RSI: 000056438917edd0 RDI: 0000000000000016
[ 47.880979] RBP: 00007fdfcb577f10 R08: 000056438745a0e0 R09: 00000000000001a1
[ 47.880980] R10: 00000000ffffffff R11: 0000000000003293 R12: 0000000000000000
[ 47.880980] R13: 0000000000000000 R14: 0000000000000000 R15: 00007fdfcb579700
[ 47.880981] FS: 00007fdfcb579700(0000) GS:ffff880139600000(0000) knlGS:0000000000000000
[ 47.880981] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 47.880982] CR2: 00007fdfcb577de8 CR3: 00000000adb40000 CR4: 0000000000360670
[ 47.881006] Stack:
[ 47.881032] BUG: unable to handle kernel paging request at 00007fdfcb577df0
[ 47.881075] IP: [<ffffffff8101b1b9>] show_stack_log_lvl+0x89/0x170
[ 47.881078] PGD 80000000adb2a067 PUD ad8fa067 PMD 13470b067 PTE 8000000132895067
[ 47.881079] Oops: 0001 [#1] SMP
[ 47.881092] Modules linked in: chdir_module tcp_lp nls_utf8 isofs rfcomm fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat iptable_mangle iptable_security iptable_raw nf_conntrack ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter bnep vmw_vsock_vmci_transport vsock sunrpc snd_seq_midi snd_seq_midi_event kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel vmw_balloon aesni_intel lrw gf128mul glue_helper ablk_helper cryptd snd_ens1371 snd_rawmidi snd_ac97_codec snd_seq snd_seq_device joydev btusb input_leds btrtl btbcm btintel pcspkr snd_pcm sg bluetooth snd_timer rfkill snd soundcore ac97_bus gameport vmw_vmci i2c_piix4 shpchp fjes 8250_fintek ip_tables xfs libcrc32c sr_mod cdrom ata_generic sd_mod pata_acpi e1000 crc32c_intel vmwgfx serio_raw drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops mptspi mptscsih ttm drm mptbase ata_piix scsi_transport_spi libata dm_mirror dm_region_hash dm_log dm_mod
[ 47.881104] CPU: 0 PID: 1526 Comm: InputThread : P O 4.4.206-1.el7.elrepo.x86_64 #1
[ 47.881105] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
[ 47.881105] task: ffff8801347a5d00 ti: ffff8801347f8000 task.ti: ffff8801347f8000
[ 47.881106] RIP: 0010:[<ffffffff8101b1b9>] [<ffffffff8101b1b9>] show_stack_log_lvl+0x89/0x170
[ 47.881107] RSP: 0018:ffff880139607e70 EFLAGS: 00010046
[ 47.881107] RAX: 00007fdfcb577df7 RBX: 0000000000000000 RCX: 0000000000000000
[ 47.881108] RDX: ffff880139600000 RSI: ffff880139607f58 RDI: 0000000000000000
[ 47.881108] RBP: ffff880139607ec0 R08: ffffffff819903ea R09: 0000000000000006
[ 47.881109] R10: ffff88013feb2866 R11: 0000000000000000 R12: ffff880139603fc0
[ 47.881109] R13: 0000000000000040 R14: ffffffff819903ea R15: 00007fdfcb577df0
[ 47.881110] FS: 00007fdfcb579700(0000) GS:ffff880139600000(0000) knlGS:0000000000000000
[ 47.881110] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 47.881111] CR2: 00007fdfcb577df0 CR3: 00000000adb40000 CR4: 0000000000360670
[ 47.881115] Stack:
[ 47.881116] 0000000000000000 ffff880139607f58 0000000000000000 ffff8801395fffc0
[ 47.881117] 00007fdfcb577df0 ffff880139607f58 00007fdfcb577df0 0000000000000040
[ 47.881118] 0000000000000000 00007fdfcb579700 ffff880139607f08 ffffffff8101b34c
[ 47.881118] Call Trace:
[ 47.881120] <#DF>
[ 47.881120] [<ffffffff8101b34c>] show_regs+0xac/0x1c0
[ 47.881122] [<ffffffff810617d3>] df_debug+0x23/0x40
[ 47.881123] [<ffffffff810196bc>] do_double_fault+0x7c/0xf0
[ 47.881126] [<ffffffff81723ac8>] double_fault+0x28/0x30
[ 47.881130] <<EOE>>
[ 47.881130] <UNK>
[ 47.881140] Code: 00 8b 05 ff 3e a9 00 31 db 85 c0 7f 49 eb 57 4c 3b 7d c8 72 46 4d 39 e7 0f 84 d6 00 00 00 f6 c3 03 75 78 85 db 0f 85 b6 00 00 00 <49> 8b 17 4d 8d 6f 08 4c 89 f6 48 c7 c7 e0 03 99 81 31 c0 4d 89
[ 47.881141] RIP [<ffffffff8101b1b9>] show_stack_log_lvl+0x89/0x170
[ 47.881141] RSP <ffff880139607e70>
[ 47.881142] CR2: 00007fdfcb577df0
[ 47.881143] ---[ end trace e77028c9bfadc869 ]---
[ 47.881144] Kernel panic - not syncing: Fatal exception
[ 47.970871] task: ffff8800ab2f0000 ti: ffff8800adb94000 task.ti: ffff8800adb94000
[ 47.970882] RIP: 0010:[<ffffffffa0752d80>] [<ffffffffa0752d80>] fake_syscall_dispatcher+0x0/0x70 [chdir_module]
[ 47.970883] RSP: 0018:00007f6fe3bcdb40 EFLAGS: 00010093
[ 47.970884] RAX: 000000000000002f RBX: 00007f6fdc0ebde0 RCX: 00007f70107d5b6d
[ 47.970884] RDX: 0000000000000000 RSI: 00007f6fe3bcdbc0 RDI: 0000000000000014
[ 47.970884] RBP: 00007f6fe3bcdc80 R08: 00007f6fdc0ebdf0 R09: 0000000000000024
[ 47.970885] R10: 0000000000000000 R11: 0000000000000293 R12: 00007f6fdc0f2220
[ 47.970885] R13: 00007f6fe3bcdbc0 R14: 00007f6fe7c018c8 R15: 00007f6fe3bd0550
[ 47.970886] FS: 00007f6fe3bd0700(0000) GS:ffff880139640000(0000) knlGS:0000000000000000
[ 47.970887] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 47.970887] CR2: 00007f6fe3bcdb38 CR3: 00000001346ee000 CR4: 0000000000360670
[ 47.970909] Stack:
[ 47.970983] BUG: unable to handle kernel paging request at 00007f6fe3bcdb40
[ 47.970986] IP: [<ffffffff8101b1b9>] show_stack_log_lvl+0x89/0x170
[ 47.970988] PGD 8000000134645067 PUD ada6c067 PMD adb33067 PTE 80000000b66f0067
[ 47.970988] Oops: 0001 [#2] SMP
[ 47.971001] Modules linked in: chdir_module tcp_lp nls_utf8 isofs rfcomm fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat iptable_mangle iptable_security iptable_raw nf_conntrack ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter bnep vmw_vsock_vmci_transport vsock sunrpc snd_seq_midi snd_seq_midi_event kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel vmw_balloon aesni_intel lrw gf128mul glue_helper ablk_helper cryptd snd_ens1371 snd_rawmidi snd_ac97_codec snd_seq snd_seq_device joydev btusb input_leds btrtl btbcm btintel pcspkr snd_pcm sg bluetooth snd_timer rfkill snd soundcore ac97_bus gameport vmw_vmci i2c_piix4 shpchp fjes 8250_fintek ip_tables xfs libcrc32c sr_mod cdrom ata_generic sd_mod pata_acpi e1000 crc32c_intel vmwgfx serio_raw drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops mptspi mptscsih ttm drm mptbase ata_piix scsi_transport_spi libata dm_mirror dm_region_hash dm_log dm_mod
[ 47.971012] CPU: 1 PID: 1515 Comm: libvirtd : P D O 4.4.206-1.el7.elrepo.x86_64 #1
[ 47.971012] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
[ 47.971013] task: ffff8800ab2f0000 ti: ffff8800adb94000 task.ti: ffff8800adb94000
[ 47.971014] RIP: 0010:[<ffffffff8101b1b9>] [<ffffffff8101b1b9>] show_stack_log_lvl+0x89/0x170
[ 47.971015] RSP: 0018:ffff880139647e70 EFLAGS: 00010046
[ 47.971015] RAX: 00007f6fe3bcdb47 RBX: 0000000000000000 RCX: 0000000000000000
[ 47.971015] RDX: ffff880139640000 RSI: ffff880139647f58 RDI: 0000000000000000
[ 47.971016] RBP: ffff880139647ec0 R08: ffffffff819903ea R09: 0000000000000002
[ 47.971016] R10: ffff88013feb3b72 R11: 0000000000000000 R12: ffff880139643fc0
[ 47.971017] R13: 0000000000000040 R14: ffffffff819903ea R15: 00007f6fe3bcdb40
[ 47.971017] FS: 00007f6fe3bd0700(0000) GS:ffff880139640000(0000) knlGS:0000000000000000
[ 47.971018] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 47.971018] CR2: 00007f6fe3bcdb40 CR3: 00000001346ee000 CR4: 0000000000360670
[ 47.971021] Stack:
[ 47.971022] 0000000000000000 ffff880139647f58 0000000000000000 ffff88013963ffc0
[ 47.971022] 00007f6fe3bcdb40 ffff880139647f58 00007f6fe3bcdb40 0000000000000040
[ 47.971023] 00007f6fe7c018c8 00007f6fe3bd0550 ffff880139647f08 ffffffff8101b34c
[ 47.971023] Call Trace:
[ 47.971026] <#DF>
[ 47.971026] [<ffffffff8101b34c>] show_regs+0xac/0x1c0
[ 47.971028] [<ffffffff810617d3>] df_debug+0x23/0x40
[ 47.971029] [<ffffffff810196bc>] do_double_fault+0x7c/0xf0
[ 47.971031] [<ffffffff81723ac8>] double_fault+0x28/0x30
[ 47.971035] <<EOE>>
[ 47.971035] <UNK>
[ 47.971045] Code: 00 8b 05 ff 3e a9 00 31 db 85 c0 7f 49 eb 57 4c 3b 7d c8 72 46 4d 39 e7 0f 84 d6 00 00 00 f6 c3 03 75 78 85 db 0f 85 b6 00 00 00 <49> 8b 17 4d 8d 6f 08 4c 89 f6 48 c7 c7 e0 03 99 81 31 c0 4d 89
[ 47.971046] RIP [<ffffffff8101b1b9>] show_stack_log_lvl+0x89/0x170
[ 47.971046] RSP <ffff880139647e70>
[ 47.971047] CR2: 00007f6fe3bcdb40
[ 47.971048] ---[ end trace e77028c9bfadc86a ]---
[ 48.981303] Shutting down cpus with NMI
[ 48.981350] Kernel Offset: disabled
[ 49.083461] ---[ end Kernel panic - not syncing: Fatal exception
The only noticeable change i saw between the versions and that is related to MSR_LSTAR is that the MSR_LSTAR entry point in 4.1.12 was called system_call and in 4.4.206 it's now called entry_syscall_64
What changed?
lys
red0ct0 Answers
Nobody has answered this question yet.
User contributions licensed under CC BY-SA 3.0