[ 494.250386] init kernel rcv buf size [20971520]
[ 494.252194] security_bprm_check hooks success
[ 494.253444] do_sys_open hooks success
[ 494.255155] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 494.255158] BUG: unable to handle kernel paging request at ffff8800278b1800
[ 494.255160] IP: [<ffff8800278b1800>] 0xffff8800278b1800
[ 494.255163] PGD 2212067 PUD 2213067 PMD 80000000278000e3
[ 494.255166] Oops: 0011 [#1] SMP
[ 494.255168] Modules linked in: xxnd(OE+) rfcomm bnep snd_ens1371 snd_ac97_codec gameport ac97_bus coretemp snd_pcm snd_seq_midi snd_seq_midi_event crct10dif_pclmul snd_rawmidi crc32_pclmul snd_seq ghash_clmulni_intel snd_seq_device snd_timer aesni_intel aes_x86_64 snd soundcore lrw gf128mul glue_helper ablk_helper cryptd btusb btrtl btbcm btintel bluetooth vmw_balloon ecdh_generic joydev input_leds serio_raw 8250_fintek shpchp i2c_piix4 vmw_vmci mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid vmwgfx psmouse ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops mptspi ahci libahci e1000 mptscsih mptbase scsi_transport_spi drm pata_acpi fjes
[ 494.255193] CPU: 0 PID: 339 Comm: systemd-udevd Tainted: G OE 4.4.0-169-generic #198-Ubuntu
[ 494.255195] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 494.255196] task: ffff880073238000 ti: ffff8800358cc000 task.ti: ffff8800358cc000
[ 494.255197] RIP: 0010:[<ffff8800278b1800>] [<ffff8800278b1800>] 0xffff8800278b1800
[ 494.255199] RSP: 0018:ffff8800358cff20 EFLAGS: 00010202
[ 494.255200] RAX: ffff8800278b1800 RBX: 00000000ffffffff RCX: 00000000000001a4
[ 494.255202] RDX: 0000000000088141 RSI: 0000555f5a775a66 RDI: 00000000ffffff9c
[ 494.255203] RBP: ffff8800358cff38 R08: 0000000000000001 R09: c3488152e767770d
[ 494.255204] R10: ddfeacca19626bc8 R11: 0000000000000246 R12: 0000555f5b7ff010
[ 494.255205] R13: 00000000fffffffe R14: 0000000000000000 R15: 0000555f5b80a690
[ 494.255207] FS: 00007f1bd03f48c0(0000) GS:ffff88007b600000(0000) knlGS:0000000000000000
[ 494.255208] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 494.255209] CR2: ffff8800278b1800 CR3: 0000000076664000 CR4: 0000000000360670
[ 494.255250] Stack:
[ 494.255251] ffffffffc04238e2 00000000ffffffff 0000555f5b7ff010 ffff8800358cff48
[ 494.255253] ffffffff8121d19e 0000555f5a775a66 ffffffff8186671b 0000555f5b80ff90
[ 494.255255] 0000000000002710 0000555f5b846e20 00007f1bcf540b78 0000000000000120
[ 494.255257] Call Trace:
[ 494.255268] [<ffffffffc04238e2>] ? hook_do_sys_open+0x22/0x70 [xxdefend]
[ 494.255271] [<ffffffff8121d19e>] SyS_open+0x1e/0x20
[ 494.255274] [<ffffffff8186671b>] entry_SYSCALL_64_fastpath+0x22/0xcb
[ 494.255276] Code: 00 2f 00 00 00 00 00 2f 00 00 00 00 01 2f 00 00 00 00 02 00 03 51 00 00 00 50 2b 00 00 04 44 00 00 00 03 00 0e 00 00 00 00 2c 2c <0f> 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 41 89 ff 53
[ 494.255295] RIP [<ffff8800278b1800>] 0xffff8800278b1800
[ 494.255297] RSP <ffff8800358cff20>
[ 494.255298] CR2: ffff8800278b1800
问题分析:
4.15.0-60-generic #67~16.04.1-Ubuntu
root@virtual-machine:/linux-source-4.15.0# cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
[root@xx-ISP linux]# uname -a
Linux xx-ISP 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
arch/x86/kernel/module.c
/*
 * module_alloc - reserve virtual memory for a loadable module.
 * @size: number of bytes requested.
 *
 * The range is obtained from __vmalloc_node_range(), bounded below by
 * MODULES_VADDR + get_module_load_offset() and above by MODULES_END.
 * In this version the pages are mapped with PAGE_KERNEL_EXEC, so the
 * returned range is executable as soon as it is allocated.
 *
 * Returns the start of the range, or NULL when the page-aligned size
 * exceeds MODULES_LEN, when the allocation fails, or when
 * kasan_module_alloc() reports an error (the range is released with
 * vfree() before returning).
 */
void *module_alloc(unsigned long size)
{
	void *region = NULL;

	/* Only try the allocation when the request fits the module window. */
	if (PAGE_ALIGN(size) <= MODULES_LEN) {
		region = __vmalloc_node_range(size, MODULE_ALIGN,
					      MODULES_VADDR + get_module_load_offset(),
					      MODULES_END,
					      GFP_KERNEL | __GFP_HIGHMEM,
					      PAGE_KERNEL_EXEC, /* executable mapping */
					      0, NUMA_NO_NODE,
					      __builtin_return_address(0));

		/* Give the range back if the KASAN setup for it fails. */
		if (region != NULL && kasan_module_alloc(region, size) < 0) {
			vfree(region);
			region = NULL;
		}
	}

	return region;
}
出问题的内核:4.15.0-60-generic #67~16.04.1-Ubuntu
linux/arch/x86/kernel/module.c
/*
 * module_alloc - reserve virtual memory for a loadable module.
 * @size: number of bytes requested.
 *
 * The range is obtained from __vmalloc_node_range(), bounded below by
 * MODULES_VADDR + get_module_load_offset() and above by MODULES_END.
 * In this version the pages are mapped with PAGE_KERNEL, which lacks the
 * executable permission of PAGE_KERNEL_EXEC, so instructions placed in
 * the returned range cannot be executed until the mapping is changed.
 *
 * Returns the start of the range, or NULL when the page-aligned size
 * exceeds MODULES_LEN, when the allocation fails, or when
 * kasan_module_alloc() reports an error (the range is released with
 * vfree() before returning).
 */
void *module_alloc(unsigned long size)
{
	void *region = NULL;

	/* Only try the allocation when the request fits the module window. */
	if (PAGE_ALIGN(size) <= MODULES_LEN) {
		region = __vmalloc_node_range(size, MODULE_ALIGN,
					      MODULES_VADDR + get_module_load_offset(),
					      MODULES_END,
					      GFP_KERNEL,
					      /* author's note: the executable flag PAGE_KERNEL_EXEC is missing here */
					      PAGE_KERNEL,
					      0, NUMA_NO_NODE,
					      __builtin_return_address(0));

		/* Give the range back if the KASAN setup for it fails. */
		if (region != NULL && kasan_module_alloc(region, size) < 0) {
			vfree(region);
			region = NULL;
		}
	}

	return region;
}
解决:
在出问题的内核上,module_alloc 用 PAGE_KERNEL 映射内存,返回的页不可执行;因此在执行其中的代码之前,需要显式为 module_alloc 分配的地址设置可执行权限:
/*
 * Mark one page, starting at sym->new_addr, as executable so that
 * instructions stored there can be fetched without an NX fault.
 *
 * NOTE(review): set_memory_x() returns an int and the result is dropped
 * here - check it and abort the hook setup on failure.
 * NOTE(review): the second argument is a page count, so this covers the
 * code only if it fits in the single page at sym->new_addr; presumably
 * the address is page-aligned - confirm against the allocation.
 * NOTE(review): whether the page is still writable at this point is not
 * visible here; if the code has already been copied in, consider calling
 * set_memory_ro() first so the page is never writable and executable at
 * the same time.
 */
set_memory_x((unsigned long)sym->new_addr,1);