memflow-kvm icon indicating copy to clipboard operation
memflow-kvm copied to clipboard
verified publisher icon memflow

Segementation fault on kernel module initalization

Open Tacodiva opened this issue 2 years ago • 5 comments

I have spent my afternoon unsuccessfully trying to get the kernel module to work. When I try to load it I get a segfault:

$ sudo modprobe memflow 
[1]    1805 segmentation fault (core dumped)  sudo modprobe memflow

I tried the release version and building it from this repo but both yield the same result. After the segfault the module seems to be in a weird half-loaded state and nothing really seems to work. The error is logged in dmsg and you can find the full error here, but I believe the relevant sections are:

[   40.792764] traps: Missing ENDBR: kallsyms_lookup_name+0x4/0xd0
[   40.792770] kernel BUG at arch/x86/kernel/traps.c:255!
[   40.792775] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
...
[   40.792815]  ? kallsyms_lookup_name+0x4/0xd0
[   40.792818]  memflow_init+0x25/0xb0 [memflow 727e9b5a735aa1e5b976faa4c5d2f17ff899d55f]
[   40.792823]  ? __pfx_init_module+0x10/0x10 [memflow 727e9b5a735aa1e5b976faa4c5d2f17ff899d55f]
[   40.792826]  do_one_initcall+0x5a/0x240
[   40.792830]  do_init_module+0x4a/0x200
[   40.792833]  __do_sys_init_module+0x17f/0x1b0
[   40.792835]  do_syscall_64+0x5c/0x90
...

My kernel is 6.2.13-arch1-1 and both CONFIG_KALLSYMS=y, and CONFIG_KALLSYMS_ALL=y are present in my /proc/config.gz.

Tacodiva avatar May 03 '23 05:05 Tacodiva

Ok I spent the last too long trying to fix this and have officially given up. For some reason I can't decipher, on my laptop using kprobes to get the address of kallsyms_lookup_name just seems to give the wrong pointer (it gives me kallsyms_lookup_name+0x4/0xd0). I thought if I subtracted four from that it could work but that also segfaults. I tried using a completely different method of finding kallsyms_lookup_name from here but that also gave pointers which segfaulted. Every time I tried something I had to reboot my laptop because the segfault messes everything up so badly that I can't unload the module (even with -f) so I just have to reboot to try again. I'm officially out of ideas and need someone who knows what they're doing to help.

TLDR: I tried my best :sob:

Tacodiva avatar May 03 '23 12:05 Tacodiva

Best of luck, I wish I knew Linux better XD

nexensys avatar May 03 '23 12:05 nexensys

Finally I (or more accurately someone on stackoverflow) worked out the problem. You can fix this by using the ibt=off kernel parameter.

Because kallsyms_lookup_name is not exported, it does not contain the ENDBR instruction. ENDBR is an instruction for intel's security feature 'IBT'. With IBT enabled you cannot indirectly branch to any point in memory, you can only branch to places that start with the ENDBR instruction, hence when the module indirectly branches to kallsyms_lookup_name, it crashes. That kernel parameter disables the IBT security feature, so it's not an ideal solution but it's a solution nonetheless. If a better solution cannot be found, this should probably be mentioned in the README.

Tacodiva avatar May 08 '23 01:05 Tacodiva

I can't reproduce this on linux 6.11.1. Can you confirm this is still an issue on newer kernels?

ko1N avatar Oct 04 '24 19:10 ko1N

I can't reproduce this on linux 6.11.1. Can you confirm this is still an issue on newer kernels?

Does your system/processor have IBT? I can't imagine this has been resolved, though I can't test it at the moment.

Tacodiva avatar Oct 07 '24 22:10 Tacodiva