linux_kernel_hacking

Seg fault with custom proc device

Open ninjamar opened this issue 1 year ago • 0 comments

I decided to make a simple input/output proc device using https://xcellerator.github.io/posts/docker_escape/ and editing the code. https://gist.github.com/ninjamar/fbf236cc09d3a00460b880d0220054b3 The idea is you echo text to /proc/input and the text is read from /proc/output.

vagrant@ubuntu2004:~/proc$ echo 'foo' > /proc/input
vagrant@ubuntu2004:~/proc$ cat /proc/output
foo

Instead of foo I get a segmentation fault.

vagrant@ubuntu2004:~/proc$ sudo dmesg
[   46.930281] proc: module verification failed: signature and/or required key missing - tainting kernel
[   46.930668] input: loaded
[   46.930669] output: loaded
[   72.082289] Echoing to /proc/output
[   76.900432] general protection fault: 0000 [#1] SMP PTI
[   76.900509] CPU: 0 PID: 1530 Comm: cat Tainted: G           OE     5.4.0-122-generic #138-Ubuntu
[   76.900555] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   76.900628] RIP: 0010:proc_reg_release+0x3f/0x70
[   76.900658] Code: 4d 8d 6c 24 18 4c 89 ef e8 9e 61 78 00 49 8b 44 24 08 48 8d 70 f8 4c 39 e6 75 0f eb 23 48 8b 76 08 48 83 ee 08 4c 39 e6 74 16 <48> 39 1e 75 ee 4c 89 e7 e8 a4 fe ff ff 31 c0 5b 41 5c 41 5d 5d c3
[   76.900763] RSP: 0018:ffffa7f78053fe38 EFLAGS: 00010207
[   76.900797] RAX: 7074756f2f636f72 RBX: ffff8ac6f57adf00 RCX: 0000000000000001
[   76.900837] RDX: 0000000000000001 RSI: 7074756f2f636f6a RDI: ffff8ac6f25233d8
[   76.900875] RBP: ffffa7f78053fe50 R08: 0000000000000000 R09: 0000000000000000
[   76.900912] R10: 0000000000000010 R11: ffff8ac6f9044d90 R12: ffff8ac6f25233c0
[   76.900956] R13: ffff8ac6f25233d8 R14: ffff8ac6fcd702a0 R15: ffff8ac6f911d6c0
[   76.900994] FS:  00007ff192d4e580(0000) GS:ffff8ac6fda00000(0000) knlGS:0000000000000000
[   76.901037] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   76.901068] CR2: 00007ff1925c9000 CR3: 0000000070f22005 CR4: 00000000000606f0
[   76.901111] Call Trace:
[   76.901136]  __fput+0xcc/0x260
[   76.901158]  ____fput+0xe/0x10
[   76.901182]  task_work_run+0x8f/0xb0
[   76.901208]  exit_to_usermode_loop+0x131/0x160
[   76.901236]  do_syscall_64+0x163/0x190
[   76.901271]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   76.901302] RIP: 0033:0x7ff192c69817
[   76.901326] Code: ff ff e8 7c 12 02 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 b3 5d f8 ff
[   76.901417] RSP: 002b:00007ffe37cad108 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[   76.901458] RAX: 0000000000000000 RBX: 00007ff1925ca000 RCX: 00007ff192c69817
[   76.901496] RDX: 000000000000000f RSI: 0000000000022000 RDI: 0000000000000003
[   76.901534] RBP: 0000000000000001 R08: 00007ff1925c9000 R09: 0000000000000000
[   76.901572] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000000000
[   76.901610] R13: 0000000000000fff R14: 0000000000020000 R15: 0000000000020000
[   76.901649] Modules linked in: proc(OE) vboxsf(O) dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua input_leds vboxguest(O) serio_raw mac_hid sch_fq_codel ipmi_devintf ipmi_msghandler msr ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul vboxvideo crc32_pclmul drm_vram_helper ttm ghash_clmulni_intel drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops aesni_intel crypto_simd cryptd glue_helper ahci psmouse pata_acpi video libahci drm e1000 i2c_piix4
[   76.901967] ---[ end trace 6f242403edf302ec ]---
[   76.902006] RIP: 0010:proc_reg_release+0x3f/0x70
[   76.902035] Code: 4d 8d 6c 24 18 4c 89 ef e8 9e 61 78 00 49 8b 44 24 08 48 8d 70 f8 4c 39 e6 75 0f eb 23 48 8b 76 08 48 83 ee 08 4c 39 e6 74 16 <48> 39 1e 75 ee 4c 89 e7 e8 a4 fe ff ff 31 c0 5b 41 5c 41 5d 5d c3
[   76.902126] RSP: 0018:ffffa7f78053fe38 EFLAGS: 00010207
[   76.902157] RAX: 7074756f2f636f72 RBX: ffff8ac6f57adf00 RCX: 0000000000000001
[   76.902194] RDX: 0000000000000001 RSI: 7074756f2f636f6a RDI: ffff8ac6f25233d8
[   76.902232] RBP: ffffa7f78053fe50 R08: 0000000000000000 R09: 0000000000000000
[   76.903913] R10: 0000000000000010 R11: ffff8ac6f9044d90 R12: ffff8ac6f25233c0
[   76.905237] R13: ffff8ac6f25233d8 R14: ffff8ac6fcd702a0 R15: ffff8ac6f911d6c0
[   76.906543] FS:  00007ff192d4e580(0000) GS:ffff8ac6fda00000(0000) knlGS:0000000000000000
[   76.908201] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   76.909520] CR2: 00007ff1925c9000 CR3: 0000000070f22005 CR4: 00000000000606f0

ninjamar, Jul 25 '22 23:07
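
A triage aid for the oops above, added here as an example and not part of the original issue or the linked gist: it scans register lines for values that are non-canonical x86-64 addresses made up entirely of printable ASCII, the usual sign that string data was written over a pointer. The two sample lines are copied from the dump above; the function names and the 48-bit virtual-address (4-level paging) assumption belong to this example.

```python
import re

# Sample input: the two register lines from the oops quoted above.
SAMPLE_OOPS = """\
[   76.900837] RAX: 7074756f2f636f72 RBX: ffff8ac6f57adf00 RCX: 0000000000000001
[   76.900875] RDX: 0000000000000001 RSI: 7074756f2f636f6a RDI: ffff8ac6f25233d8
"""

# Matches "RAX: <16 hex digits>"; skips "RIP: 0010:..." and "ORIG_RAX"/"CR2".
REG_RE = re.compile(r"\b(R[A-Z0-9]{1,2}):\s*([0-9a-f]{16})\b")


def is_canonical(value, va_bits=48):
    """True if bits 63..(va_bits-1) are all equal (assumption: 48-bit VAs)."""
    top = value >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


def ascii_view(value):
    """Return the 8 bytes in little-endian memory order if all are printable."""
    raw = value.to_bytes(8, "little")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def suspicious_registers(oops_text):
    """Map register name -> ASCII text for non-canonical, all-printable values."""
    hits = {}
    for name, hexval in REG_RE.findall(oops_text):
        value = int(hexval, 16)
        text = ascii_view(value)
        if text is not None and not is_canonical(value):
            hits[name] = text
    return hits


if __name__ == "__main__":
    for reg, text in suspicious_registers(SAMPLE_OOPS).items():
        print(f"{reg} holds ASCII {text!r}, not a kernel pointer")
```

On this dump it flags RAX and RSI, whose bytes are substrings consistent with the path `/proc/output`; the faulting instruction marked `<48> 39 1e` dereferences RSI, and a non-canonical address there raises the general protection fault.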