Old 06-26-2020, 02:23 AM   #1
danielhaish
LQ Newbie
 
Registered: Jan 2020
Posts: 13

Rep: Reputation: Disabled
centos lkm create strange behavior and panic eventually


I got this message in the dmesg log when loading the LKM:
module verification failed: signature and/or required key missing - tainting kernel
and sometimes before crashing I get
systemd-journald[1131]: Failed to generate stream ID: No such file or directory
Also, when the LKM is loaded I get strange behavior (the root authentication takes a lot longer and the Chrome browser crashes the system).

Last edited by danielhaish; 06-26-2020 at 02:24 AM.
 
Old 06-26-2020, 11:13 PM   #2
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268

Rep: Reputation: 75
Great, now you know it's caused by your module, next thing is to fix the source!
Writing anything in C takes decades of learning, and yet mistakes happen anyway. The point is, though, that you must never have any mistakes in kernel code, ideally. So ideally you should also never use C these days (it's 2020 out there!) unless... unless you're 10^google% sure you know what you're doing. I played around with C for the most part of my life and frankly I'm not sure what I'm doing at all.
Anyway, writing a kernel module isn't the same thing as writing hello world. There are thousands of things to consider before each operation. Regardless, it should never be taken lightly.
If you want some real help post some real code with some real research you did. Otherwise there's no way to help you without knowing a thing on what and how you're trying to achieve.
 
Old 06-27-2020, 02:38 PM   #3
danielhaish
LQ Newbie
 
Registered: Jan 2020
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by tinfoil3d View Post
Great, now you know it's caused by your module, next thing is to fix the source!
Writing anything in C takes decades of learning, and yet mistakes happen anyway. The point is, though, that you must never have any mistakes in kernel code, ideally. So ideally you should also never use C these days (it's 2020 out there!) unless... unless you're 10^google% sure you know what you're doing. I played around with C for the most part of my life and frankly I'm not sure what I'm doing at all.
Anyway, writing a kernel module isn't the same thing as writing hello world. There are thousands of things to consider before each operation. Regardless, it should never be taken lightly.
If you want some real help post some real code with some real research you did. Otherwise there's no way to help you without knowing a thing on what and how you're trying to achieve.
Well, after I found out that the module is triggering the kernel panic, I built a very simple one, and the methods in the module work because the module is doing its job; it is not crashing on some action. Maybe it is how I build it. How can I fix the signature problem?
 
Old 06-28-2020, 07:58 PM   #4
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268

Rep: Reputation: 75
you don't need to fix it, it doesn't affect the execution. you CAN sign your own module with your own key (there are helper scripts for that in scripts/ directory) but again, that would simply remove the message.
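
The "module verification failed" message discussed above is about the signature trailer that scripts/sign-file appends to a .ko file. The following is an added example, not code from the thread or from the kernel tree: it checks whether a module image carries that trailer and whether its framing is sane, without verifying the signature cryptographically. The sample bytes are constructed for illustration, and the 64 MiB read limit is an assumption.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIG_MAGIC "~Module signature appended~\n"

/* Same 12-byte layout as the kernel's struct module_signature. */
struct module_signature {
    uint8_t algo, hash, id_type, signer_len, key_id_len, pad[3];
    uint32_t sig_len;   /* big-endian length of the signature blob */
};

/* Constructed sample: 7 bytes of "module", an 8-byte fake signature blob,
 * the trailer struct (id_type 2 = PKCS#7, sig_len 8) and the magic string. */
static const unsigned char sample_signed[] =
    "ELFDATA" "SIGBLOB!" "\0\0\2\0\0\0\0\0" "\0\0\0\10" SIG_MAGIC;

/* Returns the signature length, 0 if unsigned, -1 if the trailer is malformed. */
long module_sig_len(const unsigned char *buf, size_t len)
{
    const size_t mlen = sizeof(SIG_MAGIC) - 1;
    struct module_signature ms;

    if (len < mlen || memcmp(buf + len - mlen, SIG_MAGIC, mlen) != 0)
        return 0;                       /* no magic string: module is unsigned */
    len -= mlen;
    if (len < sizeof(ms))
        return -1;
    memcpy(&ms, buf + len - sizeof(ms), sizeof(ms));
    len -= sizeof(ms);
    if (ntohl(ms.sig_len) == 0 || ntohl(ms.sig_len) > len)
        return -1;                      /* blob cannot fit inside the file */
    return (long)ntohl(ms.sig_len);
}

int main(int argc, char **argv)
{
    FILE *f = argc == 2 ? fopen(argv[1], "rb") : NULL;
    unsigned char *buf = malloc(64 << 20);   /* assumes the .ko is under 64 MiB */
    size_t len = sizeof(sample_signed) - 1;

    if (f && buf)
        len = fread(buf, 1, 64 << 20, f);
    printf("signature bytes: %ld\n",
           module_sig_len(f && buf ? buf : sample_signed, len));
    return 0;
}
```

Run with a .ko path as the only argument; with no argument it checks the constructed sample.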
 
Old 06-29-2020, 08:54 AM   #5
danielhaish
LQ Newbie
 
Registered: Jan 2020
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by tinfoil3d View Post
you don't need to fix it, it doesn't affect the execution. you CAN sign your own module with your own key (there are helper scripts for that in scripts/ directory) but again, that would simply remove the message.
Thank you. I also found a few more logs. My LKM code is okay, because I compiled it on another version and it worked fine. These are the logs I found:
traps: chrome[pid] general protection fault
traps: chrome[pid] trap int3 ip:55ece3d43014 sp:7ffeff71de90 error:0 in chrome[55ecdf647000+7858000]

when attempting to open Chrome.
Another log, which I found on the internet (but the fix I found didn't work), is
journald[<pid>]: Failed to open runtime journal: No such file or directory
Do you think it means anything?

Last edited by danielhaish; 06-29-2020 at 08:56 AM.
 
Old 06-29-2020, 09:35 AM   #6
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268

Rep: Reputation: 75
there's nothing to think about without the source.
 
Old 06-29-2020, 09:40 AM   #7
danielhaish
LQ Newbie
 
Registered: Jan 2020
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by tinfoil3d View Post
there's nothing to think about without the source.
OK, this is my code. It is just a simple hooking and proc entry creator, but I removed the hook part even though it worked fine.
Code:
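static int lkm_example_init(void)
{
    struct proc_dir_entry *pde;

    /* Clear CR0.WP (bit 16) so the read-only syscall table can be written. */
    write_cr0(read_cr0() & (~0x10000));

    /* World-readable and world-writable /proc entry. */
    pde = proc_create("commm", S_IRUGO | S_IWUGO, NULL, &test_hello_proc_fops);

    sys_call_table = (void *)kallsyms_lookup_name("sys_call_table");

    /*
     * Hard-coded slots: on x86_64, mainline kernels since 3.17 assign
     * 316 to renameat2 and 318 to getrandom, so on kernels that have
     * them these writes replace those system calls system-wide.
     */
    sys_call_table[316] = comu;
    sys_call_table[318] = zero;

    /* Save the original handlers; the hooks themselves are disabled. */
    execl = sys_call_table[__NR_execve];
    //sys_call_table[__NR_execve]=our_execl;
    original_call = sys_call_table[__NR_kill];
    //sys_call_table[__NR_kill]=our_sys_kill;

    /* Restore write protection. */
    write_cr0(read_cr0() | 0x10000);
    return 0;
}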
 
Old 06-29-2020, 08:09 PM   #8
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268

Rep: Reputation: 75
I kinda have the feeling you're trying to do something nasty there.
If not, you probably should know why it's not working from reading the similar articles about making a module on google or elsewhere.
 
Old 06-29-2020, 10:48 PM   #9
danielhaish
LQ Newbie
 
Registered: Jan 2020
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by tinfoil3d View Post
I kinda have the feeling you're trying to do something nasty there.
If not, you probably should know why it's not working from reading the similar articles about making a module on google or elsewhere.
I am sorry, but not at all. I am working on a security system, and I hooked those system calls to monitor them. Also, the module is working fine; it is just that it somehow changes the behavior of the system. Maybe there is some security module that blocked it, because it worked fine on Ubuntu kernel 14.5. Of course I made the necessary changes between the kernels, otherwise it wouldn't work at all. The problem is that the module does work, but it changes the behavior of the kernel a bit.
 
Old 06-30-2020, 12:43 AM   #10
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268

Rep: Reputation: 75
There's strace and gdb and ltrace and tons of other tools that can help you do it without such invasive and highly [time-]costly solutions
 
Old 07-01-2020, 04:06 AM   #11
danielhaish
LQ Newbie
 
Registered: Jan 2020
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by tinfoil3d View Post
There's strace and gdb and ltrace and tons of other tools that can help you do it without such invasive and highly [time-]costly solutions
But I want to do prevention, not only monitoring. Is there no way to hook the CentOS kernel? Because in the other kernels it worked fine.

Last edited by danielhaish; 07-01-2020 at 04:11 AM.
 
Old 07-01-2020, 05:44 AM   #12
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268

Rep: Reputation: 75
And those kernels were like 10, 15 years old, right?
There is of course but it doesn't involve .ko there. Just add your code to the tree. sc table isn't exported to the modules.
 
Old 07-01-2020, 05:47 AM   #13
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268

Rep: Reputation: 75
But then again, there's selinux for that, there's also old grsecurity patches. There's even fanotify.
 
Old 07-01-2020, 05:55 AM   #14
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 268

Rep: Reputation: 75
Let me also add that there's never been a secure system built which is based on blacklists. That's not how it works. You only need to allow what you only need to do, that's it. We'll leave the speculation over whether secure systems exist at all out of this, just concentrate on the idea of granting a limited set of permissions rather than taking unneeded away.
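
The two suggestions above (fanotify, and allowing only what is needed instead of blacklisting) combine into a userspace monitor that needs no kernel module. The following is an added example, not code from the thread: it uses fanotify permission events to deny every open on a watched mount unless the path is under an allowlisted prefix. The prefixes and the mount point passed as the argument are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/fanotify.h>
#include <unistd.h>

/* Hypothetical allowlist: the only path prefixes that may be opened. */
static const char *const allowed[] = { "/srv/app/bin/", "/srv/app/lib/" };

/* Default deny: FAN_ALLOW only when the path starts with a listed prefix. */
unsigned int decide(const char *path)
{
    for (size_t i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++)
        if (strncmp(path, allowed[i], strlen(allowed[i])) == 0)
            return FAN_ALLOW;
    return FAN_DENY;
}

int main(int argc, char **argv)
{
    struct fanotify_event_metadata buf[64], *ev;
    char link[64], path[PATH_MAX];
    ssize_t len, n;
    if (argc != 2)
        return 2;   /* usage: prog <mount-point>, e.g. a dedicated /srv/app mount */
    /* FAN_CLASS_CONTENT enables permission events; needs CAP_SYS_ADMIN. */
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fan < 0 || fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT,
                                 FAN_OPEN_PERM, AT_FDCWD, argv[1]) < 0) {
        perror("fanotify");
        return 1;
    }
    while ((len = read(fan, buf, sizeof(buf))) > 0) {
        for (ev = buf; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
            if (ev->fd < 0)
                continue;   /* queue overflow record carries no file */
            snprintf(link, sizeof(link), "/proc/self/fd/%d", ev->fd);
            n = readlink(link, path, sizeof(path) - 1);
            path[n > 0 ? n : 0] = '\0';   /* unresolved path is denied below */
            struct fanotify_response r = { .fd = ev->fd, .response = decide(path) };
            if (write(fan, &r, sizeof(r)) < 0)   /* the opener blocks until this */
                perror("fanotify response");
            close(ev->fd);
        }
    }
    return 0;
}
```

Point it at a dedicated mount rather than the root filesystem: every open on the marked mount waits for this process to answer, and anything outside the allowlist fails with a permission error.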
 
Old 07-02-2020, 02:04 AM   #15
danielhaish
LQ Newbie
 
Registered: Jan 2020
Posts: 13

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by tinfoil3d View Post
Let me also add that there's never been a secure system built which is based on blacklists. That's not how it works. You only need to allow what you only need to do, that's it. We'll leave the speculation over whether secure systems exist at all out of this, just concentrate on the idea of granting a limited set of permissions rather than taking unneeded away.
Well, I fixed it, thanks, but the truth is that I wanted to build something special based on ML.
 
  

