Diamorphine ported to ARM

[awerv]

Syscall params modified to match the pt_regs struct of ARM
Write protection extended, the set_kernel_text functions cover the syscall table too

Tested on 5.1.0 armv7l

[Gryk3l]

Hi!

First of all, thank you, I was trying to make Diamorphine to work in my Raspberry Pi 4
(Raspbian) myself and I was struggling with a weird error (some permission error when trying 'insmod diamorphine.ko').

I've tried the code you proposed and although I'm not getting that error anymore, my Raspberry crashes when loading the module. I'm using Raspbian and I've tried with kernels 4.19.188, 5.4.51 and 5.4.79 (seems like it skips from 4.19.188 to 5.4.51, so 5.1.0 is not available for me).

If anyone wants to help I will be glad to give any debug or additional information.

If this is not the right place for this comment, just tell me and I will remove and post it on Issues. I just think this is ok since these changes are the closest I've been to a solution.

[awerv]

@GrizzlyMiki please clone my master branch and compile it as it is, so we can check if the crash is caused by my code, or any modification you might have applied. If my master branch still crashes your Pi, describe please how and where did you compile the rootkit, send me the output of uname -a and the full crash report, hopefully I'll be able to help.

[Gryk3l]

@awerv I'm running it without any modification.

My uname -a output is:
Linux sensor 5.4.79-v7l+ #1373 SMP Mon Nov 23 13:27:40 GMT 2020 armv7l GNU/Linux

I compiled the rootkit as "root" under /root/Diamorphine/ with a simple make and in order to load it I've tried insmod diamorphine.ko and separatedly, in a different try, copying diamorphine.ko under /lib/modules/`uname -r\`/kernel/drivers and running depmod and modprobe -vvv diamorphine (I tried this second method since using it I can get a verbose output).

I think I cannot send the full crash report (I guess you are referring to the kernel logs) since this Pi is not logging the events properly (I've been told logging was probably disabled) but I here I leave the full verbose output when trying to load the module with modprobe -vvv diamorphine:

modprobe: DEBUG: ../libkmod/libkmod-index.c:755 index_mm_open() file=/lib/modules/5.4.79-v7l+/modules.dep.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:755 index_mm_open() file=/lib/modules/5.4.79-v7l+/modules.alias.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:755 index_mm_open() file=/lib/modules/5.4.79-v7l+/modules.symbols.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:755 index_mm_open() file=/lib/modules/5.4.79-v7l+/modules.builtin.bin
modprobe: DEBUG: ../libkmod/libkmod-module.c:556 kmod_module_new_from_lookup() input alias=diamorphine, normalized=diamorphine
modprobe: DEBUG: ../libkmod/libkmod-module.c:562 kmod_module_new_from_lookup() lookup modules.dep diamorphine
modprobe: DEBUG: ../libkmod/libkmod.c:574 kmod_search_moddep() use mmaped index 'modules.dep' modname=diamorphine
modprobe: DEBUG: ../libkmod/libkmod.c:402 kmod_pool_get_module() get module name='diamorphine' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:410 kmod_pool_add_module() add 0x11d4f08 key='diamorphine'
modprobe: DEBUG: ../libkmod/libkmod-module.c:202 kmod_module_parse_depline() 0 dependencies for diamorphine
modprobe: DEBUG: ../libkmod/libkmod-module.c:583 kmod_module_new_from_lookup() lookup diamorphine=0, list=0x11d4fa0
modprobe: DEBUG: ../libkmod/libkmod.c:501 lookup_builtin_file() use mmaped index 'modules.builtin' modname=diamorphine
modprobe: DEBUG: ../libkmod/libkmod-module.c:1750 kmod_module_get_initstate() could not open '/sys/module/diamorphine/initstate': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:1760 kmod_module_get_initstate() could not open '/sys/module/diamorphine': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=snd_pcsp mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=snd_usb_audio mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=cx88_alsa mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=snd_atiixp_modem mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=snd_intel8x0m mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=snd_via82xx_modem mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=8250 mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=snd_bcm2835 mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=snd_bcm2835 mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=bcm2708_fb mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=bcm2708_fb mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=bcm2708_fb mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=smsc95xx mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=vc_mem mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=vc_mem mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=dwc_otg mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1393 kmod_module_get_options() modname=fsck mod->name=diamorphine mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1750 kmod_module_get_initstate() could not open '/sys/module/diamorphine/initstate': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:1760 kmod_module_get_initstate() could not open '/sys/module/diamorphine': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:744 kmod_module_get_path() name='diamorphine' path='/lib/modules/5.4.79-v7l+/kernel/drivers/diamorphine.ko'
modprobe: DEBUG: ../libkmod/libkmod-module.c:744 kmod_module_get_path() name='diamorphine' path='/lib/modules/5.4.79-v7l+/kernel/drivers/diamorphine.ko'
insmod /lib/modules/5.4.79-v7l+/kernel/drivers/diamorphine.ko 
modprobe: DEBUG: ../libkmod/libkmod-module.c:744 kmod_module_get_path() name='diamorphine' path='/lib/modules/5.4.79-v7l+/kernel/drivers/diamorphine.ko'
modprobe: DEBUG: ../libkmod/libkmod-module.c:468 kmod_module_unref() kmod_module 0x11d4f08 released
modprobe: DEBUG: ../libkmod/libkmod.c:418 kmod_pool_del_module() del 0x11d4f08 key='diamorphine'
modprobe: INFO: ../libkmod/libkmod.c:331 kmod_unref() context 0x11d32d0 released

Is that output showing any problem I cannot spot?

After that, I'm sure it crashes or reboots since I get a client_loop: send disconnect: Broken pipe in my SSH connection and dmesg output is reseted (it would not reset if it was only a connection problem).

I understand this information might not be enough, if that is the case, I will try to install and configure a logging service (I've been trying today in order to answer to this but I was getting no logs and wanted to answer as soon as possible).

Thank you very much for trying and for answering so quickly

[awerv]

@GrizzlyMiki I was trying to test it on my Raspberry Pi 4, but it runs 5.10, so I could not compile Diamorphine for that kernel due to the same issue presented in #26. I'll try with an older kernel, probably by installing Raspbian on a vm.
Unfortunately I cannot see the cause of the issue from the verbose log modprobe, I don't think this can be resolved without kernel logs.
Can't you connect your Pi to a some sort of display, or to your computer via UART?
Please post kernel logs if you manage to get them and I'll report report my results about reproducing the crash on Raspbian.

[Gryk3l]

@awerv Instead of trying to enable the logs I did a clean Raspbian installation and downgraded to kernel 5.4.79. This has logging enabled by default so I can give you a little extra info.

Cloned your branch under /home/pi/Diamorphine, used make to compile and sudo insmod diamorphine.ko to install the module. The output of uname -a is Linux raspberrypi 5.4.79-v7l+ #1373 SMP Mon Nov 23 13:27:40 GMT 2020 armv7l GNU/Linux.

And I got this in the shell after executing insmod which, as far as I understand, is not the output from insmod but a message from rsyslogd that goes to the shell because of its importance:

 kernel:[  170.797932] Internal error: Oops: 207 [#1] SMP ARM

Message from syslogd@raspberrypi at Apr 28 08:50:04 ...
 kernel:[  170.798231] Process dhcpcd-run-hook (pid: 1273, stack limit = 0xb5543ffb)

Message from syslogd@raspberrypi at Apr 28 08:50:04 ...
 kernel:[  170.798244] Stack: (0xd768df70 to 0xd768e000)

Message from syslogd@raspberrypi at Apr 28 08:50:04 ...
 kernel:[  170.798256] df60:                                     00e93af4 000000d9 c02011c4 00e93af0

Message from syslogd@raspberrypi at Apr 28 08:50:04 ...
 kernel:[  170.798275] df80: 00e93b10 00e93af4 000000d9 c02011c4 d768c000 000000d9 00000000 d768dfa8

Message from syslogd@raspberrypi at Apr 28 08:50:04 ...
 kernel:[  170.798292] dfa0: c0201000 bf38e068 00e93af0 00e93b10 00000003 00e93b10 00008000 00000000

Message from syslogd@raspberrypi at Apr 28 08:50:04 ...
 kernel:[  170.798310] dfc0: 00e93af0 00e93b10 00e93af4 000000d9 00e9059d 000361c4 00e93af0 00035d90

Message from syslogd@raspberrypi at Apr 28 08:50:04 ...
 kernel:[  170.798327] dfe0: 00035fc8 bef3e8c0 b6e0c474 b6e0c3a8 60000010 00000003 00000000 00000000

Message from syslogd@raspberrypi at Apr 28 08:50:04 ...
 kernel:[  170.798468] Code: e24dd00c e52de004 e8bd4000 e3003280 (e5907004) 
client_loop: send disconnect: Broken pipe

After that, I had to manually restart the Pi.

Also tried to update and upgrade and, after downgrading the kernel again (it got updated too), I ran make and sudo insmod diamorphine.ko, but the results were very similar, having to manually restart again ang getting this output in the shell:

 kernel:[  169.787016] Internal error: Oops: 207 [#1] SMP ARM

Message from syslogd@raspberrypi at Apr 28 09:33:51 ...
 kernel:[  169.787502] Process dhcpcd-run-hook (pid: 1231, stack limit = 0x05145401)

Message from syslogd@raspberrypi at Apr 28 09:33:51 ...
 kernel:[  169.787522] Stack: (0xd788bf70 to 0xd788c000)

If you want the content of any particular file you just need to tell me, although I'd swear there is no log entry from the load of the module until the new boot.

Thanks for your help.

[Gryk3l]

@awerv For a final test I tried to remove dhcpcd to see how the error would change and the resulting output shows that dhcpcd wasn't the problem, since now the program triggering it is a different one (systemd-udevd):

 kernel:[  252.726278] Internal error: Oops: 206 [#1] SMP ARM

Message from syslogd@raspberrypi at Apr 29 10:06:57 ...
 kernel:[  252.726751] Process systemd-udevd (pid: 149, stack limit = 0xb0b7ddd5)

Message from syslogd@raspberrypi at Apr 29 10:06:57 ...
 kernel:[  252.726771] Stack: (0xd8669f70 to 0xd866a000)

Message from syslogd@raspberrypi at Apr 29 10:06:57 ...
 kernel:[  252.726790] 9f60:                                     c020b6e0 c02fc6a8 c0201d1c 013f8f60

Message from syslogd@raspberrypi at Apr 29 10:06:57 ...
 kernel:[  252.726819] 9f80: 013f8f80 013f8f64 000000d9 c02011c4 d8668000 000000d9 00000000 d8669fa8

Message from syslogd@raspberrypi at Apr 29 10:06:57 ...
 kernel:[  252.726848] 9fa0: c02011a4 bf262068 013f8f60 013f8f80 0000000e 013f8f80 00008000 00000000

Message from syslogd@raspberrypi at Apr 29 10:06:57 ...
 kernel:[  252.726877] 9fc0: 013f8f60 013f8f80 013f8f64 000000d9 013cd490 bea348a0 b6dce004 013b84f8

Message from syslogd@raspberrypi at Apr 29 10:06:57 ...
 kernel:[  252.726905] 9fe0: b6dcdf94 bea34730 b6e69474 b6e693a8 60000010 0000000e 00000000 00000000

Message from syslogd@raspberrypi at Apr 29 10:06:57 ...
 kernel:[  252.727140] Code: e24dd00c e52de004 e8bd4000 e3043280 (e5907004) 

[awerv]

@GrizzlyMiki the issue is not dhcpd, one of the syscall hooks went wrong. The Raspbian in a vm idea seems to be a dead end, I'll downgrade the kernel on my Pi, when I'll have some time to debug this.

[awerv]

@GrizzlyMiki I managed to downgrade & crash my Pi with Diamorphine. It turned out, that above kernel version 4.16.0 only some architectures changed the convention how syscalls are called, platforms where CONFIG_ARCH_HAS_SYSCALL_WRAPPER is not enabled, still use the old convention.
Thank you very much for spotting this bug, I fixed it, now the syscalls are not failing on my Pi. Test it please if you can, just to make sure. I don't know though, how my initial test environment was not crashing.
Also the reason of your permission issue on 4.19 was that the kernel was configured to allow only signed modules to be loaded.

[Gryk3l]

@awerv Sure, I will try it right now. Is it possible that you pushed the wrong version, though? Because I'm getting some compilation errors (I'm cloning from https://github.com/awerv/Diamorphine and my kernel is 5.4.79-v7l+). I'm going to try to fix them by myself while waiting for your answer, the errors are as follow:

make[1]: Entering directory '/usr/src/linux-headers-5.4.79-v7l+'
  CC [M]  /root/Diamorphine/diamorphine.o
/root/Diamorphine/diamorphine.c: In function ‘hacked_getdents64’:
/root/Diamorphine/diamorphine.c:124:28: warning: passing argument 1 of ‘orig_getdents64’ makes pointer from integer without a cast [-Wint-conversion]
  int ret = orig_getdents64(fd, dirent, count), err;
                            ^~
/root/Diamorphine/diamorphine.c:124:28: note: expected ‘const struct pt_regs *’ but argument is of type ‘unsigned int’
/root/Diamorphine/diamorphine.c:124:12: error: too many arguments to function ‘orig_getdents64’
  int ret = orig_getdents64(fd, dirent, count), err;
            ^~~~~~~~~~~~~~~
/root/Diamorphine/diamorphine.c: In function ‘hacked_getdents’:
/root/Diamorphine/diamorphine.c:190:26: warning: passing argument 1 of ‘orig_getdents’ makes pointer from integer without a cast [-Wint-conversion]
  int ret = orig_getdents(fd, dirent, count), err;
                          ^~
/root/Diamorphine/diamorphine.c:190:26: note: expected ‘const struct pt_regs *’ but argument is of type ‘unsigned int’
/root/Diamorphine/diamorphine.c:190:12: error: too many arguments to function ‘orig_getdents’
  int ret = orig_getdents(fd, dirent, count), err;
            ^~~~~~~~~~~~~
/root/Diamorphine/diamorphine.c: In function ‘hacked_kill’:
/root/Diamorphine/diamorphine.c:330:21: warning: passing argument 1 of ‘orig_kill’ makes pointer from integer without a cast [-Wint-conversion]
    return orig_kill(pid, sig);
                     ^~~
/root/Diamorphine/diamorphine.c:330:21: note: expected ‘const struct pt_regs *’ but argument is of type ‘pid_t’ {aka ‘int’}
/root/Diamorphine/diamorphine.c:330:11: error: too many arguments to function ‘orig_kill’
    return orig_kill(pid, sig);
           ^~~~~~~~~
/root/Diamorphine/diamorphine.c: In function ‘diamorphine_init’:
/root/Diamorphine/diamorphine.c:408:19: error: ‘orig_getdents_t’ undeclared (first use in this function); did you mean ‘orig_getdents64’?
  orig_getdents = (orig_getdents_t)__sys_call_table[__NR_getdents];
                   ^~~~~~~~~~~~~~~
                   orig_getdents64
/root/Diamorphine/diamorphine.c:408:19: note: each undeclared identifier is reported only once for each function it appears in
/root/Diamorphine/diamorphine.c:408:35: error: expected ‘;’ before ‘__sys_call_table’
  orig_getdents = (orig_getdents_t)__sys_call_table[__NR_getdents];
                                   ^~~~~~~~~~~~~~~~
                                   ;
/root/Diamorphine/diamorphine.c:409:21: error: ‘orig_getdents64_t’ undeclared (first use in this function); did you mean ‘orig_getdents64’?
  orig_getdents64 = (orig_getdents64_t)__sys_call_table[__NR_getdents64];
                     ^~~~~~~~~~~~~~~~~
                     orig_getdents64
/root/Diamorphine/diamorphine.c:409:39: error: expected ‘;’ before ‘__sys_call_table’
  orig_getdents64 = (orig_getdents64_t)__sys_call_table[__NR_getdents64];
                                       ^~~~~~~~~~~~~~~~
                                       ;
/root/Diamorphine/diamorphine.c:410:15: error: ‘orig_kill_t’ undeclared (first use in this function); did you mean ‘orig_kill’?
  orig_kill = (orig_kill_t)__sys_call_table[__NR_kill];
               ^~~~~~~~~~~
               orig_kill
/root/Diamorphine/diamorphine.c:410:27: error: expected ‘;’ before ‘__sys_call_table’
  orig_kill = (orig_kill_t)__sys_call_table[__NR_kill];
                           ^~~~~~~~~~~~~~~~
                           ;
scripts/Makefile.build:265: recipe for target '/root/Diamorphine/diamorphine.o' failed
make[2]: *** [/root/Diamorphine/diamorphine.o] Error 1
Makefile:1732: recipe for target '/root/Diamorphine' failed
make[1]: *** [/root/Diamorphine] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-5.4.79-v7l+'
Makefile:7: recipe for target 'all' failed
make: *** [all] Error 2

Also tried with kernel 5.4.83-v7l+ and the errors are still there.

[awerv]

@GrizzlyMiki 1 && IS_ENABLED(CONFIG_ARCH_HAS_SYSCALL_WRAPPER) was missing at the beginning, where the pointers for the original syscalls are defined, fixed it.

[Gryk3l]

@awerv Been testing on kernel 5.4.83-v7l+ and it works fine now, although I would recommend you to check the "Sending a signal 64(to any pid) makes the given user become root" functionality since it wasn't working for me. To be clear I don't need that specific functionality, so for me in particular this is not important.

I was checking it by running sleep 20; touch /etc/test from an unprivileged user (the sleep would give me time to send him the desired signal) but It wasn't making any difference.

Thank you very much for your work, I kind of needed to get this to work and I couldn't have done it myself ^^

[awerv]

@GrizzlyMiki glad I could help, and thank you for uncovering my mistake :)
Checked the signal too, it seems fine to me. Tested it this way:

test ➜ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),...
test ➜ (sleep 30; touch file)&
[1] 1043
test ➜ kill -64 1043
test ➜ id
uid=0(root) gid=0(root) groups=0(root),...
test ➜ ls
test ➜ ls -la
total 8
drwxr-xr-x  2 pi pi 4096 May  4 04:20 .
drwxr-xr-x 21 pi pi 4096 May  4 04:21 ..
test ➜ 
[1]  + 1043 done       ( sleep 30; touch file; )
test ➜ ls -la
total 8
drwxr-xr-x  2 pi pi 4096 May  4 04:21 .
drwxr-xr-x 21 pi pi 4096 May  4 04:21 ..
-rw-r--r--  1 pi pi    0 May  4 04:21 file
test ➜ id
uid=0(root) gid=0(root) groups=0(root),...

The shell got escalated, however the file is created with the id of the old user.

[m0nad]

Thanks for your contribution - again - @awerv, and thanks @GrizzlyMiki for helping with this.
I tried to run this commit on 4.19.97+ and got this error on dmesg:

[  144.808814] ------------[ cut here ]------------                                                                                                                   
[  144.813664] kernel BUG at Returning to usermode but unexpected PSR bits set?:5!                                                                           [47/1973]
[  144.821235] Internal error: Oops - BUG: 0 [#1] ARM                                                                                                                 
[  144.826197] Modules linked in: ctr ccm 8021q garp stp llc arc4 joydev evdev hid_logitech_hidpp rtl8192cu rtl_usb rtl8192c_common rtlwifi mac80211 sha256_generic cf
g80211 hid_logitech_dj rfkill raspberrypi_hwmon hwmon snd_bcm2835(C) snd_pcm snd_timer snd bcm2835_codec(C) bcm2835_v4l2(C) v4l2_mem2mem bcm2835_mmal_vchiq(C) v4l2_co
mmon videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common videodev vc_sm_cma(C) media uio_pdrv_genirq uio fixed ip_tables x_tables 
ipv6                                                                               
[  144.871548] CPU: 0 PID: 482 Comm: insmod Tainted: G         C O      4.19.97+ #1294
[  144.879446] Hardware name: BCM2835
[  144.882990] PC is at no_work_pending+0x30/0x34
[  144.887621] LR is at set_kernel_text_ro+0x112c/0xffffede4 [diamorphine]
[  144.894462] pc : [<c0009094>]    lr : [<bf586348>]    psr: 00000093
[  144.900935] sp : d69e3d38  ip : c0a2741c  fp : 00000000
[  144.906332] r10: 00000002  r9 : d69e2000  r8 : c00091a4
[  144.911705] r7 : 00000000  r6 : 00000000  r5 : bf585000  r4 : bf585200
[  144.918449] r3 : 40000093  r2 : d69e3d74  r1 : 00000013  r0 : c0009068
[  144.925192] Flags: nzcv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  144.932655] Control: 00c5387d  Table: 168a8008  DAC: 00000055
[  144.938601] Process insmod (pid: 482, stack limit = 0x0a5315ea)
[  144.944693] Stack: (0xd69e3d38 to 0xd69e4000)
[  144.949200] 3d20:                                                       fffffffc c01ad418
[  144.957648] 3d40: bf585218 c01ad680 bf585200 bf585000 00000000 00000000 d705ce00 00000002
[  144.966101] 3d60: d705ce40 d69e3d9c c0a2741c bea4e620 0000006c bf586348 00000013 57040800
[  144.974550] 3d80: bf585000 bf588000 c0a27028 00000000 d69e3e14 d69e3da0 c000aea8 bf58800c
[  144.982997] 3da0: 0080007f c0a27028 d705ce00 00000002 0080007e 0002123a d8f93d60 c0150ebc
[  144.991450] 3dc0: c0a27028 0002123a d8f93de0 c0173138 c0a27028 c0183b30 d69e3e14 d69e3de8
[  144.999898] 3de0: c0183b30 c018ff10 c0184d68 ab5cbdcc bf585000 bf585000 bf585000 d6924f20
[  145.008346] 3e00: c0a27028 d705ce00 d69e3e3c d69e3e18 c00941d0 c000ae68 d69e3f30 bf585000
[  145.016797] 3e20: d69e3e3c d69e3f30 bf585000 00000002 d69e3f0c d69e3e40 c0093048 c0094170
[  145.025246] 3e40: bf58500c 00007fff bf585000 c009081c 00000000 ddefc000 bf5850f4 bf5851d4
[  145.033697] 3e60: bf58998c bf586000 00000000 bf585048 d69e3e94 c08eb440 c0198ed4 c0198d40
[  145.042146] 3e80: 00002420 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  145.050594] 3ea0: 6e72656b 00006c65 00000000 00000000 00000000 00000000 00000000 00000000
[  145.059039] 3ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 ab5cbdcc
[  145.067486] 3ee0: 7fffffff c0a27028 00000000 00000003 0002d064 7fffffff 00000000 00000000
[  145.075935] 3f00: d69e3fa4 d69e3f10 c00939dc c00915b8 7fffffff 00000000 00000003 00000000
[  145.084386] 3f20: 00000000 ddefc000 00002420 00000000 ddefc99a ddefce20 ddefc000 00002420
[  145.092833] 3f40: ddefdea8 ddefdd40 ddefd73c 00003000 00003340 00000000 00000000 00000000
[  145.101280] 3f60: 0000198c 00000020 00000021 00000018 00000016 00000012 00000000 ab5cbdcc
[  145.109731] 3f80: a1394300 beaae6c4 0003fce8 0000017b c00091a4 d69e2000 00000000 d69e3fa8
[  145.118180] 3fa0: c0009000 c0093930 a1394300 beaae6c4 00000003 0002d064 00000000 b6fa6d64
[  145.126629] 3fc0: a1394300 beaae6c4 0003fce8 0000017b 014db248 00000000 00000002 00000000
[  145.135080] 3fe0: beaae4f8 beaae4e8 00022cb8 b6ca1af0 60000010 00000003 00000000 00000000
[  145.143540] Code: e9527fff e1a00000 e28dd048 e1b0f00e (e7f001f2) 
[  145.149839] ---[ end trace 9b2b0d8244842a8c ]---

I also tested on 5.10 using the kprobe technique to fix the kallsyms_lookup_name non-exported symbol but got a crash.
I don't have a raspberry pi, and I was using one via ssh from a friend, so it was a bit clunky to debug it, maybe you can figure it out :)

[awerv]

Sorry for the inactivity, I had a couple of busy weeks, but I didn't forget this, will look into the issue in the near future.

[m0nad]

Hi @awerv, do you still plan to work on this?

[awerv]

Yes, I intend to. Hopefully this or the next weekend I will have time to work on this.

[awerv]

Hey @m0nad! I finally did some investigation, but I couldn't replicate your crash.
I tested the following versions:

• 4.18.20
• 4.19.127
• 4.20.17
  I also checked the source, to see if any config might affect how the set_kernel_text_ro & set_kernel_text_rw functions work, but I only found this:

#ifdef CONFIG_STRICT_KERNEL_RWX
void set_kernel_text_rw(void);
void set_kernel_text_ro(void);
#else
static inline void set_kernel_text_rw(void) { }
static inline void set_kernel_text_ro(void) { }
#endif

I don't think this config option has anything to do with your crash...
I will try to get the exact same version you mentioned.

[Zibri]

@awerv hi! I am trying to write a kernel module for android (linux kernel 4.14.180-190 on ARM64) and I need to patch a couple of bytes in KERNEL code area.
set_kernel_text_rw/set_kernel_text_ro are not present in kernel.
I tried everything but as I do the write, the phone reboots.
Obviously I can patch the code directly and then boot it, but I wised to do a kernel module that just patches 8 bytes (two NOPs)

Can you help?

[awerv]

@Zibri check the code of the boot flow, somewhere there the kernel marks its memory read-only. That's how I found set_kernel_text_rw/set_kernel_text_ro, which by the way are for 32 bit ARM. For 64 bit ARM I could use update_mapping_prot, but for Android I have no idea what you will need to use.

[Zibri]

@awerv I didn't find a solution.. or I would not have asked you.
By the way there are also functions like aarch64_insn_patch_text but I don't know if they work...
Are you available anywhere for a chat?