ft-mugurel/VKM
Initial setup for debugging

  1. Clone the VKM project, our vulnerable kernel module.
       git clone https://github.com/ft-mugurel/VKM.git
       cd VKM
  • Now we need a kernel with debugging enabled.
  2. Download and unpack the Linux kernel source.
       wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.9.tar.xz
       tar xvf linux-6.9.tar.xz
       mv linux-6.9 linux
       cd linux
  3. Create the default configuration file.
       make defconfig
       make kvm_guest.config
  4. Enable the following options by adding them to the .config file:
       # Coverage collection.
       CONFIG_KCOV=y

       # Debug info for symbolization.
       CONFIG_DEBUG_INFO_DWARF4=y

       # Memory bug detector.
       CONFIG_KASAN=y
       CONFIG_KASAN_INLINE=y
       CONFIG_KASAN_MULTI_SHOT=y

       # Required for Debian Stretch and later.
       CONFIG_CONFIGFS_FS=y
       CONFIG_SECURITYFS=y

     Or just run the following command:

       echo -e "\nCONFIG_KCOV=y\nCONFIG_DEBUG_INFO_DWARF4=y\nCONFIG_KASAN=y\nCONFIG_KASAN_INLINE=y\nCONFIG_KASAN_MULTI_SHOT=y\nCONFIG_CONFIGFS_FS=y\nCONFIG_SECURITYFS=y" >> .config

     After that, run this command to update the configuration. It resolves the dependencies of the options you just added and silently drops any option whose dependencies are not met, so check the resulting .config (for example with grep) to confirm the options above are still set:

       make olddefconfig
  5. Compile the kernel.
       make CC="gcc -std=gnu11" -j16
  6. Create the disk image with debootstrap. First install debootstrap for your distribution. Then run:
       cd ..
       mkdir image
       cd image
       wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh -O create-image.sh
       chmod +x create-image.sh
       ./create-image.sh
       cd ..

Building the kernel module and running it inside QEMU:

  1. Build the kernel module.
       make build
  2. Run the kernel module inside QEMU.
       make loadmodule

     This uploads the module into the QEMU guest and loads it into the kernel.

  3. To unload the module, run:
       make unloadmodule

Vulnerabilities in the VKM module

Stack buffer overflow [x]

  • A stack buffer overflow happens when the product name is read into a fixed-length buffer without a length check: a name longer than the buffer overflows the stack memory.

Heap buffer overflow

  • The channel count is read and stored in a signed int with no range check. Because it is not unsigned it can be negative, and if the declared channel count is smaller than the number of channels actually written, the copy overflows the heap buffer.

Use after free

  • When the device is connected, a security key is allocated. If the device is sent the reset command, that key is freed; if the key is not sent again afterwards, the module reads the freed memory, a use after free.

Double free

  • If the reset command is sent a second time after the first reset, the device is freed again even though it was already freed, a double free.

Integer overflow

  • There is no upper limit on the channel count: a value larger than the maximum int value wraps around, an integer overflow.

Integer underflow

  • There is no lower limit on the channel count: a value smaller than the minimum int value wraps around, an integer underflow.
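The heap buffer overflow, integer overflow and integer underflow entries above all stem from the same unchecked signed channel count. The following user-space model, added here as an example and not code from the VKM module, shows the input validation that closes all three at once; the `struct channel` layout, the `MAX_CHANNELS` limit and the function names are assumptions.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of one channel record; VKM's real struct is not on this page. */
struct channel { unsigned int id; unsigned int gain; };

/* Assumed policy limit per device; the README states the module has none. */
#define MAX_CHANNELS 64

/* Validate a user-controlled channel count before it reaches the allocator.
 * `declared` is the signed int read from the request (as in VKM), `actual` is
 * the number of records that will really be written into the table.
 * Returns 0 and the table size in bytes on success, -1 on any rejection. */
int channel_table_size(int declared, size_t actual, size_t *out_bytes)
{
    /* Underflow/negative: a negative int silently becomes a huge size_t when
     * it is converted for the allocator, and the copy loop bound is wrong. */
    if (declared <= 0)
        return -1;
    /* Overflow: cap the count so declared * sizeof() can never wrap. */
    if (declared > MAX_CHANNELS)
        return -1;
    /* Heap overflow: the table must hold every record that will be copied. */
    if ((size_t)declared < actual)
        return -1;
    /* Checked multiply anyway, the user-space analogue of the kernel's
     * array_size()/check_mul_overflow() helpers from linux/overflow.h. */
    size_t bytes;
    if (__builtin_mul_overflow((size_t)declared, sizeof(struct channel), &bytes))
        return -1;
    *out_bytes = bytes;
    return 0;
}

/* Allocate and fill the table only after the count has been validated. */
struct channel *alloc_channels(int declared, const struct channel *src, size_t actual)
{
    size_t bytes;
    if (channel_table_size(declared, actual, &bytes) != 0)
        return NULL;
    struct channel *tab = calloc(1, bytes);
    if (tab == NULL)
        return NULL;
    memcpy(tab, src, actual * sizeof(*src)); /* actual <= declared, so it fits */
    return tab;
}
```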
