#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/ptrace.h>
#include <linux/sched.h>
#include <linux/printk.h>
#ifdef CONFIG_PREEMPT_RT
# error There have been crashs/panics reported using this module in realtime kernels.
#else
# include <linux/version.h>
# if LINUX_VERSION_CODE < KERNEL_VERSION(5,10,0)
# warning This module is intended for kernels >= 5.10 (check functions of "cve-2021-33909_seq_file.c" for compatibility).
# endif
#endif
// functions using "seq_buf_alloc" (each one is replaced by a kprobe hook below):
//seq_read_iter
//seq_lseek
//single_open_size
#include "cve-2021-33909_seq_file.c"
#include <linux/atomic.h>
/* Patch enable flag shared by the three pre_handlers below:
 * 0 = hooks pass execution through to the unpatched kernel code,
 * 1 = hooks divert into the replacement functions from "cve-2021-33909_seq_file.c".
 * Set to 1 only after all three kprobes registered (init) and back to 0 on exit. */
static atomic_t cve_2021_33909_ispatched = ATOMIC_INIT(0);
/*
 * kprobe pre_handler for seq_read_iter(): while the patch is enabled, redirect
 * the probed call into cve_2021_33909_seq_read_iter() (from the included
 * "cve-2021-33909_seq_file.c") and return non-zero so kprobes skips the
 * original instruction; otherwise return 0 and let the unpatched code run.
 * @p:    the registered probe (unused)
 * @regs: saved registers at the probe point; only the instruction pointer is written
 */
static int cve_2021_33909_seq_read_iter_thehook(struct kprobe *p, struct pt_regs *regs) {
	if (atomic_read(&cve_2021_33909_ispatched)) {
		/* divert into the patched implementation */
		instruction_pointer_set(regs, (unsigned long)cve_2021_33909_seq_read_iter);
		return 1; /* IP was changed: kprobes must not run the original */
	}
	return 0; /* execute unpatched code */
}
/*
 * kprobe pre_handler for seq_lseek(): same scheme as the seq_read_iter hook.
 * With the patch enabled the instruction pointer is moved to
 * cve_2021_33909_seq_lseek() and non-zero is returned so kprobes skips the
 * probed instruction; with the patch disabled the original code runs.
 * @p:    the registered probe (unused)
 * @regs: saved registers at the probe point; only the instruction pointer is written
 */
static int cve_2021_33909_seq_lseek_thehook(struct kprobe *p, struct pt_regs *regs) {
	const int patched = atomic_read(&cve_2021_33909_ispatched);

	if (!patched)
		return 0; /* execute unpatched code */

	instruction_pointer_set(regs, (unsigned long)cve_2021_33909_seq_lseek);
	return 1; /* IP was changed: kprobes must not run the original */
}
/*
 * kprobe pre_handler for single_open_size(): same scheme as the other hooks.
 * With the patch enabled the instruction pointer is moved to
 * cve_2021_33909_single_open_size() and non-zero is returned so kprobes skips
 * the probed instruction; with the patch disabled the original code runs.
 * @p:    the registered probe (unused)
 * @regs: saved registers at the probe point; only the instruction pointer is written
 */
static int cve_2021_33909_single_open_size_thehook(struct kprobe *p, struct pt_regs *regs) {
	const int patched = atomic_read(&cve_2021_33909_ispatched);

	if (patched) {
		/* Using regs->ip directly causes problems with platform independence
		 * (some ISAs use different register names) - use the ptrace wrapper
		 * instead. */
		instruction_pointer_set(regs, (unsigned long)cve_2021_33909_single_open_size);
		return 1; /* IP was changed: kprobes must not run the original */
	}

	return 0; /* execute unpatched code */
}
/*
 * Probes on the three seq_file entry points listed above (the ones using
 * seq_buf_alloc). Each probe is attached by symbol name at register time and
 * its pre_handler diverts into the patched replacement while
 * cve_2021_33909_ispatched is non-zero.
 */
static struct kprobe seq_read_iter_hook = {
	.pre_handler = cve_2021_33909_seq_read_iter_thehook,
	.symbol_name = "seq_read_iter",
};

static struct kprobe seq_lseek_hook = {
	.pre_handler = cve_2021_33909_seq_lseek_thehook,
	.symbol_name = "seq_lseek",
};

static struct kprobe single_open_size_hook = {
	// .flags = KPROBE_FLAG_DISABLED,
	.pre_handler = cve_2021_33909_single_open_size_thehook,
	.symbol_name = "single_open_size",
};
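/*
 * Module init: register the three kprobes and, only once all of them are in
 * place, enable the patch flag. On any registration failure the probes that
 * were already registered are removed again in reverse order and a negative
 * errno is returned, so a partially applied patch is never left active.
 *
 * The status variable is a plain local now; the original declared it
 * `static`, which kept it alive in .data for no reason after __init ran.
 *
 * Return: 0 on success, a negative errno otherwise.
 */
static int __init cve_2021_33909_init(void) {
	int rc;

	/* of course the set of patched functions can race against the unpatched set here */
	/* because of the nature of the patch we don't really care - do some basic stuff */
	atomic_set(&cve_2021_33909_ispatched, 0);

	rc = register_kprobe(&single_open_size_hook);
	if (rc)
		goto fail;
	rc = register_kprobe(&seq_lseek_hook);
	if (rc)
		goto unreg_single_open_size;
	rc = register_kprobe(&seq_read_iter_hook);
	if (rc)
		goto unreg_seq_lseek;

	/* all hooks are live - from here on the pre_handlers divert */
	atomic_set(&cve_2021_33909_ispatched, 1);
	printk(KERN_INFO "cve-2021-33909: successfully patched\n");
	return 0;

unreg_seq_lseek:
	unregister_kprobe(&seq_lseek_hook);
unreg_single_open_size:
	unregister_kprobe(&single_open_size_hook);
fail:
	printk(KERN_ALERT "ERROR registering cve-2021-33909\n");
	/* register_kprobe() reports failure as a negative errno; make sure we
	 * never hand a non-negative value back to the module loader. */
	if (rc >= 0)
		rc = -ENXIO;
	return rc;
}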
/*
 * Module exit: disable the patch flag first so the pre_handlers stop
 * diverting, then remove the three kprobes (reverse registration order).
 *
 * NOTE(review): unregister_kprobe() stops further diversions, but a task that
 * was already redirected into one of this module's replacement functions is
 * not waited for here - confirm that module unload cannot race with such an
 * in-flight call before relying on rmmod on a busy system.
 */
static void __exit cve_2021_33909_exit(void) {
/* flag off before the probes go, so no hook diverts into text that is about to vanish */
atomic_set(&cve_2021_33909_ispatched, 0);
printk(KERN_WARNING "cve-2021-33909: deregistered... ...now you are vulnerable again!\n");
unregister_kprobe(&seq_read_iter_hook);
unregister_kprobe(&seq_lseek_hook);
unregister_kprobe(&single_open_size_hook);
}
/* Module entry/exit points and metadata. GPL licensing is required for the
 * kprobes API used above. */
module_init(cve_2021_33909_init);
module_exit(cve_2021_33909_exit);
MODULE_LICENSE( "GPL" );
MODULE_AUTHOR( "Stephan Baerwolf" );
MODULE_DESCRIPTION( "cve-2021-33909 fixes an issue in the kernels filesystem layer by kprobe-replacing vulnerable functions during runtime" );