• Kernel crash testing with the lkdtm kernel module


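    Kernel source location

    drivers/misc/lkdtm

    Test environment

    Debian 10 VMware virtual machine

    Kernel configuration option

    CONFIG_LKDTM

    Usage

    1. Specify parameters when loading the module to trigger the exception
    2. After the module is loaded, trigger the exception by writing to its debugfs files
      Example commands: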
        mount -t debugfs debugfs /sys/kernel/debug
        echo EXCEPTION > /sys/kernel/debug/provoke-crash/INT_HARDWARE_ENTRY
    

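    Usage example

    Loading the lkdtm kernel module

    Run insmod lkdtm.ko to load it.

    Writing to the file under /sys/kernel/debug to trigger a kernel crash

    Triggering the EXEC_STACK exception: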

        root@debian:/sys/kernel/debug/provoke-crash# echo EXEC_STACK > INT_HARDWARE_ENTRY
        [  256.275861] lkdtm: Crash point INT_HARDWARE_ENTRY of type EXEC_STACK hit, trigger in 9 rounds
        root@debian:/sys/kernel/debug/provoke-crash# [  256.278619] lkdtm: Crash point INT_HARDWARE_ENTRY of type EXEC_STACK hit, trigger in 8 rounds
        [  256.284414] lkdtm: Crash point INT_HARDWARE_ENTRY of type EXEC_STACK hit, trigger in 7 rounds
        [  256.415029] lkdtm: Crash point INT_HARDWARE_ENTRY of type EXEC_STACK hit, trigger in 6 rounds
        ................................................................................................
        [  256.858127] lkdtm: Crash point INT_HARDWARE_ENTRY of type EXEC_STACK hit, trigger in 1 rounds
        [  256.872340] lkdtm: Crash point INT_HARDWARE_ENTRY of type EXEC_STACK hit, trigger in 0 rounds
        [  256.874736] lkdtm: attempting ok execution at ffffffffc070b8a0
        [  256.876703] lkdtm: attempting bad execution at ffff899c7bc43e78
        [  256.878628] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
        [  256.880441] BUG: unable to handle kernel paging request at ffff899c7bc43e78
        [  256.882056] PGD 21202067 P4D 21202067 PUD 21206067 PMD 800000007bc000e3
        [  256.883743] Oops: 0011 [#1] SMP PTI
        [  256.884544] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G           OE     4.19.0-18-amd64 #1 Debian 4.19.208-1
        [  256.886766] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
        [  256.889292] RIP: 0010:0xffff899c7bc43e78
        [  256.890481] Code: ff ff 10 00 00 00 00 00 00 00 46 00 01 00 00 00 00 00 70 3e c4 7b 9c 89 ff ff 18 00 00 00 00 00 00 00 a4 c5 70 c0 ff ff ff ff <0f> 1f 44 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53
        [  256.895082] RSP: 0018:ffff899c7bc43e70 EFLAGS: 00010046
        ..............................................................................
        [  256.915046] Call Trace:
        [  256.915801]  <IRQ>
        [  256.916433]  ? lkdtm_EXEC_STACK+0x26/0x40 [lkdtm]
        [  256.917657]  ? lkdtm_kprobe_handler+0xa4/0xc0 [lkdtm]
        [  256.919327]  ? kprobe_ftrace_handler+0x92/0xf0
        [  256.921424]  ? ftrace_ops_assist_func+0x7e/0x120
        [  256.922945]  ? rebalance_domains+0x274/0x2c0
        [  256.924618]  ? 0xffffffffc01700bf
        [  256.925600]  ? __sched_text_end+0x7/0x7
        [  256.926581]  ? common_interrupt+0xa/0xf
        [  256.927747]  ? do_IRQ+0x1/0xe0
        [  256.928757]  ? do_IRQ+0x5/0xe0
        [  256.929817]  ? common_interrupt+0xf/0xf
        [  256.931096]  </IRQ>
        .....................................................
    

    Triggering the HARDLOCKUP exception:

        root@debian://sys/kernel/debug/provoke-crash# echo HARDLOCKUP > INT_HARDWARE_ENTRY
        [   99.455223] lkdtm: Crash point INT_HARDWARE_ENTRY of type HARDLOCKUP hit, trigger in 9 rounds
        root@debian://sys/kernel/debug/provoke-crash# [   99.458569] lkdtm: Crash point INT_HARDWARE_ENTRY of type HARDLOCKUP hit, trigger in 8 rounds
        [   99.517818] lkdtm: Crash point INT_HARDWARE_ENTRY of type HARDLOCKUP hit, trigger in 7 rounds
        [   99.702486] lkdtm: Crash point INT_HARDWARE_ENTRY of type HARDLOCKUP hit, trigger in 6 rounds
        [   99.903978] lkdtm: Crash point INT_HARDWARE_ENTRY of type HARDLOCKUP hit, trigger in 5 rounds
        ................................................................................................
        [  100.188117] lkdtm: Crash point INT_HARDWARE_ENTRY of type HARDLOCKUP hit, trigger in 0 rounds
        [  125.364108] rcu: INFO: rcu_sched self-detected stall on CPU
        [  125.366256] rcu:     2-....: (5249 ticks this GP) idle=70a/1/0x4000000000000002 softirq=6036/6036 fqs=2551
        [  125.369938] rcu:      (t=5250 jiffies g=7421 q=123)
        [  125.371442] NMI backtrace for cpu 2
        [  125.372564] CPU: 2 PID: 300 Comm: kworker/2:2 Tainted: G           OE     4.19.0-18-amd64 #1 Debian 4.19.208-1
        [  125.375570] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
        [  125.378761] Workqueue: events netstamp_clear
        [  125.380100] Call Trace:
        [  125.380931]  <IRQ>
        [  125.381491]  dump_stack+0x66/0x81
        [  125.382391]  nmi_cpu_backtrace.cold.4+0x13/0x50
        [  125.383787]  ? lapic_can_unplug_cpu+0x80/0x80
        [  125.385224]  nmi_trigger_cpumask_backtrace+0xf9/0x100
        [  125.386747]  rcu_dump_cpu_stacks+0x9b/0xcb
        [  125.387906]  rcu_check_callbacks.cold.81+0x1db/0x335
        [  125.389275]  ? tick_sched_do_timer+0x60/0x60
        [  125.390794]  update_process_times+0x28/0x60
        [  125.392255]  tick_sched_handle+0x22/0x60
        [  125.393266]  tick_sched_timer+0x37/0x70
        [  125.394187]  __hrtimer_run_queues+0x100/0x280
        [  125.395516]  hrtimer_interrupt+0x100/0x210
        [  125.396531]  smp_apic_timer_interrupt+0x6a/0x140
        [  125.397634]  apic_timer_interrupt+0xf/0x20
        [  125.398643]  </IRQ>
        ..........................................................
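
    Logs like the two above can be checked mechanically. The script below is an added example, not part of the original post: it reads a saved kernel log and reports whether the crash point counted down to 0 and whether the expected kernel report followed the trigger. The function name lkdtm_verdict and its verdict strings are made up for this example; the sample lines come from the EXEC_STACK run above, plus two constructed variants derived from them.

```shell
#!/bin/sh
# Added example (not from the original post): classify a saved kernel log
# from an lkdtm run. It only reads text; it never touches provoke-crash.

# lkdtm_verdict TYPE PATTERN < log
#   TYPE    crash type written to the crash point, e.g. EXEC_STACK
#   PATTERN extended regex for the kernel report expected after the trigger
lkdtm_verdict() {
    awk -v type="$1" -v want="$2" '
        index($0, "lkdtm: Crash point") && index($0, "of type " type " hit") {
            armed = 1
            if (index($0, "trigger in 0 rounds")) fired = 1
            next
        }
        fired && $0 ~ want { seen = 1 }   # only count reports after the trigger
        END {
            if (!armed)      print "not-armed"
            else if (!fired) print "counting-down"
            else if (seen)   print "reported"
            else             print "fired-no-report"
        }'
}

# Sample: lines taken from the EXEC_STACK run shown above.
sample_nx_fault() {
    cat <<'EOF'
[  256.858127] lkdtm: Crash point INT_HARDWARE_ENTRY of type EXEC_STACK hit, trigger in 1 rounds
[  256.872340] lkdtm: Crash point INT_HARDWARE_ENTRY of type EXEC_STACK hit, trigger in 0 rounds
[  256.876703] lkdtm: attempting bad execution at ffff899c7bc43e78
[  256.878628] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
EOF
}

# Constructed samples: the same run cut off before the trigger, and with the
# NX report removed (what a log without the protection message looks like).
sample_countdown() { sample_nx_fault | sed -n '1p'; }
sample_no_report() { sample_nx_fault | sed '$d'; }

NX='kernel tried to execute NX-protected page'
for s in sample_nx_fault sample_countdown sample_no_report; do
    printf '%-18s %s\n' "$s" "$("$s" | lkdtm_verdict EXEC_STACK "$NX")"
done
```

    For the HARDLOCKUP run above, the report that followed the trigger was the RCU stall line, so the pattern to pass would be 'self-detected stall'.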
    

    Reference

    https://www.kernel.org/doc/html/latest/fault-injection/provoke-crashes.html

  • Original article: https://blog.csdn.net/Longyu_wlz/article/details/125955389