Skip to content

create_module

Intro

create_module - a system call that creates a new loadable kernel module.

Description

The create_module syscall allows user-space programs to create and register a new kernel module. This syscall provides the necessary parameters for defining the module's code, data, name and description, which are then compiled into a loadable kernel object file. After being created, the kernel module can be used for performing various operations such as extending the kernel's functionality or adding device drivers to the kernel.

The main advantages of using create_module are that it offers a reliable method of loading and registering a new kernel module, while also providing a degree of flexibility that allows the programmer to customize the module to their needs. Additionally, it is worth noting that create_module can be more efficient than manually creating a kernel module, since it handles most of the necessary steps for creating a kernel module automatically.

Arguments

  • name:char *[K, U] - the name of the kernel module. Must be unique.
  • code:void *[U] - a pointer to the module's code.
  • len:unsigned long[K] - the size of the module's code.
  • mode:mode_t[K] - specifies the kernel module's access privileges.
  • flags:int[K] - flags to specify additional parameters for the module.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_init_module

Type

KProbe

Purpose

Hook sys_init_module to validate the arguments of the create_module syscall before the module is loaded.

Example Use Case

The create_module syscall can be used to create a new kernel module that extends the kernel's functionality, or adds device drivers to the kernel. For example, a kernel module could be used to detect new hardware in the system, or to add a new system call that could be used to perform a specific operation.

Issues

Some versions of the create_module syscall are vulnerable to TOCTOU (Time of Check Time of Use) race conditions, which can be exploited by malicious users to subvert the loading process of the module. To mitigate this issue, it is recommended to hook the sys_init_module function using a KProbe and to validate the module's code and arguments before allowing it to be loaded.

  • delete_module: the syscall used to unload a module created with create_module.
  • sys_init_module: the kernel entry point for the create_module syscall, which can be hooked to validate the arguments of the create_module syscall before the module is loaded.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.