[JUMP_LABEL] Add support for variable length patching

Since kernel 5.14, JUMP_LABEL algorithm on x86(-64) architecture got a support for variable length patching: torvalds/linux@001951b#diff-64bcf62f020819f6d887d7317d30ad8ecf15f0dab09e8ccf158b29c1be5ca260 This is a major change comparing to the previous kernels and LKRG detects such behavior as a malicious kernel modification. This commit adds support for it and addresses issue #117
lkrg-org · Oct 19, 2021 · a9906a6 · a9906a6
1 parent 8fd4806
commit a9906a6
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/...database/JUMP_LABEL/p_arch_jump_label_transform_apply/p_arch_jump_label_transform_apply.c b/...database/JUMP_LABEL/p_arch_jump_label_transform_apply/p_arch_jump_label_transform_apply.c
@@ -73,10 +73,19 @@ notrace int p_arch_jump_label_transform_apply_entry(struct kretprobe_instance *p
    for (p_jl_batch_nr = 0; p_cnt < p_nr; p_cnt++) {
       p_tmp = (p_text_poke_loc *)&P_SYM(p_tp_vec)[p_jl_batch_nr*sizeof(p_text_poke_loc)];
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 6, 0)
-      if ( (p_tmp->opcode == CALL_INSN_OPCODE || p_tmp->opcode == JMP32_INSN_OPCODE)  &&
+      if ( (p_tmp->opcode == CALL_INSN_OPCODE
+            || p_tmp->opcode == JMP32_INSN_OPCODE
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 14, 0)
+            || p_tmp->opcode == JMP8_INSN_OPCODE
+#endif
+            ) &&
           p_tmp->rel_addr) {
 #else
-      if (p_tmp->len == JUMP_LABEL_NOP_SIZE &&
+      if ( (p_tmp->len == 5
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 14, 0)
+            || p_tmp->len == 2
+#endif
+            ) &&
           p_tmp->addr
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 5, 0) || \
    (defined(RHEL_RELEASE_CODE) && RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(8, 3))