From 07ff9e969f2507f9d5203c6ef531b4891cae06db Mon Sep 17 00:00:00 2001
From: 0xC0ncord
Date: Fri, 16 Oct 2020 20:55:15 -0400
Subject: [PATCH] Fix checking of umh in-memory files on Linux >= 5.9
---
 .../syscalls/p_call_usermodehelper/p_call_usermodehelper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c b/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c
index 3516589c..724f42e3 100644
--- a/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c
+++ b/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c
@@ -165,7 +165,7 @@ int p_call_usermodehelper_entry(struct kretprobe_instance *p_ri, struct pt_regs
 if (!p_umh_allowed) {
 p_call_usermodehelper_entry_not_allowed:
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0) && LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0)
 if (!strcmp("none",p_subproc->path) && p_subproc->file) {
 p_print_log(P_LKRG_ERR, " UMH is executing file from memory...\n");
@@ -237,7 +237,7 @@ int p_call_usermodehelper_entry(struct kretprobe_instance *p_ri, struct pt_regs
 break;
 }
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0) && LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0)
 }
 #endif
 }
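Review bot: The bound `LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0) && LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0)` is now written out twice, once on the `#if` that opens the `if (!strcmp("none",p_subproc->path) && p_subproc->file) {` block after `p_call_usermodehelper_entry_not_allowed:` and once on the `#if` that guards the matching `}` in the second hunk (@@ -237), and the two copies have to stay identical or the braces stop balancing on some kernel range. Defining the condition once near the top of the file, for example `#define P_UMH_IN_MEMORY_FILE (LINUX_VERSION_CODE >= KERNEL_VERSION(4,18,0) && LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0))` (the name is only a suggestion), and testing `#if P_UMH_IN_MEMORY_FILE` at both sites removes that risk. A short comment such as `/* p_subproc->file is only usable on 4.18..5.8 */` would record why 5.9 is excluded; that reason is inferred from the subject line, so confirm it against the kernel headers. In the visible lines this guarded branch only logs for a "none" path, so it is also worth checking that vendor kernels with backported changes fall on the intended side of a pure version test. The body of `p_call_usermodehelper_entry` starts and ends outside both hunks.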