The quick summary of this backdoor is:
- Register a protocol handler for an unused IP protocol number.
- Call call_usermodehelper to execute the payload of the packet (skb->data).
- The remote system now executes, as root, any command you send it.
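Because the backdoor hides behind an otherwise unused IP protocol number, a defender can watch for traffic whose protocol field falls outside what the host should legitimately carry. The following allow-list check is an added example, not code from the original post; the allow-list and the two sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol numbers an ordinary IPv4 host is expected to carry. Anything else
 * (including the "unused" number a backdoor like the one above listens on) is
 * flagged for review. Allow-list and sample packets are constructed for this
 * example; tune the list to the traffic your own hosts legitimately see. */
static const uint8_t expected_protos[] = {
    1,  /* ICMP */ 2,  /* IGMP */ 6,  /* TCP */ 17, /* UDP */
    47, /* GRE */  50, /* ESP */  51  /* AH */
};

/* Return the Protocol field of an IPv4 packet, or -1 if the buffer does not
 * hold a plausible IPv4 header (too short, wrong version, bad IHL). */
int ipv4_protocol(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return -1;
    return pkt[9];
}

/* 1 = protocol outside the allow-list (alert), 0 = expected, -1 = unparseable. */
int is_unexpected_protocol(const uint8_t *pkt, size_t len)
{
    int proto = ipv4_protocol(pkt, len);
    if (proto < 0)
        return -1;
    for (size_t i = 0; i < sizeof expected_protos; i++)
        if (expected_protos[i] == (uint8_t)proto)
            return 0;
    return 1;
}

/* Constructed 20-byte IPv4 headers (10.0.0.1 -> 10.0.0.2) plus 8 payload bytes. */
static const uint8_t udp_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02, 'p','a','y','l','o','a','d','!' };
static const uint8_t odd_pkt[28] = {   /* protocol 253: RFC 3692 experimental, not seen on a normal host */
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00, 0x00, 0x40, 0xfd, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02, 'p','a','y','l','o','a','d','!' };

int main(void)
{
    printf("udp_pkt: proto %d, unexpected=%d\n", ipv4_protocol(udp_pkt, sizeof udp_pkt),
           is_unexpected_protocol(udp_pkt, sizeof udp_pkt));
    printf("odd_pkt: proto %d, unexpected=%d\n", ipv4_protocol(odd_pkt, sizeof odd_pkt),
           is_unexpected_protocol(odd_pkt, sizeof odd_pkt));
    return 0;
}
```

The same check can be fed from a packet capture or a netfilter hook; a sustained stream of hits on one unusual protocol number is the kind of signal this backdoor's design leaves behind.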
Further investigation reveals that this is due to calling a function that may sleep from atomic context: call_usermodehelper eventually calls wait_for_common, which sleeps. You must not sleep in an interrupt handler.
The fix is to defer the work: stop doing it in interrupt context and schedule the non-atomic part for later processing.
One possible solution is to use work queues for the deferred work. Here's an example implementation on GitHub using work queues.
And here's an example session: