I am trying to create a hook on the system function open(). I've done this along the following lines.
I created a wrapper library with the following:
extern int mocked_open(const char* fn, int flags, va_list args);
int open(const char* fn, int flags, ...)
{
int r = -1;
va_list args;
va_start(args, flags);
r = mocked_open(fn, flags, args);
va_end(args);
return r;
}
I compile this into libwrapper.so, which I load using LD_PRELOAD.
The implementation of mocked_open() is as follows (I use the CPPUtest framework):
int mocked_open(const char* fn, int flags, va_list args)
{
if (strncmp(fn, test_device_id, 11) == 0)
{
return mock().actualCall("open").returnValue().getIntValue();
}
else
{
int r = -1;
int (*my_open)(const char*, int, ...);
void* fptr = dlsym(RTLD_NEXT, "open");
memcpy(&my_open, &fptr, sizeof(my_open));
if (flags & O_CREAT)
{
r = my_open(fn, flags, va_arg(args, mode_t));
}
else
{
r = my_open(fn, flags);
}
return r;
}
}
The test_device_id is a simple string ("test_device"), which I hope is not used elsewhere.
During running the tests the executable crashes with a segmentation fault. I've traced this down to the GCC profiling functionality, which wants to open/create a bunch of .gcda files and calls open() for this.
After some debugging with strace (per suggestion below), I found that the line r = my_open(fn, flags, va_arg(args, mode_t)); is indeed the culprit. It is being called recursively, or so it seems: I see a lot of calls to this line, without the function returning. Then a segfault. The file being opened is the corresponding .gcda file (for profiling). In fact, the segfault only occurs with profiling enabled.
Try this
typedef int (*OpenFunction)(const char* fn, int flags, ...);
then
OpenFunction function;
void **pointer;
pointer = (void **)&function;
*pointer = dlsym(RTLD_NEXT, "open");
this is a complete working example
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <dlfcn.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
typedef int (*OpenFunction)(const char* fn, int flags, ...);
int main(int argc, char **argv)
{
OpenFunction function;
void *dl;
int fd;
void **pointer;
if (argc < 2)
return -1;
pointer = (void **)&function;
*pointer = dlsym(RTLD_NEXT, "open");
fd = function(argv[1], O_RDONLY);
if (fd != -1)
{
printf("file opened succesfully\n");
close(fd);
}
else
{
printf("%s: cannot open the file\n", strerror(errno));
}
return 0;
}
When you compile with gcov profiling enabled, the compiler inserts extra code into your functions, to keep track of which code has been executed. In rough pseudocode, that inserted code will do (among other things):
if (!output_file_has_been_opened) {
fd = open(output_filename, ...);
check_ok(fd);
output_file_has_been_opened = TRUE;
track_coverage();
}
... so if the output file hasn't yet been successfully opened (as at the start of your program), it will attempt to open it. Unfortunately, in this case that will call your mocked open() function - which has the same inserted code; since the file still hasn't been successfully opened, and since the gcov code isn't aware that there's something unusual going on, it will attempt the open() call again - and this is what's causing the recursion (and eventual segfault, once the stack is exhausted).
You are passing va_list incorrectly. Try following hope it helps
r = my_open(fn, flags, args);
For more info
http://c-faq.com/varargs/handoff.html
Related
I was solving the pwnable.kr's fd problem and wondered how does the fd.c code works.
So I copied the c code and I put it on GCC to see how it works. And it has an error says: "implicit declaration of function ‘read’; did you mean ‘fread’?" Does GCC not recognize the Read function on C?
The code looks like:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
if(argc<2){
printf("pass argv[1] a number\n");
return 0;
}
int fd = atoi( argv[1] ) - 0x1234;
int len = 0;
len = read(fd, buf, 32);
if(!strcmp("LETMEWIN\n", buf)){
printf("good job :)\n");
system("/bin/cat flag");
exit(0);
}
printf("learn about Linux file IO\n");
return 0;
}
Thank you
From the man page (man 2 read) :
NAME
read - read from a file descriptor
SYNOPSIS
#include <unistd.h>
ssize_t read(int fd, void *buf, size_t count);
You must include unistd.h and the warning will go away.
There is a process (not process that I wrote) in Arm Linux that write the stdout for /dev/console that unaccessible to me.
How can I redirect that stdout to file ,so I can watch this process output?
Of course I have root on this Arm Linux and I can compile code .
I would write a minimal dynamic library that interposes open(), handling open("/dev/console", ...) separately. Then, run the other binary with LD_PRELOAD environment variable set to point to that library.
At minimum, something like the following libnoconsole.c should work:
#define _POSIX_C_SOURCE 200809L
#define _GNU_SOURCE
#include <unistd.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <dlfcn.h>
#include <errno.h>
#ifndef OLD_PATH
#define OLD_PATH "/dev/console"
#endif
#ifndef NEW_PATH
#define NEW_PATH "/tmp/log"
#endif
static int (*original_open)(const char *, int, ...) = NULL;
static int (*original_openat)(int, const char *, int, ...) = NULL;
static int match(const char *a, const char *b)
{
while (*a == *b)
if (!*a) {
return 1;
} else {
a++;
b++;
}
return 0;
}
int open(const char *pathname, int flags, ...)
{
if (!original_open)
original_open = dlsym(RTLD_NEXT, "open");
if (!original_open) {
errno = ENOSYS;
return -1;
}
if (match(pathname, OLD_PATH))
return original_open(NEW_PATH, O_RDWR | O_CREAT, 0600);
if (flags & (O_CREAT | O_TMPFILE)) {
va_list args;
mode_t mode;
va_start(args, flags);
mode = va_arg(args, mode_t);
va_end(args);
return original_open(pathname, flags, mode);
} else
return original_open(pathname, flags);
}
int openat(int dirfd, const char *pathname, int flags, ...)
{
if (!original_openat)
original_openat = dlsym(RTLD_NEXT, "openat");
if (!original_openat) {
errno = ENOSYS;
return -1;
}
if (match(pathname, OLD_PATH))
return original_openat(AT_FDCWD, NEW_PATH, O_RDWR | O_CREAT, 0600);
if (flags & (O_CREAT | O_TMPFILE)) {
va_list args;
mode_t mode;
va_start(args, flags);
mode = va_arg(args, mode_t);
va_end(args);
return original_openat(dirfd, pathname, flags, mode);
} else
return original_openat(dirfd, pathname, flags);
}
Compile it using
gcc -Wall -O2 -c libnoconsole.c
gcc -Wall -O2 -shared -Wl,-soname,libnoconsole.so libnoconsole.o -ldl -o libnoconsole.so
and run your program via
env LD_PRELOAD=$PWD/libnoconsole.so the-other-program
and it should save its output to /tmp/log instead of /dev/console.
The reason for above using the silly match() instead of !strcmp() is that strcmp() wasn't always an async-signal safe function, whereas open() and openat() are: it's a small wart to avoid potential issues.
I am running the following C code, where trying to read in buffer which
is allocated on caller's stack, but fails with errno 14 (Bad Address).
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
void wrapper(int fd, char **buf)
{
int res = read(fd, *buf, 10);
printf("res: %d, errno: %d\n", res, errno);
printf("Buf: %s\n", *buf);
}
int main()
{
char buffer[10];
memset(buffer, 0, 10);
int fd = open("main.c", O_RDONLY);
wrapper(fd, (char **)&buffer);
return 0;
}
The output is
res: -1, errno: 14
Buf: (null)
I have been searching for explanation why it fails, whereas changing it to
void wrapper(int fd, char *buf)
...
wrapper(fd, (char *)buffer);
works, but without result so far.
why it fails
Arrays are not pointers. buffer is not a char*. Consequently, &buffer is not a char**, is not compatible with char**, and should not be cast to char**. If it is cast to char** and then dereferenced, the behaviour is undefined.
After analyzed your intention, of course it is possible to create something like a "wrapper" containing read string by read(2) syscall and use that buffer away from wrapper() function. You wanted to pass amount of characters which would be read from file being in a table of files whom index of the table (file descriptor) was return by open(2) syscall. But as n.m. said, arrays are not pointers and your solution cannot work properly.
Let me explain my simple fix to your code:
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#define AMOUNT 20
#define assert_msg(x) for ( ; !(x) ; assert(x) )
void
wrapper(int fd, char **buf, size_t size)
{
ssize_t res;
char *out;
out = calloc(size + 1, sizeof(char));
assert(out != NULL);
res = read(fd, out, size);
assert_msg(res != -1) {
fprintf(stderr, "Error ocurred: %s\n", strerror(errno));
}
out[size] = '\0';
fprintf(stdout, "Inside function: %s\n", out);
fprintf(stdout, "res: %d, size: %d, errno: (%d: %s)\n", res, size,
errno, strerror(errno));
*buf = out;
}
int
main(int argc, char **argv)
{
int fd;
char *buf;
buf = NULL;
assert(argc == 2);
errno = 0;
fd = open(argv[1], O_RDONLY);
assert_msg(fd != -1) {
fprintf(stderr, "Error ocurred: %s\n", strerror(errno));
}
wrapper(fd, &buf, AMOUNT);
fprintf(stdout, "Outside function: %s\n", buf);
free(buf);
return (EXIT_SUCCESS);
}
I pass a filename as an input argument. It was a bit easier for me instead of hardcoding the name.
As you can see, inside my wrapper() implementation I allocate memory for an out buffer which size I am passing by a value of size variable. I know that the same value as AMOUNT value defined as macro but it would be easy to change in any other solution.
Then, I read given amount of characters using read(2) syscall, from a file descriptor returned by open(2) syscall in main() function which I pass to wrapper().
At the end of that function I tell that I would like to save an address to the beginning of allocated out buffer and I would like that *buf indicates on that address. It is a buffer of size + 1 char elements, allocated on heap, not on a local stack. Therefore program cannot "reuse" that addresses during his execution. Every address for variables declared like int a;, struct type name; or char tab[10]; are "freed" automatically after the end of function and you do not have an access to it. To be clear, you may have an access (e.g. print data from address saved to indicator) but you cannot be sure that you would not lose the data being saved there. Space allocated manually still exist on a heap until calling free(3) function.
So if we would do something like:
void
wrapper(int fd, char **buf, const size_t size)
{
ssize_t res;
char out[size];
(...)
*buf = out;
}
you may lost your data being saved on a local stack during continuing program execution.
Additionally, in my solution I also defined my own macro assert_msg(x) which is able to run assert(3) function and shows a text message with error. But it is only a feature but thanks to that we are able to see string corresponding to an errno number.
Of course, my program need better handling errors but it had to present the idea only.
Furthermore, you should also specify file permissions during using open(2) syscall as a third argument. It looks similar to the second argument because it is a bitwise 'or' separated list of values. Example flags: S_IRUSR, S_IRGRP, S_IWOTH etc.
In that argument, you can also just write proper value describing permissions, for example 0755.
Programming Language C
below is the code that uses multiple threads to print out a file. There are no errors, however the code doesn't work correctly. However, when compiled it shows this warning 5 times:
'cast from pointer to integer of different size'
I've tried everything I can think of to resolve this issue, but haven't been success and now are just shooting in the dark. Does anyone see where my mistake is? Any help is greatly appreciated and will gladly provide any other information upon request.
Thanks.
#include <sys/mman.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <pthread.h>
#define NUM_THREAD 4
struct fileParams {
int fd;
int size;
};
void *printFile(void *stuff)
{
struct fileParams *params = stuff;
int addr;
addr=(unsigned char *)mmap(NULL, (int) ¶ms->size, PROT_READ,
MAP_PRIVATE,(int) ¶ms->fd,0);
write(STDOUT_FILENO, addr, (int)¶ms->size);
}
int main (int argc, char * argv[])
{
pthread_t threads[NUM_THREAD];
unsigned char *addr;
int fd,rc;
struct stat sb;
int numCPU=sysconf(_SC_NPROCESSORS_ONLN);
struct fileParams params;
printf("Number of aviable cores: %d\n",numCPU);
printf("Using 4 processors\n");
if (argc != 2 || strcmp(argv[1], "—help") == 0)
printf("Usage: %s file\n", argv[0]);
fd=open(argv[1],O_RDONLY);
if (fd == -1)
{
printf("File open fdailed.\n");
exit(EXIT_FAILURE);
}
if (fstat(fd, &sb) == -1)
{
printf ("fstat error\n");
exit(EXIT_FAILURE);
}
params.fd=fd;
params.size=sb.st_size/4;
for (int n = 0; n<4; n++)
rc=pthread_create(&threads[n],NULL,printFile,¶ms);
exit(EXIT_SUCCESS);
}
You need provide inputs to functions that match the function - passing pointers where integers are wanted (or the other way around) will generate warnings or errors depending on compile options.
mmap takes an size_t as the 2nd parameter, but you are giving it a cast int to a pointer (¶ms->size), the same with mmaps 5th parameter.
Get rid of the '&' so it is just a int.
mmap also returns a void *, which you are then assigning to addr (an int).
Change int to a void * pointer type which should also fix the 5th warning.
I want to be able to check to see if a file could be opened on Linux (for read or for read and write). However I don't have control of the code which will be opening the file, so I can't do what I would normally do which is to open it and then handle the error.
I appreciate that there will always be race conditions on any check due to permissions changing after the call has returned but before the open call, but I'm trying to avoid some undesirable error logging from a library which I have no control over.
I'm aware of stat, but I'd prefer not to need to try to replicate the logic of checking user IDs and group IDs.
You can use:
access("filename", R_OK);
or
euidaccess("filename", R_OK);
To check if your UID or EUID have read access to a respective file. (UID and EUID will be different if your are running setuid)
Use euidaccess or access, although you almost certainly always want to use the former.
(edit: the reason for adding this was that with this approach you can ensure you can avoid the race conditions. That said, it is quite a tricky approach, so maybe just coping with potential race conditions is a better practical approach).
If your goal is to shield the code that you do not own from unhandled errors, using LD_PRELOAD to intercept the open call itself might be of use. An example of it with malloc is here: Overriding 'malloc' using the LD_PRELOAD mechanism
here my quick improvisation on how you could do it - basically an interceptor that will launch an interactive shell to you to correct the error.
WARNING: lots of open calls actually do fail for legit reasons, e.g. when the program is going over different directories in the path trying to find the file, so treat this code as an educational example only to be used with this example code - if you are any close to real world use, your code definitely will need to be smarter. With all this said, let's get to the meat.
First, the "offensive" program that you do not have the control over:
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
int main(int argc, char *argv[]) {
int res = 0;
printf("About to try to open the file...\n");
res = open("/tmp/unreadable", O_RDONLY);
printf("The result after opening: %d\n", res);
if (res < 0) {
perror("Could not open, and here is what the errno says");
} else {
char buf[1024];
int fd = res;
res = read(fd, buf, sizeof(buf));
printf("Read %d bytes, here are the first few:\n", res);
buf[30] = 0;
printf("%s\n", buf);
close(fd);
}
}
Then the interceptor:
#include <stdio.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdlib.h>
#define __USE_GNU
#include <dlfcn.h>
static int (*real_open)(const char *pathname, int flags, ...)=NULL;
static void __open_trace_init(void)
{
real_open = dlsym(RTLD_NEXT, "open");
if (NULL == real_open) {
fprintf(stderr, "Error in `dlsym`: %s\n", dlerror());
return;
}
}
int open(const char *pathname, int flags, ...)
{
if(real_open==NULL)
__open_trace_init();
va_list va;
int res = 0;
do {
if (flags & O_CREAT) {
int mode = 0;
va_start(va, flags);
mode = va_arg(va, int);
va_end(va);
fprintf(stderr, "open(%s, %x, %x) = ", pathname, flags, mode);
res = real_open(pathname, flags, mode);
fprintf(stderr, "%d\n", res);
} else {
fprintf(stderr, "open(%s, %x) = ", pathname, flags);
res = real_open(pathname, flags);
fprintf(stderr, "%d\n", res);
}
if (res < 0) {
printf("The open has returned an error. Please correct and we retry.\n");
system("/bin/sh");
}
} while (res < 0);
return res;
}
And here is how it looks like when running:
ayourtch#ayourtch-lnx:~$ echo This is unreadable >/tmp/unreadable
ayourtch#ayourtch-lnx:~$ chmod 0 /tmp/unreadable
ayourtch#ayourtch-lnx:~/misc/stackoverflow$ LD_PRELOAD=./intercept ./a.out
About to try to open the file...
open(/tmp/unreadable, 0) = -1
The open has returned an error. Please correct and we retry.
open(/dev/tty, 802) = 3
open(/dev/tty, 802) = 3
open(/home/ayourtch/.bash_history, 0) = 3
open(/home/ayourtch/.bash_history, 0) = 3
open(/lib/terminfo/x/xterm, 0) = 3
open(/etc/inputrc, 0) = 3
sh-4.1$ ls -al /tmp/unreadable
---------- 1 ayourtch ayourtch 19 2011-10-18 13:03 /tmp/unreadable
sh-4.1$ chmod 444 /tmp/unreadable
sh-4.1$ exit
open(/home/ayourtch/.bash_history, 401) = 3
open(/home/ayourtch/.bash_history, 0) = 3
open(/home/ayourtch/.bash_history, 201) = 3
open(/tmp/unreadable, 0) = 3
The result after opening: 3
Read 19 bytes, here are the first few:
This is unreadable
�0
ayourtch#ayourtch-lnx:~/misc/stackoverflow$
By the way this example also exposes an obvious bug in the first "test" code - I should have checked that the number of the chars read was at least 30 and put the null char accordingly.
Anyway, that code is supposed to be buggy and outside of the control, so it is kind of good to have a bug in it - else you would not need to use this kind of hack :-)