Consider the following minimal example of kernel module that attempts to write to a non-mapped page, and tries to continue execution but handling the exception through the exception table:
#include <linux/mm_types.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("test");
MODULE_DESCRIPTION("test");
MODULE_VERSION("1.01");
void inc_non_present_page(void)
{
asm volatile("mov $0, %%rax;"
"1: inc (%%rax);"
"2:nop\t\n"
"\t.section .fixup,\"ax\"\n"
"3:\tnop\n"
"\tjmp\t2b\n"
"\t.previous\n" _ASM_EXTABLE(1b, 3b)
:
:
: "%rax");
pr_warn("Init done\n");
}
static int __init lkm_example_init(void)
{
inc_non_present_page();
return 0;
}
module_init(lkm_example_init);
static void __exit lkm_example_exit(void)
{
printk(KERN_INFO "Goodbye, World!\n");
}
module_exit(lkm_example_exit);
Compiled with the makefile:
obj-m += reproducer.o
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
Running this on my virtual machine (running Debian Bookworm, Linux kernel v6.0.12 6.0.0-6-amd64) works fine -- but running this on the host (Fedora Linux 36, Linux kernel v6.0.11 6.0.11-200.fc36.x86_64) the module crashes with the error message:
[36053.061936] #PF: supervisor write access in kernel mode
[36053.061938] #PF: error_code(0x0002) - not-present page
[36053.061940] PGD 0 P4D 0
[36053.061943] Oops: 0002 [#3] PREEMPT SMP PTI
[36053.061946] CPU: 1 PID: 116017 Comm: insmod Tainted: G D OE 6.0.11-200.fc36.x86_64 #1
[36053.061951] RIP: 0010:inc_non_present_page+0xc/0x1a [reproducer2]
[36053.061957] Code: Unable to access opcode bytes at RIP 0xffffffffc0ae6fe2.
It is totally unclear to me why that is the case? How can I go about debugging this? I tried catching another exception (divide by zero) like so:
void blatant_div_by_zero(void)
{
/* quotient and divisor */
int q, d;
d = 0;
asm volatile ("movl $20, %%eax;"
"movl $0, %%edx;"
"1: div %1;"
"movl %%eax, %0;"
"2:\t\n"
"\t.section .fixup,\"ax\"\n"
"3:\tmov\t$-1, %0\n"
"\tjmp\t2b\n"
"\t.previous\n"
_ASM_EXTABLE(1b, 3b)
: "=r"(q)
: "b"(d)
:"%eax"
);
pr_warn("quotient is %d\n", q);
}
-- this seems to work fine on the host as well.
in my kernel's arch/x86/entry/syscalls/syscall_64.tbl, there is its content:
# ...
447 common memfd_secret sys_memfd_secret
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
#
# Due to a historical design error, certain syscalls are numbered differently
# in x32 as compared to native x86_64. These syscalls have numbers 512-547.
# Do not add new syscalls to this range. Numbers 548 and above are available
# for non-x32 use.
#
512 x32 rt_sigaction compat_sys_rt_sigaction
513 x32 rt_sigreturn compat_sys_x32_rt_sigreturn
# ...
As you see, no system call's id is 451 and I want to create a linux module, which can add a system call, named sys_helloworld and its id is 451.
Following a book (the book is for kernel 4.16.10 but my kernel's version is 5.17.7), I write code below:
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/unistd.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Peterlits Zo 1927405082");
MODULE_DESCRIPTION("Just Hello World");
#define NUM 451
#define SYS_CALL_TABLE_ADDRESS 0xffffffffb1600240
#define HW_INFO "[helloworld INFO] "
int orig_cr0;
unsigned long *sys_call_table_my = NULL;
static int (*anything_saved)(void);
static int clear_cr0(void) {
unsigned int cr0 = 0;
unsigned int ret;
asm volatile("movq %%cr0, %%rax" : "=a"(cr0));
ret = cr0;
cr0 &= 0xfffffffffffeffff;
asm volatile("movq %%rax, %%cr0" :: "a"(cr0));
return ret;
}
static void setback_cr0(int val) {
asm volatile("movq %%rax, %%cr0" :: "a"(val));
}
// SYSCALL_DEFINE0(helloworld) { // sys_helloworld
asmlinkage long sys_helloworld(void) {
printk(HW_INFO "Hello world, from Peterlits Zo (1927405082)\n");
printk(HW_INFO "pid: %d, comm: %s\n", current->pid, current->comm);
return current->pid;
}
static int __init helloworld_init(void) {
printk(HW_INFO "Hello World From Module Helloworld by 1927405082.\n");
sys_call_table_my = (unsigned long*) (SYS_CALL_TABLE_ADDRESS);
anything_saved = (int (*)(void)) sys_call_table_my[NUM];
orig_cr0 = clear_cr0();
sys_call_table_my[NUM] = (unsigned long) &sys_helloworld;
setback_cr0(orig_cr0);
return 0;
}
static void __exit helloworld_exit(void) {
printk(HW_INFO "Byebye From Module Helloworld by 1927405082.\n");
orig_cr0 = clear_cr0();
sys_call_table_my[NUM] = (unsigned long) anything_saved;
setback_cr0(orig_cr0);
}
module_init(helloworld_init);
module_exit(helloworld_exit);
There are some macros:
NUM: The id of the new system call.
SYS_CALL_TABLE_ADDRESS: I run sudo cat /proc/kallsyms | grep sys_call_table to get its address.
It is easy to get its meaning:
Set the cr0 to make the kernel's memory to be writable.
Write the system call table.
Set back the cr0.
So I try to compile this module and install:
# In Makefile
obj-m += helloworld.o
PWD := $(CURDIR)
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
# In bash
$ make
$ sudo insmod helloworld.ko
zsh: killed sudo insmod helloworld.ko
I do not know why zsh want to kill my process, but the module is now in my kernel:
$ lsmod
Module Size Used by
helloworld 16384 1
efivarfs 16384 1
And I cannot remove it:
$ rmmod helloworld
rmmod: ERROR: Module helloworld is in use
$ rmmod -f helloworld
rmmod: ERROR: could not remove 'helloworld': Device or resourcee busy
rmmod: ERROR: could not remove module helloworld: Device or resource busy
But it looks failed and I cannot call the 451 system call:
long a = syscall(451); // -> -1
The log is:
May 20 13:24:56 PeterlitsArchVm kernel: [helloworld INFO] Hello World From Module Helloworld by 1927405082.
May 20 13:24:56 PeterlitsArchVm kernel: RIP: 0010:helloworld_init+0x17/0x1000 [helloworld]
May 20 13:24:56 PeterlitsArchVm kernel: Modules linked in: helloworld(O+) efivarfs
May 20 13:24:56 PeterlitsArchVm kernel: RIP: 0010:helloworld_init+0x17/0x1000 [helloworld]
May 20 13:27:25 PeterlitsArchVm dbus-daemon[234]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.10' (uid=0 pid=809 comm="sudo rmmod helloworld" label="kernel")
May 20 13:27:25 PeterlitsArchVm sudo[809]: peterlits : TTY=pts/0 ; PWD=/home/peterlits/proj/linux/01-01-模块,但是是HelloWorld ; USER=root ; COMMAND=/usr/bin/rmmod helloworld
May 20 13:28:10 PeterlitsArchVm dbus-daemon[234]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.11' (uid=0 pid=812 comm="sudo rmmod -f helloworld" label="kernel")
May 20 13:28:10 PeterlitsArchVm sudo[812]: peterlits : TTY=pts/0 ; PWD=/home/peterlits/proj/linux/01-01-模块,但是是HelloWorld ; USER=root ; COMMAND=/usr/bin/rmmod -f helloworld
And something looks not good (Why there is sys_call_table_my):
$ cat /proc/kallsyms | grep sys_call_table
0000000000000000 D sys_call_table
0000000000000000 D ia32_sys_call_table
0000000000000000 b sys_call_table_my [helloworld]
#craig-estey Hello, I try to use long for cr0, but it still do not work:
-int orig_cr0;
+long orig_cr0;
unsigned long *sys_call_table_my = NULL;
static int (*anything_saved)(void);
-static int clear_cr0(void) {
- unsigned int cr0 = 0;
- unsigned int ret;
+static long clear_cr0(void) {
+ unsigned long cr0 = 0;
+ unsigned long ret;
asm volatile("movq %%cr0, %%rax" : "=a"(cr0));
ret = cr0;
cr0 &= 0xfffffffffffeffff;
I've written a little linux kernel module, to see, how nowadays implement kernel function hijacking.
https://pastebin.com/99YJFnaq
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/syscalls.h>
#include <linux/version.h>
#include <linux/unistd.h>
#include <linux/time.h>
#include <linux/preempt.h>
#include <asm/uaccess.h>
#include <asm/paravirt.h>
#include <asm-generic/bug.h>
#include <asm/segment.h>
#define BUFFER_SIZE 512
#define MODULE_NAME "hacked_read"
#define dbg( format, arg... ) do { if ( debug ) pr_info( MODULE_NAME ": %s: " format , __FUNCTION__ , ## arg ); } while ( 0 )
#define err( format, arg... ) pr_err( MODULE_NAME ": " format, ## arg )
#define info( format, arg... ) pr_info( MODULE_NAME ": " format, ## arg )
#define warn( format, arg... ) pr_warn( MODULE_NAME ": " format, ## arg )
MODULE_DESCRIPTION( MODULE_NAME );
MODULE_VERSION( "0.1" );
MODULE_LICENSE( "GPL" );
MODULE_AUTHOR( "module author <mail#domain.com>" );
static char debug_buffer[ BUFFER_SIZE ];
unsigned long ( *original_read ) ( unsigned int, char *, size_t );
void **sct;
unsigned long icounter = 0;
static inline void rw_enable( void ) {
asm volatile ( "cli \n"
"pushq %rax \n"
"movq %cr0, %rax \n"
"andq $0xfffffffffffeffff, %rax \n"
"movq %rax, %cr0 \n"
"popq %rax " );
}
static inline uint64_t getcr0(void) {
register uint64_t ret = 0;
asm volatile (
"movq %%cr0, %0\n"
:"=r"(ret)
);
return ret;
}
static inline void rw_disable( register uint64_t val ) {
asm volatile(
"movq %0, %%cr0\n"
"sti "
:
:"r"(val)
);
}
static void* find_sym( const char *sym ) {
static unsigned long faddr = 0; // static !!!
// ----------- nested functions are a GCC extension ---------
int symb_fn( void* data, const char* sym, struct module* mod, unsigned long addr ) {
if( 0 == strcmp( (char*)data, sym ) ) {
faddr = addr;
return 1;
} else return 0;
};// --------------------------------------------------------
kallsyms_on_each_symbol( symb_fn, (void*)sym );
return (void*)faddr;
}
unsigned long hacked_read_test( unsigned int fd, char *buf, size_t count ) {
unsigned long r = 1;
if ( fd != 0 ) { // fd == 0 --> stdin (sh, sshd)
return original_read( fd, buf, count );
} else {
icounter++;
if ( icounter % 1000 == 0 ) {
info( "test2 icounter = %ld\n", icounter );
info( "strlen( debug_buffer ) = %ld\n", strlen( debug_buffer ) );
}
r = original_read( fd, buf, count );
strncat( debug_buffer, buf, 1 );
if ( strlen( debug_buffer ) > BUFFER_SIZE - 100 )
debug_buffer[0] = '\0';
return r;
}
}
int hacked_read_init( void ) {
register uint64_t cr0;
info( "Module was loaded\n" );
sct = find_sym( "sys_call_table" );
original_read = (void *)sct[ __NR_read ];
cr0 = getcr0();
rw_enable();
sct[ __NR_read ] = hacked_read_test;
rw_disable( cr0 );
return 0;
}
void hacked_read_exit( void ) {
register uint64_t cr0;
info( "Module was unloaded\n" );
cr0 = getcr0();
rw_enable();
sct[ __NR_read ] = original_read;
rw_disable( cr0 );
}
module_init( hacked_read_init );
module_exit( hacked_read_exit );
Makefile:
CURRENT = $(shell uname -r)
KDIR = /lib/modules/$(CURRENT)/build
PWD = $(shell pwd)
TARGET = hacked_read
obj-m := $(TARGET).o
default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
clean:
#rm -f *.o .*.cmd .*.flags *.mod.c *.order
#rm -f .*.*.cmd *.symvers *~ *.*~ TODO.*
#rm -fR .tmp*
#rm -rf .tmp_versions
Thereafter, I'm making the module and inserting it.
Of-course, the better way is to do it - inside qemu machine. I'm using default Kali 2018.1 installed on image hdd.qcow2 [30Gb]. Kernel 4.14.13 is a default kernel built by me with DEBUG flags:
# diff /boot/config-4.14.13 /boot/config-4.14.0-kali3-amd64
3c3
< # Linux/x86_64 4.14.13 Kernel Configuration
---
> # Linux/x86 4.14.12 Kernel Configuration
7620c7620
< CONFIG_GDB_SCRIPTS=y
---
> # CONFIG_GDB_SCRIPTS is not set
7652,7655c7652
< CONFIG_DEBUG_KMEMLEAK=y
< CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=400
< CONFIG_DEBUG_KMEMLEAK_TEST=m
< # CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF is not set
---
> # CONFIG_DEBUG_KMEMLEAK is not set
CONFIG_DEBUG_KMEMLEAK - is useless on amd64, so there is only CONFIG_GDB_SCRIPTS plays a role.
Back to the game:
# make
# cp hacked_read.ko /lib/modules/4.14.13/hacked_read.ko
# depmod
# modprobe hacked_read
Thereafter, I'm typing different symbols, mostly a and left arrow and delete, as you can see from syslog: icounter = 44000, so it is 44k symbols was typed by me, before bug appears, sometimes more, sometimes less... To get this number faster I'm using /usr/bin/xset r rate 20 60,
or even insert false in if/else statement like this if ( fd != 0 && false ) { // fd == 0 --> stdin (sh, sshd) - this will automate the process.
The Bug
/var/log/syslog/
Aug 30 10:20:37 kali kernel: [ 1540.483650] hacked_read: test2 icounter = 44000
Aug 30 10:20:37 kali kernel: [ 1540.483654] hacked_read: strlen( debug_buffer ) = 202
Aug 30 10:20:42 kali kernel: [ 1546.187954] hacked_read: test2 icounter = 45000
Aug 30 10:20:42 kali kernel: [ 1546.187958] hacked_read: strlen( debug_buffer ) = 376
Aug 30 10:20:58 kali kernel: [ 1561.366421] BUG: unable to handle kernel paging request at ffffffffc071909b
Aug 30 10:20:58 kali kernel: [ 1561.366434] IP: 0xffffffffc071909b
Aug 30 10:20:58 kali kernel: [ 1561.366436] PGD b3a0e067 P4D b3a0e067 PUD b3a10067 PMD 2346c4067 PTE 0
Aug 30 10:20:58 kali kernel: [ 1561.366441] Oops: 0010 [#1] SMP PTI
Aug 30 10:20:58 kali kernel: [ 1561.366443] Modules linked in: hacked_read(O) 9p fscache fuse ppdev bochs_drm sg ttm 9pnet_virtio evdev joydev drm_kms_helper pcspkr serio_raw 9pnet drm parport_pc parport button binfmt_misc ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb sr_mod cdrom sd_mod ata_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc ata_piix libata scsi_mod aesni_intel aes_x86_64 crypto_simd glue_helper cryptd psmouse floppy virtio_pci virtio_ring virtio e1000 i2c_piix4 [last unloaded: hacked_read]
Aug 30 10:20:58 kali kernel: [ 1561.366488] CPU: 0 PID: 1788 Comm: tee Tainted: G O 4.14.13 #1
Aug 30 10:20:58 kali kernel: [ 1561.366490] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Aug 30 10:20:58 kali kernel: [ 1561.366491] task: ffff9939ac178000 task.stack: ffffb2570359c000
Aug 30 10:20:58 kali kernel: [ 1561.366493] RIP: 0010:0xffffffffc071909b
Aug 30 10:20:58 kali kernel: [ 1561.366494] RSP: 0018:ffffb2570359ff38 EFLAGS: 00010292
Aug 30 10:20:58 kali kernel: [ 1561.366496] RAX: 000000000000005e RBX: 00007ffe554f8940 RCX: 0000000000000000
Aug 30 10:20:58 kali kernel: [ 1561.366497] RDX: 0000000000000000 RSI: ffff9939a0af7c10 RDI: ffff9939c0a20bb8
Aug 30 10:20:58 kali kernel: [ 1561.366498] RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000000000
Aug 30 10:20:58 kali kernel: [ 1561.366499] R10: 000000000000005e R11: 00000000000003f1 R12: ffffffffc071b360
Aug 30 10:20:58 kali kernel: [ 1561.366501] R13: 000055ae361bb4a0 R14: 0000000000000010 R15: 00007ffe554faa98
Aug 30 10:20:58 kali kernel: [ 1561.366502] FS: 00007f60491184c0(0000) GS:ffff9939ffc00000(0000) knlGS:0000000000000000
Aug 30 10:20:58 kali kernel: [ 1561.366504] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Aug 30 10:20:58 kali kernel: [ 1561.366505] CR2: ffffffffc071909b CR3: 00000001d9018005 CR4: 00000000000606f0
Aug 30 10:20:58 kali kernel: [ 1561.366514] Call Trace:
Aug 30 10:20:58 kali kernel: [ 1561.366524] ? system_call_fast_compare_end+0xc/0x6f
Aug 30 10:20:58 kali kernel: [ 1561.366526] Code: Bad RIP value.
Aug 30 10:20:58 kali kernel: [ 1561.366532] RIP: 0xffffffffc071909b RSP: ffffb2570359ff38
Aug 30 10:20:58 kali kernel: [ 1561.366532] CR2: ffffffffc071909b
Aug 30 10:20:58 kali kernel: [ 1561.366535] ---[ end trace ca74de96d373ac0b ]---
Could somebody, please, tell me which way to dig?
There is no overflows inside debug_buffer array - it is completely true.
There is no conflicts in asm code, while hijacking is carried out.
It is tiny, light script... Where is the BUG?
Update1:
Looks like I've found a reason why it starts crashing. The BUG appears right after command rmmod hacked_read. So module_exit() is wrong, probably asm's cli & sti not enough.
As the module is removed from the Linux kernel, all memory used by the module (data and code) is released. The exit() function of the module restores the pointer to the original function. However, the kernel may be executing the code of the substitute function at the time the module is removed. Suddenly, right in the middle of that the function disappears as the memory taken by the module's code is released. Hence the bug.
Obviously you can't remove the module after you restore the pointer to the original function until you're sure that there are no kernel threads that (may) execute the code of the substitute function. After the pointer is restored, all new kernel threads will execute the original function, so you need to wait until any current threads finish the execution of the substitute function. How to do that is another issue. You may need to employ some tricks like reference counters, etc.
As #Aleksey mentioned, the issue was outside of the module.
The tee command used read() in its sleeping manner. While I've removed module nothing happened, but there was my little bash script:
#!/bin/bash
logfile="micro-test.log"
while sleep 0;do
echo -n "$(date): $(uptime): "
echo "1 2" | awk '{print $1}'
sleep 60;
done | tee -a $logfile
How I've found the piece of BUG:
As I said, my guest's kernel was compiled with CONFIG_GDB_SCRIPTS=y. Now I'm attaching guest from the host's gdb:
# gdb
(gdb) set logging file gdbcmd2.out
(gdb) set logging on
Copying output to gdbcmd2.out.
(gdb)
Already logging to gdbcmd2.out.
(gdb) target remote :1234
Remote debugging using :1234
warning: No executable has been specified and target does not support
determining executable automatically. Try using the "file" command.
0xffffffff99082e42 in ?? ()
(gdb) add-auto-load-safe-path /usr/src/linux-source-4.14/scripts/gdb/vmlinux-gdb.py
(gdb) file /usr/src/linux-source-4.14/vmlinux
A program is being debugged already.
Are you sure you want to change the file? (y or n) y
Reading symbols from /usr/src/linux-source-4.14/vmlinux...done
On the guest side, I'm extracting addresses:
root#kali:~# cat /sys/module/hacked_read/sections/.text
0xffffffffc06e9000
root#kali:~# cat /sys/module/hacked_read/sections/.bss
0xffffffffc06eb34
On the host side, adding module to debugging:
(gdb) add-symbol-file /usr/src/hacked_read/hacked_read.ko 0xffffffffc06e9000 -s .bss 0xffffffffc06eb34
(gdb) p hacked_read_test
$1 = {unsigned long (unsigned int, char *, size_t)} 0xffffffffc06e9030 <hacked_read_test>
(gdb) maintenance info line-table
... BIG-BIG-OUT-PUT ...
Thereafter, I can see in logfile: gdbcmd2.out - listing of my code with addresses. For example, 0xffffffffc06e9030 - the address of hacked_read_test function:
# grep 0xffffffffc06e9030 gdbcmd2.out
$1 = {unsigned long (unsigned int, char *, size_t)} 0xffffffffc06e9030 <hacked_read_test>
6 77 0xffffffffc06e9030
77 - line of code
$ head -n 77 hacked_read.c | tail -n 1
unsigned long hacked_read_test( unsigned int fd, char *buf, size_t count ) {
Bingo!
Now, on the guest side, I'm doing rmmod hacked_read. After 60+- seconds appears BUG:
Sep 9 06:35:28 kali kernel: [281996.592759] hacked_read: Module was unloaded
Sep 9 06:36:11 kali kernel: [282040.218523] BUG: unable to handle kernel paging request at ffffffffc06e909b
Sep 9 06:36:11 kali kernel: [282040.218530] IP: 0xffffffffc06e909b
Sep 9 06:36:11 kali kernel: [282040.218531] PGD 22980e067 P4D 22980e067 PUD 229810067 PMD 2356e3067 PTE 0
Sep 9 06:36:11 kali kernel: [282040.218534] Oops: 0010 [#9] SMP PTI
Sep 9 06:36:11 kali kernel: [282040.218536] Modules linked in: sctp_diag sctp libcrc32c tcp_diag udp_diag dccp_diag dccp inet_diag unix_diag 9p fscache fuse bochs_drm ttm ppdev drm_kms_helper joydev evdev serio_raw pcspkr sg 9pnet_virtio 9pnet parport_pc parport button drm binfmt_misc ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb sr_mod cdrom sd_mod ata_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd ata_piix psmouse floppy virtio_pci virtio_ring virtio e1000 i2c_piix4 libata scsi_mod [last unloaded: hacked_read]
Sep 9 06:36:11 kali kernel: [282040.218567] CPU: 0 PID: 32196 Comm: tee Tainted: G D O 4.14.13 #1
Comm: tee & BUG: unable to handle kernel paging request at ffffffffc06e909b
Host:
# grep ffffffffc06e909b gdbcmd2.out
18 88 0xffffffffc06e909b
88 - line of code:
$ head -n 88 hacked_read.c | tail -n 1
strncat( debug_buffer, buf, 1 );
It is easy to see, that kernel unable to give tee the address of the next line after original_read():
77:unsigned long hacked_read_test( unsigned int fd, char *buf, size_t count ) {
78. unsigned long r = 1;
79. if ( fd != 0 ) { // fd == 0 --> stdin (sh, sshd)
80. return original_read( fd, buf, count );
81. } else {
82. icounter++;
83. if ( icounter % 1000 == 0 ) {
84. info( "test2 icounter = %ld\n", icounter );
85. info( "strlen( debug_buffer ) = %ld\n", strlen( debug_buffer ) );
86. }
87. r = original_read( fd, buf, count );
88. strncat( debug_buffer, buf, 1 );
if ( strlen( debug_buffer ) > BUFFER_SIZE - 100 )
debug_buffer[0] = '\0';
return r;
}
}
I would like to dispatch some tasks out via fork, and collect some information about the results of those tasks in an array.
My thought is to use mmap to share a data structure between the two, and have the child process update the array of structs with the result of the activity, but i'm having some issues.
#include <time.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/mman.h>
#include <stdlib.h>
typedef struct message_s {
int status;
char message[256];
} message_t;
void child(message_t **result) {
result[0]->status = 2;
sprintf((char *) &result[0]->message, "Hello World!");
usleep(1);
}
void parent() {
printf("Parent\n");
usleep(1);
return;
}
int main() {
size_t result_size = 1000 * sizeof(message_t);
message_t **result_ar = mmap(NULL, result_size,
PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_ANON, -1, 0);
pid_t child_pid = fork();
switch (child_pid) {
case 0:
child(result_ar);
exit(0);
case -1:
exit(-1);
break;
default:
parent();
}
int child_status;
waitpid(child_pid, &child_status, 0);
printf("\nRESULT: %i: %s\n\n", result_ar[0]->status, result_ar[0]->message);
msync(result_ar, result_size, MS_SYNC);
munmap(result_ar, result_size);
return 0;
}
I'm really sort of lost here, and while i can find "similar" questions on SO, they either do not have answers or are plagued with other issues, or both.
When the code above runs, i get the following concatenated result.
Process: concurrent_test [2537]
Path: /Users/USER/Library/Caches/*/concurrent_test
Identifier: concurrent_test
Version: 0
Code Type: X86-64 (Native)
OS Version: Mac OS X 10.10.5 (14F1509)
Report Version: 11
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
VM Regions Near 0:
-->
__TEXT 000000010144a000-000000010144c000 [ 8K] r-x/rwx SM=COW /Users/USER/Library/Caches/*
Application Specific Information:
crashed on child side of fork pre-exec
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 concurrent_test 0x000000010144bb33 child + 35
1 concurrent_test 0x000000010144bc1f main + 127
2 concurrent_test 0x000000010144b5a9 _start + 247
3 concurrent_test 0x000000010144b4b1 start + 33
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x00007fff5e7b5908 rcx: 0x000000010144beb3 rdx: 0xffffffffffffffff
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x00007fff5e7b5730 rsp: 0x00007fff5e7b5720
r8: 0x0000000000000303 r9: 0x0000000000000000 r10: 0x0000000000000030 r11: 0x0000000000000206
r12: 0x00007fff5e7b57e0 r13: 0x0000000000000000 r14: 0x00007fff5e7b57f0 r15: 0x0000000000000001
rip: 0x000000010144bb33 rfl: 0x0000000000010246 cr2: 0x0000000000000000
Logical CPU: 6
Error Code: 0x00000006
Trap Number: 14
And I'm using:
Apple LLVM version 7.0.2 (clang-700.1.81)
Target: x86_64-apple-darwin14.5.0
Thread model: posix
You have one indirection too much in your code. Try message_t *result_ar = mmap(...); and result[0].status = 2; to fix this issue. Also, don't forget the error checking! mmap() can fail.
Using kprobes pre_handler, I am trying to access the system call arguments from struct pt_regs and modify them(which is the main goal), before calling the actual system call itself.
Say I am probing sys_link.
asmlinkage long sys_link(const char __user *oldname, const char __user *newname);
The pre_handler is defined as follows:(from here)
static int handler_pre(struct kprobe *p, struct pt_regs *regs)
{
printk(KERN_INFO "eax: %08lx ebx: %08lx ecx: %08lx edx: %08lx\n",
regs->orig_ax, regs->bx, regs->cx, regs->dx);
printk(KERN_INFO "esi: %08lx edi: %08lx ebp: %08lx esp: %08lx\n",
regs->si, regs->di, regs->bp, regs->sp);
printk(KERN_INFO "Process %s (pid: %d, threadinfo=%p task=%p)",
current->comm, current->pid, current_thread_info(), current);
return 0;
}
When I run link file1 file2 on the terminal, dmesg gives the following output:
[15105.691463] eax: ffffffffffffffff ebx: 7fff3e2e71c8 ecx: 7fff3e2e6e50 edx: 00000003
[15105.691467] esi: 7fff3e2e9478 edi: 7fff3e2e9472 ebp: 00000003 esp: ffff880022b0ff80
[15105.691472] Process link (pid: 9448, threadinfo=ffff880022b0e000 task=ffff880018b72e00)Pid: 9448, comm: link Tainted: P C O 3.2.0-53-generic #81-Ubuntu
The first two arguments go to registers edi and esi, therefore in this case, edi must contain address of file1 and esi must contain address of file2.
I want to modify these register values, say change the value in esi to point to file3 (therefore the char __user *newname is now pointing to file3), before I return from the pre_handler. Given such a modification, now sys_link should work with file1 and file3 as its arguments.
Is this possible? If so, how?