Changing syscall table

Changing syscall table

[Jonathan Nell]

I'm trying to wrap the
SG_IO ioctl call (i.e. trap it in the kernel) and have that dump the
data from (struct sg_io_hdr).dxferp.
Having issues with doing the kernel trap in the newer kernel versions
though (trying on 2.6.30). The syscall table is now read-only but for
some reason my set_memory_rw() call is failing... Any ideas how to do
this properly?

Here are the relevant bits of code:

unsigned long **find_sys_call_table(void)
{
  unsigned long **sctable;
  unsigned long ptr;

  sctable = NULL;
  for (ptr = (unsigned long)&unlock_kernel;
       ptr < (unsigned long)&loops_per_jiffy;
       ptr += sizeof(void *))
  {
     unsigned long *p;
     p = (unsigned long *)ptr;
     if (p[__NR_close] == (unsigned long) sys_close)
     {
        sctable = (unsigned long **)p;
        return &sctable[0];
     }
  }
  return NULL;
}

static int __init scsisniff_init_module(void)
{
       if ( (sys_call_table = find_sys_call_table()) ) {
           real_ioctl = (int(*)(unsigned int fd, unsigned int cmd,
unsigned long arg))sys_call_table[__NR_ioctl];

               if ( set_memory_rw( (unsigned
long)sys_call_table[__NR_ioctl], 1 ) )
                       printk( "set_memory_rw: succeeded\n" );
               else {
                       printk( "set_memory_rw: failed!\n" );
                     return -1;
               }

               sys_call_table[__NR_ioctl] = (unsigned long)my_ioctl;
       }
       else {
               return -1;
       }
     return 0;
}

This gives me a lovely OOPS:

[   71.143742] WARNING: at arch/x86/mm/pageattr.c:833
change_page_attr_set_clr+0x1a0/0x400()
[   71.143745] Modules linked in: scsi_sniff(+) i915 binfmt_misc drm
i2c_algo_bit bridge stp bnep lp snd_hda_codec_analog snd_hda_intel
snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm
snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event
snd_seq snd_timer snd_seq_device video snd psmouse tpm_infineon tpm
ppdev soundcore serio_raw pcspkr intel_agp tpm_bios output heci(C)
iTCO_wdt iTCO_vendor_support parport_pc parport snd_page_alloc floppy
usbhid usb_storage e1000e
[   71.143768] Pid: 3378, comm: insmod Tainted: G         C
2.6.30.4custom-1.0 #6
[   71.143769] Call Trace:
[   71.143773]  [<ffffffff802da6d5>] ? __vunmap+0xc5/0x110
[   71.143775]  [<ffffffff80235200>] ? change_page_attr_set_clr+0x1a0/0x400
[   71.143778]  [<ffffffff8024edf8>] warn_slowpath_common+0x78/0xd0
[   71.143780]  [<ffffffff8024ee5f>] warn_slowpath_null+0xf/0x20
[   71.143783]  [<ffffffff80235200>] change_page_attr_set_clr+0x1a0/0x400
[   71.143785]  [<ffffffffa0274050>] ? my_ioctl+0x0/0x120 [scsi_sniff]
[   71.143789]  [<ffffffff802a6dcd>] ? marker_update_probe_range+0x1dd/0x2d0
[   71.143791]  [<ffffffffa0277000>] ? scsisniff_init_module+0x0/0xf4
[scsi_sniff]
[   71.143793]  [<ffffffff80235b9a>] set_memory_rw+0x2a/0x30
[   71.143796]  [<ffffffff802ff000>] ? sys_fcntl+0x180/0x420
[   71.143798]  [<ffffffffa02770bb>] scsisniff_init_module+0xbb/0xf4
[scsi_sniff]
[   71.143801]  [<ffffffff8020a04c>] do_one_initcall+0x3c/0x180
[   71.143804]  [<ffffffff8026b7f3>] ? __blocking_notifier_call_chain+0x63/0x80
[   71.143807]  [<ffffffff8027dc0d>] sys_init_module+0xad/0x200
[   71.143810]  [<ffffffff80210fc2>] system_call_fastpath+0x16/0x1b
[   71.143812] ---[ end trace 5b3efe312296b587 ]---
[   71.143958] set_memory_rw: failed!

Re: Changing syscall table

[Zhenwen Xu]

On Tue, Sep 01, 2009 at 08:57:58PM +0300, Jonathan Nell wrote:
> I'm trying to wrap the
> SG_IO ioctl call (i.e. trap it in the kernel) and have that dump the
> data from (struct sg_io_hdr).dxferp.
> Having issues with doing the kernel trap in the newer kernel versions
> though (trying on 2.6.30). The syscall table is now read-only but for
> some reason my set_memory_rw() call is failing... Any ideas how to do
> this properly?
> 
> Here are the relevant bits of code:

try read this:
http://zhwen.org/xlog/2009/03/%e6%88%aa%e8%8e%b7linux%e7%b3%bb%e7%bb%9f%e8%b0%83%e7%94%a8.htm

here is the demo.
http://zhwen.org/coding/cat_syscall.c
> 
> unsigned long **find_sys_call_table(void)
> {
>   unsigned long **sctable;
>   unsigned long ptr;
> 
>   sctable = NULL;
>   for (ptr = (unsigned long)&unlock_kernel;
>        ptr < (unsigned long)&loops_per_jiffy;
>        ptr += sizeof(void *))
>   {
>      unsigned long *p;
>      p = (unsigned long *)ptr;
>      if (p[__NR_close] == (unsigned long) sys_close)
>      {
>         sctable = (unsigned long **)p;
>         return &sctable[0];
>      }
>   }
>   return NULL;
> }
> 
> static int __init scsisniff_init_module(void)
> {
>        if ( (sys_call_table = find_sys_call_table()) ) {
>            real_ioctl = (int(*)(unsigned int fd, unsigned int cmd,
> unsigned long arg))sys_call_table[__NR_ioctl];
> 
>                if ( set_memory_rw( (unsigned
> long)sys_call_table[__NR_ioctl], 1 ) )
>                        printk( "set_memory_rw: succeeded\n" );
>                else {
>                        printk( "set_memory_rw: failed!\n" );
>                      return -1;
>                }
> 
>                sys_call_table[__NR_ioctl] = (unsigned long)my_ioctl;
>        }
>        else {
>                return -1;
>        }
>      return 0;
> }
> 
> This gives me a lovely OOPS:
> 
> [   71.143742] WARNING: at arch/x86/mm/pageattr.c:833
> change_page_attr_set_clr+0x1a0/0x400()
> [   71.143745] Modules linked in: scsi_sniff(+) i915 binfmt_misc drm
> i2c_algo_bit bridge stp bnep lp snd_hda_codec_analog snd_hda_intel
> snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm
> snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event
> snd_seq snd_timer snd_seq_device video snd psmouse tpm_infineon tpm
> ppdev soundcore serio_raw pcspkr intel_agp tpm_bios output heci(C)
> iTCO_wdt iTCO_vendor_support parport_pc parport snd_page_alloc floppy
> usbhid usb_storage e1000e
> [   71.143768] Pid: 3378, comm: insmod Tainted: G         C
> 2.6.30.4custom-1.0 #6
> [   71.143769] Call Trace:
> [   71.143773]  [<ffffffff802da6d5>] ? __vunmap+0xc5/0x110
> [   71.143775]  [<ffffffff80235200>] ? change_page_attr_set_clr+0x1a0/0x400
> [   71.143778]  [<ffffffff8024edf8>] warn_slowpath_common+0x78/0xd0
> [   71.143780]  [<ffffffff8024ee5f>] warn_slowpath_null+0xf/0x20
> [   71.143783]  [<ffffffff80235200>] change_page_attr_set_clr+0x1a0/0x400
> [   71.143785]  [<ffffffffa0274050>] ? my_ioctl+0x0/0x120 [scsi_sniff]
> [   71.143789]  [<ffffffff802a6dcd>] ? marker_update_probe_range+0x1dd/0x2d0
> [   71.143791]  [<ffffffffa0277000>] ? scsisniff_init_module+0x0/0xf4
> [scsi_sniff]
> [   71.143793]  [<ffffffff80235b9a>] set_memory_rw+0x2a/0x30
> [   71.143796]  [<ffffffff802ff000>] ? sys_fcntl+0x180/0x420
> [   71.143798]  [<ffffffffa02770bb>] scsisniff_init_module+0xbb/0xf4
> [scsi_sniff]
> [   71.143801]  [<ffffffff8020a04c>] do_one_initcall+0x3c/0x180
> [   71.143804]  [<ffffffff8026b7f3>] ? __blocking_notifier_call_chain+0x63/0x80
> [   71.143807]  [<ffffffff8027dc0d>] sys_init_module+0xad/0x200
> [   71.143810]  [<ffffffff80210fc2>] system_call_fastpath+0x16/0x1b
> [   71.143812] ---[ end trace 5b3efe312296b587 ]---
> [   71.143958] set_memory_rw: failed!
> --
> To unsubscribe from this list: send the line "unsubscribe linux-c-programming" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
--------------------------------
http://zhwen.org - Open and Free

Re: Changing syscall table

[Nicholas Mc Guire]

On Thu, 03 Sep 2009, Zhenwen Xu wrote:

> On Tue, Sep 01, 2009 at 08:57:58PM +0300, Jonathan Nell wrote:
> > I'm trying to wrap the
> > SG_IO ioctl call (i.e. trap it in the kernel) and have that dump the
> > data from (struct sg_io_hdr).dxferp.
> > Having issues with doing the kernel trap in the newer kernel versions
> > though (trying on 2.6.30). The syscall table is now read-only but for
> > some reason my set_memory_rw() call is failing... Any ideas how to do
> > this properly?
> > 
> > Here are the relevant bits of code:
> 
> try read this:
> http://zhwen.org/xlog/2009/03/%e6%88%aa%e8%8e%b7linux%e7%b3%bb%e7%bb%9f%e8%b0%83%e7%94%a8.htm
> 
> here is the demo.
> http://zhwen.org/coding/cat_syscall.c

while this is quit a nice hack I think that meanwhile standard methods like
kprobes or utrace would do the trick without such intrusive code and allow
very flexible analysis of what is going on.

hofrat

Re: Changing syscall table

[Zhenwen Xu]

On Thu, Sep 03, 2009 at 08:27:42AM +0300, Jonathan Nell wrote:
> 2009/9/3 Zhenwen Xu <helight.xu@gmail.com>:
> > On Tue, Sep 01, 2009 at 08:57:58PM +0300, Jonathan Nell wrote:
> >> I'm trying to wrap the
> >> SG_IO ioctl call (i.e. trap it in the kernel) and have that dump the
> >> data from (struct sg_io_hdr).dxferp.
> >> Having issues with doing the kernel trap in the newer kernel versions
> >> though (trying on 2.6.30). The syscall table is now read-only but for
> >> some reason my set_memory_rw() call is failing... Any ideas how to do
> >> this properly?
> >>
> >> Here are the relevant bits of code:
> >
> > try read this:
> > http://zhwen.org/xlog/2009/03/%e6%88%aa%e8%8e%b7linux%e7%b3%bb%e7%bb%9f%e8%b0%83%e7%94%a8.htm
> >
> > here is the demo.
> > http://zhwen.org/coding/cat_syscall.c
> 
> Thanks for this. WIll try it today. How come you don't get a kernel
> paging error? Where are you making the syscall read/write?
I have tested this demo successfully for all syscall except fork.

this program is fail in fork! I haven't find the reason!

PS: forget to linux-c-programming@vger.kernel.org
-- 
--------------------------------
http://zhwen.org - Open and Free

-- 
--------------------------------
http://zhwen.org - Open and Free