About intercepting linux system call

About intercepting linux system call

[JinShan Xiong]

Hi all, 

i just want to intercept ia64 linux kernel's syscall entry. I remapped
the physical page contained syscall table to a new read/write page in
a vmalloc region(0xa0000...) since ia64 linux kernel has been linked
the syscall table into a .rodata section, Yes, I can modify the
syscall entry now, but the kernel crashed after the kernel entered
into my own new function.

I run my test code on a Hp-ia64 machine with redhat AS-2.1e installed,
and the kernel is 2.4.18-e.47smp.

I am not familiar with ia64 architecture, please help me, thanks. 

dauglas 

Here is my test code: 

/* vi: set ts=4 sw=4 expandtab: */ 

#include <linux/config.h> 
#include <linux/kernel.h> 
#include <linux/module.h> 
#include <linux/unistd.h> 
#include <linux/sched.h> 
#include <asm/pgtable.h> 
#include <linux/vmalloc.h> 
#include <linux/mm.h> 
#include <asm/uaccess.h> 

extern void *sys_call_table[]; 

//static long (*old_time)(struct timeval *, struct timezone *); 
static long (*old_time)(int); 


static asmlinkage long new_time(struct timeval *tv, struct timezone *tz) 
{ 
   if (tv) { 
       struct timeval ktv; 
       do_gettimeofday(&ktv); 
       if (copy_to_user(tv, &ktv, sizeof(ktv))) 
           return -EFAULT; 
   } 
   if (tz) { 
       extern struct timezone sys_tz; 
       if (copy_to_user(tz, &sys_tz, sizeof(sys_tz))) 
           return -EFAULT; 
   } 
   return 0;int init_module(void) 
{ 
   pte_t *pte; 
   pmd_t *pmd; 
   pgd_t *pgd; 
   unsigned long addr, phys_addr; 
   unsigned long new_addr; 
   int ret; 
   struct page *page; 

   addr = (unsigned long)(&sys_call_table[1025- 1024 ]); 
   printk("Time entry's address: %llx, *addr = %llx!\n", 
       addr, *(unsigned long*)addr); 

   page = virt_to_page(addr); 
   printk("page = %p\n", page); 
   SetPageReserved(page); 

   phys_addr = __pa(addr); 

   new_addr = vmalloc(PAGE_SIZE); 
   vfree(new_addr); 

   phys_addr = phys_addr & ~(PAGE_SIZE - 1); 
   ret = remap_page_range((unsigned long)new_addr, phys_addr,
PAGE_SIZE, PAGE_KERNEL);
   if(ret) { 
       printk("remap page return with error = %d\n", ret); 
       return ret; 
   } 


   pgd = pgd_offset_k(new_addr);   printk("pgd = %p\n", pgd); 
   pmd = pmd_offset(pgd, new_addr); 
   if(pmd_none(*pmd)) { 
       printk("address: %llx has no pmd!\n", new_addr); 
       return -1; 
   } 

   pte = pte_offset(pmd, new_addr); 
   if(pte_none(*pte)) { 
       /* Why? */ 
       printk("No pte!\n"); 
       set_pte(pte, mk_pte_phys(phys_addr, PAGE_KERNEL)); 
       if(pte_none(*pte)) { 
           printk("Can't set pte!\n"); 
           return -1; 
       } 
   } 


   if(pte_write(*pte)) { 
       printk("sys_call_table is writable!\n"); 
   } else { 
       printk("sys_call_table is read-only!\n"); 
   } 

   { 
       unsigned long x; 

       x = new_addr + (addr & (PAGE_SIZE - 1)); 

       old_time = *(unsigned long *)addr; 

  printk("pgd = %p\n", pgd); 
   pmd = pmd_offset(pgd, new_addr); 
   if(pmd_none(*pmd)) { 
       printk("address: %llx has no pmd!\n", new_addr); 
       return -1; 
   } 

   pte = pte_offset(pmd, new_addr); 
   if(pte_none(*pte)) { 
       /* Why? */ 
       printk("No pte!\n"); 
       set_pte(pte, mk_pte_phys(phys_addr, PAGE_KERNEL)); 
       if(pte_none(*pte)) { 
           printk("Can't set pte!\n"); 
           return -1; 
       } 
   } 


   if(pte_write(*pte)) { 
       printk("sys_call_table is writable!\n"); 
   } else { 
       printk("sys_call_table is read-only!\n"); 
   } 

   { 
       unsigned long x; 

       x = new_addr + (addr & (PAGE_SIZE - 1)); 

       old_time = *(unsigned long *)addr; 

       *(unsigned long *)x = (unsigned long)new_time; //+ 0x4000000000000000; 
       printk("x = %llx\n", x); 
   } 

   printk("*addr = %llx\n", *(unsigned long *)addr); 


   pte_clear(pte); 

   return 0; 
} 

void cleanup_module() 
{ 
   printk("Byebye!\n"); 
} 

Here is kernel crash msg: 

Time entry's address: e000000004883a80, *addr = e0000000044913e0! 
page = a0007fff8e47ee00 
pgd = e00000000493c000 
No pte! 
sys_call_table is writable! 
x = a00000000032ba80 
*addr = e000000000319d70 
insmod[1279]: IA-64 Illegal operation fault 0 
--> __insmod_ro_S.rodata_L296 [ro] 0x7da <-- 

Pid: 1279, comm:               insmod 
psr : 0000141008026018 ifs : 8000000000000008 ip  :
[<e000000000319d72>]    Tainted: P
unat: 0000000000000000 pfs : 0000000000000008 rsc : 0000000000000003 
rnat: e0000003fc454658 bsps: 0010000000000661 pr  : 0000000000000199 
ldrs: 0000000000000000 ccv : 00000000000001ad fpsr: 0009804c0270033f 
b0  : e00000000440df00 b6  : e000000004402f60 b7  : 0000000000000000 
f6  : 1003e000000000877c629 f7  : 1003efb93e672fa98528d 
f8  : 1003e0000000000000180 f9  : 10003c000000000000000 
r1  : e000000004cf5760 r2  : 0000000000000000 r3  : 00000000000000ff 
r8  : e0000001104a7f00 r9  : 20000000002a4fc0 r10 : ffffffffffffffff 
r11 : 60000fffffff4ab0 r12 : e0000001104a7e60 r13 : e0000001104a0000 
r14 : e000000000000000 r15 : e00000000440df00 r16 : e0000001104a7e70 
r17 : e0000001104a7e78 r18 : 00001413085a6010 r19 : 20000000001a7610 
r20 : 0000000000000002 r21 : 20000000000588a0 r22 : 400000000002fe88 
r23 : 0000000000000010 r24 : 20000000002a7900 r25 : 20000000002a78f8 
r26 : 60000000000243d8 r27 : 20000000002a44c0 r28 : 200000000014d160 
r29 : 0000000000000000 r30 : 0000000000000001 r31 : 0000000000000000 

Call Trace: [<e000000004414910>] sp=0xe0000001104a79c0 bsp=0xe0000001104a1108 
decoded to show_stack [kernel] 0x50 
[<e000000004415140>] sp=0xe0000001104a7b80 bsp=0xe0000001104a10b0 
decoded to show_regs [kernel] 0x7c0 
[<e00000000442fd90>] sp=0xe0000001104a7ba0 bsp=0xe0000001104a1088 
decoded to die [kernel] 0x190 
[<e00000000442fe60>] sp=0xe0000001104a7ba0 bsp=0xe0000001104a1060 
decoded to die_if_kernel [kernel] 0x40 
[<e000000004430af0>] sp=0xe0000001104a7ba0 bsp=0xe0000001104a1048 
decoded to ia64_illegal_op_fault [kernel] 0x50 
[<e000000004403ed0>] sp=0xe0000001104a7cc0 bsp=0xe0000001104a1048 
decoded to dispatch_illegal_op_fault [kernel] 0x2b0 
<0>Kernel panic: not continuing

Re: About intercepting linux system call

[Randy.Dunlap]

David Mosberger wrote:
> Hi JinShan,
> 
> 
>>>>>>On Thu, 27 Jan 2005 12:54:40 +0800, JinShan Xiong <jinshan.xiong@gmail.com> said:
> 
> 
>   JinShan> Hi all, i just want to intercept ia64 linux kernel's
>   JinShan> syscall entry. I remapped the physical page contained
>   JinShan> syscall table to a new read/write page in a vmalloc
>   JinShan> region(0xa0000...) since ia64 linux kernel has been linked
>   JinShan> the syscall table into a .rodata section, Yes, I can modify
>   JinShan> the syscall entry now, but the kernel crashed after the
>   JinShan> kernel entered into my own new function.
> 
>   JinShan> I run my test code on a Hp-ia64 machine with redhat AS-2.1e
>   JinShan> installed, and the kernel is 2.4.18-e.47smp.
> 
>   JinShan> I am not familiar with ia64 architecture, please help me,
>   JinShan> thanks.
> 
> Hi JinShan,
> 
> There is no need to copy the syscall table to a writable area.  On
> ia64, the kernel memory is writable (for the kernel) by default.  I
> think the problem in your code is due to the gp register not being
> setup properly before calling into the module.  Each module gets its
> own global-offset-table (GOT) so the gp needs to be loaded up before
> calling any of the module's C function.  However, the kernel assumes
> that all system calls are implemented in the kernel proper, so it
> bypasses the gp-loading that would normally happen when calling
> through a function-pointer.
> 
> This can be fixed with a little stub which takes care of saving the
> old gp-value, loading the modules gp, calling the real function and,
> upon return, restoring the original gp-value.
> 
> I think something like this might work:
> 
> 	.proc new_time_stub
> new_time_stub:
> 	.prologue
> 	.regstk 2, 3, 2, 0
> 	.save ar.pfs, loc1
> 	alloc loc1 = ar.pfs, 2, 3, 2, 0
> 	movl r2 = @gprel(zero);;
> 	.save rp, loc0
> 	mov loc0 = rp
> 	mov loc2 = gp
> 	sub gp = r0, r2
> 	mov out0 = in0
> 	mov out1 = in1
> 	br.call.sptk.many rp = new_time
> 1:	mov rp = loc0
> 	mov ar.pfs = loc1
> 	mov gp = loc2
> 	br.ret.sptk.many rp
> 	.endp
> 
> Here, "zero" needs to be a symbol that the linker resolves to 0.  You
> can define "zero" either via a linker script or by passing the linker
> the option "--defsym zero=0".  It may not be the most elegant way to
> get the GP value, but it ought to work both on 2.4 and 2.6 (which use
> different module loaders).
> 
> Having said that, two caveats:
> 
>  - In 2.6, sys_call_table is no longer exported, so your code can't
>    work (and that's intentional, see below).
> 
>  - Kernel developers generally frown on modules that try to intercept
>    syscalls.  For one thing, it's potentially racy in an SMP
>    environment and for another, it's questionable whether it's even
>    legal to do so, at least if the module is proprietary (not offering
>    a legal opinion here, just raising a potential red flag).

There are also stacking and unstacking issues when multiple such
syscall interceptors get involved.  I.e., there's no clean way
defined to do this.

> On a related topic, you may find it easier to develop such code with
> the Ski simulator [1].  It's very easy to setup and would let you
> single-step through the code in question, so you can see exactly
> what's going on.
> 
> 	--david
> 
> [1] http://www.hpl.hp.com/research/linux/ski/


-- 
~Randy

Re: About intercepting linux system call

[David Mosberger]

Hi JinShan,

>>>>> On Thu, 27 Jan 2005 12:54:40 +0800, JinShan Xiong <jinshan.xiong@gmail.com> said:

  JinShan> Hi all, i just want to intercept ia64 linux kernel's
  JinShan> syscall entry. I remapped the physical page contained
  JinShan> syscall table to a new read/write page in a vmalloc
  JinShan> region(0xa0000...) since ia64 linux kernel has been linked
  JinShan> the syscall table into a .rodata section, Yes, I can modify
  JinShan> the syscall entry now, but the kernel crashed after the
  JinShan> kernel entered into my own new function.

  JinShan> I run my test code on a Hp-ia64 machine with redhat AS-2.1e
  JinShan> installed, and the kernel is 2.4.18-e.47smp.

  JinShan> I am not familiar with ia64 architecture, please help me,
  JinShan> thanks.

Hi JinShan,

There is no need to copy the syscall table to a writable area.  On
ia64, the kernel memory is writable (for the kernel) by default.  I
think the problem in your code is due to the gp register not being
setup properly before calling into the module.  Each module gets its
own global-offset-table (GOT) so the gp needs to be loaded up before
calling any of the module's C function.  However, the kernel assumes
that all system calls are implemented in the kernel proper, so it
bypasses the gp-loading that would normally happen when calling
through a function-pointer.

This can be fixed with a little stub which takes care of saving the
old gp-value, loading the modules gp, calling the real function and,
upon return, restoring the original gp-value.

I think something like this might work:

	.proc new_time_stub
new_time_stub:
	.prologue
	.regstk 2, 3, 2, 0
	.save ar.pfs, loc1
	alloc loc1 = ar.pfs, 2, 3, 2, 0
	movl r2 = @gprel(zero);;
	.save rp, loc0
	mov loc0 = rp
	mov loc2 = gp
	sub gp = r0, r2
	mov out0 = in0
	mov out1 = in1
	br.call.sptk.many rp = new_time
1:	mov rp = loc0
	mov ar.pfs = loc1
	mov gp = loc2
	br.ret.sptk.many rp
	.endp

Here, "zero" needs to be a symbol that the linker resolves to 0.  You
can define "zero" either via a linker script or by passing the linker
the option "--defsym zero=0".  It may not be the most elegant way to
get the GP value, but it ought to work both on 2.4 and 2.6 (which use
different module loaders).

Having said that, two caveats:

 - In 2.6, sys_call_table is no longer exported, so your code can't
   work (and that's intentional, see below).

 - Kernel developers generally frown on modules that try to intercept
   syscalls.  For one thing, it's potentially racy in an SMP
   environment and for another, it's questionable whether it's even
   legal to do so, at least if the module is proprietary (not offering
   a legal opinion here, just raising a potential red flag).

On a related topic, you may find it easier to develop such code with
the Ski simulator [1].  It's very easy to setup and would let you
single-step through the code in question, so you can see exactly
what's going on.

	--david

[1] http://www.hpl.hp.com/research/linux/ski/

Re: About intercepting linux system call

[JinShan Xiong]

Hi,

Seems to near our target;-).  But the kernel crashed too while I
installed the following module.

I am downloading ski, thank you, David.

JinShan

Here is my test file:/* vi: set ts=4 sw=4 expandtab: */

#include <linux/config.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/unistd.h>
#include <linux/sched.h>
#include <asm/pgtable.h>
#include <linux/vmalloc.h>
#include <linux/mm.h>
#include <asm/uaccess.h>

extern unsigned long sys_call_table[];

static long (*old_time)(struct timeval *, struct timezone *);
extern void new_time_stub(void);
//extern unsigned long new_time_stub;

asm (
"        .proc new_time_stub\n"
"new_time_stub:"
"       .prologue\n"
"       .regstk 2, 3, 2, 0\n"
"       .save ar.pfs, loc1\n"
"       alloc loc1 = ar.pfs, 2, 3, 2, 0\n"
"       movl r2 = @gprel(zero);;\n"
"       .save rp, loc0\n"
"       mov loc0 = rp\n"
"       mov loc2 = gp\n"
"       sub gp = r0, r2\n"
"       mov out0 = in0\n"
"       mov out1 = in1\n"
"       br.call.sptk.many rp = new_time\n"
"1:      mov rp = loc0\n"
"       mov ar.pfs = loc1\n"
"       mov gp = loc2\n"
"       br.ret.sptk.many rp\n"
"       .endp\n"
);

long new_time(struct timeval *tv, struct timezone *tz)
{
    if (tv) {
        struct timeval ktv;
        do_gettimeofday(&ktv);
        if (copy_to_user(tv, &ktv, sizeof(ktv)))
            return -EFAULT;
    }
    if (tz) {
        extern struct timezone sys_tz;
        if (copy_to_user(tz, &sys_tz, sizeof(sys_tz)))
            return -EFAULT;
    }
    return 0;
}

int init_module(void)
{
    printk("new_time_stub is %llx\n", new_time_stub);
    old_time = sys_call_table[__NR_gettimeofday - 1024];
    sys_call_table[__NR_gettimeofday - 1024] = new_time_stub;
    return 0;
}

void cleanup_module()
{
    /* should restore syscall here! */
    sys_call_table[__NR_gettimeofday - 1024] = old_time;
    printk("Byebye!\n");
}

and makefile:
all:
    gcc -D__KERNEL__ -DMODULE -I/lib/modules/`uname -r`/build/include -c ro.c
    ld -r -o mod.o ro.o --defsym zero=0

kernel dump msg:
- - - - - - - - - - - - Live Console - - - - - - - - - - - -
new_time_stub is a000000000318f70
klogd[784]: IA-64 Illegal operation fault 0
--> .opd [mod] 0x21 <--

Pid: 784, comm:                klogd
psr : 0000121008026018 ifs : 8000000000000002 ip  :
[<a000000000318f71>]    Tainted: P
unat: 0000000000000000 pfs : 0000000000000002 rsc : 0000000000000003
rnat: 0000000000000000 bsps: 0000000000000000 pr  : 80000000ff600199
ldrs: 0000000000000000 ccv : 00000000000001ad fpsr: 0009804c0270033f
b0  : e00000000440df00 b6  : e000000004402f60 b7  : e00000000440d990
f6  : 1003ecccccccccccccccd f7  : 1003e0000000000000004
f8  : 1003e0000000000000064 f9  : 1003ea3d70a3d70a3d70b
r1  : e000000004cf5760 r2  : 0000000000000000 r3  : 00000000000000ff
r8  : e0000040fc4a7f00 r9  : 20000000002a4fc0 r10 : 0000000000000000
r11 : 6000000000009d50 r12 : e0000040fc4a7e60 r13 : e0000040fc4a0000
r14 : e000000000000000 r15 : e00000000440df00 r16 : e0000040fc4a7e70
r17 : e0000040fc4a7e78 r18 : 00001413085a6010 r19 : 200000000018f4d0
r20 : 0000000000000002 r21 : 0000000000255b0a r22 : 00000000005b0a3e
r23 : 60000fffffffaf20 r24 : 0a0a0a0a0a2f5100 r25 : 0a0a0a0a0a0a0a0a
r26 : 0000000000000048 r27 : 0000000000000000 r28 : 0000000000000018
r29 : 0000000000000028 r30 : 0000000000000008 r31 : 0000000000000000

Call Trace: [<e000000004414910>] sp=0xe0000040fc4a79c0 bsp=0xe0000040fc4a12c0
decoded to show_stack [kernel] 0x50
[<e000000004415140>] sp=0xe0000040fc4a7b80 bsp=0xe0000040fc4a1268
decoded to show_regs [kernel] 0x7c0
[<e00000000442fd90>] sp=0xe0000040fc4a7ba0 bsp=0xe0000040fc4a1240
decoded to die [kernel] 0x190
[<e00000000442fe60>] sp=0xe0000040fc4a7ba0 bsp=0xe0000040fc4a1218
decoded to die_if_kernel [kernel] 0x40
[<e000000004430af0>] sp=0xe0000040fc4a7ba0 bsp=0xe0000040fc4a1200
decoded to ia64_illegal_op_fault [kernel] 0x50
[<e000000004403ed0>] sp=0xe0000040fc4a7cc0 bsp=0xe0000040fc4a1200
decoded to dispatch_illegal_op_fault [kernel] 0x2b0
 <0>Kernel panic: not continuing
bash[1192]: IA-64 Illegal operation fault 0
....



On Wed, 26 Jan 2005 21:32:49 -0800, David Mosberger
<davidm@napali.hpl.hp.com> wrote:
> Hi JinShan,
> 
> >>>>> On Thu, 27 Jan 2005 12:54:40 +0800, JinShan Xiong <jinshan.xiong@gmail.com> said:
> 
>   JinShan> Hi all, i just want to intercept ia64 linux kernel's
>   JinShan> syscall entry. I remapped the physical page contained
>   JinShan> syscall table to a new read/write page in a vmalloc
>   JinShan> region(0xa0000...) since ia64 linux kernel has been linked
>   JinShan> the syscall table into a .rodata section, Yes, I can modify
>   JinShan> the syscall entry now, but the kernel crashed after the
>   JinShan> kernel entered into my own new function.
> 
>   JinShan> I run my test code on a Hp-ia64 machine with redhat AS-2.1e
>   JinShan> installed, and the kernel is 2.4.18-e.47smp.
> 
>   JinShan> I am not familiar with ia64 architecture, please help me,
>   JinShan> thanks.
> 
> Hi JinShan,
> 
> There is no need to copy the syscall table to a writable area.  On
> ia64, the kernel memory is writable (for the kernel) by default.  I
> think the problem in your code is due to the gp register not being
> setup properly before calling into the module.  Each module gets its
> own global-offset-table (GOT) so the gp needs to be loaded up before
> calling any of the module's C function.  However, the kernel assumes
> that all system calls are implemented in the kernel proper, so it
> bypasses the gp-loading that would normally happen when calling
> through a function-pointer.
> 
> This can be fixed with a little stub which takes care of saving the
> old gp-value, loading the modules gp, calling the real function and,
> upon return, restoring the original gp-value.
> 
> I think something like this might work:
> 
>         .proc new_time_stub
> new_time_stub:
>         .prologue
>         .regstk 2, 3, 2, 0
>         .save ar.pfs, loc1
>         alloc loc1 = ar.pfs, 2, 3, 2, 0
>         movl r2 = @gprel(zero);;
>         .save rp, loc0
>         mov loc0 = rp
>         mov loc2 = gp
>         sub gp = r0, r2
>         mov out0 = in0
>         mov out1 = in1
>         br.call.sptk.many rp = new_time
> 1:      mov rp = loc0
>         mov ar.pfs = loc1
>         mov gp = loc2
>         br.ret.sptk.many rp
>         .endp
> 
> Here, "zero" needs to be a symbol that the linker resolves to 0.  You
> can define "zero" either via a linker script or by passing the linker
> the option "--defsym zero=0".  It may not be the most elegant way to
> get the GP value, but it ought to work both on 2.4 and 2.6 (which use
> different module loaders).
> 
> Having said that, two caveats:
> 
>  - In 2.6, sys_call_table is no longer exported, so your code can't
>    work (and that's intentional, see below).

I always put the sys_call_table address as a module parameter into
kernel in version above 2.4.20, hehe. Ugly?

> 
>  - Kernel developers generally frown on modules that try to intercept
>    syscalls.  For one thing, it's potentially racy in an SMP
>    environment and for another, it's questionable whether it's even
>    legal to do so, at least if the module is proprietary (not offering
>    a legal opinion here, just raising a potential red flag).

Nod. I am very happy to export our kernel module source code under GPL license.

> 
> On a related topic, you may find it easier to develop such code with
> the Ski simulator [1].  It's very easy to setup and would let you
> single-step through the code in question, so you can see exactly
> what's going on.
> 
>         --david
> 
> [1] http://www.hpl.hp.com/research/linux/ski/
>

Re: About intercepting linux system call

[JinShan Xiong]

I think I was not used the stub code correctly.

JinShan


On Thu, 27 Jan 2005 15:17:30 +0800, JinShan Xiong
<jinshan.xiong@gmail.com> wrote:
> Hi,
> 
> Seems to near our target;-).  But the kernel crashed too while I
> installed the following module.
> 
> I am downloading ski, thank you, David.
> 
> JinShan
> 
> Here is my test file:/* vi: set ts=4 sw=4 expandtab: */
> 
> #include <linux/config.h>
> #include <linux/kernel.h>
> #include <linux/module.h>
> #include <linux/unistd.h>
> #include <linux/sched.h>
> #include <asm/pgtable.h>
> #include <linux/vmalloc.h>
> #include <linux/mm.h>
> #include <asm/uaccess.h>
> 
> extern unsigned long sys_call_table[];
> 
> static long (*old_time)(struct timeval *, struct timezone *);
> extern void new_time_stub(void);
> //extern unsigned long new_time_stub;
> 
> asm (
> "        .proc new_time_stub\n"
> "new_time_stub:"
> "       .prologue\n"
> "       .regstk 2, 3, 2, 0\n"
> "       .save ar.pfs, loc1\n"
> "       alloc loc1 = ar.pfs, 2, 3, 2, 0\n"
> "       movl r2 = @gprel(zero);;\n"
> "       .save rp, loc0\n"
> "       mov loc0 = rp\n"
> "       mov loc2 = gp\n"
> "       sub gp = r0, r2\n"
> "       mov out0 = in0\n"
> "       mov out1 = in1\n"
> "       br.call.sptk.many rp = new_time\n"
> "1:      mov rp = loc0\n"
> "       mov ar.pfs = loc1\n"
> "       mov gp = loc2\n"
> "       br.ret.sptk.many rp\n"
> "       .endp\n"
> );
> 
> long new_time(struct timeval *tv, struct timezone *tz)
> {
>     if (tv) {
>         struct timeval ktv;
>         do_gettimeofday(&ktv);
>         if (copy_to_user(tv, &ktv, sizeof(ktv)))
>             return -EFAULT;
>     }
>     if (tz) {
>         extern struct timezone sys_tz;
>         if (copy_to_user(tz, &sys_tz, sizeof(sys_tz)))
>             return -EFAULT;
>     }
>     return 0;
> }
> 
> int init_module(void)
> {
>     printk("new_time_stub is %llx\n", new_time_stub);
>     old_time = sys_call_table[__NR_gettimeofday - 1024];
>     sys_call_table[__NR_gettimeofday - 1024] = new_time_stub;
>     return 0;
> }
> 
> void cleanup_module()
> {
>     /* should restore syscall here! */
>     sys_call_table[__NR_gettimeofday - 1024] = old_time;
>     printk("Byebye!\n");
> }
> 
> and makefile:
> all:
>     gcc -D__KERNEL__ -DMODULE -I/lib/modules/`uname -r`/build/include -c ro.c
>     ld -r -o mod.o ro.o --defsym zero=0
> 
> kernel dump msg:
> - - - - - - - - - - - - Live Console - - - - - - - - - - - -
> new_time_stub is a000000000318f70
> klogd[784]: IA-64 Illegal operation fault 0
> --> .opd [mod] 0x21 <--
> 
> Pid: 784, comm:                klogd
> psr : 0000121008026018 ifs : 8000000000000002 ip  :
> [<a000000000318f71>]    Tainted: P
> unat: 0000000000000000 pfs : 0000000000000002 rsc : 0000000000000003
> rnat: 0000000000000000 bsps: 0000000000000000 pr  : 80000000ff600199
> ldrs: 0000000000000000 ccv : 00000000000001ad fpsr: 0009804c0270033f
> b0  : e00000000440df00 b6  : e000000004402f60 b7  : e00000000440d990
> f6  : 1003ecccccccccccccccd f7  : 1003e0000000000000004
> f8  : 1003e0000000000000064 f9  : 1003ea3d70a3d70a3d70b
> r1  : e000000004cf5760 r2  : 0000000000000000 r3  : 00000000000000ff
> r8  : e0000040fc4a7f00 r9  : 20000000002a4fc0 r10 : 0000000000000000
> r11 : 6000000000009d50 r12 : e0000040fc4a7e60 r13 : e0000040fc4a0000
> r14 : e000000000000000 r15 : e00000000440df00 r16 : e0000040fc4a7e70
> r17 : e0000040fc4a7e78 r18 : 00001413085a6010 r19 : 200000000018f4d0
> r20 : 0000000000000002 r21 : 0000000000255b0a r22 : 00000000005b0a3e
> r23 : 60000fffffffaf20 r24 : 0a0a0a0a0a2f5100 r25 : 0a0a0a0a0a0a0a0a
> r26 : 0000000000000048 r27 : 0000000000000000 r28 : 0000000000000018
> r29 : 0000000000000028 r30 : 0000000000000008 r31 : 0000000000000000
> 
> Call Trace: [<e000000004414910>] sp=0xe0000040fc4a79c0 bsp=0xe0000040fc4a12c0
> decoded to show_stack [kernel] 0x50
> [<e000000004415140>] sp=0xe0000040fc4a7b80 bsp=0xe0000040fc4a1268
> decoded to show_regs [kernel] 0x7c0
> [<e00000000442fd90>] sp=0xe0000040fc4a7ba0 bsp=0xe0000040fc4a1240
> decoded to die [kernel] 0x190
> [<e00000000442fe60>] sp=0xe0000040fc4a7ba0 bsp=0xe0000040fc4a1218
> decoded to die_if_kernel [kernel] 0x40
> [<e000000004430af0>] sp=0xe0000040fc4a7ba0 bsp=0xe0000040fc4a1200
> decoded to ia64_illegal_op_fault [kernel] 0x50
> [<e000000004403ed0>] sp=0xe0000040fc4a7cc0 bsp=0xe0000040fc4a1200
> decoded to dispatch_illegal_op_fault [kernel] 0x2b0
>  <0>Kernel panic: not continuing
> bash[1192]: IA-64 Illegal operation fault 0
> ....
> 
> 
> On Wed, 26 Jan 2005 21:32:49 -0800, David Mosberger
> <davidm@napali.hpl.hp.com> wrote:
> > Hi JinShan,
> >
> > >>>>> On Thu, 27 Jan 2005 12:54:40 +0800, JinShan Xiong <jinshan.xiong@gmail.com> said:
> >
> >   JinShan> Hi all, i just want to intercept ia64 linux kernel's
> >   JinShan> syscall entry. I remapped the physical page contained
> >   JinShan> syscall table to a new read/write page in a vmalloc
> >   JinShan> region(0xa0000...) since ia64 linux kernel has been linked
> >   JinShan> the syscall table into a .rodata section, Yes, I can modify
> >   JinShan> the syscall entry now, but the kernel crashed after the
> >   JinShan> kernel entered into my own new function.
> >
> >   JinShan> I run my test code on a Hp-ia64 machine with redhat AS-2.1e
> >   JinShan> installed, and the kernel is 2.4.18-e.47smp.
> >
> >   JinShan> I am not familiar with ia64 architecture, please help me,
> >   JinShan> thanks.
> >
> > Hi JinShan,
> >
> > There is no need to copy the syscall table to a writable area.  On
> > ia64, the kernel memory is writable (for the kernel) by default.  I
> > think the problem in your code is due to the gp register not being
> > setup properly before calling into the module.  Each module gets its
> > own global-offset-table (GOT) so the gp needs to be loaded up before
> > calling any of the module's C function.  However, the kernel assumes
> > that all system calls are implemented in the kernel proper, so it
> > bypasses the gp-loading that would normally happen when calling
> > through a function-pointer.
> >
> > This can be fixed with a little stub which takes care of saving the
> > old gp-value, loading the modules gp, calling the real function and,
> > upon return, restoring the original gp-value.
> >
> > I think something like this might work:
> >
> >         .proc new_time_stub
> > new_time_stub:
> >         .prologue
> >         .regstk 2, 3, 2, 0
> >         .save ar.pfs, loc1
> >         alloc loc1 = ar.pfs, 2, 3, 2, 0
> >         movl r2 = @gprel(zero);;
> >         .save rp, loc0
> >         mov loc0 = rp
> >         mov loc2 = gp
> >         sub gp = r0, r2
> >         mov out0 = in0
> >         mov out1 = in1
> >         br.call.sptk.many rp = new_time
> > 1:      mov rp = loc0
> >         mov ar.pfs = loc1
> >         mov gp = loc2
> >         br.ret.sptk.many rp
> >         .endp
> >
> > Here, "zero" needs to be a symbol that the linker resolves to 0.  You
> > can define "zero" either via a linker script or by passing the linker
> > the option "--defsym zero=0".  It may not be the most elegant way to
> > get the GP value, but it ought to work both on 2.4 and 2.6 (which use
> > different module loaders).
> >
> > Having said that, two caveats:
> >
> >  - In 2.6, sys_call_table is no longer exported, so your code can't
> >    work (and that's intentional, see below).
> 
> I always put the sys_call_table address as a module parameter into
> kernel in version above 2.4.20, hehe. Ugly?
> 
> >
> >  - Kernel developers generally frown on modules that try to intercept
> >    syscalls.  For one thing, it's potentially racy in an SMP
> >    environment and for another, it's questionable whether it's even
> >    legal to do so, at least if the module is proprietary (not offering
> >    a legal opinion here, just raising a potential red flag).
> 
> Nod. I am very happy to export our kernel module source code under GPL license.
> 
> >
> > On a related topic, you may find it easier to develop such code with
> > the Ski simulator [1].  It's very easy to setup and would let you
> > single-step through the code in question, so you can see exactly
> > what's going on.
> >
> >         --david
> >
> > [1] http://www.hpl.hp.com/research/linux/ski/
> >
>

Re: About intercepting linux system call

[JinShan Xiong]

Hi David,

I don't know how to use the stub code, I have tried to copy it to
overload sys_gettimeofday(), like this,

 memcpy(sys_call_table[__NR_gettimeofday - 1024], new_time_stub, 32),

it crashed the kenrel also. 

Please help me!

Thanks,

JinShan


On Thu, 27 Jan 2005 20:29:49 +0800, JinShan Xiong
<jinshan.xiong@gmail.com> wrote:
> I think I was not used the stub code correctly.
> 
> JinShan
> 
> 
> On Thu, 27 Jan 2005 15:17:30 +0800, JinShan Xiong
> <jinshan.xiong@gmail.com> wrote:
> > Hi,
> >
> > Seems to near our target;-).  But the kernel crashed too while I
> > installed the following module.
> >
> > I am downloading ski, thank you, David.
> >
> > JinShan
> >
> > Here is my test file:/* vi: set ts=4 sw=4 expandtab: */
> >
> > #include <linux/config.h>
> > #include <linux/kernel.h>
> > #include <linux/module.h>
> > #include <linux/unistd.h>
> > #include <linux/sched.h>
> > #include <asm/pgtable.h>
> > #include <linux/vmalloc.h>
> > #include <linux/mm.h>
> > #include <asm/uaccess.h>
> >
> > extern unsigned long sys_call_table[];
> >
> > static long (*old_time)(struct timeval *, struct timezone *);
> > extern void new_time_stub(void);
> > //extern unsigned long new_time_stub;
> >
> > asm (
> > "        .proc new_time_stub\n"
> > "new_time_stub:"
> > "       .prologue\n"
> > "       .regstk 2, 3, 2, 0\n"
> > "       .save ar.pfs, loc1\n"
> > "       alloc loc1 = ar.pfs, 2, 3, 2, 0\n"
> > "       movl r2 = @gprel(zero);;\n"
> > "       .save rp, loc0\n"
> > "       mov loc0 = rp\n"
> > "       mov loc2 = gp\n"
> > "       sub gp = r0, r2\n"
> > "       mov out0 = in0\n"
> > "       mov out1 = in1\n"
> > "       br.call.sptk.many rp = new_time\n"
> > "1:      mov rp = loc0\n"
> > "       mov ar.pfs = loc1\n"
> > "       mov gp = loc2\n"
> > "       br.ret.sptk.many rp\n"
> > "       .endp\n"
> > );
> >
> > long new_time(struct timeval *tv, struct timezone *tz)
> > {
> >     if (tv) {
> >         struct timeval ktv;
> >         do_gettimeofday(&ktv);
> >         if (copy_to_user(tv, &ktv, sizeof(ktv)))
> >             return -EFAULT;
> >     }
> >     if (tz) {
> >         extern struct timezone sys_tz;
> >         if (copy_to_user(tz, &sys_tz, sizeof(sys_tz)))
> >             return -EFAULT;
> >     }
> >     return 0;
> > }
> >
> > int init_module(void)
> > {
> >     printk("new_time_stub is %llx\n", new_time_stub);
> >     old_time = sys_call_table[__NR_gettimeofday - 1024];
> >     sys_call_table[__NR_gettimeofday - 1024] = new_time_stub;
> >     return 0;
> > }
> >
> > void cleanup_module()
> > {
> >     /* should restore syscall here! */
> >     sys_call_table[__NR_gettimeofday - 1024] = old_time;
> >     printk("Byebye!\n");
> > }
> >
> > and makefile:
> > all:
> >     gcc -D__KERNEL__ -DMODULE -I/lib/modules/`uname -r`/build/include -c ro.c
> >     ld -r -o mod.o ro.o --defsym zero=0
> >
> > kernel dump msg:
> > - - - - - - - - - - - - Live Console - - - - - - - - - - - -
> > new_time_stub is a000000000318f70
> > klogd[784]: IA-64 Illegal operation fault 0
> > --> .opd [mod] 0x21 <--
> >
> > Pid: 784, comm:                klogd
> > psr : 0000121008026018 ifs : 8000000000000002 ip  :
> > [<a000000000318f71>]    Tainted: P
> > unat: 0000000000000000 pfs : 0000000000000002 rsc : 0000000000000003
> > rnat: 0000000000000000 bsps: 0000000000000000 pr  : 80000000ff600199
> > ldrs: 0000000000000000 ccv : 00000000000001ad fpsr: 0009804c0270033f
> > b0  : e00000000440df00 b6  : e000000004402f60 b7  : e00000000440d990
> > f6  : 1003ecccccccccccccccd f7  : 1003e0000000000000004
> > f8  : 1003e0000000000000064 f9  : 1003ea3d70a3d70a3d70b
> > r1  : e000000004cf5760 r2  : 0000000000000000 r3  : 00000000000000ff
> > r8  : e0000040fc4a7f00 r9  : 20000000002a4fc0 r10 : 0000000000000000
> > r11 : 6000000000009d50 r12 : e0000040fc4a7e60 r13 : e0000040fc4a0000
> > r14 : e000000000000000 r15 : e00000000440df00 r16 : e0000040fc4a7e70
> > r17 : e0000040fc4a7e78 r18 : 00001413085a6010 r19 : 200000000018f4d0
> > r20 : 0000000000000002 r21 : 0000000000255b0a r22 : 00000000005b0a3e
> > r23 : 60000fffffffaf20 r24 : 0a0a0a0a0a2f5100 r25 : 0a0a0a0a0a0a0a0a
> > r26 : 0000000000000048 r27 : 0000000000000000 r28 : 0000000000000018
> > r29 : 0000000000000028 r30 : 0000000000000008 r31 : 0000000000000000
> >
> > Call Trace: [<e000000004414910>] sp=0xe0000040fc4a79c0 bsp=0xe0000040fc4a12c0
> > decoded to show_stack [kernel] 0x50
> > [<e000000004415140>] sp=0xe0000040fc4a7b80 bsp=0xe0000040fc4a1268
> > decoded to show_regs [kernel] 0x7c0
> > [<e00000000442fd90>] sp=0xe0000040fc4a7ba0 bsp=0xe0000040fc4a1240
> > decoded to die [kernel] 0x190
> > [<e00000000442fe60>] sp=0xe0000040fc4a7ba0 bsp=0xe0000040fc4a1218
> > decoded to die_if_kernel [kernel] 0x40
> > [<e000000004430af0>] sp=0xe0000040fc4a7ba0 bsp=0xe0000040fc4a1200
> > decoded to ia64_illegal_op_fault [kernel] 0x50
> > [<e000000004403ed0>] sp=0xe0000040fc4a7cc0 bsp=0xe0000040fc4a1200
> > decoded to dispatch_illegal_op_fault [kernel] 0x2b0
> >  <0>Kernel panic: not continuing
> > bash[1192]: IA-64 Illegal operation fault 0
> > ....
> >
> >
> > On Wed, 26 Jan 2005 21:32:49 -0800, David Mosberger
> > <davidm@napali.hpl.hp.com> wrote:
> > > Hi JinShan,
> > >
> > > >>>>> On Thu, 27 Jan 2005 12:54:40 +0800, JinShan Xiong <jinshan.xiong@gmail.com> said:
> > >
> > >   JinShan> Hi all, i just want to intercept ia64 linux kernel's
> > >   JinShan> syscall entry. I remapped the physical page contained
> > >   JinShan> syscall table to a new read/write page in a vmalloc
> > >   JinShan> region(0xa0000...) since ia64 linux kernel has been linked
> > >   JinShan> the syscall table into a .rodata section, Yes, I can modify
> > >   JinShan> the syscall entry now, but the kernel crashed after the
> > >   JinShan> kernel entered into my own new function.
> > >
> > >   JinShan> I run my test code on a Hp-ia64 machine with redhat AS-2.1e
> > >   JinShan> installed, and the kernel is 2.4.18-e.47smp.
> > >
> > >   JinShan> I am not familiar with ia64 architecture, please help me,
> > >   JinShan> thanks.
> > >
> > > Hi JinShan,
> > >
> > > There is no need to copy the syscall table to a writable area.  On
> > > ia64, the kernel memory is writable (for the kernel) by default.  I
> > > think the problem in your code is due to the gp register not being
> > > setup properly before calling into the module.  Each module gets its
> > > own global-offset-table (GOT) so the gp needs to be loaded up before
> > > calling any of the module's C function.  However, the kernel assumes
> > > that all system calls are implemented in the kernel proper, so it
> > > bypasses the gp-loading that would normally happen when calling
> > > through a function-pointer.
> > >
> > > This can be fixed with a little stub which takes care of saving the
> > > old gp-value, loading the modules gp, calling the real function and,
> > > upon return, restoring the original gp-value.
> > >
> > > I think something like this might work:
> > >
> > >         .proc new_time_stub
> > > new_time_stub:
> > >         .prologue
> > >         .regstk 2, 3, 2, 0
> > >         .save ar.pfs, loc1
> > >         alloc loc1 = ar.pfs, 2, 3, 2, 0
> > >         movl r2 = @gprel(zero);;
> > >         .save rp, loc0
> > >         mov loc0 = rp
> > >         mov loc2 = gp
> > >         sub gp = r0, r2
> > >         mov out0 = in0
> > >         mov out1 = in1
> > >         br.call.sptk.many rp = new_time
> > > 1:      mov rp = loc0
> > >         mov ar.pfs = loc1
> > >         mov gp = loc2
> > >         br.ret.sptk.many rp
> > >         .endp
> > >
> > > Here, "zero" needs to be a symbol that the linker resolves to 0.  You
> > > can define "zero" either via a linker script or by passing the linker
> > > the option "--defsym zero=0".  It may not be the most elegant way to
> > > get the GP value, but it ought to work both on 2.4 and 2.6 (which use
> > > different module loaders).
> > >
> > > Having said that, two caveats:
> > >
> > >  - In 2.6, sys_call_table is no longer exported, so your code can't
> > >    work (and that's intentional, see below).
> >
> > I always put the sys_call_table address as a module parameter into
> > kernel in version above 2.4.20, hehe. Ugly?
> >
> > >
> > >  - Kernel developers generally frown on modules that try to intercept
> > >    syscalls.  For one thing, it's potentially racy in an SMP
> > >    environment and for another, it's questionable whether it's even
> > >    legal to do so, at least if the module is proprietary (not offering
> > >    a legal opinion here, just raising a potential red flag).
> >
> > Nod. I am very happy to export our kernel module source code under GPL license.
> >
> > >
> > > On a related topic, you may find it easier to develop such code with
> > > the Ski simulator [1].  It's very easy to setup and would let you
> > > single-step through the code in question, so you can see exactly
> > > what's going on.
> > >
> > >         --david
> > >
> > > [1] http://www.hpl.hp.com/research/linux/ski/
> > >
> >
>

Re: About intercepting linux system call

[David Mosberger]

>>>>> On Fri, 28 Jan 2005 10:04:33 +0800, JinShan Xiong <jinshan.xiong@gmail.com> said:

  JinShan> Hi David, I don't know how to use the stub code, I have
  JinShan> tried to copy it to overload sys_gettimeofday(), like this,

  JinShan>  memcpy(sys_call_table[__NR_gettimeofday - 1024],
  JinShan> new_time_stub, 32),

  JinShan> it crashed the kenrel also.

  JinShan> Please help me!

sys_call_table[__NR_gettimeofday - 1024] would have to be set to the
entry-point of new_time_stub.  If you declare new_time_stub as a
function, you'd have to do this like so:

	extern void new_time_stub (whatever...);
	struct fptr { void *ip, void *gp };

	sys_call_table[__NR_gettimeofday - 1024] 		((struct fptr *) &new_time_stub)->ip;

  --david

Re: About intercepting linux system call

[JinShan Xiong]

Hi David,

Thanks for your help. I can intercept the time function now.

But the kernel crashed when I tried to de-install the module. I
declared the old_time as:

static unsigned long old_time;

and in init_module:

old_time = sys_call_table[__NR_gettimeofday - 1024];
....

and then in cleanup_module:

sys_call_table[__NR_gettimeofday - 1024] = old_time.

Why can't it work?

And I tried to declare the old_time as a function pointer and restore
the syscall entry like:

sys_call_table[__NR_gettimeofday - 1024] = ((struct fptr *)&old_time)->ip;

it can't work too.

Regards,
JinShan


On Thu, 27 Jan 2005 18:10:36 -0800, David Mosberger
<davidm@napali.hpl.hp.com> wrote:
> >>>>> On Fri, 28 Jan 2005 10:04:33 +0800, JinShan Xiong <jinshan.xiong@gmail.com> said:
> 
>   JinShan> Hi David, I don't know how to use the stub code, I have
>   JinShan> tried to copy it to overload sys_gettimeofday(), like this,
> 
>   JinShan>  memcpy(sys_call_table[__NR_gettimeofday - 1024],
>   JinShan> new_time_stub, 32),
> 
>   JinShan> it crashed the kenrel also.
> 
>   JinShan> Please help me!
> 
> sys_call_table[__NR_gettimeofday - 1024] would have to be set to the
> entry-point of new_time_stub.  If you declare new_time_stub as a
> function, you'd have to do this like so:
> 
>         extern void new_time_stub (whatever...);
>         struct fptr { void *ip, void *gp };
> 
>         sys_call_table[__NR_gettimeofday - 1024] >                 ((struct fptr *) &new_time_stub)->ip;
> 
>   --david
> 
>