* trinity and ioctls
@ 2013-05-19 12:47 Jann Horn
From: Jann Horn @ 2013-05-19 12:47 UTC (permalink / raw)
  To: trinity
Hello,
I had a relatively quick look at trinity. It seems to me that it currently
only has support for a few ioctls, right?
I am thinking about how hard it would be to automatically determine ioctls
for arbitrary devices. I coded a little PoC:
http://git.thejh.net/?p=moctel.git;a=summary
Run "make", load the kernel module. Then determine the ioctl handler's name
for a given device or so like this:
$ sudo ./show_ioctl /dev/xconsole
pipe_ioctl
$ sudo ./show_ioctl /dev/kvm
kvm_dev_ioctl
$ sudo ./show_ioctl /dev/fuse
$ sudo ./show_ioctl /dev/btrfs-control 
btrfs_control_ioctl
$ sudo ./show_ioctl /root
ext4_ioctl
So far, it is fairly straightforward. Knowing the handler method's name, you
could then try to find the valid ioctls under the assumption that some generic
patterns are followed:
$ grep -R -n '^[^ ].*btrfs_control_ioctl' fs | grep '\.c:[0-9]*:\S'
fs/btrfs/super.c:1477:static long btrfs_control_ioctl(struct file *file, unsigned int cmd,
$ tail -n +1477 fs/btrfs/super.c | grep -n '^}' | head -n 1
31:}
$ tail -n +1477 fs/btrfs/super.c | head -n 31 | grep 'case .*:' | sed 's|^.*case \(.*\):$|\1|g'
BTRFS_IOC_SCAN_DEV
BTRFS_IOC_DEVICES_READY
$ cat fs/btrfs/super.c > /tmp/a.c
$ echo 'int main(void){printf("%x %x\n", (unsigned)BTRFS_IOC_SCAN_DEV, (unsigned)BTRFS_IOC_DEVICES_READY);}' >> /tmp/a.c
$ gcc -nostdinc -I arch/x86/include -I arch/x86/include/asm -I arch/x86/include/generated -I include -D __KERNEL__ -D CONFIG_X86_X32_ABI -D CONFIG_AS_CFI=1 -D CONFIG_AS_CFI_SIGNAL_FRAME=1 -D CONFIG_AS_CFI_SECTIONS=1 -D CONFIG_AS_FXSAVEQ=1 -D CONFIG_AS_AVX=1 -D CC_HAVE_ASM_GOTO -D 'KBUILD_STR(s)=#s' -D KBUILD_BASENAME='KBUILD_STR(calibrate)' -D KBUILD_MODNAME='KBUILD_STR(calibrate)' -isystem /usr/lib/gcc/x86_64-linux-gnu/4.7/include -include include/linux/kconfig.h -I fs/btrfs/ /tmp/a.c -o /tmp/a -Wl,--unresolved-symbols=ignore-all
/tmp/a.c: In function ‘main’:
/tmp/a.c:1673:16: warning: incompatible implicit declaration of built-in function ‘printf’ [enabled by default]
$ /tmp/a
50009404 90009427
Obviously, this won't always work because it heavily relies on assumptions and
conventions, but maybe it would be possible to automatically extract valid
ioctls from the kernel source this way at least in some cases?
What do you think, is this a good idea?
Jann
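As an added example (not Jann's moctel code and not from the thread), the label-extraction and number-evaluation steps of the shell pipeline above in one Python script: it brace-matches the handler body instead of grepping for the first `^}`, and evaluates the `_IOW`/`_IOR` macros with the x86 `asm-generic/ioctl.h` bit layout instead of compiling against the kernel tree. The btrfs source and header excerpts are constructed, and the 4096-byte size of `struct btrfs_ioctl_vol_args` is assumed.

```python
import re

# Linux ioctl number layout on x86 (asm-generic/ioctl.h): nr 8 bits, type 8, size 14, dir 2.
# Assumed from the generic header, not from the thread; a few arches use a different layout.
_IOC_TYPESHIFT, _IOC_SIZESHIFT, _IOC_DIRSHIFT = 8, 16, 30
DIRS = {"_IO": 0, "_IOW": 1, "_IOR": 2, "_IOWR": 3}  # _IOC_NONE, _IOC_WRITE, _IOC_READ, both

def handler_cases(source, handler):
    """Case labels inside the body of `handler`, found by brace matching rather than grep '^}'."""
    m = re.search(r"\b%s\s*\([^;{]*\)\s*\{" % re.escape(handler), source)
    if not m:
        return []
    depth, i = 1, m.end()
    while i < len(source) and depth:  # naive: braces inside comments or strings are not skipped
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return re.findall(r"\bcase\s+([A-Za-z_]\w*)\s*:", source[m.end():i])

def ioctl_number(header, name, struct_sizes):
    """Evaluate the _IO/_IOR/_IOW/_IOWR #define for `name` to its numeric cmd value."""
    m = re.search(r"#define\s+%s\s+(_IOW?R?)\s*\(\s*(\w+)\s*,\s*(\w+)\s*(?:,\s*(?:struct\s+)?(\w+))?\s*\)"
                  % re.escape(name), header)
    if not m:
        return None
    macro, magic, nr, arg = m.groups()
    # Resolve a literal or a one-level #define (e.g. BTRFS_IOCTL_MAGIC 0x94) to an int.
    const = lambda t: int(t, 0) if t[0].isdigit() else int(re.search(r"#define\s+%s\s+(\w+)" % t, header).group(1), 0)
    size = 0 if arg is None else struct_sizes[arg]  # sizeof(struct ...), supplied by the caller
    return (DIRS[macro] << _IOC_DIRSHIFT) | (size << _IOC_SIZESHIFT) | (const(magic) << _IOC_TYPESHIFT) | const(nr)
def extract(source, header, handler, struct_sizes):
    return {n: ioctl_number(header, n, struct_sizes) for n in handler_cases(source, handler)}
# Constructed inputs modelled on fs/btrfs/super.c and the btrfs uapi header; not copied from a kernel tree.
SAMPLE_SOURCE = """static long btrfs_control_ioctl(struct file *file, unsigned int cmd,
                                unsigned long arg)
{
        if (!capable(CAP_SYS_ADMIN))
                return -EPERM;
        switch (cmd) {
        case BTRFS_IOC_SCAN_DEV: return btrfs_scan_one_device(arg);
        case BTRFS_IOC_DEVICES_READY: return 0;
        }
        return -ENOTTY;
}"""
SAMPLE_HEADER = """#define BTRFS_IOCTL_MAGIC 0x94
#define BTRFS_IOC_SCAN_DEV _IOW(BTRFS_IOCTL_MAGIC, 4, struct btrfs_ioctl_vol_args)
#define BTRFS_IOC_DEVICES_READY _IOR(BTRFS_IOCTL_MAGIC, 39, struct btrfs_ioctl_vol_args)"""
STRUCT_SIZES = {"btrfs_ioctl_vol_args": 4096}  # sizeof on x86-64 (assumed)
if __name__ == "__main__":
    for name, val in extract(SAMPLE_SOURCE, SAMPLE_HEADER, "btrfs_control_ioctl", STRUCT_SIZES).items():
        print("%-24s 0x%08x" % (name, val))  # prints 0x50009404 and 0x90009427, matching the thread
```

Against a real tree the header string would be the uapi header's text and the struct sizes would still have to come from the compiler (or from the `/tmp/a` trick above), so the numeric step is only as good as the sizes you feed it.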
* Re: trinity and ioctls
From: Jann Horn @ 2013-05-19 18:36 UTC (permalink / raw)
  To: trinity
On Sun, May 19, 2013 at 02:47:25PM +0200, Jann Horn wrote:
> I am thinking about how hard it would be to automatically determine ioctls
> for arbitrary devices. I coded a little PoC:
> 
> http://git.thejh.net/?p=moctel.git;a=summary
> 
> Run "make", load the kernel module. Then determine the ioctl handler's name
> for a given device or so like this:
> 
> $ sudo ./show_ioctl /dev/xconsole
> pipe_ioctl
> $ sudo ./show_ioctl /dev/kvm
> kvm_dev_ioctl
> $ sudo ./show_ioctl /dev/fuse
> 
> $ sudo ./show_ioctl /dev/btrfs-control 
> btrfs_control_ioctl
> $ sudo ./show_ioctl /root
> ext4_ioctl
> 
> So far, it is fairly straightforward. Knowing the handler method's name, you
> could then try to find the valid ioctls under the assumption that some generic
> patterns are followed:
I added some code. Listing the ioctl names for a given device:
$ ./get_ioctl_names.sh /home/jann/software/linux-3.6.7 method_list "$(sudo ./show_ioctl /dev/vhost-net)"
[...]
ioctls found: VHOST_NET_SET_BACKEND VHOST_GET_FEATURES VHOST_SET_FEATURES VHOST_RESET_OWNER
This requires you to have a file method_list containing all the methods in your
kernel source ordered by file. You can generate it like this:
$ ./gen_method_list /home/jann/software/linux-3.6.7 method_list