trinity and ioctls

trinity and ioctls

[Jann Horn]

[-- Attachment #1: Type: text/plain, Size: 2348 bytes --]

Hello,
I had a relatively quick look at trinity. It seems to me that it currently
only has support for a few ioctls, right?

I am thinking about how hard it would be to automatically determine ioctls
for arbitrary devices. I coded a little PoC:

http://git.thejh.net/?p=moctel.git;a=summary

Run "make", load the kernel module. Then determine the ioctl handler's name
for a given device or so like this:

$ sudo ./show_ioctl /dev/xconsole
pipe_ioctl
$ sudo ./show_ioctl /dev/kvm
kvm_dev_ioctl
$ sudo ./show_ioctl /dev/fuse

$ sudo ./show_ioctl /dev/btrfs-control 
btrfs_control_ioctl
$ sudo ./show_ioctl /root
ext4_ioctl

So far, it is fairly straightforward. Knowing the handler method's name, you
could then try to find the valid ioctls under the assumption that some generic
patterns are followed:

$ grep -R -n '^[^ ].*btrfs_control_ioctl' fs | grep '\.c:[0-9]*:\S'
fs/btrfs/super.c:1477:static long btrfs_control_ioctl(struct file *file, unsigned int cmd,
$ tail -n +1477 fs/btrfs/super.c | grep -n '^}' | head -n 1
31:}
$ tail -n +1477 fs/btrfs/super.c | head -n 31 | grep 'case .*:' | sed 's|^.*case \(.*\):$|\1|g'
BTRFS_IOC_SCAN_DEV
BTRFS_IOC_DEVICES_READY
$ cat fs/btrfs/super.c > /tmp/a.c
$ echo 'int main(void){printf("%x %x\n", (unsigned)BTRFS_IOC_SCAN_DEV, (unsigned)BTRFS_IOC_DEVICES_READY);}' >> /tmp/a.c
$ gcc -nostdinc -I arch/x86/include -I arch/x86/include/asm -I arch/x86/include/generated -I include -D __KERNEL__ -D CONFIG_X86_X32_ABI -D CONFIG_AS_CFI=1 -D CONFIG_AS_CFI_SIGNAL_FRAME=1 -D CONFIG_AS_CFI_SECTIONS=1 -D CONFIG_AS_FXSAVEQ=1 -D CONFIG_AS_AVX=1 -D CC_HAVE_ASM_GOTO -D 'KBUILD_STR(s)=#s' -D KBUILD_BASENAME='KBUILD_STR(calibrate)' -D KBUILD_MODNAME='KBUILD_STR(calibrate)' -isystem /usr/lib/gcc/x86_64-linux-gnu/4.7/include -include include/linux/kconfig.h -I fs/btrfs/ /tmp/a.c -o /tmp/a -Wl,--unresolved-symbols=ignore-all
/tmp/a.c: In function ‘main’:
/tmp/a.c:1673:16: warning: incompatible implicit declaration of built-in function ‘printf’ [enabled by default]
$ /tmp/a
50009404 90009427

Obviously, this won't always work because it heavily relies on assumptions and
conventions, but maybe it would be possible to automatically extract valid
ioctls from the kernel source this way at least in some cases?

What do you think, is this a good idea?

Jann

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: trinity and ioctls

[Jann Horn]

[-- Attachment #1: Type: text/plain, Size: 1289 bytes --]

On Sun, May 19, 2013 at 02:47:25PM +0200, Jann Horn wrote:
> I am thinking about how hard it would be to automatically determine ioctls
> for arbitrary devices. I coded a little PoC:
> 
> http://git.thejh.net/?p=moctel.git;a=summary
> 
> Run "make", load the kernel module. Then determine the ioctl handler's name
> for a given device or so like this:
> 
> $ sudo ./show_ioctl /dev/xconsole
> pipe_ioctl
> $ sudo ./show_ioctl /dev/kvm
> kvm_dev_ioctl
> $ sudo ./show_ioctl /dev/fuse
> 
> $ sudo ./show_ioctl /dev/btrfs-control 
> btrfs_control_ioctl
> $ sudo ./show_ioctl /root
> ext4_ioctl
> 
> So far, it is fairly straightforward. Knowing the handler method's name, you
> could then try to find the valid ioctls under the assumption that some generic
> patterns are followed:

I added some code. Listing the ioctl names for a given device:

$ ./get_ioctl_names.sh /home/jann/software/linux-3.6.7 method_list "$(sudo ./show_ioctl /dev/vhost-net)"
[...]
ioctls found: VHOST_NET_SET_BACKEND VHOST_GET_FEATURES VHOST_SET_FEATURES VHOST_RESET_OWNER

This requires you to have a file method_list containing all the methods in your
kernel source ordered by file. You can generate it like this:

$ ./gen_method_list /home/jann/software/linux-3.6.7 method_list

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]