Forums: Help (Thread #43214)

Get Security_hook_heads address errors (2020-11-10 15:39 by hello_sir #86137)

Hello, everybody:
I recently encountered a problem; the details are as follows:

System information:
root@greatwall-os:~# uname -a
Linux greatwall-os 4.4.131-20200115.kylin.desktop-generic #kylin SMP Wed Jan 15 09:20:22 CST 2020 aarch64 aarch64 aarch64 GNU/Linux
root@greatwall-os:~#

Code segment:
    /* Guess "struct security_hook_heads security_hook_heads;". */
    cp = probe_find_variable(probe_security_bprm_committed_creds,
                             ((unsigned long)
                              &probe_dummy_security_hook_heads) + offset,
                             " security_bprm_committed_creds\n");
    if (!cp) {
        printk(KERN_ERR
               "Can't resolve security_bprm_committed_creds().\n");
        return NULL;
    }
    printk(KERN_ERR
           "Success security_bprm_committed_creds().\n");
    /* This should be "struct security_hook_heads security_hook_heads;". */
    shh = ((void *) (*(unsigned long *) cp)) - offset;
    printk(KERN_ERR "security_hook_heads is 0x%lx\n",
           (unsigned long) shh);

Output information:
Success security_bprm_committed_creds().
security_hook_heads is 0xffffffc00238f000

But the system shows as follows:
root@greatwall-os:~# cat /boot/System.map-4.4.131-20200115.kylin.desktop-generic |grep security_hook_heads
ffffffc00238f480 D security_hook_heads
root@greatwall-os:~#

I think it may be a calculation error in the probe_security_hook_heads_on_arm64 function.

Re: Get Security_hook_heads address errors (2020-11-10 19:04 by kumaneko #86140)

> I think it may be a calculation error in the probe_security_hook_heads_on_arm64 function.

Please paste here the disassembly of the security_bprm_committed_creds() function obtained by "objdump -D security/security.o",
as in https://osdn.net/projects/akari/forums/24174/42967/#forum-message-85814 .
Reply to #86137

Re: Get Security_hook_heads address errors (2020-11-10 20:12 by hello_sir #86141)

Reply To Message #86140
> Please paste here the disassembly of the security_bprm_committed_creds() function obtained by "objdump -D security/security.o",
> as in https://osdn.net/projects/akari/forums/24174/42967/#forum-message-85814 .

00000000000024b8 <security_bprm_committed_creds>:
24b8: a9bd7bfd stp x29, x30, [sp,#-48]!
24bc: 910003fd mov x29, sp
24c0: a90153f3 stp x19, x20, [sp,#16]
24c4: f90013f5 str x21, [sp,#32]
24c8: aa0003f5 mov x21, x0
24cc: aa1e03e0 mov x0, x30
24d0: 94000000 bl 0 <_mcount>
24d4: 90000000 adrp x0, 0 <security_sb_copy_data>
24d8: 91000000 add x0, x0, #0x0
24dc: 91048014 add x20, x0, #0x120
24e0: f9409013 ldr x19, [x0,#288]
24e4: eb14027f cmp x19, x20
24e8: 540000e0 b.eq 2504 <security_bprm_committed_creds+0x4c>
24ec: f9400e61 ldr x1, [x19,#24]
24f0: aa1503e0 mov x0, x21
24f4: d63f0020 blr x1
24f8: f9400273 ldr x19, [x19]
24fc: eb14027f cmp x19, x20
2500: 54ffff61 b.ne 24ec <security_bprm_committed_creds+0x34>
2504: a94153f3 ldp x19, x20, [sp,#16]
2508: f94013f5 ldr x21, [sp,#32]
250c: a8c37bfd ldp x29, x30, [sp],#48
2510: d65f03c0 ret
2514: d503201f nop

Reply to #86140

Re: Get Security_hook_heads address errors (2020-11-10 21:02 by kumaneko #86142)

OK. Your binary has the

adrp Xd, #imm21
add x0, x0, #0x0
add Xd, Xn, #uimm12

sequence. The "x0 = x0 + 0x0;" instruction caused the "x20 = x0 + 0x480;" instruction to be ignored. Please try the diff shown below.

--- akari/probe.c
+++ akari/probe.c
@@ -257,6 +257,14 @@
if (offset & 0x100000000UL)
offset |= 0xFFFFFFFF00000000UL;
tmp += offset;
+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*ip == 0x91000000 &&
+ (*(ip + 1) & 0xFFC00000) != 0x91000000) {
+ ip++;
+ i++;
+ }
offset = (*(ip + 1) >> 10) & 0xFFF;
tmp += offset;
/*
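Review bot: the test is inverted relative to its own comment: the comment says to skip "add x0, x0, #0x0" when the next word is "add Xd, Xn, #uimm12", but `!= 0x91000000` skips when it is not. The index is also off by one: the unchanged line `offset = (*(ip + 1) >> 10) & 0xFFF;` shows that `ip` still points at the adrp word, so the zero add would be `*(ip + 1)` and the add that follows it `*(ip + 2)`.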
Reply to #86141

Re: Get Security_hook_heads address errors (2020-11-10 21:25 by hello_sir #86143)

Reply To Message #86142

The error is still there.

Reply to #86142

Re: Get Security_hook_heads address errors (2020-11-10 22:44 by kumaneko #86144)

Oops. I meant "==" rather than "!=".

--- akari/probe.c
+++ akari/probe.c
@@ -257,6 +257,14 @@
if (offset & 0x100000000UL)
offset |= 0xFFFFFFFF00000000UL;
tmp += offset;
+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*ip == 0x91000000 &&
+ (*(ip + 1) & 0xFFC00000) == 0x91000000) {
+ ip++;
+ i++;
+ }
offset = (*(ip + 1) >> 10) & 0xFFF;
tmp += offset;
/*
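Review bot: with `==` the comparison now agrees with the comment, but `*ip` is still the adrp word (the unchanged `offset = (*(ip + 1) >> 10) & 0xFFF;` below reads the add immediate from `ip + 1`), so `*ip == 0x91000000` cannot be true at this point and the skip never fires; compare `*(ip + 1)` and `*(ip + 2)` instead.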

Reply to #86143

Re: Get Security_hook_heads address errors (2020-11-10 22:47 by kumaneko #86145)

Sorry again. Off-by-one.

--- akari/probe.c
+++ akari/probe.c
@@ -257,6 +257,14 @@
if (offset & 0x100000000UL)
offset |= 0xFFFFFFFF00000000UL;
tmp += offset;
+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*(ip + 1)== 0x91000000 &&
+ (*(ip + 2) & 0xFFC00000) == 0x91000000) {
+ ip++;
+ i++;
+ }
offset = (*(ip + 1) >> 10) & 0xFFF;
tmp += offset;
/*
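Review bot: the exact compare `*(ip + 1) == 0x91000000` also pins Rd and Rn to x0 and the immediate to 0, so it misses `add x0, x1, #0x0` (0x91000020 in the later listing in this thread), and in the linked kernel the :lo12: relocation fills that immediate with the low 12 bits of security_hook_heads (0x480 per the System.map above) rather than 0. Masking the register fields, e.g. `(*(ip + 1) & 0xFFFFFC00) == 0x91000000` for "add Xd, Xn, #0", would cover the register variant but not the relocated immediate, and the later listing also interleaves `mov x29, sp` and `stp` between the adds, so any fixed `ip + 1`/`ip + 2` position stays fragile. Style nit: a space is missing before `==` in `*(ip + 1)== 0x91000000`.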
Reply to #86144

Re: Get Security_hook_heads address errors (2020-11-11 10:48 by hello_sir #86147)

Reply To Message #86145
Did not enter to perform.

Code segment:
if (*(ip + 1)== 0x91000000 &&
(*(ip + 2) & 0xFFC00000) == 0x91000000) {
ip++;
i++;
}
And
if (*ip == 0x91000000 &&
(*(ip + 1) & 0xFFC00000) != 0x91000000) {
ip++;
i++;
}
Reply to #86145

Re: Get Security_hook_heads address errors (2020-11-11 16:14 by kumaneko #86151)

> Did not enter to perform.

Excuse me, but I couldn't interpret your response.

Please revert

+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*ip == 0x91000000 &&
+ (*(ip + 1) & 0xFFC00000) != 0x91000000) {
+ ip++;
+ i++;
+ }

and

+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*ip == 0x91000000 &&
+ (*(ip + 1) & 0xFFC00000) == 0x91000000) {
+ ip++;
+ i++;
+ }

if you applied them (because I found that these diffs are wrong).

Please try

+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*(ip + 1) == 0x91000000 &&
+ (*(ip + 2) & 0xFFC00000) == 0x91000000) {
+ ip++;
+ i++;
+ }

if you haven't applied.
Reply to #86147

Re: Get Security_hook_heads address errors (2020-11-11 17:19 by hello_sir #86152)

Oh my god, I recompiled the security/security.o file.

0000000000002270 <security_bprm_committed_creds>:
2270: a9bd7bfd stp x29, x30, [sp,#-48]!
2274: 90000001 adrp x1, 0 <security_sb_copy_data>
2278: 910003fd mov x29, sp
227c: f90013f5 str x21, [sp,#32]
2280: aa0003f5 mov x21, x0
2284: 91000020 add x0, x1, #0x0
2288: a90153f3 stp x19, x20, [sp,#16]
228c: 91048014 add x20, x0, #0x120
2290: f9409013 ldr x19, [x0,#288]
2294: eb14027f cmp x19, x20
2298: 540000e0 b.eq 22b4 <security_bprm_committed_creds+0x44>
229c: f9400e61 ldr x1, [x19,#24]
22a0: aa1503e0 mov x0, x21
22a4: d63f0020 blr x1
22a8: f9400273 ldr x19, [x19]
22ac: eb14027f cmp x19, x20
22b0: 54ffff61 b.ne 229c <security_bprm_committed_creds+0x2c>
22b4: a94153f3 ldp x19, x20, [sp,#16]
22b8: f94013f5 ldr x21, [sp,#32]
22bc: a8c37bfd ldp x29, x30, [sp],#48
22c0: d65f03c0 ret
22c4: d503201f nop
Reply to #86151

Re: Get Security_hook_heads address errors (2020-11-12 11:06 by hello_sir #86153)

Reply To Message #86152
> Oh my god, I recompiled the security/security.o file.
>
> 0000000000002270 <security_bprm_committed_creds>:
> 2270: a9bd7bfd stp x29, x30, [sp,#-48]!
> 2274: 90000001 adrp x1, 0 <security_sb_copy_data>
> 2278: 910003fd mov x29, sp
> 227c: f90013f5 str x21, [sp,#32]
> 2280: aa0003f5 mov x21, x0
> 2284: 91000020 add x0, x1, #0x0
> 2288: a90153f3 stp x19, x20, [sp,#16]
> 228c: 91048014 add x20, x0, #0x120
> 2290: f9409013 ldr x19, [x0,#288]
> 2294: eb14027f cmp x19, x20
> 2298: 540000e0 b.eq 22b4 <security_bprm_committed_creds+0x44>
> 229c: f9400e61 ldr x1, [x19,#24]
> 22a0: aa1503e0 mov x0, x21
> 22a4: d63f0020 blr x1
> 22a8: f9400273 ldr x19, [x19]
> 22ac: eb14027f cmp x19, x20
> 22b0: 54ffff61 b.ne 229c <security_bprm_committed_creds+0x2c>
> 22b4: a94153f3 ldp x19, x20, [sp,#16]
> 22b8: f94013f5 ldr x21, [sp,#32]
> 22bc: a8c37bfd ldp x29, x30, [sp],#48
> 22c0: d65f03c0 ret
> 22c4: d503201f nop

The following logic is useless:
+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*(ip + 1) == 0x91000000 &&
+ (*(ip + 2) & 0xFFC00000) == 0x91000000) {
+ ip++;
+ i++;
+ }
Reply to #86152
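Added example, not code from AKARI's probe.c or from anyone in this thread: a small register-tracking decoder that follows the adrp result through whichever registers the compiler picked, so the `add x0, x1, #0x0` form and the interleaved `mov x29, sp`/`stp` words in the second listing are handled without positional ip+1/ip+2 checks. The instruction words are taken from the two objdump listings above; PC_LINKED and the relocated `linked` sequence are constructed assumptions, with 0x480 taken from the System.map in the first post.

```c
#include <stdint.h>
#include <stddef.h>

/* Recover the absolute address built by "adrp Xd, page ; add Xn, Xd, #lo12 ;
 * add Xm, Xn, #member" by tracking which register holds the adrp result,
 * instead of assuming the adds sit at ip+1 and ip+2.  Only adrp and
 * add-immediate are interpreted, every other word is skipped, so this is
 * deliberately not a complete ARM64 decoder.  pc is the address of insn[0].
 * Returns the value produced by the last add of the chain, or 0 if none. */
static uint64_t adrp_add_chain(const uint32_t *insn, size_t n, uint64_t pc)
{
    uint64_t val[32] = {0}, result = 0;
    uint32_t live = 0;                  /* bit r set: val[r] derives from the adrp */
    size_t i;

    for (i = 0; i < n; i++) {
        uint32_t w = insn[i], rd = w & 0x1Fu, rn = (w >> 5) & 0x1Fu;

        if ((w & 0x9F000000u) == 0x90000000u) {           /* adrp Xd, #imm21 */
            int64_t page = (int64_t)((((w >> 5) & 0x7FFFFu) << 2) | ((w >> 29) & 3u));
            if (page & 0x100000)
                page -= 0x200000;                          /* sign-extend 21 bits */
            val[rd] = ((pc + 4 * i) & ~0xFFFull) + ((uint64_t)page << 12);
            live = 1u << rd;                               /* a new chain starts here */
        } else if ((w & 0xFFC00000u) == 0x91000000u && (live & (1u << rn))) {
            val[rd] = val[rn] + ((w >> 10) & 0xFFFu);      /* add Xd, Xn, #uimm12 */
            live |= 1u << rd;
            result = val[rd];
        } else if (w == 0xD65F03C0u) {                     /* ret: end of function */
            break;
        }
    }
    return result;
}

/* Constructed from the two objdump listings in this thread.  Both are unrelocated
 * (adrp and lo12 immediates still 0), so only the 0x120 member offset survives. */
static const uint32_t obj_first[] = { 0x90000000u, 0x91000000u, 0x91048014u };
static const uint32_t obj_second[] = { 0xa9bd7bfdu, 0x90000001u, 0x910003fdu, 0xf90013f5u,
    0xaa0003f5u, 0x91000020u, 0xa90153f3u, 0x91048014u, 0xf9409013u };
/* Constructed linked form at a made-up pc: adrp x1 to page +0x21f, lo12 0x480 (the
 * low bits of security_hook_heads in the System.map above), then the 0x120 add. */
#define PC_LINKED 0xffffffc002170000ull
static const uint32_t linked[] = { 0xa9bd7bfdu, 0xF00010E1u, 0x910003fdu, 0x91120020u,
    0x91048014u, 0xd65f03c0u };
```

For the linked sequence the chain yields &security_hook_heads.bprm_committed_creds, and subtracting the 0x120 member offset gives 0xffffffc00238f480, the System.map value.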

Re: Get Security_hook_heads address errors (2020-11-16 06:06 by hello_sir #86168)

Is there any solution?

objdump -D security/security.o
> > 0000000000002270 <security_bprm_committed_creds>:
> > 2270: a9bd7bfd stp x29, x30, [sp,#-48]!
> > 2274: 90000001 adrp x1, 0 <security_sb_copy_data>
> > 2278: 910003fd mov x29, sp
> > 227c: f90013f5 str x21, [sp,#32]
> > 2280: aa0003f5 mov x21, x0
> > 2284: 91000020 add x0, x1, #0x0
> > 2288: a90153f3 stp x19, x20, [sp,#16]
> > 228c: 91048014 add x20, x0, #0x120
> > 2290: f9409013 ldr x19, [x0,#288]
> > 2294: eb14027f cmp x19, x20
> > 2298: 540000e0 b.eq 22b4 <security_bprm_committed_creds+0x44>
> > 229c: f9400e61 ldr x1, [x19,#24]
> > 22a0: aa1503e0 mov x0, x21
> > 22a4: d63f0020 blr x1
> > 22a8: f9400273 ldr x19, [x19]
> > 22ac: eb14027f cmp x19, x20
> > 22b0: 54ffff61 b.ne 229c <security_bprm_committed_creds+0x2c>
> > 22b4: a94153f3 ldp x19, x20, [sp,#16]
> > 22b8: f94013f5 ldr x21, [sp,#32]
> > 22bc: a8c37bfd ldp x29, x30, [sp],#48
> > 22c0: d65f03c0 ret
> > 22c4: d503201f nop

Reply to #86153

Re: Get Security_hook_heads address errors (2020-11-16 20:22 by kumaneko #86175)

> Is there any solution?

No solution, because embedding a complete ARM64 decoder would be too much. I might have to prepare an ARM64 environment for debugging.

I found a higher-priority problem: /proc/kallsyms is no longer readable from the kernel using kernel_read() in Linux 5.10.
This change affects all architectures. If there is no answer to this problem, we might need to give up automatic guessing of kernel functions.

> Oh my god, I recompiled the security/security.o file.

Can you examine why you got different byte sequences by recompiling?
Using the same compiler version, the same kernel source and the same kernel config should result in the same byte sequences.
Reply to #86168

Re: Get Security_hook_heads address errors (2020-11-25 19:45 by kumaneko #86215)

Since I found an answer to the /proc/kallsyms problem, I can come back to your ARM64 problem.

Were you able to figure out why your byte sequence changed on recompilation?
Reply to #86175