Forum: Help Forum (Thread #43214)

Get Security_hook_heads address errors (2020-11-10 15:39 by hello_sir #86137)

Hello, everybody:
I recently ran into a problem; the details are as follows:

System information:
root@greatwall-os:~# uname -a
Linux greatwall-os 4.4.131-20200115.kylin.desktop-generic #kylin SMP Wed Jan 15 09:20:22 CST 2020 aarch64 aarch64 aarch64 GNU/Linux
root@greatwall-os:~#

Code segment:
    /* Guess "struct security_hook_heads security_hook_heads;". */
    cp = probe_find_variable(probe_security_bprm_committed_creds,
                             ((unsigned long)
                              &probe_dummy_security_hook_heads) + offset,
                             " security_bprm_committed_creds\n");
    if (!cp) {
        printk(KERN_ERR
               "Can't resolve security_bprm_committed_creds().\n");
        return NULL;
    }
    printk(KERN_ERR
           "Success security_bprm_committed_creds().\n");
    /* This should be "struct security_hook_heads security_hook_heads;". */
    shh = ((void *) (*(unsigned long *) cp)) - offset;
    printk(KERN_ERR "security_hook_heads is 0x%lx\n",
           (unsigned long) shh);

Output information:
Success security_bprm_committed_creds().
security_hook_heads is 0xffffffc00238f000

But the system shows as follows:
root@greatwall-os:~# cat /boot/System.map-4.4.131-20200115.kylin.desktop-generic |grep security_hook_heads
ffffffc00238f480 D security_hook_heads
root@greatwall-os:~#

I think it may be a calculation error in the probe_security_hook_heads_on_arm64 function.

Re: Get Security_hook_heads address errors (2020-11-10 19:04 by kumaneko #86140)

> I think it may be a calculation error in the probe_security_hook_heads_on_arm64 function.

Please paste here the disassembly of the security_bprm_committed_creds() function obtained by "objdump -D security/security.o",
as in https://osdn.net/projects/akari/forums/24174/42967/#forum-message-85814 .
Reply to #86137

Re: Get Security_hook_heads address errors (2020-11-10 20:12 by hello_sir #86141)

Reply To Message #86140
> Please paste here the disassembly of the security_bprm_committed_creds() function obtained by "objdump -D security/security.o",
> as in https://osdn.net/projects/akari/forums/24174/42967/#forum-message-85814 .

00000000000024b8 <security_bprm_committed_creds>:
24b8: a9bd7bfd stp x29, x30, [sp,#-48]!
24bc: 910003fd mov x29, sp
24c0: a90153f3 stp x19, x20, [sp,#16]
24c4: f90013f5 str x21, [sp,#32]
24c8: aa0003f5 mov x21, x0
24cc: aa1e03e0 mov x0, x30
24d0: 94000000 bl 0 <_mcount>
24d4: 90000000 adrp x0, 0 <security_sb_copy_data>
24d8: 91000000 add x0, x0, #0x0
24dc: 91048014 add x20, x0, #0x120
24e0: f9409013 ldr x19, [x0,#288]
24e4: eb14027f cmp x19, x20
24e8: 540000e0 b.eq 2504 <security_bprm_committed_creds+0x4c>
24ec: f9400e61 ldr x1, [x19,#24]
24f0: aa1503e0 mov x0, x21
24f4: d63f0020 blr x1
24f8: f9400273 ldr x19, [x19]
24fc: eb14027f cmp x19, x20
2500: 54ffff61 b.ne 24ec <security_bprm_committed_creds+0x34>
2504: a94153f3 ldp x19, x20, [sp,#16]
2508: f94013f5 ldr x21, [sp,#32]
250c: a8c37bfd ldp x29, x30, [sp],#48
2510: d65f03c0 ret
2514: d503201f nop


Reply to #86140

Re: Get Security_hook_heads address errors (2020-11-10 21:02 by kumaneko #86142)

OK. Your binary has the

adrp Xd, #imm21
add x0, x0, #0x0
add Xd, Xn, #uimm12

sequence. The "x0 = x0 + 0x0;" instruction caused the "x20 = x0 + 0x480;" instruction to be ignored. Please try the diff shown below.

--- akari/probe.c
+++ akari/probe.c
@@ -257,6 +257,14 @@
if (offset & 0x100000000UL)
offset |= 0xFFFFFFFF00000000UL;
tmp += offset;
+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*ip == 0x91000000 &&
+ (*(ip + 1) & 0xFFC00000) != 0x91000000) {
+ ip++;
+ i++;
+ }
offset = (*(ip + 1) >> 10) & 0xFFF;
tmp += offset;
/*
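Review bot: the condition on the `+ (*(ip + 1) & 0xFFC00000) != 0x91000000` line inverts the comment above it: with `!=` the word is skipped only when the following instruction is *not* an ADD (immediate), so the case the comment describes, `add x0, x0, #0x0` followed by `add Xd, Xn, #uimm12`, is exactly the one that is never skipped; it should read `== 0x91000000`. The check is also applied to the wrong word: the unchanged line `offset = (*(ip + 1) >> 10) & 0xFFF;` takes the add's imm12 from `ip + 1`, so `ip` still points at the adrp here and the `add x0, x0, #0x0` to be skipped is `*(ip + 1)`, with the next add at `*(ip + 2)`.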
Reply to #86141

Re: Get Security_hook_heads address errors (2020-11-10 21:25 by hello_sir #86143)

Reply To Message #86142

Error is still

Reply to #86142

Re: Get Security_hook_heads address errors (2020-11-10 22:44 by kumaneko #86144)

Oops. I meant "==" rather than "!=".

--- akari/probe.c
+++ akari/probe.c
@@ -257,6 +257,14 @@
if (offset & 0x100000000UL)
offset |= 0xFFFFFFFF00000000UL;
tmp += offset;
+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*ip == 0x91000000 &&
+ (*(ip + 1) & 0xFFC00000) == 0x91000000) {
+ ip++;
+ i++;
+ }
offset = (*(ip + 1) >> 10) & 0xFFF;
tmp += offset;
/*
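Review bot: off-by-one in the new check. The unchanged line `offset = (*(ip + 1) >> 10) & 0xFFF;` reads the add's imm12 from `ip + 1`, so `ip` is the adrp, and `*ip == 0x91000000` can never be true: an adrp word has bits 28:24 equal to 10000 (0x90000000 pattern with bit 24 clear), while 0x91000000 has bit 24 set. Test `*(ip + 1) == 0x91000000` and `(*(ip + 2) & 0xFFC00000) == 0x91000000` instead; after the `ip++` the existing `*(ip + 1)` then picks up the real `add Xd, Xn, #uimm12`.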

Reply to #86143

Re: Get Security_hook_heads address errors (2020-11-10 22:47 by kumaneko #86145)

Sorry again. Off-by-one.

--- akari/probe.c
+++ akari/probe.c
@@ -257,6 +257,14 @@
if (offset & 0x100000000UL)
offset |= 0xFFFFFFFF00000000UL;
tmp += offset;
+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*(ip + 1)== 0x91000000 &&
+ (*(ip + 2) & 0xFFC00000) == 0x91000000) {
+ ip++;
+ i++;
+ }
offset = (*(ip + 1) >> 10) & 0xFFF;
tmp += offset;
/*
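Review bot: the exact compare `*(ip + 1)== 0x91000000` only matches `add x0, x0, #0` with Rd = Rn = x0 and imm12 = 0, and neither is guaranteed. The probe decodes the instruction words of the running kernel (the 0xffffffc00238f000 result above is computed at run time), where the R_AARCH64_ADD_ABS_LO12_NC relocation has already filled imm12 with the low 12 bits of the symbol (0x480, given `ffffffc00238f480 D security_hook_heads`), so the `#0x0` shown by `objdump -D security/security.o` is not what is in memory; and the compiler is free to use another base register, as the recompiled object later in this thread shows with `add x0, x1, #0x0` (0x91000020). Match the instruction class rather than the literal, `(*(ip + 1) & 0xFFC00000) == 0x91000000` with Rn equal to the adrp's Rd, and instead of skipping the first add, accumulate `(w >> 10) & 0xFFF` from every chained add. Style nit: missing space before `==` in `*(ip + 1)==`.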
Reply to #86144

Re: Get Security_hook_heads address errors (2020-11-11 10:48 by hello_sir #86147)

Reply To Message #86145
Did not enter to perform.

Code segment:
if (*(ip + 1)== 0x91000000 &&
(*(ip + 2) & 0xFFC00000) == 0x91000000) {
ip++;
i++;
}
And
if (*ip == 0x91000000 &&
(*(ip + 1) & 0xFFC00000) != 0x91000000) {
ip++;
i++;
}
Reply to #86145

Re: Get Security_hook_heads address errors (2020-11-11 16:14 by kumaneko #86151)

> Did not enter to perform.

Excuse me, but I couldn't interpret your response.

Please revert

+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*ip == 0x91000000 &&
+ (*(ip + 1) & 0xFFC00000) != 0x91000000) {
+ ip++;
+ i++;
+ }

and

+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*ip == 0x91000000 &&
+ (*(ip + 1) & 0xFFC00000) == 0x91000000) {
+ ip++;
+ i++;
+ }

if you applied them (because I found that these diffs are wrong).

Please try

+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*(ip + 1) == 0x91000000 &&
+ (*(ip + 2) & 0xFFC00000) == 0x91000000) {
+ ip++;
+ i++;
+ }

if you haven't applied.
Reply to #86147

Re: Get Security_hook_heads address errors (2020-11-11 17:19 by hello_sir #86152)

Oh my god, I recompiled the security/security.o file.

0000000000002270 <security_bprm_committed_creds>:
2270: a9bd7bfd stp x29, x30, [sp,#-48]!
2274: 90000001 adrp x1, 0 <security_sb_copy_data>
2278: 910003fd mov x29, sp
227c: f90013f5 str x21, [sp,#32]
2280: aa0003f5 mov x21, x0
2284: 91000020 add x0, x1, #0x0
2288: a90153f3 stp x19, x20, [sp,#16]
228c: 91048014 add x20, x0, #0x120
2290: f9409013 ldr x19, [x0,#288]
2294: eb14027f cmp x19, x20
2298: 540000e0 b.eq 22b4 <security_bprm_committed_creds+0x44>
229c: f9400e61 ldr x1, [x19,#24]
22a0: aa1503e0 mov x0, x21
22a4: d63f0020 blr x1
22a8: f9400273 ldr x19, [x19]
22ac: eb14027f cmp x19, x20
22b0: 54ffff61 b.ne 229c <security_bprm_committed_creds+0x2c>
22b4: a94153f3 ldp x19, x20, [sp,#16]
22b8: f94013f5 ldr x21, [sp,#32]
22bc: a8c37bfd ldp x29, x30, [sp],#48
22c0: d65f03c0 ret
22c4: d503201f nop
Reply to #86151

Re: Get Security_hook_heads address errors (2020-11-12 11:06 by hello_sir #86153)

Reply To Message #86152
> Oh my god, I recompiled the security/security.o file.
>
> 0000000000002270 <security_bprm_committed_creds>:
> 2270: a9bd7bfd stp x29, x30, [sp,#-48]!
> 2274: 90000001 adrp x1, 0 <security_sb_copy_data>
> 2278: 910003fd mov x29, sp
> 227c: f90013f5 str x21, [sp,#32]
> 2280: aa0003f5 mov x21, x0
> 2284: 91000020 add x0, x1, #0x0
> 2288: a90153f3 stp x19, x20, [sp,#16]
> 228c: 91048014 add x20, x0, #0x120
> 2290: f9409013 ldr x19, [x0,#288]
> 2294: eb14027f cmp x19, x20
> 2298: 540000e0 b.eq 22b4 <security_bprm_committed_creds+0x44>
> 229c: f9400e61 ldr x1, [x19,#24]
> 22a0: aa1503e0 mov x0, x21
> 22a4: d63f0020 blr x1
> 22a8: f9400273 ldr x19, [x19]
> 22ac: eb14027f cmp x19, x20
> 22b0: 54ffff61 b.ne 229c <security_bprm_committed_creds+0x2c>
> 22b4: a94153f3 ldp x19, x20, [sp,#16]
> 22b8: f94013f5 ldr x21, [sp,#32]
> 22bc: a8c37bfd ldp x29, x30, [sp],#48
> 22c0: d65f03c0 ret
> 22c4: d503201f nop

The following logic is useless:
+ /*
+ * Skip "add x0, x0, #0x0" if next is "add Xd, Xn, #uimm12".
+ */
+ if (*(ip + 1) == 0x91000000 &&
+ (*(ip + 2) & 0xFFC00000) == 0x91000000) {
+ ip++;
+ i++;
+ }
Reply to #86152

Re: Get Security_hook_heads address errors (2020-11-16 06:06 by hello_sir #86168)

Is there any solution?

objdump -D security/security.o
> > 0000000000002270 <security_bprm_committed_creds>:
> > 2270: a9bd7bfd stp x29, x30, [sp,#-48]!
> > 2274: 90000001 adrp x1, 0 <security_sb_copy_data>
> > 2278: 910003fd mov x29, sp
> > 227c: f90013f5 str x21, [sp,#32]
> > 2280: aa0003f5 mov x21, x0
> > 2284: 91000020 add x0, x1, #0x0
> > 2288: a90153f3 stp x19, x20, [sp,#16]
> > 228c: 91048014 add x20, x0, #0x120
> > 2290: f9409013 ldr x19, [x0,#288]
> > 2294: eb14027f cmp x19, x20
> > 2298: 540000e0 b.eq 22b4 <security_bprm_committed_creds+0x44>
> > 229c: f9400e61 ldr x1, [x19,#24]
> > 22a0: aa1503e0 mov x0, x21
> > 22a4: d63f0020 blr x1
> > 22a8: f9400273 ldr x19, [x19]
> > 22ac: eb14027f cmp x19, x20
> > 22b0: 54ffff61 b.ne 229c <security_bprm_committed_creds+0x2c>
> > 22b4: a94153f3 ldp x19, x20, [sp,#16]
> > 22b8: f94013f5 ldr x21, [sp,#32]
> > 22bc: a8c37bfd ldp x29, x30, [sp],#48
> > 22c0: d65f03c0 ret
> > 22c4: d503201f nop

Reply to #86153

Re: Get Security_hook_heads address errors (2020-11-16 20:22 by kumaneko #86175)

> Is there any solution?

No solution, for embedding a complete ARM64 decoder would be too much. I might have to prepare an ARM64 environment for debugging.

I found a higher-priority problem: /proc/kallsyms is no longer readable from the kernel using kernel_read() in Linux 5.10.
This change affects all architectures. If there is no answer to this problem, we might need to give up automatic guessing of kernel functions.

> Oh my god, I recompiled the security/security.o file.

Can you examine why you got different byte sequences by recompiling?
Use of the same compiler version, the same kernel source and the same kernel config should result in the same byte sequences.
Reply to #86168
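The thread turns on how the adrp/add/add sequence from #86142 and the interleaved, differently-registered sequence from #86152 should be decoded. Below is an added example, not AKARI's probe.c and not kumaneko's patch, that does the narrow decoding needed here: it follows the address register from the adrp through every chained "add Xd, Xn, #uimm12" (so "add x0, x0, #0x0" just contributes 0), skips unrelated instructions in between, and stops at a branch or a possible clobber. The instruction words, the placement addresses PC_A / PC_B and the linked lo12 value 0x480 are constructed assumptions; the member offset 0x120 is taken from "add x20, x0, #0x120" and the struct address 0xffffffc00238f480 from the System.map quoted above.

```c
/*
 * Added example, not AKARI's probe.c: decode the AArch64 sequence
 *     adrp Xa, <page> ; add Xb, Xa, #lo12 ; add Xc, Xb, #member
 * that security_bprm_committed_creds() uses to reach a list head inside
 * security_hook_heads, tolerating unrelated instructions in between.
 */
#include <stdint.h>
#include <stdio.h>

#define ADRP_MASK      0x9F000000u  /* op=1 immlo 10000 immhi Rd */
#define ADRP_VAL       0x90000000u
#define ADD_IMM64_MASK 0xFFC00000u  /* sf=1 op=0 S=0 100010 sh=0 */
#define ADD_IMM64_VAL  0x91000000u
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static unsigned f_rd(uint32_t w)    { return w & 0x1f; }
static unsigned f_rn(uint32_t w)    { return (w >> 5) & 0x1f; }
static unsigned f_imm12(uint32_t w) { return (w >> 10) & 0xfff; }

/* Page delta encoded in an adrp word, as a two's-complement 64-bit value. */
static uint64_t adrp_page_delta(uint32_t w)
{
    uint64_t imm21 = (((w >> 5) & 0x7FFFFu) << 2) | ((w >> 29) & 0x3u);
    if (imm21 & (1ull << 20))
        imm21 |= ~0x1FFFFFull;              /* sign-extend from 21 bits */
    return imm21 << 12;
}

/* b/bl, b.cond, br/blr/ret: end of the straight-line code we scan. */
static int is_branch(uint32_t w)
{
    return (w & 0x7C000000u) == 0x14000000u ||
           (w & 0xFF000000u) == 0x54000000u ||
           (w & 0xFE000000u) == 0xD6000000u;
}

/*
 * insn[0] must be the adrp and pc its address in the running kernel.
 * Follows the address register through every "add Xd, Xn, #uimm12" whose
 * Xn is that register, skips instructions that do not name it, and stops
 * at a branch or when an instruction's Rd/Rt field names it (clobber).
 * Returns the number of chained adds (0 = pattern not found) and writes
 * the final address to *target and the register holding it to *reg.
 */
size_t decode_adrp_add_chain(const uint32_t *insn, size_t n, uint64_t pc,
                             uint64_t *target, unsigned *reg)
{
    if (n == 0 || (insn[0] & ADRP_MASK) != ADRP_VAL)
        return 0;
    uint64_t addr = (pc & ~0xFFFull) + adrp_page_delta(insn[0]);
    unsigned r = f_rd(insn[0]);
    size_t adds = 0;

    for (size_t i = 1; i < n && !is_branch(insn[i]); i++) {
        uint32_t w = insn[i];
        if ((w & ADD_IMM64_MASK) == ADD_IMM64_VAL && f_rn(w) == r) {
            addr += f_imm12(w);             /* "add x0, x0, #0x0" adds 0 */
            r = f_rd(w);
            adds++;
        } else if (f_rd(w) == r) {
            break;
        }
    }
    if (adds == 0)
        return 0;
    *target = addr;
    *reg = r;
    return adds;
}

/* &security_hook_heads = &heads.<member> - offsetof(member); 0 on failure. */
uint64_t hook_heads_base(const uint32_t *insn, size_t n, uint64_t pc,
                         uint64_t member_offset)
{
    uint64_t target;
    unsigned reg;
    if (!decode_adrp_add_chain(insn, n, pc, &target, &reg))
        return 0;
    return target - member_offset;
}

/* Constructed vectors (assumed placement PC_A / PC_B; security_hook_heads at
 * 0xffffffc00238f480 as in System.map, so the linked lo12 is 0x480;
 * bprm_committed_creds at 0x120 as "add x20, x0, #0x120" shows). */
#define PC_A 0xffffffc0001024d4ull
#define PC_B 0xffffffc000102274ull
#define BPRM_COMMITTED_CREDS_OFF 0x120ull

/* First object, as linked: adrp x0; add x0,x0,#0x480; add x20,x0,#0x120; ldr; cmp; b.eq */
const uint32_t linked_a[] = { 0xB0011460, 0x91120000, 0x91048014,
                              0xf9409013, 0xeb14027f, 0x540000e0 };
/* Recompiled object, as linked: adrp x1; mov x29,sp; str x21; mov x21,x0;
 * add x0,x1,#0x480; stp x19,x20; add x20,x0,#0x120; ldr; cmp; b.eq */
const uint32_t linked_b[] = { 0xB0011461, 0x910003fd, 0xf90013f5, 0xaa0003f5,
                              0x91120020, 0xa90153f3, 0x91048014,
                              0xf9409013, 0xeb14027f, 0x540000e0 };
/* The same words as they sit in the unlinked security.o: imm == 0 because
 * R_AARCH64_ADR_PREL_PG_HI21 / R_AARCH64_ADD_ABS_LO12_NC are not applied yet. */
const uint32_t unlinked[] = { 0x90000000, 0x91000000, 0x91048014 };

int main(void)
{
    printf("linked_a: 0x%llx\n", (unsigned long long)
           hook_heads_base(linked_a, COUNT(linked_a), PC_A, BPRM_COMMITTED_CREDS_OFF));
    printf("linked_b: 0x%llx\n", (unsigned long long)
           hook_heads_base(linked_b, COUNT(linked_b), PC_B, BPRM_COMMITTED_CREDS_OFF));
    /* Only the adrp's own page comes out of the .o: nothing usable before linking. */
    printf("unlinked: 0x%llx\n", (unsigned long long)
           hook_heads_base(unlinked, COUNT(unlinked), 0x24d4ull, BPRM_COMMITTED_CREDS_OFF));
    return 0;
}
```

Both linked vectors resolve to 0xffffffc00238f480 because the decoder keeps adding imm12 values while the chain stays on one register instead of reading a single add; the unlinked vector resolves to the page of the adrp itself, which is why immediates read from `objdump -D security/security.o` cannot be compared against what the probe sees in kernel memory.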

Re: Get Security_hook_heads address errors (2020-11-25 19:45 by kumaneko #86215)

Since I found an answer to the /proc/kallsyms problem, I can come back to your ARM64 problem.

Were you able to figure out why your byte sequence changed by recompilation?
Reply to #86175