riboseinc / retrace

retrace is a versatile security vulnerability / bug discovery tool through monitoring and modifying the behavior of compiled binaries on Linux, OpenBSD/FreeBSD/NetBSD (shared object) and macOS (dynamic library).

Missed fcntl #173

Closed catap closed 7 years ago

catap commented 7 years ago

Hey,

I think retrace has missed one very useful (and very complicated to implement) syscall — fcntl.

catap commented 7 years ago

Basic implementation here: https://github.com/riboseinc/retrace/commit/63e25e0528fb3f09e6e132bcc75a5638d7990a37

Missing: OS-specific stuff :)

ronaldtse commented 7 years ago

Indeed @catap and great start! I think we need to fix the formatting to adhere to the repo's rules though (checkpatch.pl).

@riataman , @drystone what do you think? Maybe you're interested in growing this to a full implementation.

catap commented 7 years ago

@ronaldtse it is a proof of concept and I don't like this design, because it depends on the supported commands, and if we don't support one of the commands, the syscall doesn't work :(

ronaldtse commented 7 years ago

Got it. I'm sure @riataman , @drystone or @jjr840430 would have a good solution!

drystone commented 7 years ago

I think you could get away with `void *maybe_parameter = va_arg(ap, void *)` for the default case, just to pass the parameter (or not) through. You've already logged it as unsupported, so essentially you're making sure unsupported calls are still honoured.


```c
default: {
    /* unsupported cmd: still pull the optional argument and forward it */
    void *maybe_parameter = va_arg(ap, void *);
    r = real_fcntl(filedes, cmd, maybe_parameter);
    break;
}
```
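The passthrough described above, worked into a complete wrapper as an added example (this is not retrace's code): commands the wrapper knows are named in the trace, and anything else still has its optional argument read from the va_list and forwarded, so an unsupported command keeps working. It forwards to libc's fcntl() directly rather than to a dlsym(RTLD_NEXT)-resolved symbol; the command table, the function names and the pipe-based check are this example's own assumptions.

```c
/* Added example, not retrace's code: a traced fcntl() that still honours
 * commands it does not know. Forwards to libc fcntl() directly; an
 * LD_PRELOAD interposer would call the dlsym(RTLD_NEXT, "fcntl") symbol.
 * The command table below is illustrative, not retrace's. */
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>

/* Commands this wrapper can describe; everything else is "unsupported". */
static const char *cmd_name(int cmd)
{
    switch (cmd) {
    case F_DUPFD: return "F_DUPFD";
    case F_GETFD: return "F_GETFD";
    case F_SETFD: return "F_SETFD";
    default:      return NULL;
    }
}

int traced_fcntl(int fd, int cmd, ...)
{
    va_list ap;
    const char *name = cmd_name(cmd);

    /* fcntl() takes at most one optional argument, and for an unknown cmd
     * the wrapper cannot tell whether it is an int, a pointer or absent.
     * Reading exactly one void * and forwarding it is what glibc's own
     * fcntl() does internally: on Linux the kernel masks or truncates the
     * value for int-valued commands and ignores it for argument-less ones. */
    va_start(ap, cmd);
    void *arg = va_arg(ap, void *);
    va_end(ap);

    if (name != NULL)
        fprintf(stderr, "fcntl(%d, %s, %p)\n", fd, name, arg);
    else
        fprintf(stderr, "fcntl(%d, cmd=%d unsupported, %p) passed through\n",
                fd, cmd, arg);

    return fcntl(fd, cmd, arg);
}

/* Exercises a known command (F_GETFD/F_SETFD) and two commands missing from
 * the table (F_SETFL/F_GETFL) on a pipe. Returns 0 if every step behaved,
 * otherwise the number of the first failing step. */
int demo_fcntl_passthrough(void)
{
    int fds[2];
    int rc = 0;

    if (pipe(fds) != 0)
        return 1;
    if (traced_fcntl(fds[0], F_GETFD) != 0)
        rc = 2;                                  /* fresh fd: no flags */
    else if (traced_fcntl(fds[0], F_SETFD, FD_CLOEXEC) != 0)
        rc = 3;
    else if (traced_fcntl(fds[0], F_GETFD) != FD_CLOEXEC)
        rc = 4;
    else if (traced_fcntl(fds[1], F_SETFL, O_NONBLOCK) != 0)
        rc = 5;                                  /* default path, int arg */
    else if ((traced_fcntl(fds[1], F_GETFL) & O_NONBLOCK) == 0)
        rc = 6;                                  /* default path, no arg */

    close(fds[0]);
    close(fds[1]);
    return rc;
}

int main(void)
{
    int rc = demo_fcntl_passthrough();
    printf("%s (rc=%d)\n", rc == 0 ? "passthrough ok" : "passthrough failed", rc);
    return rc;
}
```

The point of the default path is that the wrapper never refuses a command: F_SETFL and F_GETFL are deliberately absent from the table, and both still reach the kernel with the right argument.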
catap commented 7 years ago

@drystone good idea! Thanks!

catap commented 7 years ago

Created https://github.com/riboseinc/retrace/pull/176.

Meanwhile, it is a real-world example of using retrace.

I can trace valgrind on my macOS only with retrace to solve this bug, because dtruss doesn't inherit limits :)

ronaldtse commented 7 years ago

That's awesome @catap ! Thank you for being user 0 👍

catap commented 7 years ago

@ronaldtse but I'm blocked by #169 / #104 :(

@riataman or @drystone have you got any progress?

drystone commented 7 years ago

@catap no, I haven't had a look. I'm surprised, because my understanding of fork is that a child inherits the entire memory map of the parent as is. I know there is a problem with some of the execs, because some copy the environment and some don't, so I suppose what you might be seeing is the fork-exec pattern. I can look into this, but it won't be until this time tomorrow.

catap commented 7 years ago

@drystone no rush :) I can wait

pablo-mendoza commented 7 years ago

I took a good while on it a bit ago; fork does inherit LD_PRELOAD, but the exec stuff wasn't.
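The fork-exec gap the two comments above describe, as an added example that is not retrace's code: fork() copies the parent's address space, environ included, so LD_PRELOAD survives it, but execve() takes an explicit envp, and if the caller built that array without LD_PRELOAD the interposer is gone in the new image. An execve() hook that wants to keep tracing across fork-exec has to put the variable back into the envp it forwards. The merge helper below does that; its name, the library path and the sample environments are this example's assumptions.

```c
/* Added example, not retrace's code: rebuild an execve() envp so that
 * LD_PRELOAD is present exactly once. An interposer's execve() hook would
 * hand the result to the real execve(); here it is only built and checked.
 * Library path and sample environments are constructed for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of entries in a NULL-terminated envp. */
size_t envp_len(char *const envp[])
{
    size_t n = 0;
    while (envp != NULL && envp[n] != NULL)
        n++;
    return n;
}

/* Value of NAME=value in envp, or NULL if absent. */
const char *env_lookup(char *const envp[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; envp != NULL && envp[i] != NULL; i++)
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=')
            return envp[i] + len + 1;
    return NULL;
}

/* Free an array produced by preload_envp(). */
void free_envp(char **envp)
{
    if (envp == NULL)
        return;
    for (size_t i = 0; envp[i] != NULL; i++)
        free(envp[i]);
    free(envp);
}

/* Copy envp with LD_PRELOAD set to `preload`: the first existing LD_PRELOAD
 * entry is replaced in place and later duplicates dropped, otherwise one is
 * appended. Returns NULL on allocation failure. */
char **preload_envp(char *const envp[], const char *preload)
{
    static const char key[] = "LD_PRELOAD=";
    const size_t keylen = sizeof(key) - 1;
    size_t n = envp_len(envp);

    /* calloc keeps the array NULL-terminated while it is being filled, so
     * free_envp() is safe on a partially built result. */
    char **out = calloc(n + 2, sizeof(*out));
    if (out == NULL)
        return NULL;

    size_t entry_len = keylen + strlen(preload) + 1;
    char *entry = malloc(entry_len);
    if (entry == NULL) {
        free(out);
        return NULL;
    }
    memcpy(entry, key, keylen);
    memcpy(entry + keylen, preload, entry_len - keylen);   /* includes NUL */

    int placed = 0;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (strncmp(envp[i], key, keylen) == 0) {
            if (!placed) {
                out[o++] = entry;
                placed = 1;
            }
            continue;
        }
        size_t len = strlen(envp[i]) + 1;
        out[o] = malloc(len);
        if (out[o] == NULL) {
            if (!placed)
                free(entry);
            free_envp(out);
            return NULL;
        }
        memcpy(out[o++], envp[i], len);
    }
    if (!placed)
        out[o++] = entry;
    out[o] = NULL;
    return out;
}

/* Constructed sample environments; returns 0 when every check passes,
 * otherwise the number of the first failing check. */
int demo_preload_envp(void)
{
    const char *lib = "/opt/retrace/libretrace.so";   /* assumed path */
    char *const plain[] = {"PATH=/usr/bin", "HOME=/home/user", NULL};
    char *const withold[] = {"LD_PRELOAD=/tmp/old.so", "PATH=/usr/bin", NULL};
    const char *v;
    int rc = 0;

    char **e = preload_envp(plain, lib);          /* appended case */
    if (e == NULL)
        return 1;
    if (envp_len(e) != 3)
        rc = 2;
    else if ((v = env_lookup(e, "LD_PRELOAD")) == NULL || strcmp(v, lib) != 0)
        rc = 3;
    else if ((v = env_lookup(e, "HOME")) == NULL || strcmp(v, "/home/user") != 0)
        rc = 4;
    free_envp(e);
    if (rc != 0)
        return rc;

    char **f = preload_envp(withold, lib);        /* replaced-in-place case */
    if (f == NULL)
        return 5;
    if (envp_len(f) != 2)
        rc = 6;
    else if (strcmp(f[0], "LD_PRELOAD=/opt/retrace/libretrace.so") != 0)
        rc = 7;
    free_envp(f);
    return rc;
}

int main(void)
{
    char *const envp[] = {"PATH=/usr/bin", NULL};
    char **merged = preload_envp(envp, "/opt/retrace/libretrace.so");
    for (size_t i = 0; merged != NULL && merged[i] != NULL; i++)
        puts(merged[i]);                          /* what real execve() would get */
    free_envp(merged);
    return demo_preload_envp();
}
```

The execl/execv family ends up in execve with the caller's environ, which is why fork alone keeps the preload; it is the execve/execle variants that take an explicit envp where the hook has to do this merge.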

pablo-mendoza commented 7 years ago

We have fcntl now.