search

trellix-enterprise / mysql-audit

AUDIT Plugin for MySQL. See wiki and readme for description. If you find the plugin useful, please star us on GitHub. We love stars and it's a great way to show your feedback.
Other
239 stars 57 forks source link

Reduce the minimum required hot patching size from 14 to 6 on x86_64 #141

Closed kubo closed 8 years ago

kubo commented 8 years ago

This patch reduces the minimum required hot patching size from 14 to 6 on x86_64 if the distance from a hot-patch target function to the trampoline memory is within 2GB. (The exact condition is: (trampoline_memory_address - (target_function_address + 6)) between INT32_MIN and INT32_MAX)

This patch also allocates trampoline memory under 2GB by using mmap() with MAP_32BIT when mysqld resides under 2GB.

This will rescue the following error in https://github.com/mcafee/mysql-audit/issues/72#issuecomment-33572747

140129 14:04:54 [Note] Audit Plugin: hot patching function: 0x7f0fc6f59aa0, trampolineFunction: 0x7f0fa44e5000 trampolinePage: 0x7f0fa44e5000
140129 14:04:54 [ERROR] Audit Plugin: unable to disassemble at address: 0x0x7f0fc6f59aaa. Found relative addressing for instruction: [jnz 0x7f0fc6f59ab5]. Aborting.

Relative addressing was found at 10 bytes after the beginning of the function. It failed because 10 is smaller than the minimum hot patching size 14. But it will not fail if the size becomes 6. 0x7f0fa44e5000 - (0x7f0fc6f59aa0 + 6) = -581388966, which is between INT32_MIN and INT32_MAX.

aharonrobbins commented 8 years ago

Much thanks for the patch!

We will review.

Thanks,

Aharon

Aharon (Arnold) Robbins Senior Software Engineer Sensor - Database Security McAfee. Part of Intel Security. [cid:image003.png@01CF5AF2.16A4D380]

From: Kubo Takehiro [mailto:notifications@github.com] Sent: Sunday, June 12, 2016 08:12 To: mcafee/mysql-audit mysql-audit@noreply.github.com Subject: [mcafee/mysql-audit] Reduce the minimum required hot patching size from 14 to 6 on x86_64 (#141)

This patch reduces the minimum required hot patching size from 14 to 6 on x86_64 if the distance from a hot-patch target function to the trampoline memory is within 2GB.

This patch also allocates trampoline memory under 2GB by using mmap() with MAP_32BIT when mysqld resides under 2GB.

This will rescue the following error in #72 (comment)https://github.com/mcafee/mysql-audit/issues/72#issuecomment-33572747

140129 14:04:54 [Note] Audit Plugin: hot patching function: 0x7f0fc6f59aa0, trampolineFunction: 0x7f0fa44e5000 trampolinePage: 0x7f0fa44e5000

140129 14:04:54 [ERROR] Audit Plugin: unable to disassemble at address: 0x0x7f0fc6f59aaa. Found relative addressing for instruction: [jnz 0x7f0fc6f59ab5]. Aborting.

Relative addressing was found at 10 bytes after the begging of the function. It failed because 10 is smaller than the minimum hot patching size 14. But it will not fail if the size becomes 6.

You can view, comment on, or merge this pull request online at:

https://github.com/mcafee/mysql-audit/pull/141

Commit Summary

File Changes

Patch Links:

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHubhttps://github.com/mcafee/mysql-audit/pull/141, or mute the threadhttps://github.com/notifications/unsubscribe/AKT-vQhWIl7W6yFtfD_gH23VS08GJqxKks5qK5UOgaJpZM4IztR0.

aharonrobbins commented 8 years ago

We pulled #142 ; closing this one.