Forums: Forum d’aide (Thread #42967)

Run failed fro probe_security_hook_heads_on_arm64 Return NULL (2020-09-15 02:25 by hello_sir #85813)

Hello,

System information:4.19.90-9.ky10.aarch64
target:aarch64-linux-gnu
gcc version : 7.3

The error occurs in probe_security_hook_heads(). The error message printed is: "Can't resolve security_bprm_committed_creds()."

The function is as follows:

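/*
 * probe_security_hook_heads - Guess the address of the kernel's
 * "struct security_hook_heads security_hook_heads;" variable.
 *
 * The address is derived from the value stored at the location returned by
 * probe_find_variable() and is accepted only if the bprm_set_creds list of
 * the guessed structure contains an entry whose hook is cap_bprm_set_creds().
 *
 * Returns the guessed pointer on success, NULL otherwise.
 */
struct security_hook_heads * probe_security_hook_heads(void)
{
	const unsigned int offset = offsetof(struct security_hook_heads,
					     bprm_committed_creds);
	void *cp;
	struct security_hook_heads *shh;
	struct security_hook_list *entry;
	void *cap = probe_find_symbol(" cap_bprm_set_creds\n");

	/*
	 * Debug output. sizeof() yields a size_t, which is 64 bits wide on
	 * aarch64, so it must be printed with %zu rather than %u. The call is
	 * placed after the declarations to avoid mixing declarations and code.
	 */
	printk(KERN_ERR "offset=%u, sizeof(struct hlist_head)=%zu\n", offset,
	       sizeof(struct hlist_head));

	/* Get location of cap_bprm_set_creds(). */
	cap = check_function_address(cap, "cap_bprm_set_creds");
	if (!cap)
		return NULL;
	/*
	 * Guess "struct security_hook_heads security_hook_heads;".
	 * probe_find_variable() is defined elsewhere; presumably it scans the
	 * code of the given function for a reference to the variable - confirm
	 * against its implementation.
	 */
	cp = probe_find_variable(probe_security_bprm_committed_creds,
				 ((unsigned long)
				  &probe_dummy_security_hook_heads) + offset,
				 " security_bprm_committed_creds\n");
	if (!cp) {
		printk(KERN_ERR
		       "Can't resolve security_bprm_committed_creds().\n");
		return NULL;
	}
	/*
	 * This should be "struct security_hook_heads security_hook_heads;".
	 * The value read from cp is taken as the address of the
	 * bprm_committed_creds member, so subtracting the member offset gives
	 * the start of the structure.
	 */
	shh = ((void *) (*(unsigned long *) cp)) - offset;
	/*
	 * Validate the guess: it is trusted only if cap_bprm_set_creds() is
	 * registered on its bprm_set_creds list. Note that this walk already
	 * dereferences the guessed pointer.
	 */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
	hlist_for_each_entry(entry, &shh->bprm_set_creds, list)
		if (entry->hook.bprm_set_creds == cap)
			return shh;
#else
	list_for_each_entry(entry, &shh->bprm_set_creds, list)
		if (entry->hook.bprm_set_creds == cap)
			return shh;
#endif
	/*
	 * NOTE(review): this writes a raw kernel address to the log; the cast
	 * to unsigned long with %lx bypasses the hashing that %p applies.
	 * Confirm that exposing it is acceptable where kernel address layout
	 * is meant to stay hidden from log readers.
	 */
	printk(KERN_ERR "Guessed security_hook_heads is 0x%lx\n",
	       (unsigned long) shh);
	return NULL;
}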

Eager to get answers as soon as possible.

Re: Run failed fro probe_security_hook_heads_on_arm64 Return NULL (2020-09-15 13:06 by kumaneko #85814)

Please paste here the disassembly of security_bprm_committed_creds() function obtained by "objdump -D security/security.o" .

In my cross compiler environment (I don't have aarch64 environment to try), the disassembly was:

----------
0000000000001450 <security_bprm_committed_creds>:
1450: a9be7bfd stp x29, x30, [sp, #-32]!
1454: 90000001 adrp x1, 0 <security_sb_copy_data>
1458: 910003fd mov x29, sp
145c: a90153f3 stp x19, x20, [sp, #16]
1460: f9400033 ldr x19, [x1]
1464: b4000113 cbz x19, 1484 <security_bprm_committed_creds+0x34>
1468: aa0003f4 mov x20, x0
146c: d503201f nop
1470: f9400e61 ldr x1, [x19, #24]
1474: aa1403e0 mov x0, x20
1478: d63f0020 blr x1
147c: f9400273 ldr x19, [x19]
1480: b5ffff93 cbnz x19, 1470 <security_bprm_committed_creds+0x20>
1484: a94153f3 ldp x19, x20, [sp, #16]
1488: a8c27bfd ldp x29, x30, [sp], #32
148c: d65f03c0 ret
----------

Currently, probe_security_hook_heads_on_arm64() scans for

adrp Xd, #imm21
add Xd, Xn, #uimm12

sequence, but the disassembly shown above does not contain the "add Xd, Xn, #uimm12" line.
If that line is also missing from your disassembly, please try the diff shown below.

--- akari/probe.c
+++ akari/probe.c
@@ -245,11 +245,9 @@ static void * __init probe_security_hook
/*
* Find
* adrp Xd, #imm21
- * add Xd, Xn, #uimm12
* sequence.
*/
- if ((*ip & 0x9F000000) != 0x90000000 ||
- (*(ip + 1) & 0xFFC00000) != 0x91000000)
+ if ((*ip & 0x9F000000) != 0x90000000)
continue;
tmp = ((unsigned long) ip) & ~0xFFFUL;
offset = (unsigned long) (((((*ip >> 5) & 0x007FFFF) << 2) |
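Review bot: With the `add` test removed, the check `if ((*ip & 0x9F000000) != 0x90000000)` accepts every `adrp` in the scanned window, and the `ldr` search in the next hunk (`(*ip & 0xFFC00000) != 0xF9400000`) accepts any 64-bit `ldr` whatever its base register. Nothing in the visible lines ties the two instructions together, so an unrelated `adrp`/`ldr` pair could yield a bogus address that the caller appears to dereference. I would save the destination register at the `adrp` (`rd = *ip & 0x1F;`) and skip loads whose base differs (`if (((*ip >> 5) & 0x1F) != rd) continue;`). The function starts and ends outside this hunk, so any later validation is not visible here.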
@@ -257,14 +255,12 @@ static void * __init probe_security_hook
if (offset & 0x100000000UL)
offset |= 0xFFFFFFFF00000000UL;
tmp += offset;
- offset = (*(ip + 1) >> 10) & 0xFFF;
- tmp += offset;
/*
* Find
* ldr Xt, Xn, #uimm12
* sequence.
*/
- for (ip += 2; i < 32 - 2; ip++, i++) {
+ for (ip += 1; i < 32 - 1; ip++, i++) {
if ((*ip & 0xFFC00000) != 0xF9400000)
continue;
offset = ((*ip >> 10) & 0xFFF) << 3;
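Review bot: Removing `offset = (*(ip + 1) >> 10) & 0xFFF; tmp += offset;` outright would compute the wrong address on the builds this code handled before: when the compiler does emit `add Xd, Xn, #uimm12` after the `adrp`, the `adrp` still matches but the low 12 bits carried by the `add` are no longer added to `tmp`. Treating the `add` as optional covers both code shapes, e.g. `if ((*(ip + 1) & 0xFFC00000) == 0x91000000) tmp += (*(ip + 1) >> 10) & 0xFFF;` placed before the `ldr` search. The declaration and initial value of `i` are outside the hunk, so the new bound `i < 32 - 1` should be checked against them.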

Re: Run failed fro probe_security_hook_heads_on_arm64 Return NULL (2020-09-15 19:00 by hello_sir #85816)

Reply To Message #85814
> Please paste here the disassembly of security_bprm_committed_creds() function obtained by "objdump -D security/security.o" .
>
> In my cross compiler environment (I don't have aarch64 environment to try), the disassembly was:
>
> ----------
> 0000000000001450 <security_bprm_committed_creds>:
> 1450: a9be7bfd stp x29, x30, [sp, #-32]!
> 1454: 90000001 adrp x1, 0 <security_sb_copy_data>
> 1458: 910003fd mov x29, sp
> 145c: a90153f3 stp x19, x20, [sp, #16]
> 1460: f9400033 ldr x19, [x1]
> 1464: b4000113 cbz x19, 1484 <security_bprm_committed_creds+0x34>
> 1468: aa0003f4 mov x20, x0
> 146c: d503201f nop
> 1470: f9400e61 ldr x1, [x19, #24]
> 1474: aa1403e0 mov x0, x20
> 1478: d63f0020 blr x1
> 147c: f9400273 ldr x19, [x19]
> 1480: b5ffff93 cbnz x19, 1470 <security_bprm_committed_creds+0x20>
> 1484: a94153f3 ldp x19, x20, [sp, #16]
> 1488: a8c27bfd ldp x29, x30, [sp], #32
> 148c: d65f03c0 ret
> ----------
>
> Currently, probe_security_hook_heads_on_arm64() scans for
>
> adrp Xd, #imm21
> add Xd, Xn, #uimm12
>
> sequence, but the disassembly shown above misses the "add Xd, Xn, #uimm12" line.
> If that line is missing in your disassembly, please try the diff shown below.
>
> --- akari/probe.c
> +++ akari/probe.c
> @@ -245,11 +245,9 @@ static void * __init probe_security_hook
> /*
> * Find
> * adrp Xd, #imm21
> - * add Xd, Xn, #uimm12
> * sequence.
> */
> - if ((*ip & 0x9F000000) != 0x90000000 ||
> - (*(ip + 1) & 0xFFC00000) != 0x91000000)
> + if ((*ip & 0x9F000000) != 0x90000000)
> continue;
> tmp = ((unsigned long) ip) & ~0xFFFUL;
> offset = (unsigned long) (((((*ip >> 5) & 0x007FFFF) << 2) |
> @@ -257,14 +255,12 @@ static void * __init probe_security_hook
> if (offset & 0x100000000UL)
> offset |= 0xFFFFFFFF00000000UL;
> tmp += offset;
> - offset = (*(ip + 1) >> 10) & 0xFFF;
> - tmp += offset;
> /*
> * Find
> * ldr Xt, Xn, #uimm12
> * sequence.
> */
> - for (ip += 2; i < 32 - 2; ip++, i++) {
> + for (ip += 1; i < 32 - 1; ip++, i++) {
> if ((*ip & 0xFFC00000) != 0xF9400000)
> continue;
> offset = ((*ip >> 10) & 0xFFF) << 3;


Here is the disassembly from my build:
00000000000020e0 <security_bprm_committed_creds>:
20e0: a9be7bfd stp x29, x30, [sp,#-32]!
20e4: 90000001 adrp x1, 0 <security_sb_copy_data>
20e8: 910003fd mov x29, sp
20ec: a90153f3 stp x19, x20, [sp,#16]
20f0: f9400033 ldr x19, [x1]
20f4: b40000f3 cbz x19, 2110 <security_bprm_committed_creds+0x30>
20f8: aa0003f4 mov x20, x0
20fc: f9400e61 ldr x1, [x19,#24]
2100: aa1403e0 mov x0, x20
2104: d63f0020 blr x1
2108: f9400273 ldr x19, [x19]
210c: b5ffff93 cbnz x19, 20fc <security_bprm_committed_creds+0x1c>
2110: a94153f3 ldp x19, x20, [sp,#16]
2114: a8c27bfd ldp x29, x30, [sp],#32
2118: d65f03c0 ret
211c: d503201f nop

Re: Run failed fro probe_security_hook_heads_on_arm64 Return NULL (2020-09-15 19:17 by kumaneko #85817)

OK. Your binary does not have the "add Xd, Xn, #uimm12" line. Please try the diff.

Re: Run failed fro probe_security_hook_heads_on_arm64 Return NULL (2020-09-18 07:27 by kumaneko #85831)

Did the diff help? I'd like to hear from you before making changes in the repository.