注入的mprotect系统调用跟踪进程因EFAULT而失败(Injected mprotect system call into traced process fails with EFAULT)

我正在向跟踪过程注入一个mprotect调用：

static int inject_mprotect(pid_t child, void *addr, size_t len, int prot) { // Machine code: // int $0x80 (system call) // int3 (trap) char code[] = {0xcd,0x80,0xcc,0}; char orig_code[3]; struct user_regs_struct regs; struct user_regs_struct orig_regs; // Take a copy of current state __check_ptrace(PTRACE_GETREGS, child, NULL, &orig_regs); getdata(child, INSTRUCTION_POINTER(regs), orig_code, 3); // Inject the code, update registers putdata(child, INSTRUCTION_POINTER(regs), code, 3); __check_ptrace(PTRACE_GETREGS, child, NULL, &regs); XAX_REGISTER(regs) = MPROTECT_SYSCALL; MPROTECT_ARG_START(regs) = (unsigned long)addr; MPROTECT_ARG_LEN(regs) = len; MPROTECT_ARG_PROT(regs) = prot; __check_ptrace(PTRACE_SETREGS, child, NULL, &regs); // Snip

但是，调用失败，返回-14（ EFAULT ）。我查看了mprotect源（内核3.13），看不出为什么我的系统调用会返回这个。

如果我跟踪我的注入调用并打印寄存器，我会看到以下内容：

SIGTRAP: eip: 0x34646ef8d4, syscall 10, rc = -38 PARENT 10 MPROTECT(start: 0x00007f45b9611000, len: 4096, prot: 0) EIP: 0x00000034646ef8d4 AX: 0xffffffffffffffda BX: 0x0000000000000005 CX: 0xffffffffffffffff DX: 0x0000000000000000 DI: 0x00007f45b9611000 BP: 0x00007fffcb93bc20 SI: 0x0000000000001000 R8: 0x0000000000000000 R9: 0x0000000000000000 R10: 0x0000000000000000 SIGTRAP: eip: 0x34646ef8d4, syscall 10, rc = -14 Bad address (trap after system call exit)

为了验证系统调用格式，我向子mprotect添加了一个mprotect调用，并抛出了它的参数和寄存器：

SIGTRAP: eip: 0x34646ef927, syscall 10, rc = -38 CHILD 10 MPROTECT(start: 0x00007f45b9611000, len: 4096, prot: 0) EIP: 0x00000034646ef927 AX: 0xffffffffffffffda BX: 0x0000000000000005 CX: 0xffffffffffffffff DX: 0x0000000000000000 DI: 0x00007f45b9611000 BP: 0x00007fffcb93bc20 SI: 0x0000000000001000 R8: 0x000000000000004e R9: 0x746f72706d206c6c R10: 0x00007fffcb93b9a0 SIGTRAP (child return): eip: 0x34646ef927, syscall 10, rc = 0

来自孩子的电话成功。因此，假设我使用相同的参数进行相同的系统调用（10），为什么注入的调用在子调用成功的同时失败了EFAULT ？

调用之间的唯一区别是regs.r8 ， regs.r9和regs.r10一些垃圾，但是根据X86_64上的系统调用表，我不相信这些寄存器的内容会影响系统调用。

I'm injecting an mprotect call into a traced process:

However the call fails, returning -14 (EFAULT). I've looked through the mprotect source (kernel 3.13) and can't see why my system call would return this.

If I trace my injected call and print out the registers I see the following:

To validate the system call format I added an mprotect call to the child and dumped out its arguments and registers:

The call from the child succeeds. So given that I'm making the same system call (10) with the same arguments, why does the injected call fail with EFAULT while a call from the child is successful?

The only difference between the calls is some junk in regs.r8, regs.r9 and regs.r10, however based this table of system calls on X86_64 I don't believe the contents of those registers would affect the system call.

最满意答案

问题与这个问题有关：i386和x86_64对系统调用使用不同的调用约定。您的示例代码使用int 0x80 ，即i386变体，但syscall_number = 10 ，即mprotect的64位系统调用号。在32位环境中，系统调用10根据此列表对应unlink ，该列表可以返回EFAULT （ Bad address ）。

在64位平台上，以一致的方式使用32位或64位变体可以解决问题。

The problem is related to this question: i386 and x86_64 use different calling conventions for system calls. Your example code uses int 0x80, the i386 variant, but syscall_number = 10, the 64-bit syscall number for mprotect. In 32-bit environments, syscall 10 coresponds to unlink, according to this list, which can return EFAULT (Bad address).

On 64-bit platforms, using either the 32-bit or 64-bit variant in a consistent manner solves the problem.

更多推荐