i#38: Attach injection on Linux #5019
Conversation
|
Looks like code style violations are causing the test failures |
There was a problem hiding this comment.
Thank you for the PR. If you could go through the #3328 review comments it looks like most of them still apply here.
M3m3M4n
changed the title
|
I need some help to finish this PR on windows since I mainly work on linux |
|
Few test are failing on vs2017 but I'm not quite sure why |
The logs show a lot of timeouts: something is making them hang. Unfortunately the log does not give enough info. Either tmate would have to be used https://dynamorio.org/page_test_suite.html#autotoc_md261 or a local repro or maybe we can spot something in the patch. |
|
The diff displayed here is massive: 27 files changed! Looks like changes that are already in the repo: something was off about the merge that makes the PR diff display show those as part of this change? Plus the auto-merge check above says there are conflicts in core/ir/aarch64/codec.txt. If you could try to re-merge to get the diff to show just the new changes we can do another review round. |
For linux, we use ptrace() to inject dynamorio to running process. For windows, we get target process handle using DebugActiveProcess() and inject with original dr_inject_process_inject().
Merge head
|
I accidentally squashed a master merge into a commit. Everything look nice after rebasing. |
|
Also, can I request some clarification? Testing ptrace inject with a toy program that does fork() then wait(). I found out that dynamorio cannot inject until after wait() has completed. This is the same with all blocking syscall I've tested with like accept...
I thought the PTRACE_ATTACH prior would send SIGSTOP and force any running blocking syscall to return EINTR back to userland? But seems like the blocking syscall continues to run and single stepping only returns after the syscall has completed. So to stop dynamorio from attaching I could just do something like wait and never let it return? |
I don't know w/o further investigation -- maybe @summershrimp has some input here |
Something strange things happens if you modified PC(IP) register when the target process stuck at blocking syscall , the ip will go 4 bytes more than we expected. So I do a singlestep to make sure the process is not at a blocking syscall . |
|
Actually it's better to singlestep till the PC is at any text segment. If PC is at vdso, we still can't inject DR code. dynamorio/core/unix/injector.c Line 1122 in 527d44c |
|
I think we should put note about ptrace_inject-ing to process in middle of blocking syscall somewhere since dynamorio might have to wait indefinitely for the call to complete. And we can't force syscall to return by sending signal either. |
Sure, to start with: but I would expect a way around this since a debugger is able to attach in such a situation right? |
I did take a quick look into GDB source. Turn out while under ptrace, SIGSTOP only stop only 1 thread of the group. GDB handles this by sending SIGSTOP to all thread by tkill. However blocking syscalls still block after continuing. But... While stopping at the thread that issue wait() syscall, the PC always points to the instruction right after syscall instruction. Interestingly, if I put a breakpoint at that instruction address then continue, the syscall failed (or interrupted) then return while GDB reports the program receives SIGINT? This does not happen if I continue or single stepping without the breakpoint. Not quite sure what happens here because single stepping also generate a temporary breakpoint there AFAIK. Maybe because some how GDB send SIGINT to the test program and ptrace captured it but not forward to tracee? Need more investigation but we can use this behavior to inject after syscall return. |
- Remove support for attaching on Windows for now.
|
Bug: |
only allow ptrace attach to skip syscall with x86 as lack of testing in arm/aarch64
|
@derekbruening I think I am done with this PR for now
Attaching code for ARM/AARCH64 linux can be implemented in a similar way, I might open another PR later when I have time. |
@summershrimp -- but if the process PC is at the start of a blocking syscall (maybe b/c it's an auto-restart syscall we interrupted), won't a singlestep block and essentially hang our attach?
If you could elaborate here: why does the current PC matter? I would expect we should be able to set the PC to our shellcode to inject our library and then have our library start execution wherever.
But we're attaching to a running process who presumably is long past the entry point and will never return there? |
Fix typo; add period at end of sentence.
Fix spelling
|
run arm tests |
|
add to whitelist |
|
run arm tests |
|
@AssadHashmi -- does the "add to whitelist" not work for a PR from a forked repository? |
|
@M3m3M4n -- we forgot to update the release notes list of new features in api/docs/release.dox. That can be added as part of the PR that adds a regression test. |
Hmm...it should do. I've increased your privilege level in the relevant ACL config. |
Improve upon pull request #3328: