Inline asm interrupt, for errorbased syscall analysis #3107

Closed
PrivateShorty opened this issue Apr 16, 2018 · 3 comments

PrivateShorty commented Apr 16, 2018

Hi WSL Team,
thanks a lot for the cool features WSL brings to Windows.

I am assessing syscall behaviour of WSL for my bachelor thesis.
As I don't know what's going on down in the WSL kernel, this might be a bug, a security feature, a translation error, simply working as intended, or even my fault. Since I can't tell, I thought I'd share that with you.

Microsoft Windows [Version 10.0.16299.309]

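I wrote a small C program which takes a syscallid as argument, moves it to eax and performs an interrupt. This is realized through inline asm:

asm volatile ( "movl %[sysid], %%eax\n\t"
           "int $0x80"
           : [sysid] "+r" (syscallid)
           :                     /* no separate inputs */
           : "eax", "memory"     /* eax is overwritten by the mov and by the return value */
    );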

Execution on Linux:
Exits always with 0 and errno set like the following.

$ strace ./asm 39

execve("./asm", ["./asm", "39"], [/* 62 vars */]) = 0
brk(NULL)                               = 0x142d000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=130352, ...}) = 0
mmap(NULL, 130352, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa798e9f000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa798e9e000
mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa7988d0000
mprotect(0x7fa798a90000, 2097152, PROT_NONE) = 0
mmap(0x7fa798c90000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7fa798c90000
mmap(0x7fa798c96000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa798c96000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa798e9d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa798e9c000
arch_prctl(ARCH_SET_FS, 0x7fa798e9d700) = 0
mprotect(0x7fa798c90000, 16384, PROT_READ) = 0
mprotect(0x600000, 4096, PROT_READ)     = 0
mprotect(0x7fa798ebf000, 4096, PROT_READ) = 0
munmap(0x7fa798e9f000, 130352)          = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
brk(NULL)                               = 0x142d000
brk(0x144e000)                          = 0x144e000
write(1, "syscallid=27\n", 13syscallid=27
)          = 13
getpid()                                = -1 EFAULT (Bad address)
exit_group(0)                           = ?
+++ exited with 0 +++

Execution on WSL:
Exits always with 1 after write(1, syscallid... or on the interrupt.

$ strace ./asm 39

execve("./asm", ["./asm", "39"], [/* 16 vars */]) = 0
brk(NULL)                               = 0x179e000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=24461, ...}) = 0
mmap(NULL, 24461, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fdbbfdab000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdbbfda0000
mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fdbbf630000
mprotect(0x7fdbbf7f0000, 2097152, PROT_NONE) = 0
mmap(0x7fdbbf9f0000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7fdbbf9f0000
mmap(0x7fdbbf9f6000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fdbbf9f6000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdbbfd90000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdbbfd80000
arch_prctl(ARCH_SET_FS, 0x7fdbbfd90700) = 0
mprotect(0x7fdbbf9f0000, 16384, PROT_READ) = 0
mprotect(0x600000, 4096, PROT_READ)     = 0
mprotect(0x7fdbbfc25000, 4096, PROT_READ) = 0
munmap(0x7fdbbfdab000, 24461)           = 0
fstat(1, {st_mode=S_IFCHR|0660, st_rdev=makedev(4, 2), ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
brk(NULL)                               = 0x179e000
brk(0x17bf000)                          = 0x17bf000
write(1, "syscallid=27\n", 13syscallid=27
)          = 13
+++ exited with 1 +++

As far as I was able to interpret the lxcore_kernel.elt through vi, there was a message like asmLxpSigInfoFromException Unhandled exception code 0x10000001, but I haven't inspected it further yet.

@poizan42

int 0x80 is not a valid syscall on 64-bit Linux, only syscall is supported.

@0xbadfca11

Real x86-64 Linux may or may not handle int 0x80, even in a 64-bit process. That depends on CONFIG_IA32_EMULATION in the kernel config.
WSL does not.

@therealkenc
Collaborator

Technically dupe #2468.
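
The two entry paths discussed in the comments above, side by side, as an added example that is not part of the original thread or of WSL's code: the native `syscall` instruction, and a probe that tries `int $0x80` in a forked child so a fatal signal cannot take the caller down. It assumes x86-64 Linux; `raw_syscall0` and `probe_int80` are hypothetical names.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example; helper names are hypothetical. Native 64-bit entry: number
 * and result in rax; the instruction itself overwrites rcx and r11. */
static long raw_syscall0(long nr)
{
#if defined(__x86_64__)
    long ret;
    __asm__ volatile ("syscall" : "=a"(ret) : "a"(nr)
                      : "rcx", "r11", "memory");
    return ret;
#else
    return syscall(nr);               /* other architectures: use libc */
#endif
}

/* Returns 1 if int $0x80 was serviced, 0 if the child was killed or got an
 * error back, -1 if fork/waitpid failed. int $0x80 uses the i386 table:
 * 20 is getpid there, while 39 (getpid on x86-64) is mkdir.
 * Older kernels zero r8-r11 on this path, so they are listed as clobbers. */
static int probe_int80(void)
{
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
#if defined(__x86_64__)
        long ret = 20;
        __asm__ volatile ("int $0x80" : "+a"(ret) :
                          : "r8", "r9", "r10", "r11", "memory");
        _exit(ret > 0 ? 0 : 1);
#else
        _exit(1);
#endif
    }
    int status = 0;
    if (waitpid(child, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("syscall getpid=%ld libc getpid=%d\n", raw_syscall0(SYS_getpid), (int)getpid());
    printf("int $0x80 serviced: %d\n", probe_int80());
    return 0;
}
```

Number 39 is getpid only in the x86-64 table; through `int $0x80` the i386 table applies, where 39 is mkdir, which is consistent with the EFAULT result in the Linux trace above.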
