Intercept works with libc 2.29-4 but not with libc 2.30-1 #97

Open
mavy opened this issue Oct 9, 2019 · 4 comments
Comments

@mavy

mavy commented Oct 9, 2019

After upgrading libc to 2.30-1, I am seeing the following message:

not enough space for patching around syscal libsyscall_intercept error

The log has the following contents:

tempfile=$(mktemp) ; tempfile2=$(mktemp) ; grep "^/" $0 | cut -d " " -f 1,2 | sed "s/^/addr2line -p -f -e /" > $tempfile ; { echo ; . $tempfile ; echo ; } > $tempfile2 ; paste $tempfile2 $0 ; exit 0
unintercepted syscall at: /usr/lib/libc.so.6 0x2588b

Going to the previous version of glibc shows the correct behaviour:

tempfile=$(mktemp) ; tempfile2=$(mktemp) ; grep "^/" $0 | cut -d " " -f 1,2 | sed "s/^/addr2line -p -f -e /" > $tempfile ; { echo ; . $tempfile ; echo ; } > $tempfile2 ; paste $tempfile2 $0 ; exit 0
/usr/lib/libc.so.6 0xf24ca -- openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY | O_CLOEXEC) = ?
@GBuella
Contributor

GBuella commented Oct 15, 2019

Hi @mavy, could you show us a disassembly of your libc around that specified address 0x25588b?
E.g. the output of the command:
objdump -d /usr/lib/libc.so.6 | grep "\<258..:"

@GBuella GBuella self-assigned this Oct 15, 2019
@mavy
Author

mavy commented Oct 15, 2019

Of course:

  25803:       74 0a                   je     2580f <abort+0xa3>
  25805:       48 c7 04 c6 00 00 00    movq   $0x0,(%rsi,%rax,8)
  2580c:       00 
  2580d:       eb ea                   jmp    257f9 <abort+0x8d>
  2580f:       31 d2                   xor    %edx,%edx
  25811:       bf 01 00 00 00          mov    $0x1,%edi
  25816:       48 83 0c 24 20          orq    $0x20,(%rsp)
  2581b:       e8 c0 69 01 00          callq  3c1e0 <sigprocmask>
  25820:       8b 05 7a cf 19 00       mov    0x19cf7a(%rip),%eax        # 1c27a0 <stage>
  25826:       83 f8 01                cmp    $0x1,%eax
  25829:       0f 85 c0 00 00 00       jne    258ef <abort+0x183>
  2582f:       c7 05 67 cf 19 00 00    movl   $0x0,0x19cf67(%rip)        # 1c27a0 <stage>
  25836:       00 00 00 
  25839:       8b 05 55 cf 19 00       mov    0x19cf55(%rip),%eax        # 1c2794 <lock+0x4>
  2583f:       ff c8                   dec    %eax
  25841:       89 05 4d cf 19 00       mov    %eax,0x19cf4d(%rip)        # 1c2794 <lock+0x4>
  25847:       75 44                   jne    2588d <abort+0x121>
  25849:       48 c7 05 44 cf 19 00    movq   $0x0,0x19cf44(%rip)        # 1c2798 <lock+0x8>
  25850:       00 00 00 00 
  25854:       64 8b 14 25 18 00 00    mov    %fs:0x18,%edx
  2585b:       00 
  2585c:       85 d2                   test   %edx,%edx
  2585e:       75 08                   jne    25868 <abort+0xfc>
  25860:       ff 0d 2a cf 19 00       decl   0x19cf2a(%rip)        # 1c2790 <lock>
  25866:       eb 25                   jmp    2588d <abort+0x121>
  25868:       87 05 22 cf 19 00       xchg   %eax,0x19cf22(%rip)        # 1c2790 <lock>
  2586e:       ff c8                   dec    %eax
  25870:       7e 1b                   jle    2588d <abort+0x121>
  25872:       45 31 d2                xor    %r10d,%r10d
  25875:       ba 01 00 00 00          mov    $0x1,%edx
  2587a:       be 81 00 00 00          mov    $0x81,%esi
  2587f:       b8 ca 00 00 00          mov    $0xca,%eax
  25884:       48 8d 3d 05 cf 19 00    lea    0x19cf05(%rip),%rdi        # 1c2790 <lock>
  2588b:       0f 05                   syscall 
  2588d:       bf 06 00 00 00          mov    $0x6,%edi
  25892:       e8 49 65 01 00          callq  3bde0 <raise>
  25897:       64 48 8b 1c 25 10 00    mov    %fs:0x10,%rbx
  2589e:       00 00 
  258a0:       48 39 1d f1 ce 19 00    cmp    %rbx,0x19cef1(%rip)        # 1c2798 <lock+0x8>
  258a7:       74 3e                   je     258e7 <abort+0x17b>
  258a9:       64 8b 04 25 18 00 00    mov    %fs:0x18,%eax
  258b0:       00 
  258b1:       85 c0                   test   %eax,%eax
  258b3:       75 0e                   jne    258c3 <abort+0x157>
  258b5:       ba 01 00 00 00          mov    $0x1,%edx
  258ba:       0f b1 15 cf ce 19 00    cmpxchg %edx,0x19cecf(%rip)        # 1c2790 <lock>
  258c1:       eb 1d                   jmp    258e0 <abort+0x174>
  258c3:       31 c0                   xor    %eax,%eax
  258c5:       ba 01 00 00 00          mov    $0x1,%edx
  258ca:       f0 0f b1 15 be ce 19    lock cmpxchg %edx,0x19cebe(%rip)        # 1c2790 <lock>
  258d1:       00 
  258d2:       74 0c                   je     258e0 <abort+0x174>
  258d4:       48 8d 3d b5 ce 19 00    lea    0x19ceb5(%rip),%rdi        # 1c2790 <lock>
  258db:       e8 00 02 06 00          callq  85ae0 <__lll_lock_wait_private>
  258e0:       48 89 1d b1 ce 19 00    mov    %rbx,0x19ceb1(%rip)        # 1c2798 <lock+0x8>
  258e7:       ff 05 a7 ce 19 00       incl   0x19cea7(%rip)        # 1c2794 <lock+0x4>
  258ed:       eb 05                   jmp    258f4 <abort+0x188>
  258ef:       83 f8 02                cmp    $0x2,%eax
  258f2:       75 47                   jne    2593b <abort+0x1cf>
  258f4:       48 8d b4 24 80 00 00    lea    0x80(%rsp),%rsi
  258fb:       00 
  258fc:       31 c0                   xor    %eax,%eax
  258fe:       b9 26 00 00 00          mov    $0x26,%ecx

@GBuella
Contributor

GBuella commented Oct 15, 2019

Thank you. Yes, there is a scenario in that code listing around the syscall instruction, for which syscall_intercept is not prepared yet. I'll see what I can do about it.
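
A diagnostic for the situation in the listing above, added here as an example and not code from syscall_intercept or from anyone in this thread. It parses `objdump -d` output in the format mavy posted and estimates whether a 5-byte jmp can be placed over a given `syscall`; the constraints it applies (a neighbouring instruction can be absorbed only if it is not control flow, not RIP-relative and not a branch target) are an assumed approximation of the patcher's rules, not its exact algorithm. On the excerpt it reports the two obstacles visible in the listing: the `lea` before the syscall is RIP-relative, and the `mov` after it at 2588d is a jump target.

```python
import re
# Constructed excerpt of the objdump listing posted above (glibc 2.30 abort()).
LISTING = """\
  25870:       7e 1b                   jle    2588d <abort+0x121>
  2587f:       b8 ca 00 00 00          mov    $0xca,%eax
  25884:       48 8d 3d 05 cf 19 00    lea    0x19cf05(%rip),%rdi        # 1c2790 <lock>
  2588b:       0f 05                   syscall
  2588d:       bf 06 00 00 00          mov    $0x6,%edi
  25892:       e8 49 65 01 00          callq  3bde0 <raise>
"""
INS_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\b\s*)+)(\S*)\s*(.*?)\s*$")
TARGET_RE = re.compile(r"^([0-9a-f]+)\s*<")
JUMP_SIZE = 5  # the jmp rel32 that the patcher writes over the syscall site

def parse(listing):
    """objdump -d text -> [(addr, size, mnemonic, operands)]; byte-only
    continuation lines are folded into the previous instruction."""
    ins = []
    for m in filter(None, map(INS_RE.match, listing.splitlines())):
        addr, raw, mnem, ops = m.groups()
        if mnem:
            ins.append([int(addr, 16), len(raw.split()), mnem, ops])
        elif ins:
            ins[-1][1] += len(raw.split())
    return [tuple(i) for i in ins]

def branch_targets(ins):
    """Addresses reached by a direct jmp/jcc/call somewhere in the listing."""
    return {int(m.group(1), 16) for _, _, mnem, ops in ins
            if mnem.startswith(("j", "call")) and (m := TARGET_RE.match(ops))}

def relocatable(mnem, ops):
    """Assumed rule: a neighbour may be moved into the trampoline only if it is
    neither control flow nor RIP-relative (its displacement would go stale)."""
    return not (mnem.startswith(("j", "call", "ret", "syscall")) or "(%rip)" in ops)

def check_syscall(listing, syscall_addr):
    """Estimate whether a 5-byte jmp fits over the syscall at syscall_addr."""
    ins = parse(listing)
    targets = branch_targets(ins)
    i = next(k for k, x in enumerate(ins) if x[0] == syscall_addr and x[2] == "syscall")
    prev, nxt = (ins[i - 1] if i > 0 else None), (ins[i + 1] if i + 1 < len(ins) else None)
    space, reasons = ins[i][1], []
    # Using the previous instruction starts the patch before the syscall, so a
    # branch into either of them would land in the middle of the new jmp.
    if prev and relocatable(prev[2], prev[3]) and not ({prev[0], syscall_addr} & targets):
        space += prev[1]
    else:
        reasons.append("previous instruction unusable: %s" % (prev and prev[2]))
    if nxt and relocatable(nxt[2], nxt[3]) and nxt[0] not in targets:
        space += nxt[1]
    else:
        reasons.append("next instruction unusable: %s" % (nxt and nxt[2]))
    return {"space": space, "patchable": space >= JUMP_SIZE, "reasons": reasons}
```

Feed it the full `objdump -d` output and the address from the "unintercepted syscall at" log line to see which neighbour blocks the patch before opening an issue.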

dverbeir added a commit to dverbeir/libconvert that referenced this issue Aug 25, 2020
We cannot move right-away to Ubuntu 20.04 because
* lib syscall_intercept doesn't work with more recent libc
  See issue pmem/syscall_intercept#97.
  Proposed change is not merged yet (though appears to work,
  so we could go to that specific commit)
* scapy operation seems to have issues where an ACK goes out
  automatically before our SYN+ACK response to the incoming SYN.

Also, there are other problems building scapy on 19.10.

Let's defer the move to 20.04 LTS to a later time.

Signed-off-by: David Verbeiren <[email protected]>
@1EDExg0ffyXfTEqdIUAYNZGnCeajIxMWd2vaQeP

I think I'm still running into this issue, has it been fixed? I'm using Ubuntu 22.10 using GNU libc 2.36 inside WSL v1.
