vsyscall_trace: Add a test mode using a faked vsyscall base address

Author: geofft

.travis.yml

@@ -25,6 +25,7 @@ matrix:
 script:
   - make -C docker/vsyscall_emu
   - docker build --rm -t quay.io/pypa/manylinux1_$PLATFORM:$TRAVIS_COMMIT -f docker/Dockerfile-$PLATFORM docker/
+  - docker/vsyscall_emu/test.sh quay.io/pypa/manylinux1_$PLATFORM:$TRAVIS_COMMIT
 
 
 deploy:

docker/vsyscall_emu/.gitignore

@@ -1 +1,2 @@
 vsyscall_trace
+vsyscall_trace_test

docker/vsyscall_emu/Makefile

@@ -1,13 +1,20 @@
+PLATFORM ?= $(shell uname -m)
+
 ifeq ($(PLATFORM),x86_64)
-  all: vsyscall_trace
+  TARGETS = vsyscall_trace vsyscall_trace_test
 else
-  all:
+  TARGETS =
 endif
 
+all: $(TARGETS)
+
 vsyscall_trace: vsyscall_trace.c
 	$(CC) -o $@ $< -ldl
 
+vsyscall_trace_test: vsyscall_trace.c
+	$(CC) -o $@ $< -ldl -DVSYSCALL_BASE=0xfffffffffe600000 -DDEBUG
+
 clean:
-	$(RM) -f vsyscall_trace
+	$(RM) $(TARGETS)
 
 .PHONY: clean

docker/vsyscall_emu/maps

@@ -0,0 +1 @@
+fffffffffe600000-fffffffffe601000 --xp 00000000 00:00 0                  [vsyscall]

docker/vsyscall_emu/test.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# Test vsyscall_trace, either on a docker image if a name is provided or
+# directly on the host otherwise.
+
+set -e
+
+# Get build utilities
+cd "$(dirname "${BASH_SOURCE[0]}")"
+source ../build_scripts/build_utils.sh
+
+set -x
+
+# Run the kernel vsyscall test command with a fake vsyscall page
+# address, so that we're guaranteed that the host kernel will segfault
+# on the attempted vsyscalls.
+curl -sSLO https://github.com/torvalds/linux/raw/v4.15/tools/testing/selftests/x86/test_vsyscall.c
+check_sha256sum test_vsyscall.c ff55a0c8ae2fc03a248a7fa1c47ba00bfe73abcef09606b6708e01f246a4f2b5
+sed -i -e 's/0xffffffffff6/0xfffffffffe6/' -e 's|/proc/self/maps|/proc/self/cwd/maps|' test_vsyscall.c
+cc -ggdb3 -o test_vsyscall test_vsyscall.c -ldl
+
+if [ -n "$1" ]; then
+    docker run -v "$PWD":/vsyscall_emu --rm --entrypoint /vsyscall_emu/vsyscall_trace_test --security-opt=seccomp:unconfined --workdir /vsyscall_emu "$1" ./test_vsyscall
+else
+    ./vsyscall_trace_test ./test_vsyscall
+fi
+
+rm -f test_vsyscall test_vsyscall.c

docker/vsyscall_emu/vsyscall_trace.c

@@ -41,11 +41,16 @@
 
 /* These are ABI constants: see arch/x86/include/uapi/asm/vsyscall.h
  * in the kernel source (probably installed on your system as
- * <asm/vsyscall.h>). They start at VSYSCALL_ADDR, and
- * increase by 1024 for each call. */
-const unsigned long VSYS_gettimeofday = 0xffffffffff600000,
-                    VSYS_time = 0xffffffffff600400,
-                    VSYS_getcpu = 0xffffffffff600800;
+ * <asm/vsyscall.h> - we don't directly use this header so that this
+ * program continues to compile when it is removed). They start at
+ * VSYSCALL_ADDR, and increase by 1024 for each call. */
+
+#ifndef VSYSCALL_BASE
+#define VSYSCALL_BASE 0xffffffffff600000
+#endif
+const unsigned long VSYS_gettimeofday = VSYSCALL_BASE + 0,
+                    VSYS_time = VSYSCALL_BASE + 0x400,
+                    VSYS_getcpu = VSYSCALL_BASE + 0x800;
 
 /* The vDSO is an area of memory that looks like a normal relocatable
  * dynamic library, magically placed in your address space by the
@@ -91,13 +96,15 @@ unsigned long vdso_address(pid_t pid) {
 int handle_vsyscall(pid_t pid) {
 	struct user_regs_struct regs;
 	ptrace(PTRACE_GETREGS, pid, 0, &regs);
-	if ((regs.rip & 0xfffffffffffff0ff) == 0xffffffffff600000) {
+	debug_printf("got a segfault at %p\n", regs.rip);
+	if ((regs.rip & 0xfffffffffffff0ff) == VSYSCALL_BASE) {
 		debug_printf("handling vsyscall for %d\n", pid);
 		unsigned long vdso = vdso_address(pid);
 		if (vdso_address == 0) {
 			debug_printf("couldn't find vdso\n");
 			return 0;
 		}
+		debug_printf("vdso address is %p\n", vdso);
 
 		if (regs.rip == VSYS_gettimeofday) {
 			regs.rip = vdso | VDSO_gettimeofday;
@@ -109,6 +116,7 @@ int handle_vsyscall(pid_t pid) {
 			debug_printf("invalid vsyscall %x\n", regs.rip);
 			return 0;
 		}
+		debug_printf("fixing up rip to %p\n", regs.rip);
 		ptrace(PTRACE_SETREGS, pid, 0, &regs);
 		return 1;
 	}