
I'm hijacking __NR_read (sys_read call) and each time I hijack the original syscall with my own syscall, it causes a crash in bash (in all open KDE "konsoles") (that is, as soon as I hijack sys_open).

I'm wondering if this is a bug in my code (probably) or it's happening because of something else.

My question is: if the crash is caused because of my code, what is causing it exactly and how (if possible) can I fix it? If the crash isn't caused by my code, what is causing it?

My code is here: https://github.com/alexandernst/procmon/tree/master/procmon_kmodule

syshijack.c is where I get the syscall table and hookfns.c is where I hijack the syscalls.

PS: I already asked this question before here (Hijacking sys calls), but it has changed now, as the crash happens as soon as I hijack the syscall.

* EDIT *

I think the bug is coming from the hook/unhook calls, so I created an issue: https://github.com/alexandernst/procmon/issues/7. Anyways, I can't see what is causing the crash/freeze.

alexandernst

1 Answer


The hook engine works fine on my x86_64 without the IA32 part and without your code in hooked_sys_read, except r = real_sys_read(). Digging into your code, I've found that there might be a problem with the IA32 hooking:

#define HOOK(F, RF, FF) RF = sys_call_table[F]; sys_call_table[F] = FF;
#ifdef CONFIG_IA32_EMULATION
    #define HOOK_IA32(F, RF, FF) ia32_sys_call_table[F] = FF;
#endif

... so HOOK_IA32 doesn't store the RF value the way the HOOK macro does. Check it out.

As for the rest... path_from_fd seems ugly to me.

Good luck ;)

Ilya Matveychikov
  • Sorry for not answering before. I was at the office. Yes indeed, there was a bug in the HOOK IA32 macro. I just pushed a fix. Anyways, that wasn't the problem. The virtual machine I'm testing on keeps freezing whenever I call hook/unhook a few times. – alexandernst Jul 15 '13 at 17:05
  • Hey, do you know that `VirtualBox` (and maybe other VMs) doesn't emulate the `sidt` instruction properly? I've found that `sidt` returns a wrong value in my case and used a different symbol lookup method to get the `sys_call_table` entry. It seems that you have the same problem... – Ilya Matveychikov Jul 15 '13 at 18:58
  • Oh. So perhaps my module is working just fine on real machines? I wasn't willing to test it on my real machine, but maybe I should. Let me give it a try – alexandernst Jul 15 '13 at 21:02
  • Nope, bad decision. It just froze my entire machine and I had to power it off... :( – alexandernst Jul 15 '13 at 21:07
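The save-and-restore point the answer makes about HOOK_IA32, as an added userspace model that is not code from the question or from the procmon repository: a plain array of function pointers stands in for the syscall table, and the buggy macro (install the hook, never save the original) is placed beside the corrected one, so the consequence at unhook time is visible without touching a kernel. Names such as HOOK_BUGGY, round_trip and real_read_impl are assumptions for this model.

```c
#include <stddef.h>

/* Userspace stand-in for a syscall table: an array of function pointers.
 * Nothing here touches the kernel; it only models the bookkeeping. */
typedef long (*syscall_fn)(long);

#define NR_ENTRIES 4
#define NR_READ 0

static syscall_fn sys_call_table[NR_ENTRIES];

/* Constructed "original" handler standing in for the real sys_read. */
static long real_read_impl(long fd) { return fd + 100; }

/* Saved original, the RF argument of the page's HOOK macro. */
static syscall_fn real_sys_read;

/* The hook has to be able to call through to the original. */
static long hooked_sys_read(long fd)
{
    if (!real_sys_read)        /* what the buggy HOOK_IA32 leaves behind */
        return -1;
    return real_sys_read(fd);
}

/* Buggy form from the question: installs FF but never saves the original. */
#define HOOK_BUGGY(F, RF, FF) do { sys_call_table[F] = (FF); } while (0)

/* Corrected form: save the original before overwriting the slot. */
#define HOOK(F, RF, FF) do { (RF) = sys_call_table[F]; sys_call_table[F] = (FF); } while (0)

/* Unhook writes the saved pointer back. With the buggy macro RF is still NULL,
 * so the slot ends up pointing at nothing: the next caller faults. */
#define UNHOOK(F, RF) do { sys_call_table[F] = (RF); } while (0)

static void reset(void)
{
    sys_call_table[NR_READ] = real_read_impl;
    real_sys_read = NULL;
}

/* Returns 1 if the hook reaches the original and unhook restores the slot. */
int round_trip(int use_fixed_macro)
{
    reset();
    if (use_fixed_macro)
        HOOK(NR_READ, real_sys_read, hooked_sys_read);
    else
        HOOK_BUGGY(NR_READ, real_sys_read, hooked_sys_read);

    long r = sys_call_table[NR_READ](3);      /* dispatched through the hook */
    UNHOOK(NR_READ, real_sys_read);
    return r == 103 && sys_call_table[NR_READ] == real_read_impl;
}
```

With the corrected macro the call returns 103 and the slot is restored; with the buggy macro the hook cannot reach the original and unhook leaves a NULL entry in the table.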