Zhibin Li's GSoC status report - #2 of 12
Dmitry V. Levin
ldv at altlinux.org
Sat Jun 22 13:15:45 UTC 2019
On Sat, Jun 22, 2019 at 07:00:55PM +0800, Zhibin Li wrote:
> On Fri, Jun 21, 2019 at 7:13 PM Dmitry V. Levin <ldv at altlinux.org> wrote:
> > On Wed, Jun 19, 2019 at 09:31:25AM +0800, Zhibin Li wrote:
> > > Just FYI, I wrote a demo of a priv qualifier for -e inject.
> > > It can be used like:
> > > # strace -eioctl -e inject=ioctl:retval=42:priv=i915 ./a.out
> > > Basically it works as I expect, but this is an experimental patch.
> > > The way it makes things work may be ugly, so any comments/suggestions are
> > > welcome :).
> > >
> > > https://github.com/haoyouab/strace/commit/9c915fe7ed66f08b41b5d9c72e3d03b09c8ca9a3
> >
> > Well, this is not even an injection into the tracee, it's an overwriting
> > of strace internal tcp->_priv_data with arbitrary data.
> Yes, it's actually an overwriting.
> > Yes, it's notoriously difficult to implement a positive testing of ioctl
> > decoders. In this case you need to convince strace to enable i915-specific
> > decoder.
> > If you could subvert e.g. readlink("/sys/class/drm/null/device/driver", ...)
> > to return something that ends with /i915, this would be enough for
> > drm_is_driver(tcp, "i915") to return true.
> Currently in drm.c the execution sequence is:
> The key point to enable the i915-specific decoder is to obtain a valid device
> from the fd by calling getfdpath. In this case it's /dev/dri/card0. Only
> after that will readlink() try to read the driver name which links to that
> device, which is readlink("/sys/class/drm/card0/device/driver", ...). So if
> we use fd = -1 like we usually do, getfdpath will fail and the decoder will
> return before readlink is executed. Should we consider subverting getfdpath
> instead?
> https://github.com/haoyouab/strace/blob/stuff/drm.c#L33
> My question here is that in order to convince strace when we run tests, a
> string that explicitly specifies the device name (e.g. "i915", "nouveau")
> has to be used along with an option and passed to strace, right? Because
> there are many other device-specific ioctls like amdgpu, nouveau. When the
> tests are running, strace has to know which device-specific decoder to
We are not bound to use fd == -1, we can use any descriptor in our reach,
e.g. we can open /dev/null and use it instead.