Zhibin Li's GSoC status report - #2 of 12

Dmitry V. Levin ldv at altlinux.org
Sat Jun 22 13:15:45 UTC 2019


On Sat, Jun 22, 2019 at 07:00:55PM +0800, Zhibin Li wrote:
> On Fri, Jun 21, 2019 at 7:13 PM Dmitry V. Levin <ldv at altlinux.org> wrote:
> 
> > On Wed, Jun 19, 2019 at 09:31:25AM +0800, Zhibin Li wrote:
> > > Just FYI I wrote a demo[1] of a priv qualifier for -e inject.
> > > It can be used like:
> > > # strace -eioctl -e inject=ioctl:retval=42:priv=i915 ./a.out
> > > Basically it works as I expect but this is an experimental patch.
> > > The way it makes things work may be ugly so any comments/suggestions are
> > > welcome :).
> > >
> > > [1]
> > >
> > https://github.com/haoyouab/strace/commit/9c915fe7ed66f08b41b5d9c72e3d03b09c8ca9a3
> >
> > Well, this is not even an injection into the tracee, it's an overwriting
> > of strace internal tcp->_priv_data with arbitrary data.
> 
> Yes, it's actually an overwriting.
> 
> > Yes, it's notoriously difficult to implement a positive testing of ioctl
> > decoders.  In this case you need to convince strace to enable i915-specific
> > decoder.
> >
> > If you could subvert e.g. readlink("/sys/class/drm/null/device/driver", ...)
> > to return something that ends with /i915, this would be enough for
> > drm_is_driver(tcp, "i915") to return true.
> >
> Currently in drm.c[1] the execution sequence is:
> getfdpath(...);
> readlink(...);
> The key point to enable the i915-specific decoder is to obtain a valid device
> path from the fd by calling getfdpath. In this case it's /dev/dri/card0. Only
> after that will readlink() try to read the driver name which links to that
> device, which is readlink("/sys/class/drm/card0/device/driver", ...). So if we
> use fd = -1 like we usually do, getfdpath will fail and the decoder will
> return before readlink is executed. Should we consider subverting getfdpath
> instead?
> 
> [1] https://github.com/haoyouab/strace/blob/stuff/drm.c#L33
> 
> My question here is that in order to convince strace when we run tests, a
> string that explicitly specifies the device name (e.g. "i915", "nouveau")
> has to be used along with an option and passed to strace, right? Because
> there are many other device specific ioctls like amdgpu, nouveau. When the
> tests are running, strace has to know which device specific decoder to
> enable.

We are not bound to use fd == -1, we can use any descriptor in our reach,
e.g. we can open /dev/null and use it instead.


-- 
ldv
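Added example, not part of this thread and not strace's own drm.c: a stand-alone C version of the getfdpath() -> readlink() sequence discussed above, run against the current process instead of a tracee, so the two failure points can be seen directly. With fd == -1 the lookup stops at the /proc/self/fd step; with an open /dev/null it reaches readlink("/sys/class/drm/null/device/driver", ...), which fails because that link does not exist, so the i915-specific check stays false unless that readlink is subverted. The function names fdpath(), drm_is_driver_for_fd() and check_dev_null() are hypothetical; the /proc/self/fd and /sys/class/drm paths are the real Linux ones.

```c
/* Added example (not strace code): mirror of the getfdpath() -> readlink()
 * lookup that gates a driver-specific DRM ioctl decoder. Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Step 1 (getfdpath equivalent): resolve the path behind a descriptor of the
 * current process via /proc/self/fd/<n>. strace does the same for the tracee
 * through /proc/<pid>/fd/<n>. Returns -1 for fd == -1 or any other failure. */
static ssize_t fdpath(int fd, char *buf, size_t size)
{
    char link[64];
    ssize_t n;

    if (fd < 0)
        return -1;
    snprintf(link, sizeof(link), "/proc/self/fd/%d", fd);
    n = readlink(link, buf, size - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Step 2 (drm_is_driver equivalent): map /dev/dri/cardN to
 * /sys/class/drm/cardN/device/driver and compare the last component of the
 * link target with `driver`. For /dev/null the sysfs path becomes
 * /sys/class/drm/null/device/driver, which does not exist, so we return 0. */
static int drm_is_driver_for_fd(int fd, const char *driver)
{
    char dev[PATH_MAX], sys[PATH_MAX], target[PATH_MAX];
    const char *base;
    ssize_t n;

    if (fdpath(fd, dev, sizeof(dev)) < 0)
        return 0;               /* fd == -1 ends here, before any readlink */
    base = strrchr(dev, '/');
    base = base ? base + 1 : dev;
    snprintf(sys, sizeof(sys), "/sys/class/drm/%s/device/driver", base);
    n = readlink(sys, target, sizeof(target) - 1);
    if (n < 0)
        return 0;               /* /dev/null ends here: no such sysfs link */
    target[n] = '\0';
    base = strrchr(target, '/');
    base = base ? base + 1 : target;
    return strcmp(base, driver) == 0;
}

/* Helper: open /dev/null (a descriptor "in our reach"), run the check, close.
 * Returns the check result, or -1 if /dev/null could not be opened. */
static int check_dev_null(const char *driver)
{
    int fd = open("/dev/null", O_RDONLY);
    int r;

    if (fd < 0)
        return -1;
    r = drm_is_driver_for_fd(fd, driver);
    close(fd);
    return r;
}

int main(void)
{
    printf("fd=-1   -> i915 decoder enabled: %d\n",
           drm_is_driver_for_fd(-1, "i915"));
    printf("/dev/null -> i915 decoder enabled: %d\n", check_dev_null("i915"));
    return 0;
}
```

Both lines print 0 on a stock system: the first never reaches readlink at all, the second reaches it and gets ENOENT, which is the call one would have to intercept to make the driver-specific decoder fire in a test.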