Make functions in the Linux vdso file interposable

[robgjansen]

Some functions that are called frequently are placed in Linux's vdso file for efficiency reasons. This vdso file gets statically embedded at the top of program binary's at compile time, making it possibly difficult to interpose.

On my machine, I was able to inspect the vdso like:

$  readelf -s /lib/modules/5.10.8-100.fc32.x86_64/vdso/vdso64.so

Symbol table '.dynsym' contains 12 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000990   432 FUNC    WEAK   DEFAULT   11 clock_gettime@@LINUX_2.6
     2: 0000000000000820   316 FUNC    GLOBAL DEFAULT   11 __vdso_gettimeofday@@LINUX_2.6
     3: 0000000000000b40    96 FUNC    WEAK   DEFAULT   11 clock_getres@@LINUX_2.6
     4: 0000000000000b40    96 FUNC    GLOBAL DEFAULT   11 __vdso_clock_getres@@LINUX_2.6
     5: 0000000000000820   316 FUNC    WEAK   DEFAULT   11 gettimeofday@@LINUX_2.6
     6: 0000000000000960    41 FUNC    GLOBAL DEFAULT   11 __vdso_time@@LINUX_2.6
     7: 0000000000000960    41 FUNC    WEAK   DEFAULT   11 time@@LINUX_2.6
     8: 0000000000000990   432 FUNC    GLOBAL DEFAULT   11 __vdso_clock_gettime@@LINUX_2.6
     9: 0000000000000000     0 OBJECT  GLOBAL DEFAULT  ABS LINUX_2.6
    10: 0000000000000ba0    37 FUNC    GLOBAL DEFAULT   11 __vdso_getcpu@@LINUX_2.6
    11: 0000000000000ba0    37 FUNC    WEAK   DEFAULT   11 getcpu@@LINUX_2.6

which shows several time related functions as well as getcpu.

We could overwrite this code dynamically to make sure the syscall version gets called when running in shadow. Here is some code we could use to do it:

• https://github.com/dettrace/dettrace/blob/master/src/vdso.cpp

[sporksmith]

@stevenengler came across this issue via example

client:
  network_node_id: 0
  processes:
  - path: /usr/bin/python3
    args: -c 'from datetime import datetime; import ctypes; libc = ctypes.CDLL("libc.so.6"); ts = libc.time(None); print(datetime.utcfromtimestamp(ts).strftime("%Y-%m-%d %H:%M:%S"))'

It appears that ctypes.CDLL isn't affected by LD_PRELOAD. I wonder if explicitly loading libc this way is a frequent use-case in python...

[sporksmith]

From @rwails :

Hm. I wonder if we can edit AT_SYSINFO_EHDR as the managed process is booting: https://stackoverflow.com/a/52402306

The auxiliary vector of any process can (subject to file permissions) be obtained via /proc/[pid]/auxv; see proc(5) for more information.

[sporksmith]

I wonder if we can edit AT_SYSINFO_EHDR as the managed process is booting:

I think that could work in ptrace mode, where we could overwrite the header in between the execve syscall and the dynamic loader and libc's early initialization. In preload mode though we don't get control until a bit later.

I put together a working proof of concept that overwrites the __vdso_gettimeofday function with a trampoline that calls our own function:

#define _GNU_SOURCE

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/time.h>

// Overwrite code at `current` with a jump to `dst`.
void make_trampoline(void *current, void *dst) {
  // movabs $...,%r10
  *((char*)current++) = 0x49;
  *((char*)current++) = 0xba;

  *(void**)current = dst;
  current += sizeof(void*);

  // jmpq *%r10
  *((char*)current++) = 0x41;
  *((char*)current++) = 0xff;
  *((char*)current++) = 0xe2;
}

// Function that will do the real work. In shadow this will fetch the simulated time
// and convert it to the struct timeval.
int my_gettimeofday(struct timeval *tv, struct timezone *tz) {
  tv->tv_sec = 1;
  tv->tv_usec = 2;
  return 0;
}

// Helpers to parse the VDSO section and get the addresses of symbols within it.
// To test this example I linked against
// [sample code from the Linux kernel](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/vDSO/parse_vdso.c?id=v3.8).
// We'll need to find or write an alternative with a compatible license. 
extern void vdso_init_from_sysinfo_ehdr(uintptr_t base);
extern void *vdso_sym(const char *version, const char *name);

int main(int argc, char **argv) {
  // Get the address of the VDSO section
  void* sysinfo_hdr = (void*)getauxval(AT_SYSINFO_EHDR);
  printf("%p\n",sysinfo_hdr);

  // Parse the VDSO section
  vdso_init_from_sysinfo_ehdr((uintptr_t)sysinfo_hdr);

  // Get the address of `vdso_gettimeofday` within the vdso section.
  int (*vdso_gettimeofday)(struct timeval *tv, struct timezone *tz) = vdso_sym("LINUX_2.6", "__vdso_gettimeofday");
  printf("%p\n", vdso_gettimeofday);

  // Call it normally.
  struct timeval tv = {0};
  int rv = vdso_gettimeofday(&tv, NULL);
  printf("rv:%d s:%ld usec:%ld\n", rv, tv.tv_sec, tv.tv_usec);

  // Make the VDSO writable. I tried just doing 4k at first, but it failed if I didn't do the whole section.
  // We probably need to check /proc/x/maps to get the section size.
  if (mprotect(sysinfo_hdr, 8192, PROT_READ|PROT_WRITE|PROT_EXEC)) {
    perror("mprotect");
    abort();
  }

  make_trampoline(vdso_gettimeofday, &my_gettimeofday);

  // Calling the vdso function now returns the result of `my_gettimeofday`.
  rv = vdso_gettimeofday(&tv, NULL);
  printf("rv:%d s:%ld usec:%ld\n", rv, tv.tv_sec, tv.tv_usec);

  // So does calling `gettimeofday`. (It's actually just a symbol alias for `__vdso_gettimeofday`)
  rv = gettimeofday(&tv, NULL);
  printf("rv:%d s:%ld usec:%ld\n", rv, tv.tv_sec, tv.tv_usec);
  return 0;
}

Output:

$ gcc -g  parse_vdso.c use_vdso.c
$ ./a.out 
0x7ffdfa52c000
0x7ffdfa52c690
rv:0 s:1646355759 usec:169497
rv:0 s:1 usec:2
rv:0 s:1 usec:2