From: Filipe C. <fi...@gm...> - 2009-04-02 09:25:32
Attachments:
test-csops.c
valgrind-F_ADDSIGS-csops.patch

Hi,

First of all... valgrind can now run iTunes :-)

Patch: http://web.ist.utl.pt/~filipe.cabecinhas/patches/valgrind-F_ADDSIGS-csops.patch

There were two missing system calls where valgrind bombed out:

fcntl(F_ADDSIGS) - add detached signatures
csops(...) - code signing operations (syscall number 169)

The fcntl is there to add a signature that, instead of being in the executable file, resides in a separate file.

The csops() syscall performs various operations on a process:
- query the process' status
- mark the process as invalid, set HARD or KILL flag
- get the executable's pathname
- get the code directory hash

Attached is a small test program for the various operations (that used to bomb out with valgrind). It receives a PID as argument (if it's called with no arguments it just analyses itself) and performs the query operations (STATUS, PIDPATH and CDHASH). Superuser permissions are necessary.

To try out the various flags start, for example, an md5 program (you can check that it's signed using "codesign -vvvv `which md5`"), and query the flags (it should have flag 0x1, meaning that it's valid). Mark the process as KILL if invalid and then mark it as invalid to see it get killed by the system. iTunes would add the signatures and, when the KILL flag was set using csops(), kill itself.

I implemented csops() to do a no-op when passed a MARK* operation. I didn't keep track of the marks but I guess we could do that. I don't know if it's possible to redirect the F_ADDSIGS parameter that says which code is signed so we could keep the program valid (if that original code isn't touched by valgrind), but that would be nice (and stealthy :-) ).

Regards,
F

Example: I run md5 in a terminal and it sits idle waiting for input.

In another terminal:

[filcab@farnsworth ~/Desktop] $ sudo ./a 10874
errno: 0, res: 0, status: 1 (0x1)
errno: 0, res: 0, path: /sbin/md5
errno: 0, res: 0, hash: 690e1b75356209a6b171860339387a836ea45df3

### I change a.c to mark the process as KILL before the query ops
[filcab@farnsworth ~/Desktop] $ make a && sudo ./a 10874
cc a.c -o a
errno: 0, res: 0
errno: 0, res: 0, status: 513 (0x201)
errno: 0, res: 0, path: /sbin/md5
errno: 0, res: 0, hash: 690e1b75356209a6b171860339387a836ea45df3

### I change a.c to mark the process as invalid before the query ops
### errno 3 == No such process
[filcab@farnsworth ~/Desktop] $ make a && sudo ./a 10874
cc a.c -o a
errno: 0, res: 0
errno: 3, res: 4294967295, status: 0 (0)
errno: 3, res: 4294967295, path:
errno: 3, res: 4294967295, hash: 0000000000000000000000000000000000000000
[filcab@farnsworth ~/Desktop] $

From: Nicholas N. <n.n...@gm...> - 2009-04-02 12:16:38

On Thu, Apr 2, 2009 at 4:25 AM, Filipe Cabecinhas <fi...@gm...> wrote:
> Hi,
>
> First of all... valgrind can now run iTunes :-)
> Patch:
> http://web.ist.utl.pt/~filipe.cabecinhas/patches/valgrind-F_ADDSIGS-csops.patch

That's great, thanks. I'll look at it and commit when I get back from vacation, should be about 2 weeks from now.

Nick

From: Filipe C. <fi...@gm...> - 2009-04-02 13:46:00
Attachments:
valgrind-F_ADDSIGS-csops.patch

Sorry, forgot to svn update. Now it applies cleanly :-)

(But this mail can be useless because when you come back the source may have already changed again)

Regards,
F

Nicholas Nethercote wrote:
> On Thu, Apr 2, 2009 at 4:25 AM, Filipe Cabecinhas <fi...@gm...> wrote:
>> Hi,
>>
>> First of all... valgrind can now run iTunes :-)
>> Patch:
>> http://web.ist.utl.pt/~filipe.cabecinhas/patches/valgrind-F_ADDSIGS-csops.patch
>
> That's great, thanks. I'll look at it and commit when I get back from
> vacation, should be about 2 weeks from now.
>
> Nick

From: Greg P. <gp...@ap...> - 2009-04-02 17:30:51

On Apr 2, 2009, at 6:45 AM, Filipe Cabecinhas wrote:
> +// These constants aren't in a standard header...
> +// I got them from the latest kernel sources:
> +// xnu-1228.3.13 - Mac OS X 10.5.6 - Darwin 9.6
> +#define VKI_CS_OPS_STATUS 0 /* return status */
> +#define VKI_CS_OPS_MARKINVALID 1 /* invalidate process */
> +#define VKI_CS_OPS_MARKHARD 2 /* set HARD flag */
> +#define VKI_CS_OPS_MARKKILL 3 /* set KILL flag
> (sticky) */
> +#define VKI_CS_OPS_PIDPATH 4 /* get executable's
> pathname */
> +#define VKI_CS_OPS_CDHASH 5 /* get code directory
> hash */

You should include the kernel file you found them in:
// xnu-1228.3.13/bsd/sys/codesign.h

--
Greg Parker gp...@ap... Runtime Wrangler
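Review bot: the VKI_CS_OPS_MARKINVALID, VKI_CS_OPS_MARKHARD and VKI_CS_OPS_MARKKILL lines in this hunk should carry a comment saying the wrapper deliberately does not forward these operations (the cover mail says csops() is a no-op for MARK* and nothing records the marks), because a KILL or invalidation request that silently disappears under valgrind is a behavioural difference a later reader will not discover from the constants alone. The header comment that names only the xnu version should also cite the file the values came from, bsd/sys/codesign.h, and since VKI_CS_OPS_STATUS returns flag bits (0x1 for valid, 0x201 after MARKKILL in the posted output) the matching flag constants from the same header are worth defining beside the operation codes so the wrapper can refer to them by name.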

From: Filipe C. <fi...@gm...> - 2009-04-02 17:59:30

Done and uploaded. Thanks :-)

F

Greg Parker wrote:
> On Apr 2, 2009, at 6:45 AM, Filipe Cabecinhas wrote:
>> +// These constants aren't in a standard header...
>> +// I got them from the latest kernel sources:
>> +// xnu-1228.3.13 - Mac OS X 10.5.6 - Darwin 9.6
>> +#define VKI_CS_OPS_STATUS 0 /* return status */
>> +#define VKI_CS_OPS_MARKINVALID 1 /* invalidate process */
>> +#define VKI_CS_OPS_MARKHARD 2 /* set HARD flag */
>> +#define VKI_CS_OPS_MARKKILL 3 /* set KILL flag (sticky) */
>> +#define VKI_CS_OPS_PIDPATH 4 /* get executable's
>> pathname */
>> +#define VKI_CS_OPS_CDHASH 5 /* get code directory
>> hash */
>
> You should include the kernel file you found them in:
> // xnu-1228.3.13/bsd/sys/codesign.h
>

From: Nicholas N. <n.n...@gm...> - 2009-04-16 01:49:36

On Fri, Apr 3, 2009 at 3:59 AM, Filipe Cabecinhas <fi...@gm...> wrote:
> Done and uploaded.

I just tried it against the DARWIN branch (r9563) and got this:

m_syswrap/syswrap-darwin.c: In function ‘vgSysWrap_darwin_sys_fcntl_before’:
m_syswrap/syswrap-darwin.c:1109: error: invalid initializer
m_syswrap/syswrap-darwin.c:1110: error: invalid type argument of ‘->’
m_syswrap/syswrap-darwin.c:1110: error: invalid type argument of ‘->’
m_syswrap/syswrap-darwin.c:1112: error: invalid type argument of ‘->’
m_syswrap/syswrap-darwin.c:1112: error: invalid type argument of ‘->’
m_syswrap/syswrap-darwin.c:1115: error: invalid type argument of ‘->’
m_syswrap/syswrap-darwin.c:1116:67: error: macro "PRE_MEM_READ" requires 3 arguments, but only 2 given
m_syswrap/syswrap-darwin.c:1116: error: ‘PRE_MEM_READ’ undeclared (first use in this function)
m_syswrap/syswrap-darwin.c:1116: error: (Each undeclared identifier is reported only once
m_syswrap/syswrap-darwin.c:1116: error: for each function it appears in.)

Nick

From: Filipe C. <fi...@gm...> - 2009-04-16 08:55:16
Attachments:
valgrind-F_ADDSIGS-csops.patch

Hi,

Sorry, I got the sources mixed up. Here is a clean patch against the latest revision of the branch.

Regards,
F

Nicholas Nethercote wrote:
> On Fri, Apr 3, 2009 at 3:59 AM, Filipe Cabecinhas <fi...@gm...> wrote:
>> Done and uploaded.
>
> I just tried it against the DARWIN branch (r9563) and got this:
>
> m_syswrap/syswrap-darwin.c: In function ‘vgSysWrap_darwin_sys_fcntl_before’:
> m_syswrap/syswrap-darwin.c:1109: error: invalid initializer
> m_syswrap/syswrap-darwin.c:1110: error: invalid type argument of ‘->’
> m_syswrap/syswrap-darwin.c:1110: error: invalid type argument of ‘->’
> m_syswrap/syswrap-darwin.c:1112: error: invalid type argument of ‘->’
> m_syswrap/syswrap-darwin.c:1112: error: invalid type argument of ‘->’
> m_syswrap/syswrap-darwin.c:1115: error: invalid type argument of ‘->’
> m_syswrap/syswrap-darwin.c:1116:67: error: macro "PRE_MEM_READ"
> requires 3 arguments, but only 2 given
> m_syswrap/syswrap-darwin.c:1116: error: ‘PRE_MEM_READ’ undeclared
> (first use in this function)
> m_syswrap/syswrap-darwin.c:1116: error: (Each undeclared identifier is
> reported only once
> m_syswrap/syswrap-darwin.c:1116: error: for each function it appears in.)
>
>
> Nick

From: Nicholas N. <n.n...@gm...> - 2009-04-17 03:38:14

On Thu, Apr 16, 2009 at 6:55 PM, Filipe Cabecinhas <fi...@gm...> wrote:
> Hi,
>
> Sorry, I got the sources mixed up. Here is a clean patch against the latest
> revision of the branch.

Committed, thanks.

Nick