Friday, March 9, 2018

BSD Kernel Hacking - Part 2 (character pseudo-devices)

Continuing on from the last post, I now tackle character devices. It turns out that OpenBSD is quite a lot different than FreeBSD in the way that devices are registered. To begin, I need to set up a cdevsw entry for the new device. Rather than defining the struct directly in the implementation code, it is implemented via a macro which is called in the cdevsw struct definition in sys/arch/amd64/amd64/conf.c

As opposed to FreeBSD, the cdevsw structs are built out by a macro, this macro will take the number of devices being initialized, and the name of the module passed to it (e.g. "cdev_example_init(1, example)") and fill out struct cdevsw to point to the appropriate functions via name concatenation (e.g. the open function will be registered as exampleopen).

I begin by adding a cdev_example_init macro to sys/sys/conf.h, then call the macro within the cdevsw[] array in sys/arch/amd64/amd64/conf.c. Also, while I'm in here, I add a call to the cdev_decl() macro. This should take care of the cdevsw setup portion of the code.

From there, I add example.c under sys/dev/ and build out basic open, close, read, and write functions for it, and add it to files.conf. Much to my surprise, after fixing a few compile errors for missing headers, the kernel compiles and installs fine. Once the machine had booted into my new kernel, I ran a "doas mknod /dev/example c 98 0" to create a node for the device in /dev. In this case, 98 was the position in the cdevsw[] array where my call to cdev_exampl_init landed. In OpenBSD, the major node number is simply an index into the cdevsw array.

I had to switch from using copystr to uiomove in order to get I/O working properly, but once I did, the basic interface code worked fine.

Finally, I decided to work with the MAKEDEV script to ensure that my device would be present in a release, if I so chose to make one. The script required me to add a new case for "example)" with a call to the M function and a few parameters to set the device node name, Major/Minor numbers, permissions, and ownership. In order for etc/etc.amd64/MAKEDEV to be copied to /dev by sysmerge, I had to do a full build of the system. This is a bit time consuming, and there might be a better way, but it worked for my immediate purposes.

Index: etc/etc.amd64/MAKEDEV
===================================================================
RCS file: /cvs/src/etc/etc.amd64/MAKEDEV,v
retrieving revision 1.118
diff -u -p -u -p -r1.118 MAKEDEV
--- etc/etc.amd64/MAKEDEV 14 Nov 2017 20:22:04 -0000 1.118
+++ etc/etc.amd64/MAKEDEV 5 Mar 2018 19:32:55 -0000
@@ -251,6 +251,10 @@ switch*)
M switch$U c 97 $U 600
;;
+example)
+ M example c 98 0 660
+ ;;
+
pvbus*)
M pvbus$U c 95 $U 640
;;
@@ -575,7 +579,7 @@ all)
R lpa2 lpt0 lpt1 lpt2 tty00 tty01 tty02 tty03 tty04 tty05
R tty06 tty07 tty08 tty09 tty0a tty0b ttyc0 ttyc1 ttyc2 ttyc3
R ttyc4 ttyc5 ttyc6 ttyc7 apm pf pctr wd0 wd1 wd2 wd3 std st0
- R st1 fd
+ R st1 fd example
;;
wd*|sd*)
Index: sys/arch/amd64/amd64/conf.c
===================================================================
RCS file: /cvs/src/sys/arch/amd64/amd64/conf.c,v
retrieving revision 1.60
diff -u -p -u -p -r1.60 conf.c
--- sys/arch/amd64/amd64/conf.c 4 Sep 2016 10:51:23 -0000 1.60
+++ sys/arch/amd64/amd64/conf.c 5 Mar 2018 19:33:14 -0000
@@ -116,6 +116,7 @@ int nblkdev = nitems(bdevsw);
#define mmread mmrw
#define mmwrite mmrw
cdev_decl(mm);
+cdev_decl(example);
cdev_decl(wd);
#include "bio.h"
#include "pty.h"
@@ -297,6 +298,7 @@ struct cdevsw cdevsw[] =
cdev_pvbus_init(NPVBUS,pvbus), /* 95: pvbus(4) control interface */
cdev_ipmi_init(NIPMI,ipmi), /* 96: ipmi */
cdev_switch_init(NSWITCH,switch), /* 97: switch(4) control interface */
+ cdev_example_init(1,example) /* 98: example character device */
};
int nchrdev = nitems(cdevsw);
Index: sys/conf/files
===================================================================
RCS file: /cvs/src/sys/conf/files,v
retrieving revision 1.660
diff -u -p -u -p -r1.660 files
--- sys/conf/files 14 Feb 2018 23:51:49 -0000 1.660
+++ sys/conf/files 5 Mar 2018 19:33:14 -0000
@@ -430,6 +430,9 @@ file dev/ic/malo.c malo
device bwi: ether, ifnet, ifmedia, firmload, wlan
file dev/ic/bwi.c bwi
+# PHE Example Device
+file dev/example.c
+
# Attributes which machine-independent bus support can be attached to.
# These should be defined here, because some of these busses can have
# devices which provide these attributes, and we'd like to avoid hairy
Index: sys/dev/example.c
===================================================================
RCS file: sys/dev/example.c
diff -N sys/dev/example.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ sys/dev/example.c 5 Mar 2018 19:33:14 -0000
@@ -0,0 +1,34 @@
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/uio.h>
+#include <sys/vnode.h>
+#include <sys/systm.h>
+
+static char buf[512 + 1];
+
+int
+exampleopen(dev_t dev, int flag, int mode, struct proc *p)
+{
+ memset(&buf, '\0', 513);
+ return 0;
+}
+
+int
+exampleclose(dev_t dev, int flag, int mode, struct proc *p)
+{
+ return 0;
+}
+
+int
+exampleread(dev_t dev, struct uio *uio, int flags)
+{
+ uiomove(&buf, 513, uio);
+ return 0;
+}
+
+int
+examplewrite(dev_t dev, struct uio *uio, int flags)
+{
+ uiomove(&buf, 513, uio);
+ return 0;
+}
Index: sys/sys/conf.h
===================================================================
RCS file: /cvs/src/sys/sys/conf.h,v
retrieving revision 1.144
diff -u -p -u -p -r1.144 conf.h
--- sys/sys/conf.h 13 Jan 2018 13:03:42 -0000 1.144
+++ sys/sys/conf.h 5 Mar 2018 19:33:15 -0000
@@ -475,6 +475,12 @@ extern struct cdevsw cdevsw[];
(dev_type_stop((*))) enodev, 0, (dev_type_poll((*))) enodev, \
(dev_type_mmap((*))) enodev, 0 }
+/* open, close, read, write */
+#define cdev_example_init(c,n) { \
+ dev_init(c,n,open), dev_init(c,n,close), dev_init(c,n,read), \
+ dev_init(c,n,write), (dev_type_ioctl((*))) enodev, \
+ (dev_type_stop((*))) enodev, 0, seltrue, (dev_type_mmap((*))) enodev }
+
#endif
/*
view raw example.diff hosted with ❤ by GitHub
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
int main(int argc, char *argv[]) {
int kernel_fd;
size_t len;
static char buf[512 + 1];
errno = 0;
kernel_fd = open(argv[1], O_RDWR);
if (kernel_fd == -1) {
perror("open");
exit(EXIT_FAILURE);
}
len = strlen(argv[2]);
write(kernel_fd, argv[2], len + 1);
printf("Wrote \"%s\" to %s\n", argv[2], argv[1]);
read(kernel_fd, buf, len + 1);
printf("Read \"%s\" from %s\n", buf, argv[1]);
return 0;
}
view raw interface.c hosted with ❤ by GitHub
Posted by at No comments:

Friday, March 2, 2018

BSD Kernel Hacking - Part 1 (Intro/Syscalls)

Lately I've been reading through Designing BSD Rootkits by Joseph Kong. The book was released back in 2007, and is a treasure trove of information about BSD kernel hacking.

Unfortunately, much has changed since it was released, and the book was written with FreeBSD in mind, while I am more of an OpenBSD fan. I am hoping to start another multipart series based on exercises in this book. First off I will be going through the code in this book as I read, and updating it to run on FreeBSD 11.1. After that, I intend to work on hacking this code into the OpenBSD kernel, which is a little more difficult, as OpenBSD does not support Loadable Kernel Modules anymore.

The first chapter begins with a simple module that will print "Hello World!" on load, and "Goodbye, Cruel World!" on unload. This little experiment works just find out of the box on FreeBSD 11.1. Since OpenBSD doesn't have a LKM system, and this module does nothing without being loaded, porting it over isn't worthwhile.

One lesson of note from this experiment, is that uprintf() is used for printing to userspace, while regular ole' printf() will print to the system console (viewable with dmesg).

The second example in the book expands on the first to create a new syscall. This is where things start to go sideways -- my first attempts using code from the book fail to compile:

root@freebsd-dev:~/syscall # make
Warning: Object directory not changed from original /root/syscall
cc -O2 -pipe  -fno-strict-aliasing -Werror -D_KERNEL -DKLD_MODULE -nostdinc   -I. -I/usr/src/sys -fno-common  -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer  -MD  -MF.depend.sc_example.o -MTsc_example.o -mcmodel=kernel -mno-red-zone -mno-mmx -mno-sse -msoft-float  -fno-asynchronous-unwind-tables -ffreestanding -fwrapv -fstack-protector -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -Wundef -Wno-pointer-sign -D__printf__=__freebsd_kprintf__  -Wmissing-include-dirs -fdiagnostics-show-option  -Wno-unknown-pragmas  -Wno-error-tautological-compare -Wno-error-empty-body  -Wno-error-parentheses-equality -Wno-error-unused-function  -Wno-error-pointer-sign -Wno-error-shift-negative-value -Wno-error-address-of-packed-member  -mno-aes -mno-avx  -std=iso9899:1999 -c sc_example.c -o sc_example.o
sc_example.c:48:1: error: use of undeclared identifier 'AUE_NULL'
SYSCALL_MODULE(sc_example, &offset, &sc_example_sysent, load, NULL);
^
/usr/src/sys/sys/sysent.h:204:43: note: expanded from macro 'SYSCALL_MODULE'
        evh, arg, offset, new_sysent, { 0, NULL, AUE_NULL }     \
                                                 ^
1 error generated.
*** Error code 1

 Stop.
make: stopped in /root/syscall

 This issue turned out to be caused by missing definitions in sys/sysproto.h. Once the missing header is included, the kernel module builds and loads fine, but the example interface code refuses to find the module. I modified the interface a bit to add error handling and check errno on the call to modfind() and found that it was returning an ENOENT. A bit of experimentation later, I discovered (via kldstat -v) that the actual name of sc_example was "sys/sc_example", not just "sc_example".

 Next, I make an attempt to install a syscall into OpenBSD. This is a little more tricky due to a lack of LKMs. First, I create a file with a syscall function in it at sys/kern/sys_example.c. This syscall function is following the same prototype as all other OpenBSD syscalls, which is similar, but slightly different than FreeBSD. The syscall function simply outputs "proto wuz here" to the system console. 

 From there, I found an unimplemented syscall number in sys/kern/syscalls.master (241), and updated the master list to include my sys_example syscall and called "make syscalls" in sys/kern, then added kern/sys_example.c to sys/conf/files to make sure it is included in the build.

 This operation led to chasing compiler errors around missing includes for a while, but after all of the required headers were included, I was able to do a standard kernel build following the directions in release(8). After reboot, I was able to call syscall 241 from Perl and have the kernel display my message in the system console:

 [peter@dev ~]$ perl -e "syscall(241);"
[peter@dev ~]$ dmesg | tail -1

proto wuz here

Here is the code from sys/kern/sys_example.c:

int
sys_example(struct proc *p, void *v, register_t *retval)
{
printf("proto wuz here\n");
return 0;
}
view raw sys_example.c hosted with ❤ by GitHub

My final challenge for this post is to make the function behave the same as the example in the BSD Rootkit book, by accepting a string as an argument to the syscall and printing that to the console. I had to update my entry in syscalls.master to include the new argument, and include sys/syscallargs.h as well as a few other various headers. From there, the operation is almost identical to FreeBSD, except that a macro is used to access the arguments from their structure:

int
sys_example(struct proc *p, void *v, register_t *retval)
{
struct sys_example_args *uap;
uap = (struct sys_example_args *)v;
printf("proto says: %s.\n", SCARG(uap,str));
return 0;
}
view raw sys_example.c hosted with ❤ by GitHub


And the output from calling the syscall:

 [peter@dev ~]$ perl -e '$str = "this is an OpenBSD syscall";' -e 'syscall(241, $str);'
[peter@dev ~]$ dmesg | tail -1

proto says: this is an OpenBSD syscall.

 I obviously have some learning to do regarding code management in CVS, as my changes broke a bunch of the change/copyright information inside the files that were modified. I'm not too worried about it for the time being, as I don't intend to submit these changes upstream.

I did a little more code cleanup, and here is the final result:

Index: conf/files
===================================================================
RCS file: /cvs/src/sys/conf/files,v
retrieving revision 1.660
diff -u -p -u -p -r1.660 files
--- conf/files 14 Feb 2018 23:51:49 -0000 1.660
+++ conf/files 2 Mar 2018 17:26:54 -0000
@@ -708,6 +708,7 @@ file kern/subr_witness.c witness
file kern/subr_xxx.c
file kern/sys_futex.c
file kern/sys_generic.c
+file kern/sys_ohai.c
file kern/sys_pipe.c
file kern/sys_process.c ptrace
file kern/sys_socket.c
Index: kern/init_sysent.c
===================================================================
RCS file: /cvs/src/sys/kern/init_sysent.c,v
retrieving revision 1.191
diff -u -p -u -p -r1.191 init_sysent.c
--- kern/init_sysent.c 12 Dec 2017 01:13:14 -0000 1.191
+++ kern/init_sysent.c 2 Mar 2018 17:26:54 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: init_sysent.c,v 1.191 2017/12/12 01:13:14 deraadt Exp $ */
+/* $OpenBSD$ */
/*
* System call switch table.
@@ -751,5 +751,7 @@ struct sysent sysent[] = {
sys___set_tcb }, /* 329 = __set_tcb */
{ 0, 0, SY_NOLOCK | 0,
sys___get_tcb }, /* 330 = __get_tcb */
+ { 1, s(struct sys_ohai_args), 0,
+ sys_ohai }, /* 331 = ohai */
};
Index: kern/sys_ohai.c
===================================================================
RCS file: kern/sys_ohai.c
diff -N kern/sys_ohai.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ kern/sys_ohai.c 2 Mar 2018 17:26:54 -0000
@@ -0,0 +1,18 @@
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/systm.h>
+#include <sys/socket.h>
+#include <sys/mount.h>
+#include <sys/syscallargs.h>
+
+int
+sys_ohai(struct proc *p, void *v, register_t *retval)
+{
+ struct sys_ohai_args *uap;
+ uap = (struct sys_ohai_args *)v;
+
+ printf("The kernel says: ohai %s!\n", SCARG(uap, str));
+
+ return 0;
+}
Index: kern/syscalls.c
===================================================================
RCS file: /cvs/src/sys/kern/syscalls.c,v
retrieving revision 1.190
diff -u -p -u -p -r1.190 syscalls.c
--- kern/syscalls.c 12 Dec 2017 01:13:14 -0000 1.190
+++ kern/syscalls.c 2 Mar 2018 17:26:54 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: syscalls.c,v 1.190 2017/12/12 01:13:14 deraadt Exp $ */
+/* $OpenBSD$ */
/*
* System call names.
@@ -393,4 +393,5 @@ char *syscallnames[] = {
"#328 (obsolete __tfork51)", /* 328 = obsolete __tfork51 */
"__set_tcb", /* 329 = __set_tcb */
"__get_tcb", /* 330 = __get_tcb */
+ "ohai", /* 331 = ohai */
};
Index: kern/syscalls.master
===================================================================
RCS file: /cvs/src/sys/kern/syscalls.master,v
retrieving revision 1.180
diff -u -p -u -p -r1.180 syscalls.master
--- kern/syscalls.master 12 Dec 2017 01:12:34 -0000 1.180
+++ kern/syscalls.master 2 Mar 2018 17:26:54 -0000
@@ -565,3 +565,5 @@
328 OBSOL __tfork51
329 STD NOLOCK { void sys___set_tcb(void *tcb); }
330 STD NOLOCK { void *sys___get_tcb(void); }
+
+331 STD { int sys_ohai(char *str); }
Index: sys/syscall.h
===================================================================
RCS file: /cvs/src/sys/sys/syscall.h,v
retrieving revision 1.190
diff -u -p -u -p -r1.190 syscall.h
--- sys/syscall.h 12 Dec 2017 01:13:14 -0000 1.190
+++ sys/syscall.h 2 Mar 2018 17:26:54 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: syscall.h,v 1.190 2017/12/12 01:13:14 deraadt Exp $ */
+/* $OpenBSD$ */
/*
* System call numbers.
@@ -699,4 +699,7 @@
/* syscall: "__get_tcb" ret: "void *" args: */
#define SYS___get_tcb 330
-#define SYS_MAXSYSCALL 331
+/* syscall: "ohai" ret: "int" args: "char *" */
+#define SYS_ohai 331
+
+#define SYS_MAXSYSCALL 332
Index: sys/syscallargs.h
===================================================================
RCS file: /cvs/src/sys/sys/syscallargs.h,v
retrieving revision 1.193
diff -u -p -u -p -r1.193 syscallargs.h
--- sys/syscallargs.h 12 Dec 2017 01:13:14 -0000 1.193
+++ sys/syscallargs.h 2 Mar 2018 17:26:54 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: syscallargs.h,v 1.193 2017/12/12 01:13:14 deraadt Exp $ */
+/* $OpenBSD$ */
/*
* System call argument lists.
@@ -1096,6 +1096,10 @@ struct sys___set_tcb_args {
syscallarg(void *) tcb;
};
+struct sys_ohai_args {
+ syscallarg(char *) str;
+};
+
/*
* System call prototypes.
*/
@@ -1344,3 +1348,4 @@ int sys_symlinkat(struct proc *, void *,
int sys_unlinkat(struct proc *, void *, register_t *);
int sys___set_tcb(struct proc *, void *, register_t *);
int sys___get_tcb(struct proc *, void *, register_t *);
+int sys_ohai(struct proc *, void *, register_t *);
view raw sys_ohai.diff hosted with ❤ by GitHub
If anyone finds anything that I've done wrong here, please feel free to yell at me about it in the comments.


References:

Designing BSD Rootkits: An Introduction to Kernel Hacking
by Joseph Kong
http://a.co/eSG5wWX

FAQ 5 - Building the System From Source
https://www.openbsd.org/faq/faq5.html

release(9)
https://man.openbsd.org/release

syscall(9)
https://man.openbsd.org/man9/syscall.9
Posted by at No comments:
Labels: , ,
Location: Elk Plain, WA, USA
Subscribe to: Posts (Atom)