---

IgHook.cc

Go to the documentation of this file.

//<<<<<< INCLUDES                                                       >>>>>>

#include "IgTools/IgHook/interface/IgHook.h"
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <cstdarg>
#include <cerrno>
#include <cassert>
#include <dlfcn.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/time.h>

#if __APPLE__
#include <mach/mach.h>
#endif

#if defined __i386__
# define TRAMPOLINE_JUMP        5       // jump to hook/old code
# define TRAMPOLINE_SAVED       10      // 5+margin for saved prologue
#elif defined __ppc__
# define TRAMPOLINE_JUMP        16      // jump to hook/old code
# define TRAMPOLINE_SAVED       4       // one prologue instruction to save
#else
# error sorry this platform is not supported
#endif

#define TRAMPOLINE_SIZE (TRAMPOLINE_JUMP+TRAMPOLINE_SAVED+TRAMPOLINE_JUMP)

#if !defined MAP_ANONYMOUS && defined MAP_ANON
# define MAP_ANONYMOUS MAP_ANON
#endif

#if !__linux
# define dlvsym(h,fn,v) dlsym(h,fn)
#endif

//<<<<<< PRIVATE DEFINES                                                >>>>>>
//<<<<<< PRIVATE CONSTANTS                                              >>>>>>
//<<<<<< PRIVATE TYPES                                                  >>>>>>
//<<<<<< PRIVATE VARIABLE DEFINITIONS                                   >>>>>>
//<<<<<< PUBLIC VARIABLE DEFINITIONS                                    >>>>>>
//<<<<<< CLASS STRUCTURE INITIALIZATION                                 >>>>>>
//<<<<<< PRIVATE FUNCTION DEFINITIONS                                   >>>>>>

static void
debug (const char *format, ...)
{
    static const char *debugging = getenv ("IGHOOK_DEBUGGING");
    if (debugging)
    {
        timeval tv;
        gettimeofday (&tv, 0);
        fprintf (stderr, "*** IgHook(%lu, %.3f): ",
                 (unsigned long) getpid(),
                 tv.tv_sec + 1e-6*tv.tv_usec);

        va_list args;
        va_start (args, format);
        vfprintf (stderr, format, args);
        va_end (args);
    }
}


static IgHook::Status
allocate (void *&ptr)
{
#if 0 && defined __i386__
    // IA32 branch can jump anywhere
    if (! (ptr = malloc (TRAMPOLINE_SIZE)))
    {
        debug ("malloc() failed, can't crete trampoline\n");
        return IgHook::ErrAllocateTrampoline;
    }
    return IgHook::Success;
#elif 1 || __ppc__
    // Allocate at end of memory so the address sign extends -- "ba"
    // can only take 24-bit immediate offset plus two zero bits
    // stripped off at the right end.  It can be either in the low 25
    // bits which can be crowded, or 26-bit address that sign extends
    // -- i.e. in high memory.  Thus the top six bits of the address
    // are required to be 1, i.e. 0xfe000000 .. 0xffffffff.

    // FIXME: a page per trampoline is a bit excessive...
    unsigned int pagesize = getpagesize ();
#if __APPLE__ && __ppc__
    // Ask for a page in a specific place.  Note that this uses Mach's
    // vm_allocate, not mmap(), as mmap() + MAP_FIXED will happily map
    // over an existing memory mapping, and there does not seem to be
    // a convenient (unix-only) API to query whether the memory region
    // is already taken.
    vm_address_t limit = 0xfeffffff;
    vm_address_t address = 0xfe000000;
    kern_return_t retcode;
    do retcode = vm_allocate (mach_task_self (), &address, pagesize, FALSE);
    while (retcode != KERN_SUCCESS && (address += pagesize) < limit);
    void *addr = (address < limit ? (void *) address : MAP_FAILED);
#else
    // Just ask for a page.  Let system position it, so we don't unmap
    // or remap over address space accidentally.
    void *addr = mmap (0, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
#endif
    if (addr != MAP_FAILED)
    {
        unsigned int *page = (unsigned int *) addr;
        *page = pagesize;
        ptr = ++page;
        return IgHook::Success;
    }
    else
    {
        ptr = 0;
        return IgHook::ErrAllocateTrampoline;
    }
#endif
}

static void
release (void *ptr)
{
#if defined __i386__
    free (ptr);
#else
    unsigned int *page = (unsigned int *) ptr;
    --page;
    munmap (page, *page);
#endif
}

static IgHook::Status
protect (void *address, bool writable)
{
    assert (sizeof (address) <= sizeof (unsigned long));

    int pagesize = getpagesize ();
    address = (void *) (((unsigned long) address) & ~(pagesize-1));
#if __APPLE__
    // (https://lists.apple.com/archives/Darwin-kernel/2005/Feb/msg00045.html)
    // The dynamic loader (dyld) loads pages into unmodifiable system-wide
    // shared map.  The first time we touch a page we need to make a
    // writable process-local copy of the page; on subsequent uses we
    // can just go ahead and flip the page writable.  We can't give
    // executable permissions on the page however.
    mach_port_t self = mach_task_self ();
    vm_address_t vmaddr = (vm_address_t) address;
    vm_prot_t protection = VM_PROT_READ | VM_PROT_WRITE;
    kern_return_t retcode = vm_protect (self, vmaddr, pagesize, false, protection);;
    if (writable && retcode != KERN_SUCCESS)
    {
        protection = VM_PROT_READ | VM_PROT_COPY;
        retcode = vm_protect (self, vmaddr, pagesize, FALSE, protection);
    }
    if (retcode != KERN_SUCCESS)
    {
        debug ("vm_protect(%p, %d, %d): %d\n",
               address, pagesize, protection, retcode);
        return IgHook::ErrMemoryProtection;
    }
#else
    int protection = PROT_READ | PROT_EXEC | (writable ? PROT_WRITE : 0);
    if (mprotect (address, pagesize, protection))
    {
        debug ("mprotect(%p, %d, %d): %d\n",
               address, pagesize, protection, errno);
        return IgHook::ErrMemoryProtection;
    }
#endif

    return IgHook::Success;
}

static void
flush (void *address)
{
    msync (address, TRAMPOLINE_SIZE, MS_INVALIDATE);
}

static void *
skip (void *&ptr, int n)
{ ptr = (unsigned char *) ptr + n; return ptr; }


static IgHook::Status
lookup (const char *fn, const char *v, const char *lib, void *&sym)
{
    sym = 0;

    if (lib)
    {
        void *handle = dlopen (lib, RTLD_LAZY | RTLD_GLOBAL);
        if (! handle)
        {
            debug ("dlopen('%s'): %s\n", lib, dlerror ());
            return IgHook::ErrLibraryNotFound;
        }

        sym = v ? dlvsym (handle, fn, v) : dlsym (handle, fn);
        if (! sym)
        {
            debug ("dlsym('%s', '%s'): %s\n", lib, fn, dlerror ());
            return IgHook::ErrSymbolNotFoundInLibrary;
        }
    }
    else
    {
        void *program = dlopen (0, RTLD_LAZY | RTLD_GLOBAL);
        sym = v ? dlvsym (program, fn, v) : dlsym (program, fn);
        dlclose (program);
        if (! sym) sym = v ? dlvsym (program, fn, v) : dlsym (RTLD_NEXT, fn);
        if (! sym)
        {
            debug ("dlsym(self, '%s'): %s\n", fn, dlerror ());
            return IgHook::ErrSymbolNotFoundInSelf;
        }
    }

    return IgHook::Success;
}

static int
parse (const char *func, void *address)
{
    int n = 0;

#if defined __i386__
    unsigned char *insns = (unsigned char *) address;
    if (insns [0] == 0xe9)
    {
        debug ("%s (%p): hook trampoline already installed, ignoring\n",
               func, address);
        return -1;
    }

    while (n < 5)
    {
        if (insns [0] >= 0x50 && insns [0] <= 0x57) /* push %e*x */
            ++n, ++insns;

        else if (insns [0] == 0x89 && insns [1] == 0xe5) /* mov %esp, %ebp */
            n += 2, insns += 2;

        else if (insns [0] == 0x89 && insns [1] == 0xda) /* mov %ebx, %edx */
            n += 2, insns += 2;

        else if (insns [0] == 0x83 && insns [1] == 0xec) /* sub $0x*, %esp */
            n += 3, insns += 3;

        else if (insns [0] == 0x81 && insns [1] == 0xec) /* sub $0x*, %esp (32-bit) */
            n += 6, insns += 6;

        else if (insns [0] == 0x8b && insns [2] == 0x24) /* mov 0x4(%esp,1),%e*x */
            n += 4, insns += 4;

        else if (insns [0] == 0x8d && insns [1] == 0x55) /* lea $0x*(%ebp),%edx */
            n += 3, insns += 3;

        else if (insns [0] >= 0xb8 && insns [0] <= 0xbf) /* mov $0xNN,%e*x */
            n += 5, insns += 5;

        else if (insns [0] == 0xff && insns [1] == 0x25) /* jmp *addr */
            n += 6, insns += 6;

        else if (insns [0] == 0x65 && insns [1] == 0x83 && insns [2] == 0x3d)
            n += 8, insns += 8;                          /* cmpl $0x*,%gs:0x* */

        else
        {
            debug ("%s (%p) + 0x%x: unrecognised prologue (found 0x%x)\n",
                   func, address, insns - (unsigned char *) address, *insns);
            return -1;
        }
    }
#elif defined __ppc__
    // FIXME: check for various branch-relative etc. instructions
    assert (sizeof (unsigned int) == 4);
    unsigned int *insns = (unsigned int *) address;
    unsigned int instr = *insns;
    if ((instr & 0xfc1fffff) == 0x7c0903a6) // check it's not mfctr
    {
        debug ("%s (%p): mfctr can't be instrumented\n", func, address);
        return -1;
    }

    n = 4;
#endif

    return n;
}

static int
redirect (void *&from, void *to)
{
#if defined __i386__
    // NB: jump offsets are calculated from *after* the jump instruction
    unsigned char *start = (unsigned char *) from;
    unsigned char *insns = (unsigned char *) from;
    unsigned long diff = (unsigned long) to - ((unsigned long) from + 5);
    *insns++ = 0xe9;
    *insns++ = diff & 0xff;
    *insns++ = (diff >> 8) & 0xff;
    *insns++ = (diff >> 16) & 0xff;
    *insns++ = (diff >> 24) & 0xff;
    from = insns;
    return insns - start;

#elif defined __ppc__
    // The low six bits are "ba" instruction (opcode 18 = 0x12),
    // then immediate address with the low two bits stripped off,
    // and top two bits are "01" (no link, absolute).  This only
    // works if the address is appropriate.  The 24-bit immediate
    // address is sign extended to 32 bits, so either it must be
    // in the low 23-bit address space, or in the high area.
    unsigned int *start = (unsigned int *) from;
    unsigned int *insns = (unsigned int *) from;

    assert (sizeof (unsigned int) == 4);
    assert (! ((unsigned int) to & 0x3));
    // *insns++ = 0x40000012 | (((unsigned int) to >> 2) << 5); // ba to
    *insns++ = 0x48000002 | ((unsigned int) to & 0x3ffffff);
    from = insns;
    return (insns - start) * 4;
#endif
}

static int
prereentry (void *&from, void *to)
{
#if defined __ppc__
    // Set ctr using r0 as a temporary register.  The assumption here
    // is that this instruction sequence comes as immediate target of
    // a call in the re-entry part of the trampoline, meaning that we
    // are allowed to trash r0 (it's a volatile register so caller
    // must have saved it).  The instruction copied from the original
    // prologue comes after this one and must not trash ctr (parse()
    // ensures that) but may trash r0 after us.
    assert (sizeof (to) == sizeof (unsigned int));
    assert (sizeof (unsigned int) == 4);
    unsigned int *start = (unsigned int *) from;
    unsigned int *insns = (unsigned int *) from;
    *insns++ = 0x3c000000 | (((unsigned int) to & 0xffff0000) >> 16); // lis r0,addrhi
    *insns++ = 0x60000000 | (((unsigned int) to & 0x0000ffff) >> 0);  // ori r0,r0,addrlo
    *insns++ = 0x7c0903a6; // mtctr r0  
    from = insns;
    return (insns - start) * 4;
#else
    // nothing to do
    return 0;
#endif
}

static int
postreentry (void *&from, void *to)
{
#if defined __i386__
    // Real jump
    return redirect (from, to);
#elif defined __ppc__
    // ctr was set in prereentry(), jump into it
    assert (sizeof (unsigned int) == 4);
    unsigned int *start = (unsigned int *) from;
    unsigned int *insns = (unsigned int *) from;
    *insns++ = 0x4e800420; // bctr
    from = insns;
    return (insns - start) * 4;
#endif
}

static void
prepare (void *address, void *replacement, void **chain, void *old, int prologue)
{
    // First part: unconditional jump to replacement
    prereentry (address, replacement);
    postreentry (address, replacement);

    // Second part: old function prologue + jump to post-prolugue code
    if (chain) *chain = address;
    prereentry (address, ((unsigned char *) old) + prologue);
    memcpy (address, old, prologue);
    skip (address, prologue);
    skip (old, prologue);
    postreentry (address, old);
}

static void
patch (void *address, void *trampoline, int prologue)
{
    // FIXME: Not atomic, freeze all other threads!
    unsigned char *insns = (unsigned char *) address;
    for (int i = redirect (address, trampoline); i < prologue; ++i)
    {
#if defined __i386__
        insns [i] = 0x90; // nop
#else
        // can't happen!
        abort ();
#endif
    }
}

//<<<<<< PUBLIC FUNCTION DEFINITIONS                                    >>>>>>
//<<<<<< MEMBER FUNCTION DEFINITIONS                                    >>>>>>

IgHook::Status
IgHook::hook (const char *function,
              const char *version,
              const char *library,
              void *replacement,
              int options /* = 0 */,
              void **chain /* = 0 */,
              void **original /* = 0 */,
              void **trampoline)
{
    // For future compatibility -- call vs. jump, counting etc.
    if (options != 0)
        return ErrBadOptions;

    // Zero out variables
    if (chain) *chain = 0;
    if (original) *original = 0;
    if (trampoline) *trampoline = 0;

    // Lookup function
    Status s;
    void *sym = 0;
    if ((s = lookup (function, version, library, sym)) != Success)
        return s;

    if (original) *original = sym;

    // See if we understand it
    int prologue = parse (function, sym);
    if (prologue < 0)
        return ErrPrologueNotRecognised;
    else if (prologue > TRAMPOLINE_SAVED)
        return ErrPrologueTooLarge;

    // Prepare trampoline
    void *tramp = 0;
    if ((s = allocate (tramp)) != Success)
        return s;

    if (trampoline)
        *trampoline = tramp;

    if (version)
        debug ("%s/%s (%p): instrumenting %d bytes into %p\n",
               function, version, sym, prologue, tramp);
    else
        debug ("%s (%p): instrumenting %d bytes into %p\n",
               function, sym, prologue, tramp);

    prepare (tramp, replacement, chain, sym, prologue);

    // Attach trampoline
    if ((s = protect (sym, true)) != Success)
    {
        release (tramp);
        return s;
    }

    patch (sym, tramp, prologue);

    // Restore privileges and flush caches
    // No: protect (tramp, false); -- segvs on linux, full page might not been allocated?
    protect (sym, false);
    flush (tramp);
    flush (sym);

    return Success;
}

---