Add specialized code to handle relocation of LEA

Author: GBuella

src/disasm_wrapper.c

@@ -209,7 +209,7 @@ intercept_disasm_next_instruction(struct intercept_disasm_context *context,
 {
 	static const unsigned char endbr64[] = {0xf3, 0x0f, 0x1e, 0xfa};
 
-	struct intercept_disasm_result result = {0, };
+	struct intercept_disasm_result result = {.address = code, 0, };
 	const unsigned char *start = code;
 	size_t size = (size_t)(context->end - code + 1);
 	uint64_t address = (uint64_t)code;
@@ -227,8 +227,6 @@ intercept_disasm_next_instruction(struct intercept_disasm_context *context,
 
 	if (!cs_disasm_iter(context->handle, &start, &size,
 	    &address, context->insn)) {
-		result.is_set = false;
-		result.length = 0;
 		return result;
 	}
 
@@ -300,6 +298,22 @@ intercept_disasm_next_instruction(struct intercept_disasm_context *context,
 		check_op(&result, context->insn->detail->x86.operands + op_i,
 		    code);
 
+	result.is_lea_rip = (context->insn->id == X86_INS_LEA &&
+			result.has_ip_relative_opr);
+
+	if (result.is_lea_rip) {
+		/*
+		 * Extract the four bits from the encoding, which
+		 * specify the destination register.
+		 */
+
+		/* one bit from the REX prefix */
+		result.arg_register_bits = ((code[0] & 4) << 1);
+
+		/* three bits from the ModRM byte */
+		result.arg_register_bits |= ((code[2] >> 3) & 7);
+	}
+
 	result.is_set = true;
 
 	return result;

src/disasm_wrapper.h

@@ -49,6 +49,7 @@
 #include <stdint.h>
 
 struct intercept_disasm_result {
+	const unsigned char *address;
 
 	bool is_set;
 
@@ -66,6 +67,18 @@ struct intercept_disasm_result {
 	/* as of now this only refers to endbr64 */
 	bool is_endbr;
 
+	/*
+	 * Flag marking lea instructions setting a 64 bit register to a
+	 * RIP relative address. They can be relocated -- but by simple memcpy.
+	 */
+	bool is_lea_rip;
+
+	/*
+	 * The X86 encoding of 64 bit register being set in an instruction
+	 * marked above as is_lea_rip.
+	 */
+	unsigned char arg_register_bits;
+
 	/* call instruction */
 	bool is_call;
 

src/intercept.c

@@ -427,14 +427,39 @@ analyze_object(struct dl_phdr_info *info, size_t size, void *data)
 	patches->base_addr = (unsigned char *)info->dlpi_addr;
 	patches->path = path;
 	find_syscalls(patches);
-	allocate_trampoline_table(patches);
-	create_patch_wrappers(patches);
 
 	return 0;
 }
 
 const char *cmdline;
 
+static unsigned char asm_wrapper_space[0x100000];
+static unsigned char *next_asm_wrapper_space = asm_wrapper_space + PAGE_SIZE;
+
+static bool
+is_asm_wrapper_space_full(void)
+{
+	return next_asm_wrapper_space + asm_wrapper_tmpl_size + 256 >
+			asm_wrapper_space + sizeof(asm_wrapper_space);
+}
+
+/*
+ * mprotect_asm_wrappers
+ * The code generated into the data segment at the asm_wrapper_space
+ * array is not executable by default. This routine sets that memory region
+ * to be executable, must called before attempting to execute any patched
+ * syscall.
+ */
+void
+mprotect_asm_wrappers(void)
+{
+	mprotect_no_intercept(
+	    round_down_address(asm_wrapper_space + PAGE_SIZE),
+	    sizeof(asm_wrapper_space) - PAGE_SIZE,
+	    PROT_READ | PROT_EXEC,
+	    "mprotect_asm_wrappers PROT_READ | PROT_EXEC");
+}
+
 /*
  * intercept - This is where the highest level logic of hotpatching
  * is described. Upon startup, this routine looks for libc, and libpthread.
@@ -467,6 +492,12 @@ intercept(int argc, char **argv)
 	if (!libc_found)
 		xabort("libc not found");
 
+	for (unsigned i = 0; i < objs_count; ++i) {
+		if (objs[i].count > 0 && is_asm_wrapper_space_full())
+			xabort("not enough space in asm_wrapper_space");
+		allocate_trampoline_table(objs + i);
+		create_patch_wrappers(objs + i, &next_asm_wrapper_space);
+	}
 	mprotect_asm_wrappers();
 	for (unsigned i = 0; i < objs_count; ++i)
 		activate_patches(objs + i);

src/intercept.h

@@ -194,7 +194,7 @@ void allocate_trampoline_table(struct intercept_desc *desc);
 void find_syscalls(struct intercept_desc *desc);
 
 void init_patcher(void);
-void create_patch_wrappers(struct intercept_desc *desc);
+void create_patch_wrappers(struct intercept_desc *desc, unsigned char **dst);
 void mprotect_asm_wrappers(void);
 
 /*
@@ -217,4 +217,15 @@ void create_jump(unsigned char opcode, unsigned char *from, void *to);
 
 const char *cmdline;
 
+#define PAGE_SIZE ((size_t)0x1000)
+
+static inline unsigned char *
+round_down_address(unsigned char *address)
+{
+	return (unsigned char *)(((uintptr_t)address) & ~(PAGE_SIZE - 1));
+}
+
+/* The size of an asm wrapper instance */
+extern size_t asm_wrapper_tmpl_size;
+
 #endif

src/intercept_util.c

@@ -50,6 +50,15 @@
 #include <sched.h>
 #include <linux/limits.h>
 
+void
+mprotect_no_intercept(void *addr, size_t len, int prot,
+			const char *msg_on_error)
+{
+	long result = syscall_no_intercept(SYS_mprotect, addr, len, prot);
+
+	xabort_on_syserror(result, msg_on_error);
+}
+
 void *
 xmmap_anon(size_t size)
 {

src/intercept_util.h

@@ -47,6 +47,8 @@
  */
 long syscall_no_intercept(long syscall_number, ...);
 
+void mprotect_no_intercept(void *addr, size_t len, int prot,
+			const char *msg_on_error);
 /*
  * xmmap_anon - get new memory mapping
  *