Zbr's days.

Zbr's days.

←January →
Sun Mon Tue Wed Thu Fri Sat

1 2 3 4 5 6

7 8 9 10 11 12 13

14 15 16 17 18 19 20

21 22 23 24 25 26 27

28 29 30 31

←2007 →
Months

Jan Feb Mar

Apr May Jun

Jul Aug Sep

Oct Nov Dec

/(1597)

devel(898)

acrypto(35)

hifn(12)

arm(1)

captcha(9)

dst(96)

eventfs(3)

flat(59)

fs(165)

kevent(110)

aio(7)

math(14)

bezier(3)

codes(5)

hash(5)

networking(190)

dns(13)

nta(27)

unetstack(3)

zcs(7)

other(163)

sh(17)

sky(2)

threading(25)

life(311)

photo(1)

other(95)

About TODO Blog RSS Old blog Projects Gallery Notes

Wed, 24 Jan 2007

Execution different function after returning from signal handler.

It looks a bit like writing an exploit actually, but I managed to change signal execution path to call my own function after signal handler is completed instead of returning to previously running context. Currently that function is executed in previously running context, only %eip was changed.

Code is quite simple and generic enough:

	struct sigframe *frame = (void *)get_ebp + sizeof(void *);
	struct sigcontext *sc = &frame->sc;

Above is correct at least on x86 and x86_64 (except that register is %rbp), although above structures are cpu-specific. If %eip (or %rip) is changed in signal handler to pointer to the new function, it will be called instead of function, which is supposed to run in that context.

Here is a log:

main 1814: scheduling first, context size: 88, fpstte: 624.
call_me_func: ebp: 0xb7f19ff8, stack: 0xb7f1a008, diff: 16.
call_me_func: esp: 0xb7f19fb0, stack: 0xb7f1a008, diff: 88.
1169655167:       th: 0x8049c00, stack: 0xb7efa008, id: 1, esp: b7f19fb0, ebp: b7f19ff8.
alarm_sighandler: ebp: 0xb7f19b08, esp: 0xb7f19ad0, func: 0x804868a, frame: 0xb7f19b0c, call_me_func: 0x804856c.
alarm_sighandler: prev: esp: b7f19de8, ebp: b7f19fa8, eip: 3404db.
alarm_sighandler: eip set to 804865a.
sched_return: func: 0x804865a, ebp: b7f19de4, esp: b7f19dcc.
1169655168:       th: 0x8049c00, stack: 0xb7efa008, id: 2, esp: b7f19fb0, ebp: b7f19ff8.
1169655171:       th: 0x8049c00, stack: 0xb7efa008, id: 3, esp: b7f19fb0, ebp: b7f19ff8.
1169655174:       th: 0x8049c00, stack: 0xb7efa008, id: 4, esp: b7f19fb0, ebp: b7f19ff8.

As you can see, sched_return() is called instead of old function, which prints next string since sched_return() returns.

To implement correct userspace scheduling I only need to replace the whole struct sigframe function with context from different thread. So far this looks simple, how it will be in practice I will check tomorrow, and now I need some climbing.

P.S. in previous story about how signals work I made a mistake saying that new signal stack is allocated - no, the same process' stack is used, or alternative one if it is available and thus special flag is set.

/devel/threading :: Link / Comments (0)

Please solve this captcha to be allowed to post (need to reload in a minute): 8 - 30

Comments are closed for this story.