[Qemu-devel] [PATCH 0/5] linux-user: fake some /proc/self entries

[Qemu-devel] [PATCH 0/5] linux-user: fake some /proc/self entries

[Alexander Graf]

When running linux-user programs in QEMU, the guest program can examine
itself by checking /proc/self/ files. And some libraries really do use
this!

Unfortunately, when checking /proc/self/ today, the guest program sees
the QEMU files, exposing wrong information to the guest program.

This patch set fakes auxv, maps and stat to make gtk, pthread and boehm
gc happy.

Alex

Alexander Graf (5):
  linux-user: save auxv length
  linux-user: add open() hijack infrastructure
  linux-user: fake /proc/self/maps
  linux-user: fake /proc/self/stat
  linux-user: fake /proc/self/auxv

 linux-user/elfload.c |   15 ++-----
 linux-user/qemu.h    |    1 +
 linux-user/syscall.c |  123 ++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 125 insertions(+), 14 deletions(-)

[Qemu-devel] [PATCH 1/5] linux-user: save auxv length

[Alexander Graf]

We create our own AUXV segment on stack and save a pointer to it.
However we don't save the length of it, so any code that wants to
do anything useful with it later on has to walk it again.

Instead, let's remember the length of our AUXV segment. This
simplifies later uses by a lot.

Signed-off-by: Alexander Graf <agraf@suse.de>
---
 linux-user/elfload.c |   15 ++++-----------
 linux-user/qemu.h    |    1 +
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index a413976..3a8eee4 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -1246,6 +1246,7 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
                                    struct image_info *interp_info)
 {
     abi_ulong sp;
+    abi_ulong sp_auxv;
     int size;
     int i;
     abi_ulong u_rand_bytes;
@@ -1317,6 +1318,7 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
         sp -= n; put_user_ual(id, sp);          \
     } while(0)
 
+    sp_auxv = sp;
     NEW_AUX_ENT (AT_NULL, 0);
 
     /* There must be exactly DLINFO_ITEMS entries here.  */
@@ -1347,6 +1349,7 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
 #undef NEW_AUX_ENT
 
     info->saved_auxv = sp;
+    info->auxv_len = sp_auxv - sp;
 
     sp = loader_build_argptr(envc, argc, sp, p, 0);
     return sp;
@@ -2330,9 +2333,8 @@ static void fill_auxv_note(struct memelfnote *note, const TaskState *ts)
 {
     elf_addr_t auxv = (elf_addr_t)ts->info->saved_auxv;
     elf_addr_t orig_auxv = auxv;
-    abi_ulong val;
     void *ptr;
-    int i, len;
+    int len = ts->info->auxv_len;
 
     /*
      * Auxiliary vector is stored in target process stack.  It contains
@@ -2340,15 +2342,6 @@ static void fill_auxv_note(struct memelfnote *note, const TaskState *ts)
      * strictly necessary but we do it here for sake of completeness.
      */
 
-    /* find out lenght of the vector, AT_NULL is terminator */
-    i = len = 0;
-    do {
-        get_user_ual(val, auxv);
-        i += 2;
-        auxv += 2 * sizeof (elf_addr_t);
-    } while (val != AT_NULL);
-    len = i * sizeof (elf_addr_t);
-
     /* read in whole auxv vector and copy it to memelfnote */
     ptr = lock_user(VERIFY_READ, orig_auxv, len, 0);
     if (ptr != NULL) {
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 55ad9d8..ef08d39 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -48,6 +48,7 @@ struct image_info {
         abi_ulong       code_offset;
         abi_ulong       data_offset;
         abi_ulong       saved_auxv;
+        abi_ulong       auxv_len;
         abi_ulong       arg_start;
         abi_ulong       arg_end;
 	int		personality;
-- 
1.6.0.2

[Qemu-devel] [PATCH 2/5] linux-user: add open() hijack infrastructure

[Alexander Graf]

There are a number of files in /proc that expose host information
to the guest program. This patch adds infrastructure to override
the open() syscall for guest programs to enable us to on the fly
generate guest sensible files.

Signed-off-by: Alexander Graf <agraf@suse.de>
---
 linux-user/syscall.c |   52 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 9f5da36..38953ba 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4600,6 +4600,52 @@ int get_osversion(void)
     return osversion;
 }
 
+static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
+{
+    struct fake_open {
+        const char *filename;
+        int (*fill)(void *cpu_env, int fd);
+    };
+    const struct fake_open *fake_open;
+    static const struct fake_open fakes[] = {
+        { NULL, NULL }
+    };
+
+    for (fake_open = fakes; fake_open->filename; fake_open++) {
+        if (!strncmp(pathname, fake_open->filename,
+                     strlen(fake_open->filename))) {
+            break;
+        }
+    }
+
+    if (fake_open->filename) {
+        const char *tmpdir;
+        char filename[PATH_MAX];
+        int fd, r;
+
+        /* create temporary file to map stat to */
+        tmpdir = getenv("TMPDIR");
+        if (!tmpdir)
+            tmpdir = "/tmp";
+        snprintf(filename, sizeof(filename), "%s/qemu-open.XXXXXX", tmpdir);
+        fd = mkstemp(filename);
+        if (fd < 0) {
+            return fd;
+        }
+        unlink(filename);
+
+        if ((r = fake_open->fill(cpu_env, fd))) {
+            close(fd);
+            return r;
+        }
+        lseek(fd, 0, SEEK_SET);
+
+        return fd;
+    }
+
+    return get_errno(open(path(pathname), flags, mode));
+}
+
 /* do_syscall() should always have a single exit point at the end so
    that actions, such as logging of syscall results, can be performed.
    All errnos that do_syscall() returns must be -TARGET_<errcode>. */
@@ -4685,9 +4731,9 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
     case TARGET_NR_open:
         if (!(p = lock_user_string(arg1)))
             goto efault;
-        ret = get_errno(open(path(p),
-                             target_to_host_bitmask(arg2, fcntl_flags_tbl),
-                             arg3));
+        ret = get_errno(do_open(cpu_env, p,
+                                target_to_host_bitmask(arg2, fcntl_flags_tbl),
+                                arg3));
         unlock_user(p, arg1, 0);
         break;
 #if defined(TARGET_NR_openat) && defined(__NR_openat)
-- 
1.6.0.2

[Qemu-devel] [PATCH 3/5] linux-user: fake /proc/self/maps

[Alexander Graf]

glibc's pthread_attr_getstack tries to find the stack range from
/proc/self/maps. Unfortunately, /proc is usually the host's /proc
which means linux-user guests see qemu's stack there.

Fake the file with a constructed maps entry that exposes the guest's
stack range.

Signed-off-by: Alexander Graf <agraf@suse.de>
---
 linux-user/syscall.c |   15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 38953ba..a51b457 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4600,6 +4600,20 @@ int get_osversion(void)
     return osversion;
 }
 
+
+static int open_self_maps(void *cpu_env, int fd)
+{
+    TaskState *ts = ((CPUState *)cpu_env)->opaque;
+
+    dprintf(fd, "%08llx-%08llx rw-p %08llx 00:00 0          [stack]\n",
+                (unsigned long long)ts->info->stack_limit,
+                (unsigned long long)(ts->stack_base + (TARGET_PAGE_SIZE - 1))
+                                     & TARGET_PAGE_MASK,
+                (unsigned long long)ts->stack_base);
+
+    return 0;
+}
+
 static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
 {
     struct fake_open {
@@ -4608,6 +4622,7 @@ static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
     };
     const struct fake_open *fake_open;
     static const struct fake_open fakes[] = {
+        { "/proc/self/maps", open_self_maps },
         { NULL, NULL }
     };
 
-- 
1.6.0.2

[Qemu-devel] [PATCH 4/5] linux-user: fake /proc/self/stat

[Alexander Graf]

The boehm gc finds the program's stack starting pointer by
checking /proc/self/stat. Unfortunately, so far it reads
qemu's stack pointer which clearly is wrong.

So let's instead fake the file so the guest program sees the
right address.

Signed-off-by: Alexander Graf <agraf@suse.de>
---
 linux-user/syscall.c |   26 ++++++++++++++++++++++++++
 1 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index a51b457..aaecf53 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4614,6 +4614,31 @@ static int open_self_maps(void *cpu_env, int fd)
     return 0;
 }
 
+static int open_self_stat(void *cpu_env, int fd)
+{
+    TaskState *ts = ((CPUState *)cpu_env)->opaque;
+    abi_ulong start_stack = ts->info->start_stack;
+    int i;
+
+    for (i = 0; i < 44; i++) {
+      char buf[128];
+      int len;
+      uint64_t val = 0;
+
+      if (i == 27) {
+          /* stack bottom */
+          val = start_stack;
+      }
+      snprintf(buf, sizeof(buf), "%"PRId64 "%c", val, i == 43 ? '\n' : ' ');
+      len = strlen(buf);
+      if (write(fd, buf, len) != len) {
+          return -1;
+      }
+    }
+
+    return 0;
+}
+
 static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
 {
     struct fake_open {
@@ -4623,6 +4648,7 @@ static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
     const struct fake_open *fake_open;
     static const struct fake_open fakes[] = {
         { "/proc/self/maps", open_self_maps },
+        { "/proc/self/stat", open_self_stat },
         { NULL, NULL }
     };
 
-- 
1.6.0.2

[Qemu-devel] [PATCH 5/5] linux-user: fake /proc/self/auxv

[Alexander Graf]

Gtk tries to read /proc/self/auxv to find its auxv table instead of
taking it from its own program memory space.

However, when running with linux-user, we see the host's auxv which
clearly exposes wrong information. so let's instead expose the guest
memory backed auxv tables via /proc/self/auxv as well.

Signed-off-by: Alexander Graf <agraf@suse.de>
---
 linux-user/syscall.c |   30 ++++++++++++++++++++++++++++++
 1 files changed, 30 insertions(+), 0 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index aaecf53..6061ef8 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4639,6 +4639,35 @@ static int open_self_stat(void *cpu_env, int fd)
     return 0;
 }
 
+static int open_self_auxv(void *cpu_env, int fd)
+{
+    TaskState *ts = ((CPUState *)cpu_env)->opaque;
+    abi_ulong auxv = ts->info->saved_auxv;
+    abi_ulong len = ts->info->auxv_len;
+    char *ptr;
+
+    /*
+     * Auxiliary vector is stored in target process stack.
+     * read in whole auxv vector and copy it to file
+     */
+    ptr = lock_user(VERIFY_READ, auxv, len, 0);
+    if (ptr != NULL) {
+        while (len > 0) {
+            ssize_t r;
+            r = write(fd, ptr, len);
+            if (r <= 0) {
+                break;
+            }
+            len -= r;
+            ptr += r;
+        }
+        lseek(fd, 0, SEEK_SET);
+        unlock_user(ptr, auxv, len);
+    }
+
+    return 0;
+}
+
 static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
 {
     struct fake_open {
@@ -4649,6 +4678,7 @@ static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
     static const struct fake_open fakes[] = {
         { "/proc/self/maps", open_self_maps },
         { "/proc/self/stat", open_self_stat },
+        { "/proc/self/auxv", open_self_auxv },
         { NULL, NULL }
     };
 
-- 
1.6.0.2

Re: [Qemu-devel] [PATCH 2/5] linux-user: add open() hijack infrastructure

[David Gilbert]

On 2 November 2011 19:23, Alexander Graf <agraf@suse.de> wrote:
> There are a number of files in /proc that expose host information
> to the guest program. This patch adds infrastructure to override
> the open() syscall for guest programs to enable us to on the fly
> generate guest sensible files.
>
> Signed-off-by: Alexander Graf <agraf@suse.de>
> ---
>  linux-user/syscall.c |   52 +++++++++++++++++++++++++++++++++++++++++++++++--
>  1 files changed, 49 insertions(+), 3 deletions(-)
>
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 9f5da36..38953ba 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -4600,6 +4600,52 @@ int get_osversion(void)
>     return osversion;
>  }
>
> +static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)

Once you open the pandoras-box that is emulating /proc, I think you'll probably
need to hook it in more places and be more general; although you may
well get away
with it for this particular case.

Isn't it better to put the filename interception code somewhere more general
so that it can also be misused by other calls - e.g. stat().

I guess you're also going to need to be able to do /proc/pid/* instead
of /proc/self;
something is bound to use that.

Dave

Re: [Qemu-devel] [PATCH 0/5] linux-user: fake some /proc/self entries

[Riku Voipio]

On Wed, Nov 02, 2011 at 08:23:21PM +0100, Alexander Graf wrote:
> When running linux-user programs in QEMU, the guest program can examine
> itself by checking /proc/self/ files. And some libraries really do use
> this!
> 
> Unfortunately, when checking /proc/self/ today, the guest program sees
> the QEMU files, exposing wrong information to the guest program.
 
> This patch set fakes auxv, maps and stat to make gtk, pthread and boehm
> gc happy.

This is awesome stuff, but unfortunately just a day after 1.0 hard freeze :(
David pointed out that more files in proc could be done, but this is a good start.

Riku
 
> Alex
> 
> Alexander Graf (5):
>   linux-user: save auxv length
>   linux-user: add open() hijack infrastructure
>   linux-user: fake /proc/self/maps
>   linux-user: fake /proc/self/stat
>   linux-user: fake /proc/self/auxv
> 
>  linux-user/elfload.c |   15 ++-----
>  linux-user/qemu.h    |    1 +
>  linux-user/syscall.c |  123 ++++++++++++++++++++++++++++++++++++++++++++++++-
>  3 files changed, 125 insertions(+), 14 deletions(-)
> 

Re: [Qemu-devel] [PATCH 2/5] linux-user: add open() hijack infrastructure

[Alexander Graf]

On 03.11.2011, at 02:34, David Gilbert <david.gilbert@linaro.org> wrote:

> On 2 November 2011 19:23, Alexander Graf <agraf@suse.de> wrote:
>> There are a number of files in /proc that expose host information
>> to the guest program. This patch adds infrastructure to override
>> the open() syscall for guest programs to enable us to on the fly
>> generate guest sensible files.
>> 
>> Signed-off-by: Alexander Graf <agraf@suse.de>
>> ---
>>  linux-user/syscall.c |   52 +++++++++++++++++++++++++++++++++++++++++++++++--
>>  1 files changed, 49 insertions(+), 3 deletions(-)
>> 
>> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
>> index 9f5da36..38953ba 100644
>> --- a/linux-user/syscall.c
>> +++ b/linux-user/syscall.c
>> @@ -4600,6 +4600,52 @@ int get_osversion(void)
>>     return osversion;
>>  }
>> 
>> +static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
> 
> Once you open the pandoras-box that is emulating /proc, I think you'll probably
> need to hook it in more places and be more general; although you may
> well get away
> with it for this particular case.
> 
> Isn't it better to put the filename interception code somewhere more general
> so that it can also be misused by other calls - e.g. stat().

We can move it when we get there :).

> 
> I guess you're also going to need to be able to do /proc/pid/* instead
> of /proc/self;
> something is bound to use that.

I was hoping to get away with a bit less involving. Sure, we could actually open the pandora box of emulating all of /proc, but I really don't want to go down that route.

Since all these files already do exist on the host view, I don't think we have to fake stat(). The file size will be wrong either way.

So yes, eventually we might have to use the big sledge hammer of emulating all of /proc, but as long as I can refrain from it I will :). It's just a _lot_ of work.

Alex

> 
> Dave

Re: [Qemu-devel] [PATCH 0/5] linux-user: fake some /proc/self entries

[Alexander Graf]

On 03.11.2011, at 03:47, Riku Voipio <riku.voipio@iki.fi> wrote:

> On Wed, Nov 02, 2011 at 08:23:21PM +0100, Alexander Graf wrote:
>> When running linux-user programs in QEMU, the guest program can examine
>> itself by checking /proc/self/ files. And some libraries really do use
>> this!
>> 
>> Unfortunately, when checking /proc/self/ today, the guest program sees
>> the QEMU files, exposing wrong information to the guest program.
> 
>> This patch set fakes auxv, maps and stat to make gtk, pthread and boehm
>> gc happy.
> 
> This is awesome stuff, but unfortunately just a day after 1.0 hard freeze :(
> David pointed out that more files in proc could be done, but this is a good start.

I'm sure we'll find more nice little issues later, so no worries. There is a world post-1.0 :)

Alex

> 
> Riku
> 
>> Alex
>> 
>> Alexander Graf (5):
>>  linux-user: save auxv length
>>  linux-user: add open() hijack infrastructure
>>  linux-user: fake /proc/self/maps
>>  linux-user: fake /proc/self/stat
>>  linux-user: fake /proc/self/auxv
>> 
>> linux-user/elfload.c |   15 ++-----
>> linux-user/qemu.h    |    1 +
>> linux-user/syscall.c |  123 ++++++++++++++++++++++++++++++++++++++++++++++++-
>> 3 files changed, 125 insertions(+), 14 deletions(-)
>> 

Re: [Qemu-devel] [PATCH 3/5] linux-user: fake /proc/self/maps

[Alexander Graf]

Alexander Graf wrote:
> glibc's pthread_attr_getstack tries to find the stack range from
> /proc/self/maps. Unfortunately, /proc is usually the host's /proc
> which means linux-user guests see qemu's stack there.
>
> Fake the file with a constructed maps entry that exposes the guest's
> stack range.
>
> Signed-off-by: Alexander Graf <agraf@suse.de>
> ---
>  linux-user/syscall.c |   15 +++++++++++++++
>  1 files changed, 15 insertions(+), 0 deletions(-)
>
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 38953ba..a51b457 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -4600,6 +4600,20 @@ int get_osversion(void)
>      return osversion;
>  }
>  
> +
> +static int open_self_maps(void *cpu_env, int fd)
> +{
> +    TaskState *ts = ((CPUState *)cpu_env)->opaque;
> +
> +    dprintf(fd, "%08llx-%08llx rw-p %08llx 00:00 0          [stack]\n",
> +                (unsigned long long)ts->info->stack_limit,
> +                (unsigned long long)(ts->stack_base + (TARGET_PAGE_SIZE - 1))
> +                                     & TARGET_PAGE_MASK,
>   

This needs to be guarded by:

#if defined(TARGET_ARM) || defined(TARGET_M68K) || defined(TARGET_UNICORE32)

Any idea how to fetch the stack range from somewhere else for other archs?

Alex