Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Capture vDSO in strace

Tags:

linux-kernel

strace

system-calls

vdso

I was wondering if there is a way to capture (in other words observe) vDSO calls like gettimeofday in strace.

Also, is there a way to execute a binary without loading linux-vdso.so.1 (a flag or env variable)?

And lastly, what if I write a program that delete the linux-vdso.so.1 address from the auxiliary vector and then execve my program? Has anyone ever tried that?

like image 520
Anastasios Andronidis Avatar asked Jun 29 '16 15:06

Anastasios Andronidis

1 Answers

You can capture calls to system calls which have been implemented via the vDSO by using ltrace instead of strace. This is because calls to system calls implemented via the vDSO work differently than "normal" system calls and the method strace uses to trace system calls does not work with vDSO-implemented system calls. To learn more about how strace works, check out this blog post I wrote about strace. And, to learn more about how ltrace works, check out this other blog post I wrote about ltrace.

No, it is not possible to execute a binary without loading linux-vdso.so.1. At least, not on my version of libc on Ubuntu precise. It is certainly possible that newer versions of libc/eglibc/etc have added this as a feature but it seems very unlikely. See the next answer for why.

If you delete the address from the auxillary vector, your binary will probably crash. libc has a piece of code which will first attempt to walk the vDSO ELF object, and if this fails, will fall back to a hardcoded vsyscall address. The only way it will avoid this is if you've compiled glibc with the vDSO disabled.

There is another workaround, though, if you really, really don't want to use the vDSO. You can try using glibc's syscall function and pass in the syscall number for gettimeofday. This will force glibc to call gettimeofday via the kernel instead of the vDSO.

I've included a sample program below illustrating this. You can read more about how system calls work by reading my syscall blog post.

#include <sys/time.h>
#include <stdio.h>

#define _GNU_SOURCE
#include <unistd.h>
#include <sys/syscall.h>

int
main(int argc, char *argv[]) {
    struct timeval tv;
    syscall(SYS_gettimeofday, &tv);

    return 0;
}

Compile with gcc -o test test.c and strace with strace -ttTf ./test 2>&1 | grep gettimeofday:

09:57:32.651876 gettimeofday({1467305852, 651888}, {420, 140735905220705}) = 0 <0.000006>

like image 84
Joe Damato Avatar answered Oct 15 '22 06:10

Joe Damato
Sign in to Comment

Related questions

Extract TCP round trip time (RTT) estimations on linux
Linux Kernel - what function holds the source where port numbers are randomly chosen?
spidev cannot control the chip select signal
How to connect an ethernet device directly to a switch in linux?
create /dev/fakeDevice supporting read, write and ioctl
Is it possible to use gdb and qemu to debug linux user space programs and kernel space simultaneously?
Pool of Memory in Kernel driver for Multiple processes
What is the difference between dma_mmap_coherent and remap_pfn_range?
How to get history of Pods run on Kubernetes Node?
Force Linux to use only memory over 4G?
Which is the correct way to register a new net_device?
Does a page fault causes the faulting process to reschedule?
stack prefaulting in linux - single or multiple faults needed
What are the "struct file_operations" arguments?
Why driver programming prefer kzalloc over kmalloc
Difference in writing a platform device driver for x86 and ARM
The purpose of wrapping a pointer in struct in C
Timekeeping in Linux kernel 2.6
Pass large amount of binary data from u-boot to linux kernel
Linux, will zeroed page pagefault on first read or on first write?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!