How to write a signal handler to catch SIGSEGV?

I want to write a signal handler to catch SIGSEGV. I protect a block of memory for read or write using

char *buffer;
char *p;
char a;
int pagesize = 4096;

mprotect(buffer, pagesize, PROT_NONE);

This protects pagesize bytes of memory starting at buffer against any reads or writes.

Second, I try to read the memory:

p = buffer;
a = *p;

This will generate a SIGSEGV, and my handler will be called. So far so good. My problem is that, once the handler is called, I want to change the access rights of the memory by doing

mprotect(buffer,pagesize,PROT_READ); 

and continue normal functioning of my code. I do not want to exit the function. On future writes to the same memory, I want to catch the signal again and modify the write rights and then record that event.

Here is the code:

#include <signal.h>
#include <stdio.h>
#include <malloc.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/mman.h>

#define handle_error(msg) \
    do { perror(msg); exit(EXIT_FAILURE); } while (0)

char *buffer;
int flag = 0;

/* SA_SIGINFO handler: prints the faulting address and sets a flag, then returns */
static void handler(int sig, siginfo_t *si, void *unused)
{
    printf("Got SIGSEGV at address: 0x%lx\n", (long) si->si_addr);
    printf("Implements the handler only\n");
    flag = 1;
    //exit(EXIT_FAILURE);
}

int main(int argc, char *argv[])
{
    char *p;
    char a;
    int pagesize;
    struct sigaction sa;

    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sa.sa_sigaction = handler;
    if (sigaction(SIGSEGV, &sa, NULL) == -1)
        handle_error("sigaction");

    pagesize = 4096;

    /* Allocate a buffer aligned on a page boundary;
       initial protection is PROT_READ | PROT_WRITE */
    buffer = memalign(pagesize, 4 * pagesize);
    if (buffer == NULL)
        handle_error("memalign");

    printf("Start of region:        0x%lx\n", (long) buffer);
    printf("Start of region:        0x%lx\n", (long) buffer + pagesize);
    printf("Start of region:        0x%lx\n", (long) buffer + 2 * pagesize);
    printf("Start of region:        0x%lx\n", (long) buffer + 3 * pagesize);

    /* Remove all access to the first page */
    //if (mprotect(buffer + pagesize * 0, pagesize, PROT_NONE) == -1)
    if (mprotect(buffer + pagesize * 0, pagesize, PROT_NONE) == -1)
        handle_error("mprotect");

    //for (p = buffer ; ; )
    if (flag == 0)
    {
        p = buffer + pagesize / 2;
        printf("It comes here before reading memory\n");
        a = *p; /* trying to read the protected memory: this raises SIGSEGV */
        printf("It comes here after reading memory\n");
    }
    else
    {
        if (mprotect(buffer + pagesize * 0, pagesize, PROT_READ) == -1)
            handle_error("mprotect");
        a = *p;
        printf("Now i can read the memory\n");
    }
/*  for (p = buffer; p <= buffer + 4 * pagesize; p++)
    {
        //a = *(p);
        *(p) = 'a';
        printf("Writing at address %p\n", p);
    }*/

    printf("Loop completed\n");
    /* Should never happen */
    exit(EXIT_SUCCESS);
}

The problem is that only the signal handler runs and I can't return to the main function after catching the signal.

Adi asked Apr 18 '10 18:04

2 Answers

When your signal handler returns (assuming it doesn't call exit or longjmp or something that prevents it from actually returning), the code will continue at the point the signal occurred, re-executing the same instruction. Since at this point the memory protection has not been changed, it will just throw the signal again, and you'll be back in your signal handler in an infinite loop.

So to make it work, you have to call mprotect in the signal handler. Unfortunately, as Steven Schansker notes, mprotect is not async-safe, so you can't safely call it from the signal handler. So, as far as POSIX is concerned, you're screwed.

Fortunately on most implementations (all modern UNIX and Linux variants as far as I know), mprotect is a system call, so is safe to call from within a signal handler, so you can do most of what you want. The problem is that if you want to change the protections back after the read, you'll have to do that in the main program after the read.

Another possibility is to do something with the third argument to the signal handler, which points at an OS and arch specific structure that contains info about where the signal occurred. On Linux, this is a ucontext structure, which contains machine-specific info about the $PC address and other register contents where the signal occurred. If you modify this, you change where the signal handler will return to, so you can change the $PC to be just after the faulting instruction so it won't re-execute after the handler returns. This is very tricky to get right (and non-portable too).

edit

The ucontext structure is defined in <ucontext.h>. Within the ucontext the field uc_mcontext contains the machine context, and within that, the array gregs contains the general register context. So in your signal handler:

#include <ucontext.h>   /* ucontext_t, REG_RIP (x86-64 register index) */

/* the third handler argument is really a ucontext_t */
ucontext_t *u = (ucontext_t *)unused;
unsigned char *pc = (unsigned char *)u->uc_mcontext.gregs[REG_RIP];

will give you the pc where the exception occurred. You can read it to figure out what instruction it was that faulted, and do something different.

As far as the portability of calling mprotect in the signal handler is concerned, any system that follows either the SVID spec or the BSD4 spec should be safe -- they allow calling any system call (anything in section 2 of the manual) in a signal handler.

Chris Dodd answered Oct 02 '22 21:10


You've fallen into the trap that all people do when they first try to handle signals. The trap? Thinking that you can actually do anything useful with signal handlers. From a signal handler, you are only allowed to call asynchronous and reentrant-safe library calls.

See this CERT advisory as to why and a list of the POSIX functions that are safe.

Note that printf(), which you are already calling, is not on that list.

Nor is mprotect. You're not allowed to call it from a signal handler. It might work, but I can promise you'll run into problems down the road. Be really careful with signal handlers, they're tricky to get right!

EDIT

Since I'm being a portability douchebag at the moment already, I'll point out that you also shouldn't write to shared (i.e. global) variables without taking the proper precautions.

Steven Schlansker answered Oct 02 '22 22:10
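An added example (mine, not code from either answer or from the question) of the approach Chris Dodd describes, written the way Steven Schlansker's answer asks: the handler calls nothing but mprotect on the page that faulted (assumed safe on Linux/BSD, where it is a plain system call), records the event in a volatile sig_atomic_t, and returns so the faulting store is re-executed and succeeds. It assumes a POSIX system with SA_SIGINFO; run_write_tracking_demo and fault_count are names of my own, and the technique is the dirty-page tracking that garbage collectors and snapshotting allocators use.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Shared with the handler: volatile sig_atomic_t is the one type POSIX
 * guarantees a handler may write and the main program may read. */
static volatile sig_atomic_t fault_count = 0;
static long page_size;

/* No printf/malloc here: the handler only issues the mprotect system call
 * (not on POSIX's async-signal-safe list, but a plain syscall on Linux/BSD).
 * It makes the faulting page writable and returns, so the kernel re-runs the
 * faulting store, which now succeeds. */
static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr;                     /* faulting address */
    void *page = (void *)(addr & ~((uintptr_t)page_size - 1));   /* its page base */
    if (mprotect(page, page_size, PROT_READ | PROT_WRITE) == -1)
        _exit(EXIT_FAILURE);   /* _exit is async-signal-safe, exit() is not */
    fault_count++;
}

/* Protects one page, stores to it twice and returns how many SIGSEGVs were
 * taken: the first store faults once and is re-run, the second never faults.
 * Returns -1 on setup failure, -2 if the stores did not land. */
int run_write_tracking_demo(void)
{
    void *mem;
    struct sigaction sa;
    page_size = sysconf(_SC_PAGESIZE);
    memset(&sa, 0, sizeof sa);
    sa.sa_flags = SA_SIGINFO;          /* we need si_addr in the handler */
    sigemptyset(&sa.sa_mask);
    sa.sa_sigaction = segv_handler;
    if (sigaction(SIGSEGV, &sa, NULL) == -1) return -1;
    if (posix_memalign(&mem, page_size, page_size) != 0) return -1;
    if (mprotect(mem, page_size, PROT_NONE) == -1) return -1;

    volatile char *p = mem;            /* volatile: keep the two stores separate */
    fault_count = 0;
    p[0] = 'a';   /* SIGSEGV -> handler unprotects the page -> store re-executes */
    p[1] = 'b';   /* page is writable now: no signal */
    int faults = (p[0] == 'a' && p[1] == 'b') ? (int)fault_count : -2;
    free(mem);    /* protection is back to read/write, so the allocator may touch it */
    return faults;
}
```

To re-arm tracking for the next write, the main program (not the handler) would call mprotect(PROT_NONE) on the page again after it has consumed the event.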