How to jump to a trampoline manually on AMD64


lael.c...@gmail.com

Sep 9, 2016, 4:48:27 PM
to Native-Client-Discuss
Hello,

In order to understand better, I’d like to write my own trampoline switch in order to call NaCl for using a system call from untrusted code.

But I couldn’t find where it’s performed in the NaCl code.

I’d like to know what should be written for performing the wrapping of malloc() and at which address in order to trigger the trampoline *(also if I need to set some registers)*

Thanks…

Bennet Yee (余仕斌)

Sep 9, 2016, 5:51:27 PM
to Native Client Discuss

You can find the trampoline code here, approximately:

https://codereview.chromium.org/293009/diff/4001/native_client/src/trusted/service_runtime/arch/x86_32/tramp.S

You'd have to find the file rather than the code review diff, obviously. Using phone, so googling is a little harder.

If you just want to jump to a trampoline, it is just a jump to an address. That's in the libc repo now, I think.

plz xqz typos. replying by fone.


--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to native-client-discuss+unsub...@googlegroups.com.
To post to this group, send email to native-client-discuss@googlegroups.com.
Visit this group at https://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.

lael.c...@gmail.com

Sep 9, 2016, 7:35:51 PM
to Native-Client-Discuss


On Friday, September 9, 2016 at 23:51:27 UTC+2, Bennet Yee wrote:

You can find the trampoline code here, approximately:

https://codereview.chromium.org/293009/diff/4001/native_client/src/trusted/service_runtime/arch/x86_32/tramp.S


I would like to say thanks if I hadn’t asked for a 64-bit answer.

Bennet Yee (余仕斌)

Sep 9, 2016, 8:00:34 PM
to Native Client Discuss

Try to figure out what to change in the URL to get the 64-bit answer.

plz xqz typos. replying by fone.


Victor Khimenko

Sep 9, 2016, 9:05:34 PM
to Native Client Discuss
On Sat, Sep 10, 2016 at 2:00 AM, Bennet Yee (余仕斌) <benne...@gmail.com> wrote:

Try to figure out what to change in the URL to get the 64-bit answer.

plz xqz typos. replying by fone.

On Sep 9, 2016 4:35 PM, <lael.c...@gmail.com> wrote:


On Friday, September 9, 2016 at 23:51:27 UTC+2, Bennet Yee wrote:

You can find the trampoline code here, approximately:

https://codereview.chromium.org/293009/diff/4001/native_client/src/trusted/service_runtime/arch/x86_32/tramp.S


I would like to say thanks if I hadn’t asked for a 64-bit answer.


Bennet Yee (余仕斌)

Sep 9, 2016, 9:15:29 PM
to Native Client Discuss
On Fri, Sep 9, 2016 at 6:05 PM, Victor Khimenko <kh...@chromium.org> wrote:


On Sat, Sep 10, 2016 at 2:00 AM, Bennet Yee (余仕斌) <benne...@gmail.com> wrote:

Try to figure out what to change in the URL to get the 64-bit answer.

I would say that it's a bit of an unfair request: that CL does not touch the 64-bit trampoline code, the repository is long dead and files were moved around and renamed since.

i was using my phone, so i couldn't find things easily.  another suggestion, which works -- and is a good search technique to learn -- is to search for an identifier from that CL:


gets as the first result


which isn't what lael.cellier wanted either, but easily gets to the URLs that you provided w/ a few clicks.  it's better to teach how to fish^Wsearch, rather than to give a search result.  :-)



--
bennet s yee
i usually don't capitalize due to mild tendonitis

lael.c...@gmail.com

Sep 9, 2016, 9:52:52 PM
to Native-Client-Discuss


On Saturday, September 10, 2016 at 03:05:34 UTC+2, khim wrote:


On Sat, Sep 10, 2016 at 2:00 AM, Bennet Yee (余仕斌) <benne...@gmail.com> wrote:
I would say that it's a bit of an unfair request: that CL does not touch the 64-bit trampoline code, the repository is long dead and files were moved around and renamed since.

Current source lives around here:
Why the Springboard? Do I have to care about it if I don’t care about the return value?
This doesn’t explain more than what I already know. It doesn’t tell where to jump, nor what values should be written to perform mprotect() for example, since it refers elsewhere (sorry for looking dumb for failing to find the related information).

Or do you suggest this is something which is automatically generated, because this changes with most SDK versions?

In my case the loader is nacl_interep…

Victor Khimenko

Sep 10, 2016, 4:42:59 AM
to Native Client Discuss
On Sat, Sep 10, 2016 at 3:52 AM, <lael.c...@gmail.com> wrote:

On Saturday, September 10, 2016 at 03:05:34 UTC+2, khim wrote:

On Sat, Sep 10, 2016 at 2:00 AM, Bennet Yee (余仕斌) <benne...@gmail.com> wrote:
I would say that it's a bit of an unfair request: that CL does not touch the 64-bit trampoline code, the repository is long dead and files were moved around and renamed since.

Current source lives around here:
Why the Springboard? Do I have to care about it if I don’t care about the return value?

I don't know what you plan to do thus I have no idea what you need. Springboard is used to return to untrusted code.
 
This doesn’t explain more than what I already know. It doesn’t tell where to jump, nor what values should be written to perform mprotect() for example, since it refers elsewhere (sorry for looking dumb for failing to find the related information).

Or do you suggest this is something which is automatically generated, because this changes with most SDK versions?

It's possible but I'm not sure if that actually happens or not.
 
In my case the loader is nacl_interep…

Then you probably want to look in its sources, ne? Syscall is not something magical, it's just an address. You can see how they are called here, e.g.:

And files above are the complementary part which is getting called.

The calling conventions are as with regular functions.

And the code which you need to alter depends on the loader you are using, thus I have no idea how to add syscalls to it. In sel_ldr it's done with the use of the NaClAddSyscall function ... And syscalls are tied to the rest of sel_ldr here:

lael.c...@gmail.com

Sep 10, 2016, 8:41:30 AM
to Native-Client-Discuss
On Saturday, September 10, 2016 at 10:42:59 UTC+2, khim wrote:

I don't know what you plan to do thus I have no idea what you need. Springboard is used to return to untrusted code.
That’s what I thought. I don’t have to care about it. 

Then you probably want to look in its sources, ne? Syscall is not something magical, it's just an address. You can see how they are called here, e.g.:
Yeah, what I want is to recreate the NACL_SYSCALL macro in assembly.
Because I think I can’t just perform the same thing I would with the Linux vsyscall.

The calling conventions are as with regular functions.
Do you mean I have to set parameters in registers? According to https://www.chromium.org/nativeclient/reference/anatomy-of-a-sys they are fetched from the stack. I’m definitely lost on what I should do.

And the code which you need to alter depends on the loader you are using, thus I have no idea how to add syscalls to it. In sel_ldr it's done with the use of the NaClAddSyscall function ... And syscalls are tied to the rest of sel_ldr here:
That’s a good start, but this doesn’t tell the target jump address, nor where the parameters should be written.

lael.c...@gmail.com

Sep 10, 2016, 8:49:21 AM
to Native-Client-Discuss
Or rather, no, NACL_SYSCALL doesn’t perform what I want.

I want the equivalent of this in NaCl:

    .text
    .globl _start

    _start:
      # exit(0): on x86-64 Linux, syscall 60 is exit and %rdi carries the status
      movq  $0, %rdi
      movq  $60, %rax
      syscall

Just replace _start: with the parameters required to perform a trampoline call and the syscall instruction with a jump to trigger the trampoline call

Victor Khimenko

Sep 10, 2016, 1:58:20 PM
to Native Client Discuss
On Sat, Sep 10, 2016 at 2:49 PM, <lael.c...@gmail.com> wrote:
Or rather, no, NACL_SYSCALL doesn’t perform what I want.

It does.
 
I want the equivalent of this in NaCl:

    .text
    .globl _start

    _start:
      # exit(0): on x86-64 Linux, syscall 60 is exit and %rdi carries the status
      movq  $0, %rdi
      movq  $60, %rax
      syscall

Just replace _start: with the parameters required to perform a trampoline call and the syscall instruction with a jump to trigger the trampoline call

This would be something like:

  mov $60, %rdi
  callq 66016(%r15)

Syscalls in NaCl are called just like regular functions at fixed addresses, but the whole NaCl "universe" is "shifted" to where %r15 points to.

lael.c...@gmail.com

Sep 10, 2016, 3:14:52 PM
to Native-Client-Discuss
On Saturday, September 10, 2016 at 19:58:20 UTC+2, khim wrote:

This would be something like:

  mov $60, %rdi
  callq 66016(%r15)
Ok, so the address is r15+0x101E0 (I have no specific knowledge of non-load/store instruction sets). Isn’t it?

And in which register shall I place the syscall number? rax?

Bennet Yee (余仕斌)

Sep 10, 2016, 5:22:41 PM
to Native Client Discuss

the syscall number is implicit, derived from the trampoline address.  IIRC, the region from 64k-128k is filled w/ trampolines, most of which return ENOSYS.

plz xqz tpos, rplyng by fone
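
The addressing the two replies above describe, as an added example (not code from the native_client tree): sandbox-relative trampoline slots in the 64K-128K region, the %r15 displacement for a syscall number, the inverse lookup the trusted side needs, and unregistered slots answering ENOSYS. The 32-byte slot stride (NACL_SYSCALL_BLOCK_SIZE) and all function names here are assumptions not quoted in the thread.

```c
/* Model of NaCl x86-64 syscall trampoline addressing as described in this
 * thread. Added example, not code from the native_client tree. Assumed
 * (the thread does not quote it): the region is [64K, 128K) of the sandbox
 * and each slot is NACL_SYSCALL_BLOCK_SIZE = 32 bytes (block shift 5). */
#include <stdint.h>
#include <errno.h>

#define TRAMP_START 0x10000u                      /* 64K, sandbox-relative */
#define TRAMP_END   0x20000u                      /* 128K */
#define TRAMP_SHIFT 5
#define TRAMP_SIZE  (1u << TRAMP_SHIFT)           /* 32 bytes per slot */
#define TRAMP_COUNT ((TRAMP_END - TRAMP_START) / TRAMP_SIZE)   /* 2048 */

typedef int32_t (*syscall_fn)(void);

/* One handler per slot; an empty slot answers ENOSYS, which is what the
 * thread says most trampolines in the 64K-128K region do. */
static syscall_fn tramp_table[TRAMP_COUNT];

/* Displacement for `callq disp(%r15)` that reaches syscall number n
 * (66016 = 0x101E0 from the thread is slot 15), or 0 if n has no slot. */
uint32_t tramp_addr(unsigned n) {
  if (n >= TRAMP_COUNT) return 0;
  return TRAMP_START + (n << TRAMP_SHIFT);
}

/* Inverse: syscall number implied by a jump target; -1 if outside the
 * region or not slot-aligned. */
int tramp_slot(uint32_t addr) {
  if (addr < TRAMP_START || addr >= TRAMP_END) return -1;
  if (addr & (TRAMP_SIZE - 1)) return -1;
  return (int)((addr - TRAMP_START) >> TRAMP_SHIFT);
}

/* Install a handler for syscall n, in the spirit of NaClAddSyscall. */
int tramp_register(unsigned n, syscall_fn fn) {
  if (n >= TRAMP_COUNT || !fn) return -1;
  tramp_table[n] = fn;
  return 0;
}

/* Trusted side of a call that arrived via disp(%r15): derive the number
 * from the address, then run the handler or fail. */
int32_t tramp_dispatch(uint32_t addr) {
  int slot = tramp_slot(addr);
  if (slot < 0) return -EINVAL;                   /* not a trampoline */
  return tramp_table[slot] ? tramp_table[slot]() : -ENOSYS;
}

/* Constructed handler used to exercise the dispatch path. */
static int32_t demo_handler(void) { return 42; }
```

Only the displacement from %r15 is modelled; the trusted side patches the same slot at its absolute mapped address, which is why sel_ldr_x86_64.c works with computed absolute addresses.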



lael.c...@gmail.com

Sep 10, 2016, 5:33:15 PM
to Native-Client-Discuss
On Saturday, September 10, 2016 at 23:22:41 UTC+2, Bennet Yee wrote:

the syscall number is implicit, derived from the trampoline address.  IIRC, the region from 64k-128k is filled w/ trampolines, most of which return ENOSYS.

plz xqz tpos, rplyng by fone

Do you mean each wrapped system call has its own address? If yes, how can I determine them according to the wrapped system call number?

Bennet Yee (余仕斌)

Sep 10, 2016, 5:48:37 PM
to Native Client Discuss

lael.c...@gmail.com

Sep 10, 2016, 5:54:32 PM
to Native-Client-Discuss
On Saturday, September 10, 2016 at 23:48:37 UTC+2, Bennet Yee wrote:

https://chromium.googlesource.com/native_client/src/native_client.git/+/master/src/trusted/service_runtime/arch/x86_64/sel_ldr_x86_64.c

for how trampolines are installed.

plz xqz tpos, rplyng by fone

Looks like the wrong file, since NaClPatchOneTrampoline() is called with the computed address directly. That doesn’t even seem to be relative to r15, but a 64-bit absolute address.