Why can't I load hook plugin?


Peter Teoh

May 12, 2013, 6:48:07 AM
to BitBlaze User Discussion group

I just downloaded TEMU and compiled it with gcc-34 inside my
Ubuntu 10.04 environment. I have no problem starting up temu and
"load_plugin tracecap.so", as well as "enable_emulation", and I also
checked that the quest.log is created and logged. "linux_ps" worked as
well, as I had updated kernelinfo.conf and recompiled temu. I was
also able to tracebyname or trace <pid> "<file.out>" etc. as well.

But every time I attempt to load a hook plugin, I get a
crash. (The directory and name of the hook plugin should be correct,
as they are derived by pressing the tab key, and if entered wrongly, it
will not process anyway.) The present hook plugin has been simplified
to its simplest form as follows:

#include <stdio.h>

/* Minimal hook plugin: only an init entry point that prints a marker. */
void internal_init_plugin()
{
    printf("hello\n");
}

And immediately after "load_hooks <dir> <hook_file>" temu will
coredump. The coredump faulted as follows (notice below the command
line I used to start temu):

warning: Can't read pathname for load map: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Core was generated by `./temu -m 512 -monitor stdio -loadvm myfirst /root/temu/ubuntu10.04_qcow2.img'.
Program terminated with signal 11, Segmentation fault.
#0 _cnf_find_entry (pcr=0xbfb61c98, cn_parent=0x0, fullpath=0xbfb61c9c "",
    path=0x8de46992 "hook plugins", flags=0) at entry.c:110
110 cn_list = cn_parent->first_child;
(gdb) bt
#0 _cnf_find_entry (pcr=0xbfb61c98, cn_parent=0x0, fullpath=0xbfb61c9c "",
    path=0x8de46992 "hook plugins", flags=0) at entry.c:110
#1 0x8dd35119 in cnf_find_entry_f (cn_root=<optimized out>,
    path=<optimized out>, flags=0) at entry.c:213
#2 0x8dcd4697 in parse_plugin_ini (file_name=<optimized out>)
    at ../shared/hooks/hook_plugin_loader.cpp:171
#3 load_hook_plugins(unsigned int *, const char *, const char *,
    struct {...} *, confType) (mon_cr3=0x8df00808, pa_path=0x8deffcc0 "project_simple.so",
    pl_path=0x8deffbc0 "../shared/hooks/hook_plugins", plugin_info=0x8df00100,
    file_type=ini) at ../shared/hooks/hook_plugin_loader.cpp:237
#4 0x8dcc6d2b in do_load_hooks (hooks_dirname=0x1646e4e0 "../shared/hooks/hook_plugins",
    plugins_filename=0x1646e438 "project_simple.so") at commands.c:456
#5 0x08071d88 in monitor_handle_command1 (opaque=0x0,
    cmdline=0x8183840 "load_hooks ../shared/hooks/hook_plugins project_simple.so ")
    at /root/temu/temu-dso/monitor.c:2354
#6 0x080b4743 in readline_handle_byte (ch=0) at readline.c:398
#7 0x08071575 in term_read (opaque=0x0,
    buf=0xbfb62e30 "\r\030\b\203\304\004[\303S\203\354\004B
    \005\017\225\300,\001\210B\005\017\266A\006\070B
    \006\017\225\300,\001\210B\006\017\266A\a8B\a\017\225\300,\001\210B\a
    \017\266A\b8B\b\017", size=1)
    at /root/temu/temu-dso/monitor.c:2600
#8 0x08065464 in fd_chr_read (opaque=0x1636f5f0) at /root/temu/temu-dso/vl.c:2036
#9 0x0806acb2 in main_loop_wait (timeout=0) at /root/temu/temu-dso/vl.c:7381
#10 0x0806ee62 in main (argc=8, argv=0xbfb66c04) at /root/temu/temu-dso/vl.c:7504



In line #1, cn_parent=0x0; this is the cause of the problem. Reading the
file shared/llconf/src/entry.c:

static
void _cnf_find_entry(struct cnfresult **pcr, struct cnfnode *cn_parent,
                     char *fullpath, const char *path, int flags)
{
    cn_list = cn_parent->first_child;

cn_parent cannot be zero; otherwise it is a null-pointer
dereference. Does anyone have a good reason/diagnosis of why cn_parent
is null?


Thanks.

Stephen McCamant

May 24, 2013, 6:49:21 PM
to bitblaz...@googlegroups.com
>>>>> "PT" == Peter Teoh <htmlde...@gmail.com> writes:

PT> I just downloaded TEMU and compiled it with gcc-34 inside my
PT> Ubuntu 10.04 environment. I have no problem starting up temu and
PT> "load_plugin tracecap.so", as well as "enable_emulation", and I also
PT> checked that the quest.log is created and logged. "linux_ps"
PT> worked as well, as I had updated kernelinfo.conf and recompiled
PT> temu. I was also able to tracebyname or trace <pid> "<file.out>"
PT> etc. as well.

PT> But every time I attempt to load a hook plugin, I get a
PT> crash. (The directory and name of the hook plugin should be
PT> correct, as they are derived by pressing the tab key, and if entered
PT> wrongly, it will not process anyway.) The present hook plugin has
PT> been simplified to its simplest form as follows:

PT> void internal_init_plugin()
PT> {
PT> printf("hello");
PT> }

PT> And immediately after "load_hooks <dir> <hook_file>" temu will
PT> coredump. The coredump faulted as follows (notice below the
PT> command line I used to start temu):

It would have also helped to mention the specific arguments to
"load_hooks" you used. From the backtrace I'm guessing it was:

(qemu) load_hooks ../shared/hooks/hook_plugins project_simple.so

PT> warning: Can't read pathname for load map: Input/output error.
PT> [Thread debugging using libthread_db enabled]
PT> Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.
PT> 1".
PT> Core was generated by `./temu -m 512 -monitor stdio -loadvm myfirst /
PT> root/temu/ubuntu10.04_qcow2.img'.
PT> Program terminated with signal 11, Segmentation fault.
PT> #0 _cnf_find_entry (pcr=0xbfb61c98, cn_parent=0x0,
PT> fullpath=0xbfb61c9c "",
PT> path=0x8de46992 "hook plugins", flags=0) at entry.c:110
PT> 110 cn_list = cn_parent->first_child;
PT> (gdb) bt
PT> #0 _cnf_find_entry (pcr=0xbfb61c98, cn_parent=0x0,
PT> fullpath=0xbfb61c9c "",
PT> path=0x8de46992 "hook plugins", flags=0) at entry.c:110
PT> #1 0x8dd35119 in cnf_find_entry_f (cn_root=<optimized out>,
PT> path=<optimized out>, flags=0) at entry.c:213
PT> #2 0x8dcd4697 in parse_plugin_ini (file_name=<optimized out>)
PT> at ../shared/hooks/hook_plugin_loader.cpp:171
PT> #3 load_hook_plugins(unsigned int *, const char *, const char *,
PT> struct {...} *, confType) (mon_cr3=0x8df00808, pa_path=0x8deffcc0
PT> "project_simple.so",
PT> pl_path=0x8deffbc0 "../shared/hooks/hook_plugins",
PT> plugin_info=0x8df00100,
PT> file_type=ini) at ../shared/hooks/hook_plugin_loader.cpp:237
PT> #4 0x8dcc6d2b in do_load_hooks (
PT> hooks_dirname=0x1646e4e0 "../shared/hooks/hook_plugins",
PT> plugins_filename=0x1646e438 "project_simple.so") at commands.c:456
PT> #5 0x08071d88 in monitor_handle_command1 (opaque=0x0,
PT> cmdline=0x8183840 "load_hooks ../shared/hooks/hook_plugins
PT> project_simple.so ") at /root/temu/temu-dso/monitor.c:2354
PT> #6 0x080b4743 in readline_handle_byte (ch=0) at readline.c:398
PT> #7 0x08071575 in term_read (opaque=0x0,
PT> buf=0xbfb62e30 "\r\030\b\203\304\004[\303S\203\354\004B
PT> \005\017\225\300,\001\210B\005\017\266A\006\070B
PT> \006\017\225\300,\001\210B\006\017\266A\a8B\a\017\225\300,\001\210B\a
PT> \017\266A\b8B\b\017", size=1)
PT> at /root/temu/temu-dso/monitor.c:2600
PT> #8 0x08065464 in fd_chr_read (opaque=0x1636f5f0)
PT> ---Type <return> to continue, or q <return> to quit---
PT> at /root/temu/temu-dso/vl.c:2036
PT> #9 0x0806acb2 in main_loop_wait (timeout=0) at /root/temu/temu-dso/
PT> vl.c:7381
PT> #10 0x0806ee62 in main (argc=8, argv=0xbfb66c04)
PT> at /root/temu/temu-dso/vl.c:7504



PT> In line #1, cn_parent=0x0; this is the cause of the problem. Reading the
PT> file shared/llconf/src/entry.c:

PT> static
PT> void _cnf_find_entry(struct cnfresult **pcr, struct cnfnode
PT> *cn_parent,
PT> char *fullpath, const char *path, int flags)
PT> {
PT> cn_list = cn_parent->first_child;

PT> cn_parent cannot be zero; otherwise it is a null-pointer
PT> dereference. Does anyone have a good reason/diagnosis of why cn_parent
PT> is null?

This crash is inside the llconf library, which tracecap uses for
parsing .ini files. However, this library is quite stable, so I think
it's unlikely that the bug is within the library: more likely it has
to do with how the library is being called from Tracecap.

The second argument to "load_hooks" is supposed to be a text
configuration file in .ini format listing which hooks to load,
e.g. "tracecap/ini/hook_plugin.ini". Given that the crash is in
llconf, the format of this file would be relevant. But if you're
passing a .so file, that seems likely to be the problem, since I
wouldn't expect that to work. (On my machine it doesn't cause a
segfault, but that wouldn't be too surprising a result for passing a
binary file to a text file parser.)

Tracecap will be compiled with default locations for both the
directory and the .ini file, so if your directory structure matches
what's expected, it should be enough to say

(qemu) load_hooks "" ""

where the empty string means "use the default value".

Sorry if the lack of documentation or error checking led you astray
here; patches for either would be welcome.

Hope this helps,

-- Stephen

Henrique Sarmento

May 31, 2013, 5:15:41 PM
to bitblaz...@googlegroups.com, mcca...@cs.umn.edu
Hey there.

I'm having another issue with the load_hooks function.
When I use the command
"load_hooks /home/henrique/bitblaze/temu-1.0/shared/hooks/hook_plugins /home/henrique/bitblaze/temu-1.0/tracecap/ini/hook_plugin.ini"

I usually get this message:

Files to load as plugins:
Module/function pairs to load:

my hook_plugin.ini file:
----------------------------------------------------------------------------

[hook plugins] 
; this section specifies what .so files to load

sample_hook.so = yes

[functions]
; this section specifies what functions to hook or not to hook

*::* = yes
----------------------------------------------------------------------------
The directories are correct. Sometimes, when I recreate the hook_plugin.ini file and test everything again, I get the following output:

Files to load as plugins:
Module/function pairs to load:
*::* = yes

Once I got the correct response from TEMU and it performed the hook function correctly (although I didn't test the output), but since that time I have not been able to test sample_hook or any other hook implemented by me.

Just to be clear, I compiled the sample_hooks.c file, so I do have a sample_hook.so file in the specified folder.

I looked for a similar problem in the forum but didn't find one; any thoughts?

Thanks.
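A parser for the two-section hook_plugin.ini format Stephen describes, run over Henrique's file as sample input, added here as an example; it is not TEMU's, tracecap's or llconf's code, and the function, type and constant names are mine. It returns an error instead of dereferencing anything when the input is non-text (such as a .so file), has a key before any section header, or lacks a [hook plugins] section, and it tolerates trailing whitespace after a section header.

```c
#include <ctype.h>
#include <string.h>

enum { MAX_ITEMS = 8, MAX_LEN = 64, SEC_NONE = 0, SEC_PLUGINS = 1, SEC_FUNCTIONS = 2 };

struct hook_ini {                        /* keys enabled with "= yes", indexed by section */
    char keys[3][MAX_ITEMS][MAX_LEN];    /* [SEC_PLUGINS] = .so names, [SEC_FUNCTIONS] = module::function pairs */
    int n[3];
};

/* Henrique's hook_plugin.ini from the thread, embedded here as constructed sample input. */
const char SAMPLE_INI[] = "[hook plugins] \n; this section specifies what .so files to load\n\nsample_hook.so = yes\n\n"
                          "[functions]\n; this section specifies what functions to hook or not to hook\n\n*::* = yes\n";

static void rtrim(char *s) {             /* drop trailing whitespace in place */
    size_t len = strlen(s);
    while (len > 0 && isspace((unsigned char)s[len - 1])) s[--len] = '\0';
}

/* Returns 0 on success, -1 if the input is not a hook_plugin.ini: non-text bytes (a .so passed
 * by mistake), a key before any section header, an overlong line, or no [hook plugins] section. */
int parse_hook_ini(const char *text, struct hook_ini *out) {
    char line[256]; int section = SEC_NONE, seen_plugins = 0;
    memset(out, 0, sizeof *out);
    for (const char *q = text; *q; q++)  /* reject binary input before parsing anything */
        if (!isprint((unsigned char)*q) && !isspace((unsigned char)*q)) return -1;
    for (const char *p = text; *p; ) {
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) return -1;
        memcpy(line, p, len); line[len] = '\0';
        p += len + (p[len] == '\n');
        rtrim(line);
        if (line[0] == '\0' || line[0] == ';') continue;        /* blank line or comment */
        if (line[0] == '[') {                                   /* section header */
            char *end = strchr(line, ']'); if (!end) return -1;
            *end = '\0'; rtrim(line + 1);                       /* tolerate "[name ]" */
            section = !strcmp(line + 1, "hook plugins") ? SEC_PLUGINS : !strcmp(line + 1, "functions") ? SEC_FUNCTIONS : SEC_NONE;
            seen_plugins |= (section == SEC_PLUGINS);
            continue;
        }
        char *eq = strchr(line, '=');
        if (!eq || section == SEC_NONE) return -1;              /* key with no section: not an ini file */
        char *val = eq + 1; *eq = '\0'; rtrim(line);            /* split "key = value" */
        while (isspace((unsigned char)*val)) val++;
        if (strcmp(val, "yes") != 0) continue;                  /* "= no" entries are skipped */
        if (out->n[section] >= MAX_ITEMS || strlen(line) >= MAX_LEN) return -1;
        strcpy(out->keys[section][out->n[section]++], line);
    }
    return seen_plugins ? 0 : -1;        /* a missing section is an error return, not a NULL to dereference */
}
```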