- 11-05-2008 #1Just Joined!
- Join Date
- Nov 2008
- Posts
- 3
Cannot modify sys_call_table
Hello everybody!
I've had trouble with my kernel module since I last updated Ubuntu 8.04. So, it's all about kernel 2.6.24-21 and higher... I think so, because I didn't change my sources for a long time.
I detected that the string below, that worked perfectly until last update, doesn't work now:
sys_call_table[__NR_clone] = my_sys_clone;
sys_call_table - system call table, address taken from System.map file
my_sys_clone - my own sys_clone function, that I replace the original call with
Below is the error message (dmesg):
[ 1672.577687] ..................
[ 1672.577687] BUG: unable to handle kernel paging request at c0385a60
[ 1672.577797] IP: [<e08600e9>] :proc_watcher_mod:proc_watcher_init+0xe9/0x10c
[ 1672.578784] *pde = 005c1067 *pte = 00385161
[ 1672.579543] Oops: 0003 [#1] SMP
[ 1672.579906] Modules linked in: proc_watcher_mod(+) isofs udf crc_itu_t binfmt_misc af_packet bridge stp bnep rfcomm sco l2cap bluetooth ppdev vmblock vmci vmmemctl speedstep_lib cpufreq_powersave cpufreq_userspace cpufreq_stats cpufreq_ondemand cpufreq_conservative freq_table video output sbs sbshc pci_slot wmi battery iptable_filter ip_tables x_tables vmhgfs lp loop ipv6 snd_ens1371 gameport snd_ac97_codec ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy parport_pc parport snd_seq_oss evdev snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq container psmouse serio_raw snd_timer snd_seq_device ac button snd pcspkr i2c_piix4 soundcore snd_page_alloc intel_agp i2c_core shpchp agpgart pci_hotplug ext3 jbd mbcache sd_mod crc_t10dif sr_mod cdrom sg pcnet32 mptspi mptscsih mii uhci_hcd mptbase scsi_transport_spi ata_piix ata_generic pata_acpi usbcore libata scsi_mod dock thermal processor fan fbcon tileblit font bitblit softcursor fuse vmxnet
[ 1672.580036]
[ 1672.580036] Pid: 5950, comm: insmod Not tainted (2.6.27-7-generic #1)
[ 1672.580036] EIP: 0060:[<e08600e9>] EFLAGS: 00010282 CPU: 0
[ 1672.580036] EIP is at proc_watcher_init+0xe9/0x10c [proc_watcher_mod]
[ 1672.580036] EAX: c01023c0 EBX: 00000000 ECX: e0c4c666 EDX: c0385880
[ 1672.580036] ESI: e0860000 EDI: 00000000 EBP: de7fff1c ESP: de7fff0c
[ 1672.580036] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 1672.580036] Process insmod (pid: 5950, ti=de7fe000 task=dd4ebed0 task.ti=de7fe000)
[ 1672.580036] Stack: e0c4ce6c 00000001 e0c4fc04 00000000 de7fff8c c0101120 00000000 00000000
[ 1672.580036] 00000111 00000000 00000000 00000000 00000000 00000000 00000000 e0c5d064
[ 1672.580036] 0000001a e0c4da8c 00000000 00000000 c014c604 00000000 00000000 e0c4da80
[ 1672.580036] Call Trace:
[ 1672.580036] [<c0101120>] ? _stext+0x30/0x160
[ 1672.580036] [<c014c604>] ? __blocking_notifier_call_chain+0x14/0x70
[ 1672.580036] [<c015c208>] ? sys_init_module+0x88/0x1b0
[ 1672.580036] [<c01aff3f>] ? sys_close+0x7f/0xd0
[ 1672.580036] [<c0103f7b>] ? sysenter_do_call+0x12/0x2f
[ 1672.580036] =======================
[ 1672.580036] Code: 00 e8 dc c5 3e 00 a1 04 da c4 e0 e8 e2 c4 3e 00 8b 15 04 fc c4 e0 85 d2 89 15 08 fc c4 e0 74 15 8b 82 e0 01 00 00 a3 00 fc c4 e0 <c7> 82 e0 01 00 00 10 c3 c4 e0 89 d8 83 c4 0c 5b 5d c3 c7 04 24
[ 1672.580036] EIP: [<e08600e9>] proc_watcher_init+0xe9/0x10c [proc_watcher_mod] SS:ESP 0068:de7fff0c
[ 1672.580036] ---[ end trace 2b123145b19e26a4 ]---
Does anybody know if there are some changes in the new kernel regarding system calls and sys_call_table? Please help!
Thanks!
PS. I tried the same on Ubuntu 8.10 (2.6.27-7) - no changes, the same result
- 02-10-2009 #2Just Joined!
- Join Date
- Sep 2006
- Posts
- 2
Even though it is late, the solution may interest others too:
In the entry.S file you will find:
sys_call_table -> ReadOnly
Code:
.section .rodata,"a"
#include "syscall_table_32.S"
You have to recompile the kernel if you want to "hack" around with sys_call_table...
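Added example (not written by any poster in this thread): a small user-space C program that decodes the oops from the first post. It shows that error code 0003 together with the cleared RW bit in *pte means a kernel-mode write to a mapped, read-only page, which is what placing the table in .rodata produces. Treating EDX as the table base is an assumption read from the faulting store in the Code: line (c7 82 e0 01 00 00 ...); all struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* x86 page-fault error-code bits and PTE flag bits (architecture-defined). */
#define PF_PROT     0x1u   /* fault on a present page (protection violation) */
#define PF_WRITE    0x2u   /* the access was a write */
#define PF_USER     0x4u   /* CPU was in user mode */
#define PTE_PRESENT 0x001ul
#define PTE_RW      0x002ul
struct oops_info {
    unsigned long fault_addr, pte, edx; /* "paging request at", "*pte =", "EDX:" */
    unsigned long err;                  /* "Oops:" error code */
};

/* Read the hex field that follows `key` in the log; returns 1 on success. */
static int hex_after(const char *log, const char *key, unsigned long *out) {
    const char *p = strstr(log, key);
    return p != NULL && sscanf(p + strlen(key), "%lx", out) == 1;
}

/* Fill `o` from dmesg text; returns the number of fields found (0..4). */
int parse_oops(const char *log, struct oops_info *o) {
    return hex_after(log, "paging request at ", &o->fault_addr)
         + hex_after(log, "*pte = ", &o->pte)
         + hex_after(log, "EDX: ", &o->edx)
         + hex_after(log, "Oops: ", &o->err);
}

/* Kernel-mode write to a page that is mapped but not writable? */
int is_kernel_write_to_ro_page(const struct oops_info *o) {
    return (o->err & PF_PROT) && (o->err & PF_WRITE) && !(o->err & PF_USER)
        && (o->pte & PTE_PRESENT) && !(o->pte & PTE_RW);
}

/* Index of the 4-byte slot hit by the store, taking EDX as the table base. */
long table_slot(const struct oops_info *o) {
    return (long)((o->fault_addr - o->edx) / 4);
}

const char SAMPLE_OOPS[] =   /* lines copied from the oops in the first post */
    "BUG: unable to handle kernel paging request at c0385a60\n"
    "*pde = 005c1067 *pte = 00385161\nOops: 0003 [#1] SMP\n"
    "EAX: c01023c0 EBX: 00000000 ECX: e0c4c666 EDX: c0385880\n";

int main(void) {
    struct oops_info o = {0};
    if (parse_oops(SAMPLE_OOPS, &o) != 4) return 1;
    printf("ro-write=%d slot=%ld\n", is_kernel_write_to_ro_page(&o), table_slot(&o));
    return 0;
}
```

The slot index comes out as 120, which is __NR_clone on i386 and matches the assignment quoted in the first post.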
- 02-10-2009 #3
Or....if you wanted to try something exotic you could walk the page tables and find the page with the address in question and change it to read write access...
Note I got this to work on a 2.6.22.14-72.fc6 i586 kernel
- 02-11-2009 #4Just Joined!
- Join Date
- Nov 2008
- Posts
- 3
Hi everybody. Thanks for the replies. I solved the problem long ago by modifying access to memory pages. I have implemented two functions that do it for my upper level code:
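#include <asm/cacheflush.h>

/* KERN_2_6_24 is this module's own build-time macro, not a kernel symbol. */
#ifdef KERN_2_6_24
#include <asm/semaphore.h>

/*
 * 2.6.24 path: change_page_attr() on the page that backs _addr.
 * VM_READ/VM_WRITE are vma flags, not PTE flags; their values (0x1, 0x2)
 * coincide with _PAGE_PRESENT/_PAGE_RW on x86, which is why this has an effect.
 * On these kernels change_page_attr() callers are expected to call
 * global_flush_tlb() afterwards.
 */
int set_page_rw(long unsigned int _addr)
{
    struct page *pg;
    pgprot_t prot;

    pg = virt_to_page(_addr);
    prot.pgprot = VM_READ | VM_WRITE;
    return change_page_attr(pg, 1, prot);
}

int set_page_ro(long unsigned int _addr)
{
    struct page *pg;
    pgprot_t prot;

    pg = virt_to_page(_addr);
    prot.pgprot = VM_READ;
    return change_page_attr(pg, 1, prot);
}
#else
#include <linux/semaphore.h>

/* Later kernels: set_memory_rw()/set_memory_ro() on one page at _addr. */
int set_page_rw(long unsigned int _addr)
{
    return set_memory_rw(_addr, 1);
}

int set_page_ro(long unsigned int _addr)
{
    return set_memory_ro(_addr, 1);
}
#endif // KERN_2_6_24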
------------------
But, as I remember, neither of these two implementations works for 2.6.27-8 and higher kernels. There must be some different mechanism for changing memory page permissions.
Good luck!
- 02-11-2009 #5
I should give it a try since I have a box loaded with 2.6.27.7-9-default kernel...
- 01-10-2010 #6Just Joined!
- Join Date
- Jan 2010
- Posts
- 23
wrong message :0
delete it if you see .
- 01-10-2010 #7Just Joined!
- Join Date
- Jan 2010
- Posts
- 13
Right
If your kernel's version is > 2.6.24 (I tested it using Ubuntu 8.04 = kv 2.6.24) then you have to recompile your kernel and put CONFIG_DEBUG_RODATA out of the menu.
Then you have no problem hooking syscalls. The sys_read() function will be the one you will need!
Will NOT work for kernels > 2.6.24 for it is deprecated!
change_page_attr(pg, 1, prot);
There might be some other ways, via intel debug lowlevel stuff...
but for you - recompiling the kernel - is the easiest way.



