I am calling a user-space application, /usr/bin/myapp, from a Linux Kernel Module using call_usermodehelper(). The myapp returns 2228 when it exits. I should receive same value i.e 2228 as a return value of call_usermodehelper() in the kernel module. However, I am receiving a different value, that is 46080.
My question is, why I don't receive the value I return from myapp as the return value of call_usermodehelper()? Note, myapp executes successfully when I call it from kernel module using call_usermodehelper(). I don't return 0 as a success code. I return 2228 on exit.
Here is the sample code:
user-space's application code:
#include <stdio.h>
int main(int argc, char *argv[])
{
printf("%s called successfully\n", argv[0]);
return 2228;
}
Kernel Module's Code:
int call_userspaceapp()
{
int ret = -EPERM;
char *argv[] = {"/usr/bin/myapp", "11", "22", "33", NULL};
char *envp[] = {"HOME=/", NULL};
ret = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
printk("%s returns value %d", argv[0], ret);
return ret;
}
However, I am receiving a different value, that is 46080.
Exit status has 8 bits and return value is just like waitpid return value. See userspace definition of WEXITSTATUS to access the exit status, which is 46080 >> 8 = 180, which is equal to the returned exit status 2228 % 256 = 180. Here drbd_nl.c I found an example of call_usermodehelper that also accesses the exit status with (ret >> 8) && 0xff, just like WEXITSTATUS.
Related
The following (broken) example code scanf's an input string to an integer, but allow an empty string through to as 0:
#include <stdio.h>
#include <string.h>
int parse(const char *p)
{
int value; // whoops! forgot to 0 here.
if (*p && sscanf(p, "%d", &value) != 1)
return -1;
return value;
}
int main(int argc, char **argv)
{
const char *p = argc > 1 ? argv[1] : "";
int value = parse(p);
printf("value = %d\n", value);
}
but it compiles clean with -Wall.
https://godbolt.org/z/sPbx99Ms5
but fails with obvious problems:
$ ./test 123
value = 123
$ ./test xxx
value = -1
$ ./test ""
value = 32765
I realise it's quite hard for it to work out that the scanf might not fill in a value as it
can't see the code, but is there a flag or a scanner I could run on a (large) body of code to try and find if there are places where uninitialized variables are being passed by pointer?
... even something that would just find all uninitialized variables would be useful.
I have a file called myhj.txt which I hid with using this command from cmd attrib +h +s +r myhj.txt. Now I can't open the file with standart fopen() function in C, so I have decided to use GetFileAttributes() function which does not return an error. According to MSDN, when the function succeeds the return value is File Attribute Constants
I don't know how to get their values as the program crushes when it tries to run printf() down below. Also would it work stable when the file is hidden? How do I access a hidden file with all of its values?
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
FILE *log;
int main(int argc, char *argv[]) {
if(GetFileAttributes("myhj.txt") == INVALID_FILE_ATTRIBUTES){
printf("invalid get last error %d", GetLastError());
}else{
printf("%s", FILE_ATTRIBUTE_DIRECTORY);
}
}
It crashes because %s expects a null-terminated string but the FILE_ATTRIBUTE_* constants are integers instead, so it ends up trying to read a string from an invalid memory address. Use %d instead:
printf("%d", FILE_ATTRIBUTE_DIRECTORY);
GetFileAttributes() returns a DWORD, which is an unsigned int, so use %u for it:
DWORD att = GetFileAttributes("myhj.txt");
if (att == INVALID_FILE_ATTRIBUTES) {
printf("invalid get last error %d", GetLastError());
}
else {
printf("%u", att);
}
To check for specific values, test each bit separately using the bitwise AND operator (&):
DWORD att = GetFileAttributes("file.ext");
if (att == INVALID_FILE_ATTRIBUTES) {
printf("error!\n");
}
else
{
if (att & FILE_ATTRIBUTE_DIRECTORY) printf("directory\n");
if (att & FILE_ATTRIBUTE_HIDDEN) printf("hidden\n");
...
}
If you set the read-only attribute on a file, you cannot perform destructive operations on it...
"gethostbyname" returns a pointer to this structure:
struct hostent {
char *h_name; /* official name of host */
char **h_aliases; /* alias list */
int h_addrtype; /* host address type */
int h_length; /* length of address */
char **h_addr_list; /* list of addresses from name server */
};
When I try to use it, h_name points to a valid string: the partial name I supply is expanded to the correct fully qualified host name.
The value of h_addr_list is 4
h_name is valid
h_aliasis is a valid pointer to a null pointer
h_addrtype is 2 (AF_INET, IPV4)
h_length is 0 (should be 4, or perhaps a multiple of 4)
h_addr_list is 4, fails when dereferenced.
I'm running a 32 bit process (MS Office), the h_name pointer is a valid 32 bit pointer. WTF am I doing wrong? Does gethostbyname work for other people, or on other versions of OSX?
I was able to run this small example successfully on 10.10.4 (taken from paulschreiber.com)
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
int main(int argc, char **argv) {
if (argc < 2) {
printf("Usage: %s hostname", argv[0]);
exit(-1);
}
struct hostent *hp = gethostbyname(argv[1]);
if (hp == NULL) {
printf("gethostbyname() failed\n");
} else {
printf("%s = ", hp->h_name);
unsigned int i=0;
while ( hp -> h_addr_list[i] != NULL) {
printf( "%s ", inet_ntoa( *( struct in_addr*)( hp -> h_addr_list[i])));
i++;
}
printf("\n");
}
}
However, it did segfault on 64-bit without #include <arpa/inet.h: without that, no prototype for inet_ntoa is found, the return type is assumed to be an int (when it's actually a char *), and on 64-bit this truncates the pointer and causes a segfault.
I am trying to write an Ruby script to pass strings to a simple server running in a VM and I am stuck at passing the strings without creating inifinite loops in my server program.
The Content of the Server(written in C):
#include <stdio.h>
#include <strings.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define PORTNO 12346
int h=0,b=0,p=0;
#define BUFFER_SIZE 512
int checksec(FILE* f){
FILE* key;
char buf[1024];
if(h&b&p){
key=fopen("easy_key","r");
fread(buf,1024,1,key);
fprintf(f,"%s",buf);
fclose(key);
return 0;
}
return 1;
}
void hekers(FILE* f){
volatile int zeroWeekend;
char buf[32];
fprintf(f,"So you want to be an 31337 Hax0r?\n");
fgets(buf,40,f);
switch(strcmp("y3$\n",buf)){
case 0:
fprintf(f,"First you must get power\n");
break;
default:
fprintf(f,"Well then go away\n");
break;
}
if(zeroWeekend==0xcafebabe){
h=1;
}
return;
}
void batmenss(FILE* f){
volatile int batsignet;
char buf[32];
fprintf(f,"So you want to be the batman?\n");
fgets(buf,40,f);
switch(strcmp("YESSSSSSS\n",buf)){
case 0:
fprintf(f,"First you must get rich\n");
break;
default:
fprintf(f,"Well then go away\n");
break;
}
if(batsignet==0x12345678){
b=1;
}
return;
}
void pokemans(FILE* f){
volatile int pikachy;
char buf[32];
fprintf(f,"So you want to be the best there ever was?\n");
fgets(buf,40,f);
switch(strcmp("catchemall\n",buf)){
case 0:
fprintf(f,"First you must get respect\n\n");
break;
default:
fprintf(f,"Well then go away\n");
break;
}
if(pikachy==0xfa75beef){
p=1;
}
return;
}
void readInput(int sock){
int msg;
char choice[4];
char buffer[BUFFER_SIZE];
FILE* fptr = fdopen(sock, "r+");
char* prompt="Do you want to be a?\n"
"1.) Pokemon Master\n"
"2.) Elite Hacker\n"
"3.) The Batman\n";
while(checksec(fptr)){
fprintf(fptr,"%s",prompt);
fgets(choice,4,fptr);
switch(choice[0]){
case '1':
pokemans(fptr);
break;
case '2':
hekers(fptr);
break;
case '3':
batmenss(fptr);
break;
default:
fprintf(fptr,"\nThat is not one of the choices\n");
fflush(fptr);
}
}
fprintf(fptr, "%s", buffer);
fflush(fptr);
fclose(fptr);
return;
}
int main(int argc, char *argv[])
{
char buffer[BUFFER_SIZE];
int sockfd, newsockfd, portno, pid;
socklen_t clilen;
struct sockaddr_in serv_addr, cli_addr;
/*
if (argc < 2) {
fprintf(stderr,"ERROR, no port provided\n");
exit(1);
}
*/
sockfd = socket(AF_INET, SOCK_STREAM, 0);
if (sockfd < 0){
perror("ERROR opening socket");
exit(1);
}
bzero((char *) &serv_addr, sizeof(serv_addr));
//portno = atoi(argv[1]);
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = inet_addr("0.0.0.0");
serv_addr.sin_port = htons(PORTNO);
if (bind(sockfd, (struct sockaddr *) &serv_addr,
sizeof(serv_addr)) < 0){
perror("ERROR on binding");
exit(1);
}
listen(sockfd,5);
clilen = sizeof(cli_addr);
while (1) {
newsockfd = accept(sockfd,
(struct sockaddr *) &cli_addr, &clilen);
if (newsockfd < 0)
perror("ERROR on accept");
pid = fork();
if (pid < 0)
perror("ERROR on fork");
if (pid == 0) {
close(sockfd);
readInput(newsockfd);
return;
}
else close(newsockfd);
waitpid(-1,NULL,WNOHANG);
} /* end of while */
close(sockfd);
return 0; /* we never get here */
}
When I connect to the server, it looks like this:
user#DESKTOP-LINUX:~/Documents/tob/ctf/exploits/binary1_workshop/easy$ nc 192.168.178.40 12346
Do you want to be a?
1.) Pokemon Master
2.) Elite Hacker
3.) The Batman
Now the Program waits for an input and another string will be printed and then the Program waits for another input and so on...
Now the real problem comes when I try to use a Ruby Script that should dictate the input that the Program should get.
I tried it with this Ruby Script (Filename: script.rb):
#!/usr/bin/env ruby
firstinput = "1"
puts select + "\r\n"
secondinput = "2"
puts secondinput + "\r\n"
And executed it with this command:
user#DESKTOP-LINUX:~/Documents/Code/binary1_workshop_exploits$ ./script.rb | nc 192.168.178.40 12346
But the output is just an infinite loop of the "main menu"...
How do I fix this problem?
P.S. I am running Ubuntu 14.04 64-Bit and the VM with the Server is running Ubuntu 14.04 32-Bit
I am trying to use the SIGCHLD handler but for some reason it prints of the command I gave infinitely. If I remove the struct act it works fine.
Can anyone take a look at it, I am not able to understand what the problem is.
Thanks in advance!!
/* Simplest dead child cleanup in a SIGCHLD handler. Prevent zombie processes
but dont actually do anything with the information that a child died. */
#include <sys/types.h>
#include <sys/wait.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
typedef char *string;
/* SIGCHLD handler. */
static void sigchld_hdl (int sig)
{
/* Wait for all dead processes.
* We use a non-blocking call to be sure this signal handler will not
* block if a child was cleaned up in another part of the program. */
while (waitpid(-1, NULL, WNOHANG) > 0) {
}
}
int main (int argc, char *argv[])
{
struct sigaction act;
int i;
int nbytes = 100;
char my_string[nbytes];
string arg_list[5];
char *str;
memset (&act, 0, sizeof(act));
act.sa_handler = sigchld_hdl;
if (sigaction(SIGCHLD, &act, 0)) {
perror ("sigaction");
return 1;
}
while(1){
printf("myshell>> ");
gets(my_string);
str=strtok(my_string," \n");
arg_list[0]=str;
i =1;
while ( (str=strtok (NULL," \n")) != NULL){
arg_list[i]= str;
i++;
}
if (i==1)
arg_list[i]=NULL;
else
arg_list[i+1]=NULL;
pid_t child_pid;
child_pid=fork();
if (child_pid == (pid_t)-1){
printf("ERROR OCCURED");
exit(0);
}
if(child_pid!=0){
printf("this is the parent process id is %d\n", (int) getpid());
printf("the child's process ID is %d\n",(int)child_pid);
}
else{
printf("this is the child process, with id %d\n", (int) getpid());
execvp(arg_list[0],arg_list);
printf("this should not print - ERROR occured");
abort();
}
}
return 0;
}
I haven't run your code, and am merely hypothesizing:
SIGCHLD is arriving and interrupting fgets (I'll just pretend you didn't use gets). fgets returns before actually reading any data, my_string contains the tokenized list that it had on the previous loop, you fork again, enter fgets, which is interrupted before reading any data, and repeat indefinitely.
In other words, check the return value of fgets. If it is NULL and has set errno to EINTR, then call fgets again. (Or set act.sa_flags = SA_RESTART.)