libsgxstep/vdso: elementary PoC to locate VDSO

jovanbulck · Sep 28, 2024 · aa17750 · aa17750
1 parent 15e89a9
commit aa17750
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 6 deletions.
diff --git a/libsgxstep/elf_parser.h b/libsgxstep/elf_parser.h
@@ -11,7 +11,6 @@ struct symbol {
 };
 
 uintptr_t get_symbol_offset(const char *name);
-static void add_symbol(const char *name, uintptr_t address);
 void register_symbols(const char *filename);
 
 #endif
diff --git a/libsgxstep/enclave.c b/libsgxstep/enclave.c
@@ -27,7 +27,7 @@
 #include "pt.h"
 #include <fcntl.h>
 #include <string.h>
-#include "aep.h"
+#include "enclu.h"
 
 /* See aep_trampoline.S to see how these are used. */
 extern void sgx_step_aep_trampoline(void);

diff --git a/libsgxstep/aep.c → libsgxstep/enclu.c b/libsgxstep/aep.c → libsgxstep/enclu.c
@@ -1,5 +1,5 @@
 #include "debug.h"
-#include "aep.h"
+#include "enclu.h"
 #define __USE_GNU
 #include <signal.h>
 #include <string.h>
@@ -74,6 +74,8 @@ void xs_sigtrap_handler(int signo, siginfo_t * si, void  *ctx)
     }
 }
 
+void xs_trap_vdso(void);
+
 void __attribute__((constructor)) xs_register_fault_handler(void)
 {
     struct sigaction act, old_act;
@@ -86,4 +88,6 @@ void __attribute__((constructor)) xs_register_fault_handler(void)
     sigfillset(&act.sa_mask);
     info("installing sigtrap handler to intercept ENCLU..");
     ASSERT(!sigaction(SIGTRAP, &act, &old_act));
-}
+
+    xs_trap_vdso();
+}
diff --git a/libsgxstep/aep.h → libsgxstep/enclu.h b/libsgxstep/aep.h → libsgxstep/enclu.h
@@ -1,5 +1,5 @@
-#ifndef SGX_STEP_AEP_INC
-#define SGX_STEP_AEP_INC
+#ifndef SGX_STEP_ENCLU_H_INC
+#define SGX_STEP_ENCLU_H_INC
 
 void* xs_get_aep(void);
 void xs_set_aep(void* aep);

diff --git a/libsgxstep/vdso.c b/libsgxstep/vdso.c
@@ -0,0 +1,57 @@
+#include <sys/auxv.h>
+#include <stdio.h>
+#include <gelf.h>
+#include <string.h>
+#include <stdlib.h>
+#include "debug.h"
+#include <sys/mman.h>
+#include <sys/ptrace.h>
+
+void xs_trap_vdso(void)
+{
+    Elf_Scn *scn = NULL;
+    char *vdso_base = (void *) getauxval(AT_SYSINFO_EHDR);
+    ASSERT( vdso_base );
+    ASSERT(elf_version(EV_CURRENT) != EV_NONE);
+
+    info("found VDSO base at %p", vdso_base);
+
+    GElf_Ehdr *ehdr = (GElf_Ehdr *) vdso_base;
+    ASSERT( memcmp(ehdr->e_ident, ELFMAG, SELFMAG) == 0 && "ELF magic");
+
+    /* Parse the ELF program header table to find the dynamic linking table */
+    GElf_Phdr *phdrtab = (GElf_Phdr *) (vdso_base + ehdr->e_phoff);
+    GElf_Dyn *dyntab = 0;
+    uint64_t load_offset = 0;
+    for (int i = 0; i < ehdr->e_phnum; i++)
+    {
+	if (phdrtab[i].p_type == PT_DYNAMIC)
+	    dyntab = (GElf_Dyn *) (vdso_base + phdrtab[i].p_offset);
+    }
+    ASSERT( dyntab != 0 && "dyntab not found" );
+
+    /* Parse the dynamic linking table to find the vdso symtab */
+    GElf_Sym *symtab = NULL;
+    char *strtab = NULL;
+    for (int i = 0; dyntab[i].d_tag != DT_NULL; i++)
+        if (dyntab[i].d_tag == DT_SYMTAB)
+                symtab = (GElf_Sym *) (vdso_base + dyntab[i].d_un.d_ptr);
+        else if (dyntab[i].d_tag == DT_STRTAB)
+                strtab = vdso_base + dyntab[i].d_un.d_ptr;
+    ASSERT( symtab && strtab ); 
+
+    /* print symbol names */
+	char *vdso_enter_pt = NULL;
+    // index 0 is reserved: https://docs.oracle.com/cd/E23824_01/html/819-0690/chapter6-79797.html#chapter6-tbl-23
+    for (int i = 1; ; i++) {
+        // Assuming the symbol table is terminated by a symbol with st_value == 0
+        if (symtab[i].st_value == 0) {
+            break; // End of symbol table
+        }
+		if (!strcmp("__vdso_sgx_enter_enclave", strtab + symtab[i].st_name))
+		{
+			vdso_enter_pt = vdso_base + symtab[i].st_value;
+			info("found `__vdso_sgx_enter_enclave` at %p", vdso_enter_pt);
+		}
+    }
+}