https://github.com/advanced-microcode-patching/shiva/issues/19

Author: elfmaster

Makefile

@@ -1,7 +1,7 @@
 BUILD_DIR = './build'
 INTERP_PATH = $(PWD)/build/shiva
 PATCH_PATH = "modules/aarch64_patches"
-GCC_OPTS= -fPIC -ggdb -c 
+GCC_OPTS= -fPIC -ggdb -c
 OBJ_LIST=shiva.o shiva_util.o shiva_signal.o shiva_ulexec.o shiva_auxv.o	\
     shiva_module.o shiva_trace.o shiva_trace_thread.o shiva_error.o shiva_maps.o shiva_analyze.o \
     shiva_callsite.o shiva_target.o shiva_xref.o shiva_transform.o shiva_so.o shiva_post_linker.o

modules/aarch64_patches/fsplice/example6/fsplice_host.c

@@ -1,13 +1,6 @@
 #include <stdio.h>
 
-/*
- * .rodata string
- */
 const char *banner = "ElfMaster";
-
-/*
- * .bss static buffer
- */
 char global_buf[255];
 
 int foo(int num, char *str)

shiva.c

@@ -439,10 +439,20 @@ int main(int argc, char **argv, char **envp)
 		if (mpath != NULL) {
 			strcpy(ctx.module_path, mpath);
 		} else {
-			strcpy(ctx.module_path, SHIVA_DEFAULT_MODULE_PATH);
+			/*
+			 * If the target binary has no shiva-prelinking
+			 * and we are executing it with /lib/shiva directly
+			 * then we can flip on ulexec mode. Shiva won't load
+			 * any modules. it will simply pass control to ld-linux.so
+			 * and effectively ulexec the target ELF binary.
+			 */
+			ctx.flags |= SHIVA_OPTS_F_ULEXEC_ONLY;
 		}
 	}
 
+	if (ctx.flags & SHIVA_OPTS_F_ULEXEC_ONLY)
+		goto transfer_control;
+
 	if (shiva_module_loader(&ctx, ctx.module_path,
 	    &ctx.module.runtime, SHIVA_MODULE_F_RUNTIME) == false) {
 		fprintf(stderr, "shiva_module_loader failed\n");

shiva.h

@@ -70,6 +70,7 @@
 
 #define SHIVA_DT_NEEDED	(DT_LOOS + 10)
 #define SHIVA_DT_SEARCH (DT_LOOS + 11)
+#define SHIVA_DT_ORIG_INTERP (DT_LOOS + 12)
 
 #define SHIVA_DEFAULT_MODULE_PATH "/opt/shiva/modules/shakti.o"
 
@@ -468,6 +469,7 @@ typedef struct shiva_ctx {
 	int duplicate_pid;
 	uint64_t duplicate_base;
 	char *shiva_path; // path to /bin/shiva
+	char orig_interp_path[PATH_MAX];
 	union {
 		struct shiva_trace_regset_x86_64 regset_x86_64;
 	} regs;

shiva_target.c

@@ -87,7 +87,6 @@ shiva_target_get_module_path(struct shiva_ctx *ctx, char *buf)
 	return true;
 }
 
-
 /*
  * This function modifies the "live" dynamic segment in memory. It will modify
  * the first dynamic tag found of type 'tag' and change it to 'value'.

shiva_ulexec.c

@@ -256,6 +256,31 @@ shiva_ulexec_total_segment_len(elfobj_t *elfobj, size_t *len)
 	shiva_debug("Total mapping size: %#zu\n", *len);
 	return true;
 }
+
+bool
+shiva_ulexec_get_orig_interp(struct shiva_ctx *ctx, char *outbuf)
+{
+	struct elf_dynamic_entry dyn;
+	elf_dynamic_iterator_t dyn_iter;
+	size_t len;
+	bool res;
+
+	elf_dynamic_iterator_init(&ctx->elfobj, &dyn_iter);
+	while (elf_dynamic_iterator_next(&dyn_iter, &dyn) == ELF_ITER_OK) {
+		if (dyn.tag != SHIVA_DT_ORIG_INTERP)
+			continue;
+		res = shiva_target_copy_string(ctx, outbuf,
+		    (const char *)dyn.value, &len);
+		if (res == false) {
+			fprintf(stderr, "shiva_target_copy_string() failed at %#lx\n",
+			    dyn.value);
+			return false;
+		}
+		break;
+	}
+	return true;
+}
+
 /*
  * XXX -- We currently only support PIE binaries. This is very temporary.
  */
@@ -422,8 +447,28 @@ shiva_ulexec_prep(struct shiva_ctx *ctx)
 	shiva_auxv_iterator_t a_iter;
 	struct shiva_auxv_entry a_entry;
 
-	if (elf_type(&ctx->elfobj) == ET_DYN) {
-		interp = elf_interpreter_path(&ctx->elfobj);
+	if (elf_linking_type(&ctx->elfobj) == ELF_LINKING_DYNAMIC) {
+		/*
+		 * If the target binary is has been shiva-prelinked already,
+		 * then it's PT_INTERP segment will contain /lib/shiva. We
+		 * need the path of it's original interpreter "ld-linux.so"
+		 * so that we can prepare to map it into memory.
+		 */
+		if (shiva_target_has_prelinking(ctx) == true) {
+			char interp_path[PATH_MAX];
+
+			if (shiva_ulexec_get_orig_interp(ctx, interp_path) == false) {
+				fprintf(stderr, "shiva_target_get_orig_interp() failed\n");
+				return false;
+			}
+			interp = interp_path;
+		} else {
+			interp = elf_interpreter_path(&ctx->elfobj);
+			if (interp == NULL) {
+				fprintf(stderr, "elf_interpreter_path() failed\n");
+				return false;
+			}
+		}
 		if (interp != NULL) {
 			shiva_debug("Interp path: %s\n", interp);
 			ctx->ulexec.flags |= SHIVA_F_ULEXEC_LDSO_NEEDED;

tools/shiva-ld/shiva-ld.c

@@ -41,6 +41,7 @@
 
 #define SHIVA_DT_NEEDED	DT_LOOS + 10
 #define SHIVA_DT_SEARCH DT_LOOS + 11
+#define SHIVA_DT_ORIG_INTERP DT_LOOS + 12
 
 #define SHIVA_SIGNATURE 0x31f64
 
@@ -69,6 +70,7 @@ struct shiva_prelink_ctx {
 	char *output_exec;
 	char *search_path;
 	char *interp_path;
+	char *orig_interp_path;
 	struct {
 		elfobj_t elfobj;
 	} bin;
@@ -123,6 +125,8 @@ elf_segment_copy(elfobj_t *elfobj, uint8_t *dst, struct elf_segment segment)
 	return true;
 }
 
+#define NEW_DYN_COUNT 3
+
 bool
 shiva_prelink(struct shiva_prelink_ctx *ctx)
 {
@@ -142,6 +146,19 @@ shiva_prelink(struct shiva_prelink_ctx *ctx)
 	uint8_t *old_dynamic_segment;
 	size_t old_dynamic_size, dynamic_index;
 
+	ctx->orig_interp_path = elf_interpreter_path(&ctx->bin.elfobj);
+	if (ctx->orig_interp_path == NULL) {
+		fprintf(stderr, "elf_interpreter_path() failed\n");
+		return false;
+	}
+	/*
+	 * We must do this or it will get overwritten later by an strcpy
+	 */
+	ctx->orig_interp_path = strdup(ctx->orig_interp_path);
+	if (ctx->orig_interp_path == NULL) {
+		perror("strdup");
+		return false;
+	}
 	if (elf_flags(&ctx->bin.elfobj, ELF_DYNAMIC_F) == false) {
 		fprintf(stderr, "Currently we do not support static ELF executable\n");
 		return false;
@@ -162,7 +179,7 @@ shiva_prelink(struct shiva_prelink_ctx *ctx)
 		} else if (segment.type == PT_DYNAMIC) {
 			found_dynamic = true;
 			ctx->new_segment.dyn_size = elf_dtag_count(&ctx->bin.elfobj) * sizeof(ElfW(Dyn));
-			ctx->new_segment.dyn_size += (sizeof(ElfW(Dyn)) * 2);
+			ctx->new_segment.dyn_size += (sizeof(ElfW(Dyn)) * NEW_DYN_COUNT);
 			ctx->new_segment.dyn_offset = 0;
 
 			old_dynamic_size = elf_dtag_count(&ctx->bin.elfobj) * sizeof(ElfW(Dyn));
@@ -183,9 +200,10 @@ shiva_prelink(struct shiva_prelink_ctx *ctx)
 			/*
 			 * Make room for the two new additional dynamic entries
 			 */
-			ctx->new_segment.filesz += sizeof(ElfW(Dyn)) * 2;
+			ctx->new_segment.filesz += sizeof(ElfW(Dyn)) * NEW_DYN_COUNT;
 			ctx->new_segment.filesz += strlen(ctx->input_patch) + 1;
 			ctx->new_segment.filesz += strlen(ctx->search_path) + 1;
+			ctx->new_segment.filesz += strlen(ctx->orig_interp_path) + 1;
 			/*
 			 * Mark the index of this segment so that we can modify it
 			 * to match the new dynamic segment location once we know it.
@@ -319,7 +337,9 @@ shiva_prelink(struct shiva_prelink_ctx *ctx)
 		return false;
 	}
 
-	ElfW(Dyn) dyn[3];
+#define NEW_DYN_ENTRY_SZ 4
+
+	ElfW(Dyn) dyn[NEW_DYN_ENTRY_SZ];
 
 	/*
 	 * Write out new dynamic entry for SHIVA_DT_SEARCH and
@@ -328,9 +348,13 @@ shiva_prelink(struct shiva_prelink_ctx *ctx)
 	dyn[0].d_tag = SHIVA_DT_SEARCH;
 	dyn[0].d_un.d_ptr = ctx->new_segment.vaddr + ctx->new_segment.dyn_size;
 	dyn[1].d_tag = SHIVA_DT_NEEDED;
-	dyn[1].d_un.d_ptr = ctx->new_segment.vaddr + ctx->new_segment.dyn_size + strlen(ctx->search_path) + 1;
-	dyn[2].d_tag = DT_NULL;
-	dyn[2].d_un.d_ptr = 0x0;
+	dyn[1].d_un.d_ptr = ctx->new_segment.vaddr +
+	    ctx->new_segment.dyn_size + strlen(ctx->search_path) + 1;
+	dyn[2].d_tag = SHIVA_DT_ORIG_INTERP;
+	dyn[2].d_un.d_ptr = ctx->new_segment.vaddr + ctx->new_segment.dyn_size +
+	    strlen(ctx->search_path) + 1 + strlen(ctx->input_patch) + 1;
+	dyn[3].d_tag = DT_NULL;
+	dyn[3].d_un.d_ptr = 0x0;
 
 	if (write(fd, &dyn[0], sizeof(dyn)) < 0) {
 		perror("write 4.");
@@ -345,6 +369,13 @@ shiva_prelink(struct shiva_prelink_ctx *ctx)
 		return false;
 	}
 
+	printf("Writing out original interp path: %s\n", ctx->orig_interp_path);
+
+	if (write(fd, ctx->orig_interp_path,
+	    strlen(ctx->orig_interp_path) + 1) < 0) {
+		perror("write 7.");
+		return false;
+	}
 	if (fchown(fd, st.st_uid, st.st_gid) < 0) {
 		perror("fchown");
 		return false;