Try   HackMD

2022q1 第 13 週測驗題

tags: linux2022

目的: 檢驗學員對 並行和多執行緒程式設計Linux 核心記憶體管理 的認知

作答表單:

測驗 1

考慮一個運用 Linux 核心記憶體管理CS:APP 第 9 章 提到的 mmap 系統呼叫,來實作類似 C++ std::vector 的機制,並自動管理記憶體,程式碼列表如下:

#include <asm-generic/param.h>
#define PAGESIZE EXEC_PAGESIZE

#include <err.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* how many directories per (preallocated) page
 * -> (PAGESIZE/16) = 256 for 4KiB pages.
 * each path can be in the medium (PAGESIZE - 4 * 256 - 20) / 256 Bytes.
 * The notify dirlist ist dynamically grown.
 */
#define N_VM_ELEMENTS (PAGESIZE / 16)

/* the macro OPTFENCE(...) can be invoked with any parameter.
 * The parameters will get calculated, even if gcc doesn't recognize
 * the use of the parameters, e.g. cause they are needed for an inlined asm
 * syscall.
 *
 * The macro translates to an asm jmp and a function call to the function
 * opt_fence, which is defined with the attribute "noipa" -
 * (the compiler "forgets" the function body, so gcc is forced to generate
 * all arguments for the function.)
 */
void __attribute__((noipa, cold, naked)) opt_fence(void *p, ...) {}
#define _optjmp(a, b) asm(a "OPTFENCE_" #b)
#define _optlabel(a) asm("OPTFENCE_" #a ":")
#define __optfence(a, ...)  \
    _optjmp("jmp ", a);     \
    opt_fence(__VA_ARGS__); \
    _optlabel(a)
#define OPTFENCE(...) __optfence(__COUNTER__, __VA_ARGS__)

/* Avoids with uint32 the penalty of unaligned memory access */
typedef unsigned int p_rel;

static inline char *_getaddr(p_rel *i, p_rel addr)
{
    return ((char *) i + addr);
}
/* translate a relative pointer to an absolute address */
#define getaddr(addr) _getaddr(&addr, addr)

static inline p_rel _setaddr(p_rel *i, char *p)
{
    return (*i = (p - (char *) i));
}
/* store the absolute pointer as relative address in relative_p */
#define setaddr(relative_p, pointer) _setaddr(&relative_p, pointer)

typedef struct __vm {
    p_rel array[N_VM_ELEMENTS];
    struct __vm *next;
    int max, subtract;
    /* dynamic string section starts here */
    char str[0];
} vm_t;

vm_t *vm_new()
{
    vm_t *node = mmap(0, PAGESIZE, PROT_READ | PROT_WRITE,
                      MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    if (node == MAP_FAILED)
        err(ENOMEM, "Failed to map memory");

    node->max = N_VM_ELEMENTS;
    node->next = NULL; /* for clarity */
    setaddr(node->array[0], node->str);

    /* prevent compilers from optimizing assignments out */
    OPTFENCE(node);
    return node;
}

const char *vm_get(int num, vm_t *nod)
{
    num -= nod->subtract;
    if (num < 0)
        return NULL;

    while (num >= (nod->max - 1)) { /* otherwise, addr > map */
        num -= nod->max - 1;
        if (!nod->next)
            return 0;
        nod = nod->next;
    }

    return getaddr(nod->array[num]);
}

void vm_destroy(vm_t *nod, void *(callback)(const char *e))
{
    const char *ee;
    for (int a = nod->subtract; (ee = vm_get(a, nod)); a++)
        callback(ee);

    do {
        char *tmp = (char *) nod;
        nod = nod->next;
        munmap(tmp, PAGESIZE);
    } while (nod);
}

static vm_t *vm_extend_map(vm_t *nod)
{
    nod->next = mmap(0, PAGESIZE, PROT_READ | PROT_WRITE,
                     MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    nod = nod->next;
    nod->max = N_VM_ELEMENTS;
    setaddr(nod->array[0], nod->str);
    return nod;
}

/* append a path. num MUST be sequential */
void vm_add(int num, const char *path, vm_t *nod)
{
    if (!nod->subtract)
        nod->subtract = num;
    num -= nod->subtract;

    while (num >= (nod->max - 1)) {
        num -= MMMM;
        if (!nod->next) {
            nod = vm_extend_map(nod);
            break;
        }
        nod = nod->next;
    }

    if (nod->array[num + 1])
        err(0, "Num %d already used!\n", num);

    if ((int) ((nod->array[num] + (sizeof(p_rel) * (N_VM_ELEMENTS - num)) +
                strlen(path))) >= PAGESIZE) {
        nod->max = num + 1; /* addr > map */
        NNNN;
        nod = vm_extend_map(nod);
    }

    char *p = stpcpy(getaddr(nod->array[num]), path);
    p++;
    setaddr(nod->array[num + 1], p);
}

static void *dealloc(const char *e)
{
    /* FIXME: implement real deallocation */
    return NULL;
}

int main(int argc, char **argv)
{
    vm_t *vm = vm_new();

    vm_add(1, "First element\n", vm);
    vm_add(2, "Second element\n", vm);

    char buf[64];
    strcpy(buf, "Element    #  \n");

    for (int i = 3; i < 10; i++) {
        buf[12] = i + '0';
        vm_add(i, buf, vm);
    }

    printf("fetch, 5: %s", vm_get(5, vm));

    for (int i = 10; i < 400; i++) {
        sprintf(buf, "Element (extending the medium size): %d\n", i);
        vm_add(i, buf, vm);
    }

    printf("fetch: %s", vm_get(15, vm));
    printf("fetch: %s", vm_get(155, vm));
    printf("fetch: %s", vm_get(355, vm));
    printf("fetch: %s", vm_get(100, vm));
    printf("fetch: %s", vm_get(224, vm));

    vm_destroy(vm, dealloc);
    return (0);
}

在 GNU/Linux 參考執行輸出:

fetch, 5: Element    #5 
fetch: Element (extending the medium size): 15
fetch: Element (extending the medium size): 155
fetch: Element (extending the medium size): 355
fetch: Element (extending the medium size): 100
fetch: Element (extending the medium size): 224

請補完程式碼,使其執行符合預期。作答規範:

  • MMMMNNNN 均為 C 表示式,以符合 C99 規範撰寫最精簡的形式

延伸問題:

  1. 解釋上述程式碼運作原理,指出其缺失並改進
  2. 擴充上述程式碼為通用的 malloc 和 free 實作
  3. 參照 mmap-benchmark,佐以 madvise 系統呼叫,調整特定樣式 (pattern) 的記憶體存取,從而達到更高效的表現

    參照 microsoft/mimalloc

測驗 2

考慮使用 mmap 和 memfd 系統呼叫的 circular buffer 實作: cbuf (部分程式碼遮蔽)。參考執行結果:

Test #0: PASSED (57698)
Test #1: PASSED (64222)
Test #2: PASSED (59112)
...
Test #98: PASSED (59448)
Test #99: PASSED (55487)
Average for 100 tests: 57340

請補完程式碼,使其執行符合預期。作答規範:

  • CCCC 為 C 表示式,以符合 C99 規範撰寫最精簡的形式

測驗 3

你所不知道的 C 語言:連結器和執行檔資訊 提過 ELF 執行檔格式,更多資訊可見 Executable and Linkable Format,以 64 位元 ELF 來說,開頭的幾個位元組的意義:

offset size Purpose
0x00 4 0x7F followed by ELF(45 4c 46) in ASCII; these four bytes constitute the magic number.
0x04 1 This byte is set to either 1 or 2 to signify 32- or 64-bit format, respectively.
0x05 1 This byte is set to either 1 or 2 to signify little or big endianness, respectively. This affects interpretation of multi-byte fields starting with offset 0x10.
x06 1 Set to 1 for the original and current version of ELF.
待續

以下是相關的函式及系統呼叫:

給定要載入的程式碼: (檔名 hello.c)

#include <stdio.h>
int main() { return puts("Hello!"); }

以下程式碼可載入並動態修改程式行為:

#define _GNU_SOURCE /* See feature_test_macros(7) */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

static void file_execution(size_t size, char *elf, char **f_file, char **envp)                       
{
    char e_elf[256];
    int des = memfd_create("targ_file", FD_CLOEXEC);
    write(des, elf, size);
    sprintf(e_elf, "/proc/self/fd/%u", des);
    execve(e_elf, f_file, envp);
}

int main(int argc, char **argv, char **envp)
{
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <elf_file>\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    int des = open(argv[1], O_RDONLY);
    struct stat l_stat;
    fstat(des, &l_stat);
    char *elf = malloc(l_stat.st_size);
    read(des, elf, l_stat.st_size);
    char *str = memmem(elf, l_stat.st_size, "Hello!", 6);
    str[0] = 'Y', str[5] = 'w';
    file_execution(l_stat.st_size, elf, &argv[1], envp);
    return EXIT_SUCCESS;
}

編譯和執行:



gcc -Wall -o execelf execelf.c
./execelf hello

預期會得到 "Yellow" 輸出

接下來的程式碼嘗試在既有的 ELF 檔案內嵌另一個 ELF 檔案 (可預先加密),目的是隱匿特定的程式,避免被掃毒程式或防火牆偵測出來,或將高價值的程式嵌入到文件、圖片,甚至是影音檔案中,透過特定的載入器自檔案提取出執行檔並執行,這手法在 Digital rights management (DRM)Digital watermarking 領域不算少見。

假設即將被嵌入的程式碼名為 payload.c:

#include <stdio.h>                          
int main() { puts("Hello world!"); return 0; }

編譯並移去除錯用的符號:

$ gcc -Os payload.c -o payload
$ strip -s payload

接著我們要開發得以載入 ELF 的程式,在這之前,

假定程式載入器檔名為 loader.c,內容如下:

/* A program that executes a second (embedded) ELF */

#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* ELF format
 * https://en.wikipedia.org/wiki/Executable_and_Linkable_Format
 */
static bool valid_elf(char *ptr)
{
    return (ptr[4] == 1 || ptr[4] == 2) /* offset 0x4: 32/64-bit format */ &&
           (ptr[5] == 1 || ptr[5] == 2) /* offset 0x5: endianness */ &&
           (ptr[6] == 1); /* offset 0x6: current version */
}

int main(int argc, char *argv[], char **envp)
{
    int pid = getpid();
    int ret = 0;

    char proc_path[32];
    sprintf(proc_path, "/proc/%d/exe", pid);
    int filedesc = open(proc_path, O_RDONLY);
    if (filedesc < 0) {
        printf("Invalid file descriptor for /proc: %d\n", filedesc);
        return -1;
    }

    /* Find the size of this executable */
    struct stat st;
    stat(proc_path, &st);
    size_t size = st.st_size;

    char *entirefile = malloc(size);
    if (!entirefile) {
        printf("Insufficient memory.\n");
        return -2;
    }

    read(filedesc, entirefile, size);
    close(filedesc);

    /* find the second ELF header, which 52 or 64 bytes long for 32-bit and
     * 64-bit binaries respectively.
     */
    const char elf_magic[] = {0x7F, 'E', 'L', 'F'};
    char *newelf = memmem(entirefile + 52, size - 52, elf_magic, 4);
    if (newelf && !valid_elf(newelf)) /* forcely find again for real ELF */
        newelf = memmem(newelf + 6, size - (intptr_t) newelf - 6, elf_magic, 4);
    if (!newelf || !valid_elf(newelf)) {
        printf("No second ELF header found.\n");
        ret = -3;
        goto cleanup;
    }

    int newsize = AAA;
    int memfd = memfd_create("hidden", 0);
    if (memfd < 0) {
        printf("Invalid memfd.\n");
        ret = -4;
        goto cleanup;
    }

    /* Write ELF to temporary memory file */
    write(memfd, newelf, newsize);

    // Deploy the payload as a different process
    fork();
    if (BBB) {
        ret = fexecve(memfd, argv, envp); /* Execute the in-memory ELF */
        /* The above will only return if there is an error. */
        printf("Fail to execute payload. ret=%d (%s)\n", ret, strerror(errno));
    }

cleanup:
    free(entirefile);
    return ret;
}

編譯、嵌入上述 payload 執行檔,然後再執行: (你沒看錯,真的用 cat 命令)

$ gcc -Wall loader.c -o loader
$ cat payload >> loader
$ ./loader

在 x86_64 GNU/Linux (核心版本: 5.4) 預期輸出為:

Hello world!

注意:只有一行 "Hello world!" 字串

請補完程式碼,只要考慮 x86_64 硬體架構即可。

作答區 (注意: 複選題,儘量選取有效的答案)

AAA = ?

  • (a) newelf - entirefile
  • (b) size - newelf
  • (c) entirefile - newelf
  • (d) size - newelf - entirefile
  • (e) size - newelf + entirefile
  • (f) newelf - entirefile + size
  • (g) entirefile - newelf - size

BBB = ?

  • (a) getpid()
  • (b) getpid() != pid
  • (c) getpid() == pid
  • (d) 0
  • (e) 1

延伸問題:

  1. 解釋上述程式碼運作原理,指出其中不足處並改進;
  2. 參照 Embedding binary data in executablesincbin,將 payload 加密並嵌入到給定的 C 程式中,允許在執行時期解密再載入 payload 並執行
Last changed by 
sysprog
System Software Programming
954

Read more

單一指令處理器 (OISC)

指令集是 CPU 指令所組成的集合,可極縮至一指令 (OISC) 並達成圖靈完備,已用於同態加密晶片、可堆疊 FPGA 多核處理器,及經微碼擴充到 RISC-V 且通過形式化驗證的實作。NISC 與 ZISC 分別靠編譯器靜態排程與硬體向量比對取代指令解碼,換得低功耗與高吞吐;近期研究亦將單指令 FLEQ 硬編碼於迴圈 Transformer,顯示深度模型可直接充任通用運算主體。極簡控制邏輯正成為雲端隱私運算與專用加速器的技術選項。

Jun 5, 2025
從 CPU cache coherence 談 Linux spinlock 可擴展能力議題

本文探討 spinlock 本身的效能和可擴展能力 (scalability) 議題

Jun 4, 2025
淺談 Microkernel 設計和真實世界中的應用

本講座則是專注於作業系統領域,同時,&quot;Microkernel&quot; 也不全然指其 &quot;micro&quot; 微小之意,而且是探討相對於傳統 Monolithic kernel 的 Microkernel

Jun 3, 2025
並行程式設計: 概念

解說錄影: Part 1 / Part 2 / Part 3 / Part 4 / Part 5/ Part 6 / Part 7

May 30, 2025
Read more from sysprog
Published on HackMD