Introduction to the analysis of system function under Linux

This article mainly briefly analyzes the system functions under linux, which has a certain reference value. Interested friends can refer to the simple analysis

The relevant content of the system function under Linux is as follows

int
libc_system (const char *line)
{
 if (line == NULL)
  /* Check that we have a command processor available. It might
    not be available after a chroot(), for example. */
  return do_system ("exit 0") == 0;

 return do_system (line);
}
weak_alias (libc_system, system)

The code is located in glibc/sysdeps/posix/system.c, where system is a weak alias of libc_system, and libc_system is the front-end function of do_system, with parameters For inspection, next look at the do_system function.

static int
do_system (const char *line)
{
 int status, save;
 pid_t pid;
 struct sigaction sa;
#ifndef _LIBC_REENTRANT
 struct sigaction intr, quit;
#endif
 sigset_t omask;

 sa.sa_handler = SIG_IGN;
 sa.sa_flags = 0;
 sigemptyset (&sa.sa_mask);

 DO_LOCK ();
 if (ADD_REF () == 0)
  {
   if (sigaction (SIGINT, &sa, &intr) < 0)
  {
   (void) SUB_REF ();
   goto out;
  }
   if (sigaction (SIGQUIT, &sa, &quit) < 0)
  {
   save = errno;
   (void) SUB_REF ();
   goto out_restore_sigint;
  }
  }
 DO_UNLOCK ();

 /* We reuse the bitmap in the &#39;sa&#39; structure. */
 sigaddset (&sa.sa_mask, SIGCHLD);
 save = errno;
 if (sigprocmask (SIG_BLOCK, &sa.sa_mask, &omask) < 0)
  {
#ifndef _LIBC
   if (errno == ENOSYS)
  set_errno (save);
   else
#endif
  {
   DO_LOCK ();
   if (SUB_REF () == 0)
    {
     save = errno;
     (void) sigaction (SIGQUIT, &quit, (struct sigaction *) NULL);
    out_restore_sigint:
     (void) sigaction (SIGINT, &intr, (struct sigaction *) NULL);
     set_errno (save);
    }
  out:
   DO_UNLOCK ();
   return -1;
  }
  }

#ifdef CLEANUP_HANDLER
 CLEANUP_HANDLER;
#endif

#ifdef FORK
 pid = FORK ();
#else
 pid = fork ();
#endif
 if (pid == (pid_t) 0)
  {
   /* Child side. */
   const char *new_argv[4];
   new_argv[0] = SHELL_NAME;
   new_argv[1] = "-c";
   new_argv[2] = line;
   new_argv[3] = NULL;

   /* Restore the signals. */
   (void) sigaction (SIGINT, &intr, (struct sigaction *) NULL);
   (void) sigaction (SIGQUIT, &quit, (struct sigaction *) NULL);
   (void) sigprocmask (SIG_SETMASK, &omask, (sigset_t *) NULL);
   INIT_LOCK ();

   /* Exec the shell. */
   (void) execve (SHELL_PATH, (char *const *) new_argv, environ);
   _exit (127);
  }
 else if (pid < (pid_t) 0)
  /* The fork failed. */
  status = -1;
 else
  /* Parent side. */
  {
   /* Note the system() is a cancellation point. But since we call
   waitpid() which itself is a cancellation point we do not
   have to do anything here. */
   if (TEMP_FAILURE_RETRY (waitpid (pid, &status, 0)) != pid)
  status = -1;
  }

#ifdef CLEANUP_HANDLER
 CLEANUP_RESET;
#endif

 save = errno;
 DO_LOCK ();
 if ((SUB_REF () == 0
    && (sigaction (SIGINT, &intr, (struct sigaction *) NULL)
    | sigaction (SIGQUIT, &quit, (struct sigaction *) NULL)) != 0)
   || sigprocmask (SIG_SETMASK, &omask, (sigset_t *) NULL) != 0)
  {
#ifndef _LIBC
   /* glibc cannot be used on systems without waitpid. */
   if (errno == ENOSYS)
  set_errno (save);
   else
#endif
  status = -1;
  }
 DO_UNLOCK ();

 return status;
}

do_system

First of all, the function sets up some signal handlers to handle the SIGINT and SIGQUIT signals. We don’t care too much here. The key code segment is here

#ifdef FORK
 pid = FORK ();
#else
 pid = fork ();
#endif
 if (pid == (pid_t) 0)
  {
   /* Child side. */
   const char *new_argv[4];
   new_argv[0] = SHELL_NAME;
   new_argv[1] = "-c";
   new_argv[2] = line;
   new_argv[3] = NULL;

   /* Restore the signals. */
   (void) sigaction (SIGINT, &intr, (struct sigaction *) NULL);
   (void) sigaction (SIGQUIT, &quit, (struct sigaction *) NULL);
   (void) sigprocmask (SIG_SETMASK, &omask, (sigset_t *) NULL);
   INIT_LOCK ();

   /* Exec the shell. */
   (void) execve (SHELL_PATH, (char *const *) new_argv, environ);
   _exit (127);
  }
 else if (pid < (pid_t) 0)
  /* The fork failed. */
  status = -1;
 else
  /* Parent side. */
  {
   /* Note the system() is a cancellation point. But since we call
   waitpid() which itself is a cancellation point we do not
   have to do anything here. */
   if (TEMP_FAILURE_RETRY (waitpid (pid, &status, 0)) != pid)
  status = -1;
  }

First, call the system call fork through the front-end function Generate a child process, in which fork has two return values. The pid of the child process is returned to the parent process, and 0 is returned to the child process. So the child process executes 6-24 lines of code, and the parent process executes 30-35 lines of code.

The logic of the child process is very clear. execve is called to execute the program specified by SHELL_PATH. The parameters are passed through new_argv, and the environment

variable is the global variable environ.

SHELL_PATH and SHELL_NAME are defined as follows

#define  SHELL_PATH  "/bin/sh"  /* Path of the shell. */
#define  SHELL_NAME  "sh"    /* Name to give it. */

In fact, it generates a sub-process to call

/bin/sh -c "command" to execute the The command passed in by system.

The following is actually the reason and focus of my research on the system function:

In the pwn question of CTF, calling the system function through stack overflow sometimes fails. I heard the masters say that the environment variable is overwritten. , but I have always been confused. I studied it in depth today and finally figured it out.

The environment variables required by the system function here are stored in the global variable environ, so what is the content of this variable.

environ is defined in glibc/csu/libc-start.c. Let’s look at a few key statements.

# define LIBC_START_MAIN libc_start_main

libc_start_main is the function called by _start, which involves some initialization work at the beginning of the program. If you don’t understand these terms, you can read this article. Next, look at the LIBC_START_MAIN function.

STATIC int
LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
     int argc, char **argv,
#ifdef LIBC_START_MAIN_AUXVEC_ARG
     ElfW(auxv_t) *auxvec,
#endif
     typeof (main) init,
     void (*fini) (void),
     void (*rtld_fini) (void), void *stack_end)
{
 /* Result of the 'main' function. */
 int result;

 libc_multiple_libcs = &_dl_starting_up && !_dl_starting_up;

#ifndef SHARED
 char **ev = &argv[argc + 1];

 environ = ev;

 /* Store the lowest stack address. This is done in ld.so if this is
   the code for the DSO. */
 libc_stack_end = stack_end;

　　　　......
 /* Nothing fancy, just call the function. */
 result = main (argc, argv, environ MAIN_AUXVEC_PARAM);
#endif

 exit (result);
}

We can see that the value of environ is defined on line 19 without define SHARED. Before the startup program calls LIBC_START_MAIN, it will first save the environment variables and the

string in argv (actually, it is saved on the stack), and then sequentially save the addresses of each string in the environment variable and each string in argv. The address of the item string and argc are pushed onto the stack, so the environment variable array must be located directly behind the argv array, separated by an empty address. So the &argv[argc + 1] statement on line 17 takes the first address of the environment variable array on the stack, saves it to ev, and finally saves it to environ. Line 203 calls the main function, which will push the environ value onto the stack. There is no problem if this is overwritten by stack overflow, as long as the address in environ is not overwritten.

So, when the length of the stack overflow is too large and the overflow content covers the important content in the address in environ, calling the system function will fail. How far the specific environment variable is from the overflow address can be checked by interrupting in _start.

The above is the detailed content of Introduction to the analysis of system function under Linux. For more information, please follow other related articles on the PHP Chinese website!