
Missing exports in kallsymsprint output

Open sweetlilmre opened this issue 8 years ago • 1 comments

Running kallsymsprint on certain targets (e.g. Lenovo TAB3 - 7, Android 5.1, 32-bit) generates a symbol list that is missing most offset names. No ptmx_fops, sidtab, policytab etc. "selinux_is_enabled" is found as opposed to "selinux_enabled". I'm sure there is an obvious explanation for this, but I have no idea as to why. I have observed this for other ROM kernels, so this is not device specific.

Could someone enlighten me, and if possible provide a mechanism to get around this (assuming that this is not a result of some kernel patching to prevent precisely this)?

sweetlilmre, Aug 08 '16 16:08

If the symbols have been removed from kallsyms you need to use IDA and reverse some functions.

  • For selinux_enabled you can reverse selinux_is_enabled
  • For selinux_enforcing you can reverse sel_read_enforce
  • For ptmx_fops you can reverse unix98_pty_init
    • Find unix98_pty_init via xref from ptmx_open

Example for selinux_enforcing: Disassembled code of sel_read_enforce

ROM:C0352A5C                 STMFD           SP!, {R4-R7,LR}
ROM:C0352A60                 MOV             R5, R3
ROM:C0352A64                 LDR             R4, =__stack_chk_guard
ROM:C0352A68                 SUB             SP, SP, #0x1C
ROM:C0352A6C                 MOV             R7, R1
ROM:C0352A70                 MOV             R6, R2
ROM:C0352A74                 MOV             R1, #0xC
ROM:C0352A78                 LDR             R2, =aD_3 ; "%d"
ROM:C0352A7C                 ADD             R0, SP, #0x30+var_28
ROM:C0352A80                 LDR             R3, [R4]
ROM:C0352A84                 STR             R3, [SP,#0x30+var_1C]
ROM:C0352A88                 LDR             R3, =0xC10DF0D8
ROM:C0352A8C                 LDR             R3, [R3]
ROM:C0352A90                 BL              scnprintf
ROM:C0352A94                 STR             R0, [SP,#0x30+var_30]
ROM:C0352A98                 MOV             R2, R5
ROM:C0352A9C                 ADD             R3, SP, #0x30+var_28
ROM:C0352AA0                 MOV             R0, R7
ROM:C0352AA4                 MOV             R1, R6
ROM:C0352AA8                 BL              simple_read_from_buffer
ROM:C0352AAC                 LDR             R2, [SP,#0x30+var_1C]
ROM:C0352AB0                 LDR             R3, [R4]

Actual source code from http://lxr.free-electrons.com/source/security/selinux/selinuxfs.c?v=3.4#L129

129 static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
130                                 size_t count, loff_t *ppos)
131 {
132         char tmpbuf[TMPBUFLEN];
133         ssize_t length;
134 
135         length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_enforcing);
136         return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
137 }

From the source code we can see that selinux_enforcing is passed as the 4th argument to scnprintf. That means it must usually be in register R3.

TMPBUFLEN is a constant of 0xC, which is passed on the following line:

ROM:C0352A74                 MOV             R1, #0xC

Therefore the next function call is most likely to scnprintf, and the next write to the R3 register is here:

ROM:C0352A88                 LDR             R3, =0xC10DF0D8

Now we know selinux_enforcing is 0xC10DF0D8

dosomder, Aug 08 '16 16:08
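The pattern the question describes (functions such as selinux_is_enabled present, data objects such as selinux_enforcing and ptmx_fops absent) is what kallsyms produces on a kernel built without CONFIG_KALLSYMS_ALL: only text symbols are emitted, so the addresses of global variables have to be recovered from code that uses them, exactly as the answer above does by hand. The following Python script is an added example, not code from the iovyroot project or from either commenter. It takes the IDA listing of sel_read_enforce quoted in the thread (embedded here as a constructed sample string) and mechanises the same reasoning: locate the BL scnprintf, confirm that R1 carries TMPBUFLEN (0xC) at that call, then walk backwards through the definitions of R3, treating LDR R3, [R3] as a dereference of an address defined earlier, until it reaches the literal-pool load LDR R3, =0xC10DF0D8. The backward slice is slightly more general than the prose: it also copes with the unrelated LDR R3, [R4] (the stack-guard load) that precedes the literal load, because it follows the definition chain rather than taking the first write to R3 after the MOV.

```python
import re

# Constructed sample: the IDA listing of sel_read_enforce quoted in the thread
# (32-bit ARM kernel, addresses exactly as they appear there).
SEL_READ_ENFORCE = """\
ROM:C0352A5C                 STMFD           SP!, {R4-R7,LR}
ROM:C0352A60                 MOV             R5, R3
ROM:C0352A64                 LDR             R4, =__stack_chk_guard
ROM:C0352A68                 SUB             SP, SP, #0x1C
ROM:C0352A6C                 MOV             R7, R1
ROM:C0352A70                 MOV             R6, R2
ROM:C0352A74                 MOV             R1, #0xC
ROM:C0352A78                 LDR             R2, =aD_3 ; "%d"
ROM:C0352A7C                 ADD             R0, SP, #0x30+var_28
ROM:C0352A80                 LDR             R3, [R4]
ROM:C0352A84                 STR             R3, [SP,#0x30+var_1C]
ROM:C0352A88                 LDR             R3, =0xC10DF0D8
ROM:C0352A8C                 LDR             R3, [R3]
ROM:C0352A90                 BL              scnprintf
ROM:C0352A94                 STR             R0, [SP,#0x30+var_30]
"""

TMPBUFLEN = 0xC  # TMPBUFLEN from selinuxfs.c; scnprintf's size argument, passed in R1

# One IDA listing line: segment:address, mnemonic, optional operand string.
LINE_RE = re.compile(r"^ROM:([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*?))?\s*$")

# ARM mnemonics whose first operand is the destination register.
WRITING_MNEMONICS = {"MOV", "MVN", "MOVW", "MOVT", "LDR", "ADD", "SUB"}


def parse_listing(text):
    """Turn listing lines into (addr, MNEMONIC, [operands]) tuples.

    Trailing ';' comments are dropped, and operands are split only on commas
    outside brackets/braces so "[SP,#0x30+var_1C]" stays one operand.
    """
    insns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split(";", 1)[0].rstrip())
        if not m:
            continue
        addr, mnem, ops = m.group(1), m.group(2), m.group(3) or ""
        operands, depth, cur = [], 0, ""
        for ch in ops:
            if ch in "[{":
                depth += 1
            elif ch in "]}":
                depth -= 1
            if ch == "," and depth == 0:
                operands.append(cur.strip())
                cur = ""
            else:
                cur += ch
        if cur.strip():
            operands.append(cur.strip())
        insns.append((int(addr, 16), mnem.upper(), operands))
    return insns


def writes_register(insn, reg):
    """True if the instruction defines `reg` (destination = first operand)."""
    _, mnem, ops = insn
    return mnem in WRITING_MNEMONICS and bool(ops) and ops[0].upper() == reg


def imm_value(op):
    """'#0xC' -> 12, '#12' -> 12; None if the operand is not an immediate."""
    if not op.startswith("#"):
        return None
    try:
        return int(op[1:], 0)
    except ValueError:
        return None


def literal_loaded_into(insns, call_index, reg):
    """Backward slice on `reg` from the call site.

    `LDR Rx, [Rx]` replaces an address with the value stored there, so the
    address comes from the previous definition of Rx: keep walking.
    `LDR Rx, =0x...` is the literal-pool load of the global's address: done.
    Any other definition means the value is not a simple global: give up.
    """
    for insn in reversed(insns[:call_index]):
        _, mnem, ops = insn
        if not writes_register(insn, reg):
            continue
        if mnem == "LDR" and len(ops) == 2 and ops[1].startswith("="):
            lit = ops[1][1:]
            return int(lit, 16) if lit.lower().startswith("0x") else None
        if mnem == "LDR" and len(ops) == 2 and ops[1].upper() == f"[{reg}]":
            continue
        return None
    return None


def find_selinux_enforcing(listing_text):
    """Recover &selinux_enforcing from sel_read_enforce, as reasoned in the thread:
    scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_enforcing) receives the variable's
    value in R3, so the literal whose dereference reaches R3 at BL scnprintf is
    the variable's address. Returns the address as an int, or None if the
    expected call shape is not found."""
    insns = parse_listing(listing_text)
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem != "BL" or ops != ["scnprintf"]:
            continue
        # Sanity check: the size argument (R1) must be TMPBUFLEN at this call.
        r1_def = next((x for x in reversed(insns[:i]) if writes_register(x, "R1")), None)
        if r1_def is None or r1_def[1] != "MOV" or imm_value(r1_def[2][1]) != TMPBUFLEN:
            continue
        return literal_loaded_into(insns, i, "R3")
    return None


if __name__ == "__main__":
    addr = find_selinux_enforcing(SEL_READ_ENFORCE)
    print("selinux_enforcing @ %s" % (hex(addr) if addr is not None else "not found"))
```

The same slice works for other register/callee pairs on this kind of kernel; the TMPBUFLEN check is what keeps it from latching onto some other scnprintf call if the listing covers more than one function. When the kernel is available with CONFIG_KALLSYMS_ALL enabled, comparing the recovered address against the kallsyms entry is a quick way to validate the heuristic before trusting it on a build where the symbol is missing.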