
some x86_64 syscall args not annotated

Open k4lizen opened this issue 11 months ago • 4 comments

Description

For a lot of x86_64 linux syscalls, the arguments aren't annotated with the proper names.

Steps to reproduce

int main () {
  return 0;
}
gcc main.c -o main -g
pwndbg> start
pwndbg> stepsyscall
   0x7ffff7e84ee9 <_exit+25>    mov    eax, edx
 ► 0x7ffff7e84eeb <_exit+27>    syscall  <SYS_exit_group>
        rdi: 0
        rsi: 0xffffffffffffff88
        rdx: 0xe7
        r10: 0x7fffffffdfc0 —▸ 0x7ffff7ffe310 —▸ 0x555555554000 ◂— 0x10102464c457f
   0x7ffff7e84eed <_exit+29>    cmp    rax, -0x1000
   0x7ffff7e84ef3 <_exit+35>    jbe    _exit+24                    <_exit+24>

It's supposed to be:

Image

My setup

Pwndbg: 2025.04.18 build: 50912d40 Python: 3.13.3 GDB: 16.3 Capstone: 6.0.0 Unicorn: 2.1.3 Pwnlib: 4.14.0

k4lizen avatar May 25 '25 18:05 k4lizen

The syscall arguments are taken from glibc function signatures but some syscalls don't have glibc wrappers. According to man -K "glibc provides no wrapper for" those syscalls are:

arch_prctl, clone3, delete_module, exit_group, futex, getdents, io_destroy, io_getevents, ipc, kcmp, listmount, _llseek, lookup_dcookie, membarrier, memfd_secret, modify_ldt, mount_setattr, openat2, perf_event_open, pidfd_getfd, pidfd_open, pidfd_send_signal, pivot_root, s390_guarded_storage, s390_runtime_instr, s390_sthyi, seccomp, set_tid_address, socketcall, spu_create, spu_run, statmount, subpage_prot, tkill, userfaultfd

but only the following exist on x86_64 (according to https://syscalls.mebeim.net/?table=x86/64/x64/latest):

arch_prctl, clone3, delete_module, exit_group, futex, getdents, io_destroy, io_getevents, kcmp, lookup_dcookie, listmount, membarrier, memfd_secret, modify_ldt, mount_setattr, openat2, perf_event_open, pidfd_getfd, pidfd_open, pidfd_send_signal, pivot_root, seccomp, set_tid_address, statmount, tkill, userfaultfd

Then there's the rt_sigaction syscall, which only exists under a different name (sigaction) in glibc. Just leaving this here...

Ordoviz avatar May 25 '25 21:05 Ordoviz

Perhaps we should have separate functions file for syscall arguments data (vs glibc function arguments data)?

Currently we blindly do this in pwndbg/arguments.py:

    elif CS_GRP_INT in instruction.groups:
        # Get the syscall number and name
        name = instruction.syscall_name
        abi = pwndbg.aglib.arch.syscall_abi
        target = None

        if name is None or abi is None:
            return []

[...]

    func = pwndbg.lib.functions.functions.get(name, None)

The name here is exit_group which is not available in functions_data.py.

Optionally we can just add those missing syscall function data into functions_data.py ...

disconnect3d avatar May 29 '25 13:05 disconnect3d

I think it makes sense for it to be a separate file. Ideally it should be checked for desync with the kernel with some CI. How did we generate the functions_data.py file in the first place?

k4lizen avatar May 29 '25 14:05 k4lizen
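Added sketch, not pwndbg's own code, of the two ideas raised in the thread: a syscall argument table kept separately from the glibc function table (disconnect3d's suggestion), with a lookup that falls back to the glibc table through an alias such as rt_sigaction -> sigaction (Ordoviz's note), plus a check that reports which syscall names of a given ABI have no argument data in either table, which is what a CI desync check against the kernel's syscall list would run. All table contents, the `SYSCALL_ABI` value, and the register sample are constructed or assumed here; the argument names for the few syscalls included follow their man pages.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Arg:
    type: str
    name: str


@dataclass(frozen=True)
class Function:
    name: str
    args: Tuple[Arg, ...]


# Assumed ABI identifier; pwndbg's real syscall_abi value may differ.
SYSCALL_ABI = "x86_64"

# Constructed stand-in for the glibc-wrapper table (functions_data.py holds
# the real one). Only entries needed for the example are included.
GLIBC_FUNCTIONS: Dict[str, Function] = {
    "sigaction": Function("sigaction", (
        Arg("int", "signum"),
        Arg("const struct sigaction *", "act"),
        Arg("struct sigaction *", "oldact"),
    )),
    "write": Function("write", (
        Arg("int", "fd"), Arg("const void *", "buf"), Arg("size_t", "count"),
    )),
}

# Separate table for syscalls that have no glibc wrapper, keyed by (abi, name).
# Argument names taken from the respective man 2 pages.
SYSCALL_FUNCTIONS: Dict[Tuple[str, str], Function] = {
    (SYSCALL_ABI, "exit_group"): Function("exit_group", (Arg("int", "status"),)),
    (SYSCALL_ABI, "arch_prctl"): Function("arch_prctl", (
        Arg("int", "code"), Arg("unsigned long", "addr"),
    )),
    (SYSCALL_ABI, "tkill"): Function("tkill", (Arg("pid_t", "tid"), Arg("int", "sig"))),
    (SYSCALL_ABI, "set_tid_address"): Function("set_tid_address", (Arg("int *", "tidptr"),)),
    (SYSCALL_ABI, "pidfd_open"): Function("pidfd_open", (
        Arg("pid_t", "pid"), Arg("unsigned int", "flags"),
    )),
}

# Syscalls whose glibc wrapper goes by a different name.
SYSCALL_ALIASES: Dict[str, str] = {"rt_sigaction": "sigaction"}

# Register order of the x86_64 Linux syscall calling convention.
ARG_REGS: Dict[str, Tuple[str, ...]] = {
    SYSCALL_ABI: ("rdi", "rsi", "rdx", "r10", "r8", "r9"),
}

# Constructed register sample, values copied from the issue's capture for the
# first four registers; r8 and r9 are made up.
SAMPLE_REGS: Dict[str, int] = {
    "rdi": 0, "rsi": 0xFFFFFFFFFFFFFF88, "rdx": 0xE7,
    "r10": 0x7FFFFFFFDFC0, "r8": 0, "r9": 0,
}


def lookup_syscall(abi: str, name: str) -> Optional[Function]:
    """Syscall table first, then the glibc table via alias, else None."""
    func = SYSCALL_FUNCTIONS.get((abi, name))
    if func is not None:
        return func
    return GLIBC_FUNCTIONS.get(SYSCALL_ALIASES.get(name, name))


def annotate(abi: str, name: str, regs: Dict[str, int]) -> List[str]:
    """Render argument registers as 'argname: value'; fall back to bare
    register names when no signature is known (the situation in the issue)."""
    func = lookup_syscall(abi, name)
    if func is None:
        return [f"{reg}: {regs[reg]:#x}" for reg in ARG_REGS[abi]]
    return [f"{arg.name}: {regs[reg]:#x}" for arg, reg in zip(func.args, ARG_REGS[abi])]


def missing_from_tables(abi: str, kernel_syscalls: Sequence[str]) -> List[str]:
    """Desync check: names from the kernel's syscall list of this ABI that
    neither table can annotate. A CI job would feed it the generated list."""
    return sorted(n for n in kernel_syscalls if lookup_syscall(abi, n) is None)


if __name__ == "__main__":
    for sc in ("exit_group", "rt_sigaction", "clone3"):
        print(sc, annotate(SYSCALL_ABI, sc, SAMPLE_REGS))
    print("missing:", missing_from_tables(SYSCALL_ABI, ["exit_group", "clone3", "futex"]))
```

The lookup order matters: the syscall table is consulted first so that a kernel-side signature (rt_sigaction's fourth `sigsetsize` argument, for instance) can override a glibc wrapper whose prototype differs once someone adds it, while the alias keeps the fallback working in the meantime.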