Add logic for patching calls to the x86-64 vsyscall page

library.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #define XOPEN_SOURCE 500
 
 #include "library.h"
 
 #include <algorithm>
 #include <elf.h>
@@ skipping 346 matching lines @@
     *extraSpace = maps->allocNearAddr(near, *extraLength,
                                       PROT_READ|PROT_WRITE|PROT_EXEC);
   }
   if (*extraSpace) {
     *extraLength -= needed;
     return *extraSpace + *extraLength;
   }
   Sandbox::die("Insufficient space to intercept system call");
 }
 
+#if defined(__x86_64__)
+static bool isCallToVsyscallPage(char* code) {
+  // Look for these instructions, which are a call to the x86-64
+  // vsyscall page, which the kernel puts at a fixed address:
+  //
+  //   48 c7 c0 00 XX 60 ff    mov    $0xffffffffff60XX00,%rax
+  //   ff d0                   callq  *%rax
+  //
+  // This will not catch all calls to the vsyscall page, but it
+  // handles the important cases that glibc contains.  The vsyscall
+  // page is deprecated, so it is unlikely that new instruction
+  // sequences for calling it will be introduced.
+  return (code[0] == '\x48' &&
+          code[1] == '\xc7' &&
+          code[2] == '\xc0' &&
+          code[3] == '\x00' &&
+          (code[4] == '\x00' || code[4] == '\x04' || code[4] == '\x08') &&
+          code[5] == '\x60' &&
+          code[6] == '\xff' &&
+          code[7] == '\xff' &&
+          code[8] == '\xd0');
+}
+
+static void patchCallToVsyscallPage(char* code) {
+  // We replace the mov+callq with these instructions:
+  //
+  //   b8 XX XX XX XX   mov $X, %eax  // where X is the syscall number
+  //   0f 05            syscall 
+  //   90               nop
+  //   90               nop
+  //
+  // The syscall instruction will later be patched by the general case.
+  if (code[4] == '\x00') {
+    // Use __NR_gettimeofday == 96 == 0x60.
+    const char replacement[] = "\xb8\x60\x00\x00\x00\x0f\x05\x90\x90";
+    memcpy(code, replacement, sizeof(replacement) - 1);
+  } else if (code[4] == '\x04') {
+    // Use __NR_time == 201 == 0xc9.
+    const char replacement[] = "\xb8\xc9\x00\x00\x00\x0f\x05\x90\x90";
+    memcpy(code, replacement, sizeof(replacement) - 1);
+  } else if (code[4] == '\x08') {
+    // Use __NR_getcpu == 309 == 0x135.
+    const char replacement[] = "\xb8\x35\x01\x00\x00\x0f\x05\x90\x90";
+    memcpy(code, replacement, sizeof(replacement) - 1);
+  }
+}
+#endif
+
 void Library::patchSystemCallsInFunction(const Maps* maps, int vsys_offset,
                                          char* start, char* end,
                                          char** extraSpace, int* extraLength) {
   typedef std::set<char *, std::less<char *>, SystemAllocator<char *> >
     BranchTargets;
   BranchTargets branch_targets;
   for (char *ptr = start; ptr < end; ) {
     unsigned short insn = next_inst((const char **)&ptr, __WORDSIZE == 64);
     char *target;
     if ((insn >= 0x70 && insn <= 0x7F) /* Jcc */ || insn == 0xEB /* JMP */) {
       target = ptr + (reinterpret_cast<signed char *>(ptr))[-1];
     } else if (insn == 0xE8 /* CALL */ || insn == 0xE9 /* JMP */ ||
                (insn >= 0x0F80 && insn <= 0x0F8F) /* Jcc */) {
       target = ptr + (reinterpret_cast<int *>(ptr))[-1];
     } else {
       continue;
     }
     branch_targets.insert(target);
   }
   struct Code {
     char*          addr;
     int            len;
     unsigned short insn;
     bool           is_ip_relative;
   } code[5] = { { 0 } };
   int codeIdx = 0;
   char* ptr = start;
   while (ptr < end) {
+    #if defined(__x86_64__)
+    if (isCallToVsyscallPage(ptr)) {
+      patchCallToVsyscallPage(ptr);
+    }
+    #endif
     // Keep a ring-buffer of the last few instruction in order to find the
     // correct place to patch the code.
     char *mod_rm;
     code[codeIdx].addr = ptr;
     code[codeIdx].insn = next_inst((const char **)&ptr, __WORDSIZE == 64,
                                    0, 0, &mod_rm, 0, 0);
     code[codeIdx].len = ptr - code[codeIdx].addr;
     code[codeIdx].is_ip_relative =
       #if defined(__x86_64__)
         mod_rm && (*mod_rm & 0xC7) == 0x5;
@@ skipping 619 matching lines @@
 }
 
 void Library::patchSystemCallsInRange(char* start, char* stop,
                                       char** extraSpace, int* extraLength) {
   char* func = start;
   int nopcount = 0;
   bool has_syscall = false;
   for (char *ptr = start; ptr < stop; ptr++) {
     #if defined(__x86_64__)
     if ((*ptr == '\x0F' && ptr[1] == '\x05' /* SYSCALL */) ||
-        (isVDSO_ && *ptr == '\xFF')) {
+        (isVDSO_ && *ptr == '\xFF') ||
+        isCallToVsyscallPage(ptr)) {
     #elif defined(__i386__)
     if ((*ptr   == '\xCD' && ptr[1] == '\x80' /* INT $0x80 */) ||
         (*ptr   == '\x65' && ptr[1] == '\xFF' &&
          ptr[2] == '\x15' /* CALL %gs:.. */)) {
     #else
     #error Unsupported target platform
     #endif
       ptr++;
       has_syscall = true;
       nopcount    = 0;
@@ skipping 142 matching lines @@
   }
   iter = symbols_.find("__kernel_rt_sigreturn");
   if (iter != symbols_.end() && iter->second.st_value) {
     __kernel_rt_sigreturn = asr_offset_ + iter->second.st_value;
   }
 
   return true;
 }
 
 } // namespace