Full clone support for both x86_64 and RISC-V

.github/workflows/main.yml

@@ -15,7 +15,7 @@ jobs:
     # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac.
     # You can convert this to a matrix build if you need cross-platform coverage.
     # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
-    runs-on: [ubuntu-20.04]
+    runs-on: [ubuntu-24.04]
 
     steps:
     - uses: actions/checkout@v3

.gitignore

@@ -8,6 +8,8 @@ build/
 .idea/
 cmake-build-debug/
 test/*.so
-test/riscv/bin/
-test/riscv/build/
-test/riscv/*.txt
+test/bin/
+test/build/
+test/testdir/
+test/testfile.txt
+test/testfile2.txt

CMakeLists.txt

@@ -30,7 +30,7 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-cmake_minimum_required(VERSION 3.3)
+cmake_minimum_required(VERSION 3.10)
 project(syscall_intercept C ASM)
 
 set(CMAKE_DISABLE_IN_SOURCE_BUILD ON)
@@ -43,11 +43,10 @@ endif()
 
 option(PERFORM_STYLE_CHECKS
 	"check coding style, license headers (requires perl)" OFF)
+option(BUILD_TESTS "build and enable tests" ON)
 if(CMAKE_SYSTEM_PROCESSOR MATCHES "^(x86(_64)?)$")
-	option(BUILD_TESTS "build and enable tests" ON)
 	option(BUILD_EXAMPLES "build examples" ON)
 elseif (CMAKE_SYSTEM_PROCESSOR MATCHES "^(riscv(32|64))$")
-	option(BUILD_TESTS "build and enable tests" OFF)
 	option(BUILD_EXAMPLES "build examples" OFF)
 endif()
 option(TREAT_WARNINGS_AS_ERRORS
@@ -56,6 +55,28 @@ option(EXPECT_SPURIOUS_SYSCALLS
 	"account for some unexpected syscalls in tests - enable while using sanitizers, gcov" OFF)
 option(STATIC_CAPSTONE "statically link libcapstone into the shared library" OFF)
 
+#####################################
+# External projects
+#####################################
+file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/capstone)
+
+set(CAPSTONE_INCLUDE_FOLDER "${CMAKE_CURRENT_BINARY_DIR}/capstone/_deps/capstone-src/include/capstone")
+set(CAPSTONE_LIB_FOLDER "${CMAKE_CURRENT_BINARY_DIR}/capstone/_deps/capstone-build")
+
+execute_process(
+        COMMAND ${CMAKE_COMMAND}
+        -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+        -DBUILD_SHARED_LIBS=ON
+        -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+        -DCMAKE_INSTALL_PREFIX:PATH=<INSTALL_DIR>
+        "${CMAKE_CURRENT_SOURCE_DIR}/capstone"
+        WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/capstone"
+)
+
+execute_process(COMMAND make
+        WORKING_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/capstone"
+)
+
 find_program(CTAGS ctags)
 if(CTAGS)
 	option(AUTO_RUN_CTAGS "create tags file every on every rebuild" ON)
@@ -68,7 +89,7 @@ set(SYSCALL_INTERCEPT_VERSION_PATCH 0)
 set(SYSCALL_INTERCEPT_VERSION
 	${SYSCALL_INTERCEPT_VERSION_MAJOR}.${SYSCALL_INTERCEPT_VERSION_MINOR}.${SYSCALL_INTERCEPT_VERSION_PATCH})
 
-include(cmake/find_capstone.cmake)
+
 include(GNUInstallDirs)
 include(cmake/toolchain_features.cmake)
 include(CheckLanguage)
@@ -105,10 +126,9 @@ elseif (CMAKE_SYSTEM_PROCESSOR MATCHES "^(riscv(32|64))$")
 	)
 endif()
 
-# set the following directories according with your installation of capstone
-include_directories(include "/usr/local/include/capstone")
-include_directories(${PROJECT_SOURCE_DIR}/src)
-link_directories("/usr/local/lib")
+
+include_directories(include ${PROJECT_SOURCE_DIR}/src ${CAPSTONE_INCLUDE_FOLDER})
+link_directories(${CAPSTONE_LIB_FOLDER})
 
 set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 

README.md

@@ -1,20 +1,24 @@
 # syscall_intercept
 
+
 [//]: # ([![Build Status](https://travis-ci.org/pmem/syscall_intercept.svg)](https://travis-ci.org/pmem/syscall_intercept))
 
 [//]: # ([![Coverage Status](https://codecov.io/github/pmem/syscall_intercept/coverage.svg)](https://codecov.io/gh/pmem/syscall_intercept))
 
 [//]: # ([![Coverity Scan Build Status](https://scan.coverity.com/projects/12890/badge.svg)](https://scan.coverity.com/projects/syscall_intercept))
 
-This repository contains a multi-architecture porting of [syscall_intercept](https://github.com/pmem/syscall_intercept) working on both x86_64 and RISC-V
+This repository contains a multi-architecture porting of [syscall_intercept](https://github.com/pmem/syscall_intercept) working on both **x86_64** and **RISC-V**.
+Full-featured support for **aarch64** (ARM64) is in progress.
 
+[![License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause)
 # Dependencies #
 
+
 ## Runtime dependencies ##
 
  * libcapstone -- the disassembly engine used under the hood
    (RISC-V support requires version **5.0** or higher, while apt installs version 4.0.2 by default, as february 2025).
-   Compiling capstone by hand will require setting [CMakeLists.txt](CMakeLists.txt#L109) accordingly 
+   Since a manual installation of Capstone could not be automatically detected while compiling syscall_intercept, we ensured that libcapstone v5.0.6 is **automatically compiled** from source during the syscall_intercept cmake execution.
 
 ## Build dependencies ##
 
@@ -56,20 +60,14 @@ There is an install target. For now, all it does, is cp.
 make install
 ```
 
-Testing on **x86_64**:
+Running test suite:
 ```shell
 make test
 ```
 
-Testing on **RISC-V**:\
-Go to `syscall_intercept/test/riscv/`, then
-```shell
-make
-make test
-```
-
 # Synopsis #
 
+
 ```c
 #include <libsyscall_intercept_hook_point.h>
 ```
@@ -188,6 +186,7 @@ ls: reading directory '.': Operation not supported
 
 # Under the hood: #
 
+
 ##### Assumptions: #####
 In order to handle syscalls in user space, the library relies
 on the following assumptions:
@@ -311,20 +310,20 @@ aa20a: bltu     a5,a0,aa262 <__open+0xaa>   | aa20a: bltu     a5,a0,aa262 <__ope
 ```
 
 # Limitations: #
+
+
 * Only Linux is supported
 * Only x86\_64 and RISC-V are supported
 * Only tested with glibc, although perhaps it works
 with some other libc implementations as well
 * RISC-V version assumes `$t6` is not used as base pointer or as source
 register without being reinitialized after an `ecall` and before the ending of
-a function - tested with glibc 2.35, 2.37 and 2.39
-* :warning: **Clone** is not fully handled on **RISC-V**. Whereas in x86_64
-   version it is possible to define post-clone hook functions for both the
-   parent and child threads, on RISC-V it is only possible to define a pre-clone
-   hook function therefore providing a similar interception to every other system
-   calls. An example is present in [intercept_sys_clone.c](test/riscv/src/intercept_sys_clone.c)
+a function. While this assumption involves heuristics, this choice was tested 
+on different glibc version, i.e. 2.35, 2.37 and 2.39, and on different kernel
+implementations manifesting a consistent and working behaviour.
 
 # Debugging: #
+
 Besides logging, the most important factor during debugging is to make
 sure the system calls in the debugger are not intercepted. To achieve this, use
 the INTERCEPT_HOOK_CMDLINE_FILTER variable described above.
@@ -340,7 +339,8 @@ process itself.
 
 # RISC-V porting #
 
-Ottavio Monticelli <[email protected]> (Maintainer) \
+
+Ottavio Monticelli <[email protected]> (Maintainer) \
 Marco Edoardo Santimaria <[email protected]> (Maintainer) \
 Marco Aldinucci <[email protected]> (Maintainer and Principal Investigator) \
 Iacopo Colonnelli <[email protected]> (Maintainer and Principal Investigator)

capstone/CMakeLists.txt

@@ -0,0 +1,15 @@
+cmake_minimum_required(VERSION 3.10)
+project(capstone)
+include(FetchContent)
+
+#####################################
+# Import external project from git
+#####################################
+FetchContent_Declare(capstone
+        GIT_REPOSITORY https://github.com/capstone-engine/capstone.git
+        # the following git tag refers to capstone version 5.0.6
+        GIT_TAG accf4df62f1fba6f92cae692985d27063552601c
+)
+
+FetchContent_MakeAvailable(capstone)
+

src/arch/riscv/intercept_template.S

@@ -57,6 +57,24 @@ intercept_asm_wrapper_tmpl:
     sd t3, 48(sp)
     sd t4, 56(sp)
     sd t5, 64(sp)
+    /*
+     * t5 content will be evaluated in intercept_wrapper to determine which
+     * interception routine must be called. 1 for post_clone, 0 otherwise
+     */
+    li t5, 0 # choose intercept_routine
+    j intercept_asm_wrapper_patch_desc_addr
+post_clone:
+    addi sp, sp, -72
+    addi t6, sp, 72 # sp+72 is the sp value before interception
+    sd t6, 0(sp)
+    sd ra, 16(sp)
+    sd t0, 24(sp)
+    sd t1, 32(sp)
+    sd t2, 40(sp)
+    sd t3, 48(sp)
+    sd t4, 56(sp)
+    sd t5, 64(sp)
+    li t5, 1 # choose intercept_routine_post_clone
 intercept_asm_wrapper_patch_desc_addr:
     /* load patch_desc address in t0 */
 
@@ -135,11 +153,18 @@ intercept_asm_wrapper_wrapper_level1_addr:
      * If t6 is zero, a0 contains a syscall number, and that syscall
      * is executed here.
      * If t6 is 1, a0 contains the return value of the hooked syscall.
+     * If t6 is 2, a clone syscall is executed here.
      */
     beqz t6, execute_unhandled_ecall
     srli t6, t6, 1
     beqz t6, handled_ecall
-    ebreak # if t6 holds invalid value, i. e. different from 0 or 1
+    srli t6, t6, 1
+    beqz t6, execute_clone
+    ebreak # if t6 holds invalid value, i. e. different from 0, 1 or 2
+
+execute_clone:
+    ecall
+    j post_clone
 
 execute_unhandled_ecall:
     ecall

src/arch/riscv/intercept_wrapper.S

@@ -110,8 +110,14 @@ intercept_wrapper:
     /* argument passed to intercept_routine */
     mv a0, sp
 
-    jal intercept_routine
+    li t0, 1
+    beq t5, t0, l0 # which function should be called?
 
+    jal intercept_routine
+    j l1
+l0:
+    jal intercept_routine_post_clone
+l1:
     /*
      * At this point, the return value of the C
      * function (a struct wrapper_ret instance) is in a0, a1.
@@ -130,7 +136,14 @@ intercept_wrapper:
     ld t3, 32(sp)
     ld t4, 40(sp)
 
-    /* no point in restoring in context values at 48(sp), 56(sp) and 64(sp) */
+    /*
+     * No point in restoring in context values at 48(sp) and 56(sp), while a0
+     * must be restored only if system call has not been handled yet
+     */
+    li a1, 1
+    beq t6, a1, handled_ecall
+    ld a0, 64(sp)
+handled_ecall:
     ld a1, 72(sp)
     ld a2, 80(sp)
     ld a3, 88(sp)

src/arch/riscv/patcher.c

@@ -555,8 +555,8 @@ create_j(unsigned char *from, void *to)
 	uint32_t *instructions = (uint32_t *)from;
 	debug_dump("%p: ecall -> jalr %ld\t# %p\n", from, delta, to);
 
-	const ptrdiff_t JALR_MAX_OFFSET =  2147481598; // ((2^31-1)-4095)+(2^11-1) = 0x7ffff000 + 0x7ff
-	const ptrdiff_t JALR_MIN_OFFSET = -2147483648; // (-2^31) = -0x80000000
+	const ptrdiff_t JALR_MAX_OFFSET =  ABS_MAX_POS_OFFSET; // ((2^31-1)-4095)+(2^11-2) = 0x7ffff000 + 0x7fe
+	const ptrdiff_t JALR_MIN_OFFSET = -(ABS_MAX_NEG_OFFSET); // (-2^31) = -0x80000000 - 0x800
 
 	if ((delta & 0x1) != 0) {
 

src/intercept.c

@@ -621,6 +621,25 @@ get_syscall_in_context(struct context *context, struct syscall_desc *sys)
 	sys->args[5] = SIXTH_ARG_REG;
 }
 
+/*
+ * intercept_routine_post_clone
+ * The routine called by an assembly wrapper when a clone syscall returns zero,
+ * and a new stack pointer is used in the child thread.
+ */
+struct wrapper_ret
+intercept_routine_post_clone(struct context *context)
+{
+	if (THREAD_PID == 0) {
+		if (intercept_hook_point_clone_child != NULL)
+			intercept_hook_point_clone_child();
+	} else {
+		if (intercept_hook_point_clone_parent != NULL)
+			intercept_hook_point_clone_parent(THREAD_PID);
+	}
+
+	return (struct wrapper_ret){FIRST_RET_REG = THREAD_PID, SECOND_RET_REG = 1 };
+}
+
 /*
  * intercept_routine(...)
  * This is the function called from the asm wrappers,
@@ -679,7 +698,7 @@ intercept_routine(struct context *context)
 #if defined(__x86_64__) || defined(_M_X64)
 	if (desc.nr == SYS_vfork || desc.nr == SYS_rt_sigreturn) {
 #elif defined(__riscv)
-	if (desc.nr == SYS_clone || desc.nr == SYS_rt_sigreturn) {
+	if (desc.nr == SYS_rt_sigreturn) {
 #endif
 		/* can't handle these syscalls the normal way */
 		return (struct wrapper_ret){FIRST_RET_REG = SYSCALL_NR, SECOND_RET_REG = 0 };
@@ -698,7 +717,7 @@ intercept_routine(struct context *context)
 		 * the clone_child_intercept_routine instead, executing
 		 * it on the new child threads stack, then returns to libc.
 		 */
-#if defined(__x86_64__) || defined(_M_X64)
+
 		if (desc.nr == SYS_clone && desc.args[1] != 0) {
 			return (struct wrapper_ret){
 				FIRST_RET_REG = SYSCALL_NR, SECOND_RET_REG = 2 };
@@ -711,36 +730,31 @@ intercept_routine(struct context *context)
 		}
 #endif
 		else
-#endif
+
 			result = syscall_no_intercept(desc.nr,
 					desc.args[0],
 					desc.args[1],
 					desc.args[2],
 					desc.args[3],
 					desc.args[4],
 					desc.args[5]);
+
+		/*
+		 * Here clone calls with arg[1] == 0 are granted the execution
+		 * of their post_clone hook functions
+		 */
+		if (desc.nr == SYS_clone) {
+			THREAD_PID = result;
+			intercept_routine_post_clone(context);
+		}
+#ifdef SYS_clone3
+		else if (desc.nr == SYS_clone3) {
+			THREAD_PID = result;
+			intercept_routine_post_clone(context);
+		}
+#endif
 	}
 
 	intercept_log_syscall(patch, &desc, KNOWN, result);
 	return (struct wrapper_ret){ FIRST_RET_REG = result, SECOND_RET_REG = 1 };
 }
-
-/*
- * intercept_routine_post_clone
- * The routine called by an assembly wrapper when a clone syscall returns zero,
- * and a new stack pointer is used in the child thread.
- */
-
-struct wrapper_ret
-intercept_routine_post_clone(struct context *context)
-{
-	if (THREAD_PID == 0) {
-		if (intercept_hook_point_clone_child != NULL)
-			intercept_hook_point_clone_child();
-	} else {
-		if (intercept_hook_point_clone_parent != NULL)
-			intercept_hook_point_clone_parent(THREAD_PID);
-	}
-
-	return (struct wrapper_ret){FIRST_RET_REG = THREAD_PID, SECOND_RET_REG = 1 };
-}

src/intercept.h

@@ -245,6 +245,8 @@ void activate_patches(struct intercept_desc *desc);
 #define SIXTH_ARG_REG PARAM_BY_ARCH(context->r9,context->a[5])
 #define FIRST_RET_REG PARAM_BY_ARCH(.rax,.a[0])
 #define SECOND_RET_REG PARAM_BY_ARCH(.rdx,.a[1])
+#define ABS_MAX_NEG_OFFSET PARAM_BY_ARCH(INT32_MAX,((long)INT32_MAX+0x800))
+#define ABS_MAX_POS_OFFSET PARAM_BY_ARCH(INT32_MAX,INT32_MAX-0x801)
 
 bool is_overwritable_nop(const struct intercept_disasm_result *ins);