Closed
Issue created Aug 03, 2018 by Derek Bruening (@derekbruening), Contributor

handle early injection into a #! script

This issue covers getting drrun with early injection to execute a script. This used to work with late injection but was never a high priority and it regressed when we went to early injection.

Xref #1925 (closed) and 30a73d72 removing some drinjectlib blockers.

Xref #2091 for handling an observed execve of a #! script, and its 1b763ba7 adding script parsing logic which should be shareable here.

Today this is what happens:

$ bin64/drrun -- /tmp/abc.sh
<Application /tmp/abc.sh (196610) DynamoRIO usage error : Failed to read app ELF headers.  Check path and architecture.>
<Usage error: Failed to read app ELF headers.  Check path and architecture. (/home/bruening/dr/git/src/core/unix/loader.c, line 1814)
version 7.0.17735, custom build
-early_inject 
0x00007fff9091f620 0x00007f8b9c4d72e9
0x00007fff9091f670 0x00007f8b9c6d30f0
0x00007fff909200b0 0x00007f8b9c683828>
(gdb) bt
#0  report_dynamorio_problem (dcontext=0x0, dumpcore_flag=16, exception_addr=0x0, report_ebp=0x0, fmt=0x7fd01f5b5fcf "Usage error: %s (%s, line %d)")
    at /home/bruening/dr/git/src/core/utils.c:2127
#1  0x00007fd01f3762e9 in external_error (file=0x7fd01f60fbc0 "/home/bruening/dr/git/src/core/unix/loader.c", line=1814, 
    msg=0x7fd01f6103e0 "Failed to read app ELF headers.  Check path and architecture.") at /home/bruening/dr/git/src/core/utils.c:202
#2  0x00007fd01f5720f0 in privload_early_inject (sp=0x7ffc75699c20, old_libdr_base=0x0, old_libdr_size=140722278341216)
    at /home/bruening/dr/git/src/core/unix/loader.c:1812
#3  0x00007fd01f522828 in reloaded_xfer () at /home/bruening/dr/git/src/core/arch/x86/x86.asm:1187
#4  0x0000000000000001 in ?? ()
#5  0x00007ffc7569b164 in ?? ()
#6  0x0000000000000000 in ?? ()
(gdb) up 2
#2  0x00007fd01f5720f0 in privload_early_inject (sp=0x7ffc75699c20, old_libdr_base=0x0, old_libdr_size=140722278341216)
    at /home/bruening/dr/git/src/core/unix/loader.c:1812
1812	    apicheck(success,
(gdb) p exe_path
$1 = 0x7ffc7569bf9d "/tmp/abc.sh"

It works fine if we're in control of the parent:

$ bin64/drrun -- suite/tests/bin/linux.execve64 /tmp/abc.sh
<Starting application /home/bruening/dr/git/build_x64_dbg_tests/suite/tests/bin/linux.execve64 (195512)>
parent is running under DynamoRIO
<-- parent 195512 forked child 195513 -->
parent waiting for child
child is running under DynamoRIO
<-- execve /bin/bogus_will_fail -->
<-- execve /bin/bash -->
<Starting application /bin/bash (195513)>
abc
<Stopping application /bin/bash (195513)>
child has exited
<Stopping application /home/bruening/dr/git/build_x64_dbg_tests/suite/tests/bin/linux.execve64 (195512)>
$ bin64/drrun -- bash -c /tmp/abc.sh
<Starting application /bin/bash (197081)>
<-- execve /bin/bash -->
<Starting application /bin/bash (197081)>
abc
<Stopping application /bin/bash (197081)>
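The failure above comes from treating `/tmp/abc.sh` as an ELF file. As an added illustration (not DynamoRIO's code and not the script parsing logic from #2091), the sketch below classifies a file's leading bytes and, for a `#!` script, extracts the interpreter whose ELF headers would need to be loaded instead. The names `classify_header` and `exe_kind_t` are hypothetical, and the output buffers are bounded so an overlong first line is rejected rather than truncated.

```c
#include <stdio.h>
#include <string.h>

typedef enum { EXE_ELF, EXE_SCRIPT, EXE_UNKNOWN } exe_kind_t;

static int is_blank(char c) { return c == ' ' || c == '\t'; }

/* Classify a file's leading bytes. For a "#!" script, copy the interpreter
 * path and the optional argument (everything after the interpreter, passed
 * as ONE argument, as Linux does) into caller buffers of size outsz.
 * Returns EXE_UNKNOWN rather than truncating if either does not fit. */
exe_kind_t
classify_header(const char *buf, size_t len, char *interp, char *arg, size_t outsz)
{
    size_t i = 2, end = 2, start;
    if (outsz == 0)
        return EXE_UNKNOWN;
    interp[0] = arg[0] = '\0';
    if (len >= 4 && memcmp(buf, "\177ELF", 4) == 0)
        return EXE_ELF;
    if (len < 2 || buf[0] != '#' || buf[1] != '!')
        return EXE_UNKNOWN;
    while (end < len && buf[end] != '\n') /* only the first line matters */
        end++;
    while (end > 2 && is_blank(buf[end - 1])) /* trim trailing blanks */
        end--;
    while (i < end && is_blank(buf[i])) /* "#! /bin/sh" is legal */
        i++;
    for (start = i; i < end && !is_blank(buf[i]); i++)
        ;
    if (i == start || i - start >= outsz)
        return EXE_UNKNOWN;
    memcpy(interp, buf + start, i - start);
    interp[i - start] = '\0';
    while (i < end && is_blank(buf[i]))
        i++;
    if (end - i >= outsz)
        return EXE_UNKNOWN;
    memcpy(arg, buf + i, end - i);
    arg[end - i] = '\0';
    return EXE_SCRIPT;
}

int main(void)
{
    const char hdr[] = "#!/bin/bash\necho abc\n"; /* constructed sample */
    char interp[128], arg[128];
    if (classify_header(hdr, sizeof(hdr) - 1, interp, arg, sizeof(interp)) == EXE_SCRIPT)
        printf("load ELF headers from %s, not the script\n", interp);
    return 0;
}
```

The interpreter may itself be a script, so a caller would repeat the check on the resolved path with a depth limit.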