WO2021115036A1 - Linux内核热补丁实现方法、电子设备及计算机可读介质 - Google Patents
Linux内核热补丁实现方法、电子设备及计算机可读介质 Download PDFInfo
- Publication number
- WO2021115036A1 WO2021115036A1 PCT/CN2020/129031 CN2020129031W WO2021115036A1 WO 2021115036 A1 WO2021115036 A1 WO 2021115036A1 CN 2020129031 W CN2020129031 W CN 2020129031W WO 2021115036 A1 WO2021115036 A1 WO 2021115036A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- instruction code
- function
- jump
- patched function
- patched
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 129
- 230000004913 activation Effects 0.000 claims description 22
- 238000003860 storage Methods 0.000 claims description 9
- 238000004590 computer program Methods 0.000 claims description 3
- 230000009191 jumping Effects 0.000 abstract description 2
- 230000006870 function Effects 0.000 description 376
- 230000008569 process Effects 0.000 description 48
- 230000004048 modification Effects 0.000 description 28
- 238000012986 modification Methods 0.000 description 28
- 238000007726 management method Methods 0.000 description 21
- 238000010586 diagram Methods 0.000 description 10
- 238000005516 engineering process Methods 0.000 description 5
- 238000004891 communication Methods 0.000 description 3
- 230000002950 deficient Effects 0.000 description 3
- 238000004519 manufacturing process Methods 0.000 description 3
- 230000001960 triggered effect Effects 0.000 description 3
- 230000002159 abnormal effect Effects 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 230000003213 activating effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000001568 sexual effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/65—Updates
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/65—Updates
- G06F8/656—Updates while running
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/362—Software debugging
- G06F11/3644—Software debugging by instrumenting at runtime
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/4401—Bootstrapping
- G06F9/4406—Loading of operating system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/448—Execution paradigms, e.g. implementations of programming paradigms
- G06F9/4482—Procedural
- G06F9/4484—Executing subprograms
- G06F9/4486—Formation of subprogram jump address
Definitions
- the embodiments of the present disclosure relate to the field of computer technology, and in particular to a method for implementing a LINUX kernel hot patch, an electronic device, and a computer-readable medium.
- the Linux system becomes more and more complex with more and more kernel driver modules loaded, which will inevitably expose kernel and/or kernel module faults.
- the traditional solution is to solve the kernel failure and/or kernel module failure through the "cold patch" method, that is, to restart the system after replacing the kernel and/or kernel module.
- the embodiments of the present disclosure provide a method for implementing a LINUX kernel hot patch, an electronic device, and a computer readable medium, which can activate the patch function without restarting the LINUX system, ensure the stability of the LINUX system, and improve user experience.
- the embodiments of the present disclosure provide a method for implementing a LINUX kernel hot patch, which includes: modifying the header instruction code of the patched function through an atomic operation, and jumping directly or indirectly from the patched function address to the patched function address. Activation of the patch function.
- embodiments of the present disclosure provide an electronic device, including: one or more processors; a storage device, on which one or more programs are stored, when the one or more programs are used by the one or more Execution by two processors, so that the one or more processors implement the method according to any one of claims 1 to 11.
- embodiments of the present disclosure provide a computer-readable medium on which a computer program is stored, and when the program is executed by a processor, the method according to any one of claims 1 to 11 is implemented.
- the LINUX kernel hot patch implementation method modifies the header instruction code of the patched function through an atomic operation, and jumps directly or indirectly from the patched function address to the patched function address to realize the activation of the patched function.
- Fig. 1a is a flowchart of a method for implementing a LINUX kernel hot patch provided by an embodiment of the disclosure
- FIG. 1b is a schematic diagram of a method for implementing a LINUX kernel hot patch provided by an embodiment of the present disclosure
- FIG. 2 is a flowchart of the operation of abnormal hooking of a breakpoint provided by an embodiment of the disclosure
- FIG. 3a is a flowchart of a method for removing an activated patch function according to an embodiment of the disclosure
- FIG. 3b is a schematic diagram of a method for removing an activated patch function according to an embodiment of the present disclosure
- 4a is a flowchart of a method for implementing a LINUX kernel hot patch provided by an embodiment of the disclosure
- Figure 4b is a schematic diagram of a method for implementing a LINUX kernel hot patch provided by an embodiment of the disclosure
- Fig. 5a is a flowchart of a method for implementing a LINUX kernel hot patch provided by an embodiment of the present disclosure
- FIG. 5b is a schematic diagram of relay space division provided by an embodiment of the disclosure.
- FIG. 5c is a schematic diagram of a method for implementing a LINUX kernel hot patch provided by an embodiment of the present disclosure
- Fig. 6a is a flowchart of a method for removing an activated patch function provided by an embodiment of the disclosure
- FIG. 6b is a schematic diagram of a method for removing an activated patch function according to an embodiment of the disclosure.
- FIG. 7 is a flowchart of a relay space backtracking method provided by an embodiment of the disclosure.
- FIG. 8a is a flowchart of a method for implementing a LINUX kernel hot patch provided by an embodiment of the present disclosure
- FIG. 8b is a schematic diagram of a method for implementing a LINUX kernel hot patch provided by an embodiment of the present disclosure
- FIG. 9a is a flowchart of a method for implementing a LINUX kernel hot patch provided by an embodiment of the disclosure.
- FIG. 9b is a schematic diagram of a method for implementing a LINUX kernel hot patch provided by an embodiment of the present disclosure.
- FIG. 10 is a flowchart of a method for determining whether the address of the second instruction code of a patched function is traversed by the kernel stack according to an embodiment of the disclosure
- FIG. 11a is a flowchart of a method for removing an activated patch function according to an embodiment of the disclosure
- FIG. 11b is a schematic diagram of a method for removing an activated patch function according to an embodiment of the disclosure.
- FIG. 12 is a flowchart of a method for backtracking in a relay space provided by an embodiment of the disclosure.
- the LINUX system is a basic operating system for communication software.
- the current architecture supported by the Linux system mainly includes the complex instruction set computer (Complex Instruction Set Computer, CISC) architecture and the reduced instruction set computer ( Reduced Instruction Set Computer, RISC) architecture.
- CISC architecture includes X86 architecture, etc.
- RISC architecture includes Advanced RISC Machines (ARM) architecture, Microprocessor without Interlocked Piped Stages (MIPS) architecture and PowerPC processor (Performance Optimization With Enhanced RISC-Performance Computing, PPC) architecture, etc.
- this embodiment discloses a method for implementing the LINUX kernel hot patch. The method is applied to the patch management module, which is installed before the patch operation is performed. In the kernel.
- the process of installing the patch management module includes: first confirming that the compiler and checking related to the processor architecture pass; secondly, confirming that the relay area related to the processor architecture is initialized successfully, confirming that the abnormal registration of the processor-related breakpoint is successful, and making the kernel module state change Call back registration, focus on the installation and uninstallation of the patch module, and finally create the patch sysfs root node.
- the kernel and/or kernel modules can be patched.
- patch description information is stored in the patch module, and the patch description information includes the name of the patched function, the address of the patch function, and the patch mode.
- the patch management module can provide a patch interface to compile the patch module, and can also use Shell commands to install or uninstall the compiled patch module. After calling the patch interface of the patch management module to compile the patch module, you can install the patch module and parse the patch description information stored in the patch module by calling the registration patch interface and then the activation patch interface in the patch module. When it returns to normal, Indicates that the function of the patch module has taken effect.
- the hot patch management system is created in the sysfs file system
- manually operating the sysfs file can activate, deactivate, and uninstall the patch function in the patch module.
- the activation interface and the uninstall interface are: echo 1>/sys/kernel/patch management module name/patch module name/enabled, echo 0>/sys/kernel/patch management module name/patch module name/enabled and echo 0>/ sys/kernel/patch management module name/patch module name/installed.
- the atomic operation mode is an operation mode in which the operation process is not interrupted.
- the atomic operation operation includes one or more operation steps, and the sequence of the operation steps cannot be disrupted during the operation process. That is, the atomic operation mode requires the operation steps to be executed continuously and completely, without the operation process being interrupted or abnormally interrupted.
- atomic operations include physical atomic operations and logical atomic operations.
- the patched function is a defective function in the LINUX system kernel or kernel module
- the patched function is a replacement function for the patched function.
- the patch function can realize the function of the patched function, and at the same time can make up for the defects in the patched function.
- the patched function address is the address of the code segment space where the patched function is located; the patch function address is the address of the code segment space where the patched function is located, and the code segment space is located in the kernel and/or kernel module.
- the header instruction code of the patched function includes the first instruction code and/or the second instruction code of the patched function.
- the patch function can be directly or indirectly jumped from the patched function address to the patched function address, and the activation of the patched function can be realized.
- the activated patch function if the activated patch function cannot meet the requirement of thread calling, the activated patch function needs to be removed, that is, the head script that has been modified by the patch function is restored to the head script before the modification.
- the header instruction code of the patched function should be backed up to realize the modification of the patched function.
- the head script is accurately and quickly restored to the head script before modification.
- Fig. 1a is a flowchart of a method for implementing a LINUX kernel hot patch provided by an embodiment of the disclosure.
- the LINUX kernel hot patch implementation method is to add a fixed instruction code with a fixed length byte to the head of the patched function, so as to realize the jump of the patch function.
- the LINUX kernel hot patch implementation method includes:
- Step 11 Add a fixed instruction code of X bytes before the first instruction code of the patched function.
- X is an integer greater than 4. It should be noted that adding the fixed instruction code of X bytes before the first instruction code of the patched function is for patching the patched function and realizing the activation of the patched function. Therefore, in some embodiments, before adding the X-byte fixed instruction code, it is determined whether there are other activated patch functions in the patched function.
- the fixed instruction code of X bytes is added before the first instruction code of the patched function, it is determined whether there is a fixed instruction code before the first instruction code of the patched function. If an activated patch function already exists in the patch function, stop modifying the header code of the patched function. If not, it means that the patched function does not have an activated patch function, and the patched function can be patched, that is, a fixed instruction code of X bytes can be added before the first instruction code of the patched function to perform the patch function Activation.
- the header instruction code of the patched function when the header instruction code of the patched function is stopped because the fixed instruction code is set before the first instruction code of the patched function, the header instruction code of the patched function that has been activated can be modified to Patch the activated patch function.
- Step 12 Modify the first byte of the fixed instruction code into a breakpoint instruction code.
- the breakpoint instruction code can intercept the thread from which the kernel call stack calls the patched function, so that the thread cannot execute the instruction code after the breakpoint instruction code.
- Step 13 Execute the breakpoint exception according to the breakpoint instruction code during the execution of the thread.
- the thread execution process is the call process of the kernel call stack calling the patched function.
- a breakpoint exception is an operation triggered by a breakpoint during the execution of the thread, and this operation is registered in the patch management module.
- the corresponding operation flow is hooked up by modifying the corresponding register context; wherein, modifying the corresponding register context includes writing the patch function into the register.
- the operation flow of hooking includes:
- Step 21 Judge whether the currently patched function is in the process of modifying the instruction code. If the currently patched function is not in the process of modifying the instruction code, execute step 23; if the currently patched function is in the process of modifying the instruction code, then execute step 22 .
- Step 22 Determine whether the currently patched function is performing a patching operation. If the currently patched function is not performing a patching operation, perform step 23; if the currently patched function is performing a patching operation, perform step 24.
- Step 23 Perform the original breakpoint standard kernel process.
- Step 24 jump to the register written in the patch function.
- the breakpoint exception is executed through the breakpoint instruction code. It should be noted that in the process of thread execution, encountering a breakpoint is a small probability event. Therefore, in a short period of time, the breakpoint exception can be handled by hooking the operation flow in the relevant register, so that the thread execution process is not interrupted, thereby facilitating the subsequent steps of activating the patch function.
- Step 14 Modify the return execution address of the breakpoint instruction code to the jump address.
- the jump address is determined according to the address difference between the patch function and the patched function, and the jump address is stored in the last (X-1) byte of the fixed instruction code.
- Step 15 Modify the breakpoint instruction code to a jump instruction.
- the breakpoint instruction code is in the first byte of the fixed instruction code. Therefore, the jump instruction modified by the breakpoint instruction code also fixes the first byte of the instruction code.
- the jump instruction code and the last (X-1) byte of the fixed instruction code together form a length of X bytes The complete jump instruction code. Since X is an integer greater than 4, the last (X-1) byte can store the length of the address required to implement a short jump or the length of the address required to implement a long jump. According to the length, X-byte jump instruction code, the patched function can jump directly to the patch function to activate the patch function.
- Jump address modify the return execution address of the breakpoint instruction code, that is, the last 4 bytes of the Nop instruction to the offset value; finally, modify the breakpoint instruction code BRK(cc) to jump instruction jumpq(e9),
- the jump instruction jumpq(e9) and the offset value in the last 4 bytes of the Nop instruction form a complete jump instruction code to realize a complete jump call.
- the patched function address can directly jump to the patched function address. Activate the patch function.
- the step of removing the activated patch function corresponding to FIG. 1a includes:
- Step 31 Modify the first byte of the patched function into a breakpoint instruction code.
- Step 32 Execute the breakpoint exception according to the breakpoint instruction code during the execution of the thread.
- Step 33 Restore the return execution address of the breakpoint instruction code to the last (X-1) byte of the original fixed instruction code, and X is an integer greater than 4.
- Step 34 Restore the breakpoint instruction code to the first byte of the original fixed instruction code.
- the LINUX kernel hot patch implementation method first adds a fixed instruction code of X bytes before the first instruction code of the patched function, and modifies the first byte of the fixed instruction code to a breakpoint instruction Code to execute the breakpoint exception according to the breakpoint instruction code during thread execution. Secondly, the return execution address of the breakpoint instruction code is modified to a jump address, and the breakpoint instruction code is modified to a jump instruction.
- the patched function address can jump directly to the patched function address to realize the activation of the patched function.
- the breakpoint exception is registered before the header instruction of the patched function is modified, after the first byte of the fixed instruction code is modified to the breakpoint instruction code, the thread execution process even if the breakpoint is encountered
- the script can also execute breakpoint exceptions based on the breakpoint script, and the thread will not be interrupted. That is, the modification process of the head instruction of the patched function in the embodiment of the present disclosure realizes the logical atomic operation, and the LINUX system can also activate the patch function without restarting, realize the LINUX kernel hot patch, and ensure the stability of the LINUX system.
- the modification process of the head instruction of the patched function in the embodiment of the present disclosure only involves the modification of one instruction code, the modification process is simple, and the modification process does not involve the backtracking of the kernel call stack, which improves the realization of LINUX kernel heat The efficiency of the patch.
- Fig. 4a is a flowchart of a method for implementing a LINUX kernel hot patch provided by an embodiment of the disclosure.
- the LINUX kernel hot patch implementation method is aimed at the short jump mode in the RISC architecture, that is, the distance between the patched function and the patched function is relatively close, and the jump can be realized by modifying one instruction code of the patched function.
- the LINUX kernel hot patch implementation method includes:
- Step 41 Modify the first instruction code of the patched function into a jump instruction code.
- the jump instruction code is an instruction code calculated through a patch function and a patched function
- the jump instruction code includes a jump address
- the jump address is determined according to the difference between the patch function address and the patched function address.
- the patched function can directly jump to the patch function to realize the activation of the patch function.
- the purpose of modifying the first instruction code of the patched function into a jump instruction code is for patching the patched function and realizing the activation of the patched function. Therefore, in some embodiments, before modifying the first instruction code of the patched function into a jump instruction code, it is determined whether the patched function can perform the patching operation.
- the assembly instruction code of the patched function is analyzed to determine whether there is an instruction code sequence that jumps to the beginning of the patched function in the assembly instruction code. If there is an instruction code sequence that jumps to the beginning of the patched function, it is explained
- the patched function cannot perform the patching operation, stop modifying the header script of the patched function; if there is no script sequence that jumps to the beginning of the patched function, it means that the patched function can perform the patching operation, that is, the patched function can be changed
- the first instruction code is modified to jump instruction code to activate the patch function. It should be noted that in all functions, the probability of a jump to the beginning of the patched function in the assembly instruction code is extremely low.
- the patch management module can give a prompt: suggest that the patched function The existing calling function performs patching operation.
- the steps of the implementation method of the LINUX kernel hot patch in Fig. 4a are described in detail.
- the jump instruction code J_XXX is an instruction code calculated through the patch function and the patched function
- the jump instruction code includes a jump address
- the jump address is determined according to the difference between the patch function address and the patched function address.
- the patched function can directly jump to the patch function to realize the activation of the patch function.
- the step of removing the activated patch function corresponding to FIG. 4a includes:
- the LINUX kernel hot patch implementation method realizes the activation of the patch function by modifying the first instruction code of the patched function into a jump instruction code. It should be noted that the process of being modified by the head instruction of the patch function will not interrupt the thread, and the modification process realizes the physical atomic operation. Therefore, the LINUX system can also activate the patch function without restarting to realize the LINUX kernel hot patch, which ensures the stability of the LINUX system.
- the modification process of the head instruction of the patched function in the embodiment of the present disclosure only involves the modification of one instruction code, the modification process is simple, and the modification process does not involve the backtracking of the kernel call stack, which improves the realization of the LINUX kernel heat The efficiency of the patch.
- Fig. 5a is a flowchart of a method for implementing a LINUX kernel hot patch provided by an embodiment of the disclosure.
- the LINUX kernel hot patch implementation method is aimed at the long jump mode in the RISC architecture, that is, the patched function is far away from the patched function, and it is impossible to directly jump from the patched function to the patched function address by one instruction.
- a relay space for the patched function.
- This relay space is reserved in the kernel and/or the kernel module and can be connected to it.
- the patched function implements a jump code segment space through an instruction, and the relay space is initialized by the patch management module.
- the LINUX kernel hot patch implementation method includes:
- Step 51 Modify the first instruction code of the patched function into a jump instruction code.
- the jump instruction code is an instruction code calculated according to the patched function and the relay space.
- the patched function can jump to the relay space.
- the jump instruction code includes a jump address, which is determined according to the difference between the patch function address and the relay space address, and the relay space is provided with a target jump from the relay space address to the patch function address. Turn script.
- the purpose of modifying the first instruction code of the patched function into a jump instruction code is for patching the patched function and realizing the activation of the patched function. Therefore, in some embodiments, before modifying the first instruction code of the patched function into a jump instruction code, it is determined whether the patched function can perform the patching operation.
- the assembly instruction code of the patched function is analyzed to determine whether there is an instruction code sequence that jumps to the beginning of the patched function in the assembly instruction code. If there is an instruction code sequence that jumps to the beginning of the patched function, it is explained
- the patched function cannot perform the patching operation, stop modifying the header script of the patched function; if there is no script sequence that jumps to the beginning of the patched function, it means that the patched function can perform the patching operation, that is, the patched function can be changed
- the first instruction code is modified to jump instruction code to activate the patch function. It should be noted that in all functions, the probability of a jump to the beginning of the patched function in the assembly instruction code is extremely low.
- the patch management module can give a prompt: suggest that the patched function The existing calling function performs patching operation.
- Step 52 Jump from the relay space to the patch function in the relay space.
- the relay space needs to be set up in advance through the patch management module.
- write the target jump instruction code in the relay space is the instruction code calculated according to the relay space and the patch function.
- the target jump instruction code includes a target jump address, and the target jump address is determined according to the difference between the relay space address and the patch function address.
- the relay space can be divided into small spaces of corresponding length according to the type of the target jump instruction.
- the types of the target jump instruction include long jump instructions and short jump instructions. instruction.
- the small space contains a number of locations for storing instruction codes or instruction code addresses.
- Fig. 5c modify the first instruction code INSN_0 of the patched function to jump instruction code J_XXX.
- the jump instruction code is the instruction code calculated based on the patched function and the relay space.
- the patched function can jump to the relay space.
- the relay space contains the jump register, and the target jump instruction code is written in the jump register.
- the target jump instruction code is the instruction code calculated according to the relay space and the patch function. Therefore, it can be realized in the relay space. Jump from the relay space to the patch function to activate the patch function.
- the step of removing the activated patch function corresponding to FIG. 5a includes:
- Step 61 Restore the first instruction code of the patched function.
- Step 62 Reclaim the relay space.
- the steps for backtracking in the relay space include:
- Step 71 search the current program register and accumulate the first search times, determine whether any thread is using the relay space, if any thread is using the relay space, go to step 72; if no thread is using the relay space, execute Step 73.
- Step 72 Determine whether the first search times exceed the preset first search times, if it exceeds the preset first search times, stop reclaiming the relay space; if it does not exceed the preset first search times, return to step 71.
- Step 73 Reclaim the relay space.
- Step 74 Stop reclaiming the relay space.
- the LINUX kernel hot patch implementation method realizes the activation of the patch function by modifying the first instruction code of the patched function into a jump instruction code. It should be noted that since the modification process of the head instruction of the patched function does not interrupt the thread, the modification process realizes the physical atomic operation. Therefore, the LINUX system can also activate the patch function without restarting to realize the LINUX kernel hot patch, which ensures the stability of the LINUX system.
- the modification process of the head instruction of the patched function in the embodiment of the present disclosure only involves the modification of one instruction code, the modification process is simple, and the modification process does not involve the backtracking of the kernel call stack, which improves the realization of the LINUX kernel heat The efficiency of the patch.
- Fig. 8a is a flowchart of a method for implementing a LINUX kernel hot patch provided by an embodiment of the disclosure.
- the LINUX kernel hot patch implementation method is aimed at the RISC architecture with the branch delay slot attribute, that is, the instructions of the patched function include the delay slot and the instructions in the delay slot are executed first during the thread execution.
- the instructions of the patched function include the delay slot and the instructions in the delay slot are executed first during the thread execution.
- a relay space for the patched function which is reserved in the kernel and/or kernel module
- the code segment space that can jump to the patched function through one instruction, and the relay space is initialized by the patch management module.
- the LINUX kernel hot patch implementation method is suitable for the case where the first instruction of the patched function contains a delay slot, and the method includes:
- Step 81 Modify the second instruction code of the patched function into a breakpoint instruction code.
- the breakpoint instruction code can intercept the thread from which the kernel call stack calls the patched function.
- the first instruction of the current patched function contains a delay slot
- the kernel call stack calls the patched function
- it will first execute the instruction code in the delay slot, and then execute the second instruction code of the patched function . Therefore, in order to intercept the thread from which the kernel call stack calls the patched function, the second instruction code of the patched function is modified into a breakpoint instruction code.
- the breakpoint script can prevent the thread from executing the script after the breakpoint script, and execute the breakpoint exception according to the breakpoint script during thread execution.
- the breakpoint exception is an operation triggered by a breakpoint during the execution of the thread, and the operation is registered in the patch management module.
- the corresponding operation flow is hooked up by modifying the corresponding register context; wherein, modifying the corresponding register context includes writing the patch function into the register.
- the operation flow of hooking includes: judging whether it is currently in the process of modifying the instruction code, if it is not in the process of modifying the instruction code, then proceed to the original breakpoint standard kernel flow; if it is in the process of modifying the instruction code , It is judged whether the function with the current breakpoint is undergoing patching operation. If the patching operation is not performed, the original breakpoint standard kernel process is performed; if the patching operation is currently being performed, the jump is written to the register of the patched function .
- the second instruction code of the patched function is modified to the jump instruction code to patch the patched function and realize the activation of the patched function. Therefore, in some embodiments, before modifying the second instruction code of the patched function into a jump instruction code, it is determined whether the patched function can perform the patching operation.
- the assembly instruction code of the patched function is analyzed to determine whether there is an instruction code sequence that jumps to the beginning of the patched function in the assembly instruction code. If there is an instruction code sequence that jumps to the beginning of the patched function, it is explained
- the patched function cannot perform the patching operation, stop modifying the header script of the patched function; if there is no script sequence that jumps to the beginning of the patched function, it means that the patched function can perform the patching operation, that is, the patched function can be changed
- the second instruction code is modified to jump instruction code to activate the patch function. It should be noted that in all functions, the probability of a jump to the beginning of the patched function in the assembly instruction code is extremely low.
- the patch management module can give a prompt: suggest that the patched function The existing calling function performs patching operation.
- Step 82 Modify the first instruction code of the patched function into a jump instruction code, where the jump instruction code is an instruction code calculated through the patched function and the relay space.
- the jump instruction code includes a jump address, which is determined according to the difference between the patch function address and the relay space address.
- the relay space is set in advance through the patch management module.
- When setting the relay space write the target jump instruction code in the relay space.
- the target jump instruction code is the instruction code calculated according to the relay space and the patch function; the target jump instruction code contains the target jump address, The target jump address is determined according to the difference between the relay space address and the patch function address.
- Step 83 Modify the second instruction code of the patched function to an empty instruction code.
- the second instruction code of the current patched function is the breakpoint instruction code. Since the first instruction code of the patched function containing the delay slot is modified into a jump instruction code in step 82, when the kernel call stack calls the patched function, the jump instruction code will be executed first, and the breakpoint The script will no longer be executed.
- Step 84 Jump from the relay space to the patch function in the relay space.
- the relay space is provided with a target jump instruction code that jumps from the relay space address to the patch function address.
- the kernel call stack calls the patched function, it jumps to the relay space through the first instruction code of the patched function, that is, the jump instruction code, and jumps from the relay space to the patch function in the relay space.
- Fig. 8b the steps of the implementation method of the LINUX kernel hot patch in Fig. 8a are described in detail.
- the first instruction code of the patched function INSN_0 is modified to jump instruction code J_XXX.
- the jump instruction code J_XXX is an instruction code calculated through the patched function and the relay space.
- the patched function can jump to the relay space, which contains the jump register, and the target jump instruction code is written in the jump register.
- the target jump instruction code is based on the middle The instruction code calculated following the space and patch function. Therefore, it is possible to jump from the relay space to the patch function in the relay space, and realize the activation of the patch function. Finally, modify the second instruction code of the patched function to Nop instruction code.
- the LINUX kernel hot patch implementation method is suitable for patched functions with branch delay slot attributes.
- the second instruction code of the patched function is modified into a breakpoint instruction code, and in the process of thread execution The breakpoint exception is executed according to the breakpoint instruction code.
- the breakpoint exception is registered before the header instruction of the patched function is modified, after the first byte of the fixed instruction code is modified to the breakpoint instruction code, the thread execution process even if the breakpoint is encountered
- the script can also execute breakpoint exceptions based on the breakpoint script, and the thread will not be interrupted. That is, the modification process of the head instruction of the patched function in the embodiment of the present disclosure realizes the logical atomic operation, and the LINUX system can also activate the patch function without restarting, realize the LINUX kernel hot patch, and ensure the stability of the LINUX system.
- the process of modifying the header instruction of the patched function involves the modification of two instruction codes.
- the modification process is simple, and the modification process does not involve the backtracking of the kernel call stack, which improves the efficiency of implementing the LINUX kernel hot patch.
- Fig. 9a is a flowchart of a method for implementing a LINUX kernel hot patch provided by an embodiment of the disclosure.
- the LINUX kernel hot patch implementation method is aimed at the RISC architecture with the branch delay slot attribute, that is, the instructions of the patched function include the delay slot and the instructions in the delay slot are executed first during the thread execution.
- the instructions of the patched function include the delay slot and the instructions in the delay slot are executed first during the thread execution.
- a relay space for the patched function is reserved in the kernel and/or the kernel module and can be connected to it.
- the patched function implements a jump code segment space through an instruction, and the relay space is initialized by the patch management module.
- the LINUX kernel hot patch implementation method is applicable to the case where the first instruction of the patched function does not contain a delay slot, and the method includes:
- Step 91 Modify the first instruction code of the patched function into a breakpoint instruction code.
- the breakpoint instruction code can intercept the thread from which the kernel call stack calls the patched function.
- the first instruction of the current patched function does not include a delay slot
- the kernel call stack calls the patched function
- it will first execute the instruction code in the delay slot, and then execute the first instruction of the patched function. code. Therefore, in order to intercept the thread from which the kernel call stack calls the patched function, the first instruction code of the patched function is modified into a breakpoint instruction code.
- the purpose of modifying the first instruction code of the patched function into a jump instruction code is for patching the patched function and realizing the activation of the patched function. Therefore, in some embodiments, before modifying the first instruction code of the patched function into a jump instruction code, it is determined whether the patched function can perform the patching operation.
- the assembly instruction code of the patched function is analyzed to determine whether there is an instruction code sequence that jumps to the beginning of the patched function in the assembly instruction code. If there is an instruction code sequence that jumps to the beginning of the patched function, it is explained
- the patched function cannot perform the patching operation, stop modifying the header script of the patched function; if there is no script sequence that jumps to the beginning of the patched function, it means that the patched function can perform the patching operation, that is, the patched function can be changed
- the first instruction code is modified to jump instruction code to activate the patch function. It should be noted that in all functions, the probability of a jump to the beginning of the patched function in the assembly instruction code is extremely low.
- the patch management module can give a prompt: suggest that the patched function The existing calling function performs patching operation.
- Step 92 Execute the breakpoint exception according to the breakpoint instruction code during the execution of the thread.
- the breakpoint exception is an operation triggered by a breakpoint during the execution of the thread, and the operation is registered in the patch management module.
- the corresponding operation flow is hooked up by modifying the corresponding register context; wherein, modifying the corresponding register context includes writing the patch function into the register.
- the operation flow of hooking includes: judging whether it is currently in the process of modifying the instruction code, if it is not in the process of modifying the instruction code, then proceed to the original breakpoint standard kernel flow; if it is in the process of modifying the instruction code , It is judged whether the function with the current breakpoint is undergoing patching operation. If the patching operation is not performed, the original breakpoint standard kernel process is performed; if the patching operation is currently being performed, the jump is written to the register of the patched function .
- Step 93 Modify the second instruction code of the patched function to an empty instruction code.
- the kernel call stack is calling the patched function, and the thread calling the patched function has executed the first instruction code when the patched function is not modified.
- changing the second instruction code of the patched function to an empty instruction code will result in incompatibility of the instruction code sequence, that is, the first instruction code executed by the thread of the kernel call stack is the original instruction code of the patched function.
- the second instruction code of is the modified instruction code.
- determine whether the address of the second instruction code is traversed by the kernel stack that is, determine the second instruction code. Whether the instruction code is being executed, when the second instruction code is not executed, the second instruction code of the patched function will be modified to an empty instruction code.
- the step of determining whether the address of the second instruction code of the patched function is traversed by the kernel stack includes:
- Step 101 Search the current program registers of all thread stacks to determine whether the program register stores the address of the second instruction code of the patched function; if the program register of any thread stack stores the address of the second instruction code, Step 103 is executed; if the address of the second instruction code is not stored in the program registers of all thread stacks, step 102 is executed.
- Step 102 search all interrupt stacks to determine whether the address of the second instruction code is stored in the interrupt stack; if the address of the second instruction code is stored in any interrupt stack, go to step 103; if all program registers do not store the address of the second instruction code For addresses of two instruction codes, step 104 is executed.
- Step 103 Return the information that the second instruction code is currently being executed.
- Step 104 Return the current information that the second instruction code has not been executed.
- Step 94 Modify the first instruction code of the patched function into a jump instruction code, where the jump instruction code is an instruction code calculated through the patched function and the relay space.
- a target jump instruction code that jumps from the relay space address to the patch function address is set in the relay space; the target jump instruction code contains the target jump address, and the target jump address is based on the relay space address and the patch The difference of the function address is determined.
- Fig. 9b the steps of the implementation method of the LINUX kernel hot patch in Fig. 9a are described in detail.
- the patched function can jump to the relay space, which contains the jump register, and the target jump instruction code is written in the jump register.
- the target jump instruction code is based on the middle The instruction code calculated following the space and patch function. Therefore, it is possible to jump from the relay space to the patch function in the relay space, and realize the activation of the patch function.
- the step of removing the activated patch function corresponding to FIG. 8a and FIG. 9a includes:
- Step 111 Modify the first byte of the patched function into a breakpoint instruction code.
- Step 112 Restore the second instruction code of the patched function.
- Step 113 Restore the first instruction code of the patched function.
- Step 114 Reclaim the relay space.
- Fig. 11b the steps of removing the activated patch function in Fig. 8b and Fig. a9b will be correspondingly described.
- the first byte of the patched function is Jump instruction J_XXX.
- restore the second instruction code of the patched function is the Nop instruction code.
- To restore the second instruction code of the patched function is to restore the Nop instruction code to the INSN_1 instruction code.
- the steps of performing relay space backtracking include:
- Step 121 search the current program register and accumulate the first search times, determine whether any thread is using the relay space, if any thread is using the relay space, go to step 122; if no thread is using the relay space, execute Step 123.
- Step 122 Determine whether the first search times exceed the preset first search times, if it exceeds the preset first search times, go to step 126; if it does not exceed the preset first search times, go back to step 121.
- Step 123 search the kernel interrupt stack and accumulate the second search times, determine whether there is an interrupt stack using the relay space, if any thread is using the relay space, go to step 124; if no thread is using the relay space, Go to step 125.
- Step 124 Determine whether the second search times exceed the preset second search times. If the second search times exceed the preset second search times, perform step 126; if the preset second search times are not exceeded, return to step 123.
- Step 125 Reclaim the relay space.
- Step 126 Stop reclaiming the relay space.
- the LINUX kernel hot patch implementation method is suitable for patched functions with branch delay slot attributes.
- the first instruction code of the patched function is modified into a breakpoint instruction code, and in the process of thread execution The breakpoint exception is executed according to the breakpoint instruction code.
- the breakpoint exception is registered before the header instruction of the patched function is modified, after the first byte of the fixed instruction code is modified to the breakpoint instruction code, the thread execution process even if the breakpoint is encountered
- the script can also execute breakpoint exceptions based on the breakpoint script, and the thread will not be interrupted. That is, the modification process of the head instruction of the patched function in the embodiment of the present disclosure realizes the logical atomic operation, and the LINUX system can also activate the patch function without restarting, realize the LINUX kernel hot patch, and ensure the stability of the LINUX system.
- the process of modifying the header instruction of the patched function involves the modification of two instruction codes, and the modification process is simple. Moreover, the modification process only involves the backtracking of the program registers and the interrupt stack, and does not involve the backtracking of the entire kernel stack, which improves the efficiency of implementing the LINUX kernel hot patch.
- an electronic device which includes:
- One or more processors are One or more processors;
- the storage device has one or more programs stored thereon, and when the one or more programs are executed by one or more processors, the one or more processors implement any one of the above-mentioned LINUX kernel hot patch implementation methods.
- embodiments of the present disclosure provide a computer-readable medium on which a computer program is stored, and when the program is executed by a processor, any one of the above-mentioned LINUX kernel hot patch implementation methods is implemented.
- Such software may be distributed on a computer-readable medium
- the computer-readable medium may include a computer storage medium (or non-transitory medium) and a communication medium (or transitory medium).
- the term computer storage medium includes volatile and non-volatile memory implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data).
- Information such as computer-readable instructions, data structures, program modules, or other data.
- Computer storage media include but are not limited to RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassette, tape, magnetic disk storage or other magnetic storage device, or Any other medium used to store desired information and that can be accessed by a computer.
- a communication medium usually contains computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transmission mechanism, and may include any information delivery medium. .
Abstract
Description
Claims (10)
- 一种LINUX内核热补丁实现方法,包括:通过原子操作方式修改被补丁函数的头部指令码,由被补丁函数地址直接或间接跳转至补丁函数地址,实现补丁函数的激活。
- 根据权利要求1所述的方法,其中,还包括:在所述被补丁函数的第一条指令码前增加X字节的固定指令码;其中,X为大于4的整数;所述第一条指令码为所述头部指令码;将所述固定指令码的第一字节修改为断点指令码;在线程执行过程中根据所述断点指令码执行断点异常;将所述断点指令码的返回执行地址修改为跳转地址;将所述断点指令码修改为跳转指令。
- 根据权利要求2所述的方法,其中,所述在所述被补丁函数的第一条指令码前增加X字节的固定指令码之前,还包括:判断所述被补丁函数的第一条指令码前是否设置有固定指令码,若有,则停止修改所述被补丁函数的头部指令码。
- 根据权利要求1所述的方法,其中,还包括:将所述被补丁函数的第一条指令码修改为跳转指令码,其中,所述第一条指令码为所述头部指令码;所述跳转指令码是通过所述补丁函数和所述被补丁函数计算得到的指令码。
- 根据权利要求1所述的方法,其中,还包括:将所述被补丁函数的第一条指令码修改为跳转指令码;其中,所述第一条指令码为所述头部指令码;所述跳转指令码是根据所述被补丁函数与 中继空间计算得到的指令码;所述中继空间是内核和/或内核模块中预留的可与被补丁函数通过一条指令实现跳转的代码段空间;所述中继空间设置有由中继空间地址跳转至补丁函数地址的目标跳转指令码;在所述中继空间实现由所述中继空间跳转至补丁函数。
- 根据权利要求1所述的方法,其中,还包括:将所述被补丁函数的第二条指令码修改为断点指令码;将所述被补丁函数的第一条指令码修改为跳转指令码;其中,所述第一条指令码和所述第二条指令码为所述头部指令码;所述跳转指令码是通过被补丁函数与中继空间计算得到的指令码;所述中继空间是内核和/或内核模块中预留的可与被补丁函数通过一条指令实现跳转的代码段空间;而且,在所述中继空间设置有由所述中继空间地址跳转至补丁函数地址的目标跳转指令码;将所述被补丁函数的第二条指令码修改为空指令码;在所述中继空间实现由所述中继空间跳转至补丁函数。
- 根据权利要求1所述的方法,其中,还包括:将所述被补丁函数的第一条指令码修改为断点指令码;在线程执行过程中根据所述断点指令码执行断点异常;将所述被补丁函数的第二条指令码修改为空指令码;所述第二条指令码和所述第一条指令码为所述头部指令码;将所述被补丁函数的第一条指令码修改为跳转指令码;其中,所述跳转指令码是通过所述被补丁函数与中继空间计算得到的指令码;所述中继空间是内核和/或内核模块中预留的可与被补丁函数通过一条指令实现跳 转的代码段空间;而且,在所述中继空间设置有由所述中继空间地址跳转至补丁函数地址的目标跳转指令码。
- 根据权利要求5至7任意一项所述的方法,其中,所述将所述被补丁函数的第一条指令码修改为跳转指令码之前,还包括:设置所述中继空间;在所述中继空间写入所述目标跳转指令码;其中,所述目标跳转指令码是根据所述中继空间和所述补丁函数计算得到的指令码。
- 一种电子设备,包括:一个或多个处理器;存储装置,其上存储有一个或多个程序,当所述一个或多个程序被所述一个或多个处理器执行,使得所述一个或多个处理器实现根据权利要求1至8任意一项所述的方法。
- 一种计算机可读介质,其上存储有计算机程序,所述程序被处理器执行时实现根据权利要求1至8任意一项所述的方法。
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/783,015 US11868763B2 (en) | 2019-12-13 | 2020-11-16 | Method for implementing Linux kernel hot patch, electronic device, and computer readable medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911283684.X | 2019-12-13 | ||
CN201911283684.XA CN112988182A (zh) | 2019-12-13 | 2019-12-13 | Linux内核热补丁实现方法、电子设备及计算机可读介质 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021115036A1 true WO2021115036A1 (zh) | 2021-06-17 |
Family
ID=76329587
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/129031 WO2021115036A1 (zh) | 2019-12-13 | 2020-11-16 | Linux内核热补丁实现方法、电子设备及计算机可读介质 |
Country Status (3)
Country | Link |
---|---|
US (1) | US11868763B2 (zh) |
CN (1) | CN112988182A (zh) |
WO (1) | WO2021115036A1 (zh) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7472384B1 (en) * | 2003-12-02 | 2008-12-30 | Swsoft Holdings, Ltd. | System, method and computer program product for on-the-fly patching of executable code |
CN101882094A (zh) * | 2010-06-10 | 2010-11-10 | 中兴通讯股份有限公司 | 嵌入式系统制作补丁的方法和系统 |
CN102982277A (zh) * | 2012-12-24 | 2013-03-20 | 广东威创视讯科技股份有限公司 | 一种实现嵌入式系统软件补丁的方法和系统 |
CN105138341A (zh) * | 2015-09-24 | 2015-12-09 | 上海斐讯数据通信技术有限公司 | 基于MIPS架构和vxworks系统实现热补丁长跳转的方法 |
CN105988798A (zh) * | 2015-02-12 | 2016-10-05 | 中兴通讯股份有限公司 | 补丁处理方法及装置 |
US10310863B1 (en) * | 2013-07-31 | 2019-06-04 | Red Hat, Inc. | Patching functions in use on a running computer system |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101799763B (zh) * | 2009-02-10 | 2013-01-30 | 华为技术有限公司 | 内核在线补丁的方法、装置和系统 |
CN102156661B (zh) * | 2010-02-11 | 2013-06-12 | 华为技术有限公司 | 在线补丁的激活方法、装置及系统 |
CN103399775A (zh) * | 2013-08-05 | 2013-11-20 | 北京华为数字技术有限公司 | 一种热补丁方法及设备 |
US9164754B1 (en) * | 2013-12-18 | 2015-10-20 | Amazon Technologies, Inc. | Runtime patching of native-code programs |
-
2019
- 2019-12-13 CN CN201911283684.XA patent/CN112988182A/zh active Pending
-
2020
- 2020-11-16 WO PCT/CN2020/129031 patent/WO2021115036A1/zh active Application Filing
- 2020-11-16 US US17/783,015 patent/US11868763B2/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7472384B1 (en) * | 2003-12-02 | 2008-12-30 | Swsoft Holdings, Ltd. | System, method and computer program product for on-the-fly patching of executable code |
CN101882094A (zh) * | 2010-06-10 | 2010-11-10 | 中兴通讯股份有限公司 | 嵌入式系统制作补丁的方法和系统 |
CN102982277A (zh) * | 2012-12-24 | 2013-03-20 | 广东威创视讯科技股份有限公司 | 一种实现嵌入式系统软件补丁的方法和系统 |
US10310863B1 (en) * | 2013-07-31 | 2019-06-04 | Red Hat, Inc. | Patching functions in use on a running computer system |
CN105988798A (zh) * | 2015-02-12 | 2016-10-05 | 中兴通讯股份有限公司 | 补丁处理方法及装置 |
CN105138341A (zh) * | 2015-09-24 | 2015-12-09 | 上海斐讯数据通信技术有限公司 | 基于MIPS架构和vxworks系统实现热补丁长跳转的方法 |
Also Published As
Publication number | Publication date |
---|---|
CN112988182A (zh) | 2021-06-18 |
US11868763B2 (en) | 2024-01-09 |
US20230016250A1 (en) | 2023-01-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8499289B2 (en) | Method, device and system for realizing kernel online patching | |
TWI269229B (en) | Method, device and system for supporting safe updates and multiple processor types | |
WO2017067448A1 (zh) | 一种无线固件升级方法、系统及计算机存储介质 | |
CA2347404C (en) | System and method for recovering applications | |
US9928059B1 (en) | Automated deployment of a multi-version application in a network-based computing environment | |
CN107783776B (zh) | 固件升级包的处理方法及装置、电子设备 | |
US11748245B2 (en) | Object-oriented regression-candidate filter | |
US9063819B2 (en) | Extensible patch management | |
CN106775610B (zh) | 一种电子设备启动方法及一种电子设备 | |
WO2021142761A1 (zh) | 为芯片打补丁的方法及芯片 | |
CN110874237A (zh) | 软件升级方法、装置、终端以及可读存储介质 | |
CN106997313B (zh) | 一种应用程序的信号处理方法、系统及终端设备 | |
WO2016082450A1 (zh) | 一种用户终端的升级方法和用户终端 | |
CN114860291A (zh) | 一种引导及应用程序灵活储存与升级的方法 | |
US7269722B1 (en) | Preview of UNIX boot process from multi-user level | |
WO2020107436A1 (zh) | 程序的升级方法和嵌入式设备 | |
WO2021115036A1 (zh) | Linux内核热补丁实现方法、电子设备及计算机可读介质 | |
JP4931711B2 (ja) | カーネル更新方法、情報処理装置、プログラムおよび記憶媒体 | |
CN116880877A (zh) | 虚拟机增强工具升级方法、装置、计算机设备和存储介质 | |
WO2021012170A1 (zh) | 固件启动方法、设备及计算机可读存储介质 | |
CN116382753A (zh) | 一种基于网络的设备固件高可靠性远程升级方法 | |
CN116028084A (zh) | 一种基于OpenStack云平台跨版本热升级的方法、系统及终端 | |
WO2021135995A1 (zh) | 虚拟机组件处理方法及装置 | |
CN114327574A (zh) | 一种差分升级方法、电子设备及存储介质 | |
US9081727B2 (en) | Method, apparatus and computer program for loading files during a boot-up process |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 20898359 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 20898359 Country of ref document: EP Kind code of ref document: A1 |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 28/02/2023) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 20898359 Country of ref document: EP Kind code of ref document: A1 |