Can't find system call mount in XNU source code

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Can't find system call mount in XNU source code

Postby chengyang » Mon Oct 31, 2016 4:54 am

I'm researching an exploit about the mount syscall on XNU; the function is used as mount("nfs", path, 0, &xdrbuf).
The comment says that it will later call a vulnerable function, nfs_convert_old_nfs_args, so I want to check out how that happens.

But when I go through the XNU code, nfs_convert_old_nfs_args can be found, but I don't know how it's called.
I could only find these:
/bsd/sys/mount.h, declares the function but no implementation;
syscall.h, a syscall number table;
syscalls.master, seems to be used to generate another syscall table, syscall.c


Where is the implementation of the syscalls? Maybe in libsystem? I can't find useful sources for libsystem...

If you have any interest in the exploit, it can be found here: https://www.exploit-db.com/exploits/32813/
chengyang
 
Posts: 14
Joined: Wed Aug 03, 2016 7:44 am

Re: Can't find system call mount in XNU source code

Postby morpheus » Thu Nov 03, 2016 1:02 am

Zephyr: morpheus$ grep mount /usr/include/sys/syscall.h
         /* 21  old mount */
         /* 22  old umount */
#define   SYS_unmount        159
#define   SYS_mount          167
#define   SYS___mac_mount    424
#define   SYS___mac_get_mount 425


In XNU's code the sys calls are generated by bsd/kern/syscalls.master:

21 AUE_NULL ALL { int enosys(void); } { old mount }
22 AUE_NULL ALL { int enosys(void); } { old umount }
159 AUE_UNMOUNT ALL { int unmount(user_addr_t path, int flags); }
167 AUE_MOUNT ALL { int mount(char *type, char *path, int flags, caddr_t data); }
424 AUE_MAC_MOUNT ALL { int __mac_mount(char *type, char *path, int flags, caddr_t data, struct mac *mac_p); }
425 AUE_MAC_GET_MOUNT ALL { int __mac_get_mount(char *path, struct mac *mac_p); }


And you can find the call easily (#167) in bsd/vfs/vfs_syscalls.c where it directs to the MACF (label aware) version:

/*
 * Mount a file system.
 */
/* ARGSUSED */
int
mount(proc_t p, struct mount_args *uap, __unused int32_t *retval)
{
        struct __mac_mount_args muap;

        muap.type = uap->type;
        muap.path = uap->path;
        muap.flags = uap->flags;
        muap.data = uap->data;
        muap.mac_p = USER_ADDR_NULL;
        return (__mac_mount(p, &muap, retval));
}
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
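The generation step described above, as an added example that is not XNU's own generator (bsd/kern/makesyscalls.sh): a small Python parser for the syscalls.master lines quoted in the post, which derives the struct <name>_args a handler receives through uap and shows how the four values of a user-side mount("nfs", path, 0, &xdrbuf) land on uap->type, uap->path, uap->flags and uap->data. The emitted struct is simplified; the real sysproto.h output also carries padding members.

```python
import re

# Constructed input: the syscalls.master lines quoted in the post above.
SYSCALLS_MASTER = """\
21 AUE_NULL ALL { int enosys(void); } { old mount }
22 AUE_NULL ALL { int enosys(void); } { old umount }
159 AUE_UNMOUNT ALL { int unmount(user_addr_t path, int flags); }
167 AUE_MOUNT ALL { int mount(char *type, char *path, int flags, caddr_t data); }
424 AUE_MAC_MOUNT ALL { int __mac_mount(char *type, char *path, int flags, caddr_t data, struct mac *mac_p); }
425 AUE_MAC_GET_MOUNT ALL { int __mac_get_mount(char *path, struct mac *mac_p); }
"""

# number, audit event, file set, { ret name(args); }, optional { comment }
LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<audit>\S+)\s+(?P<files>\S+)\s+"
    r"\{\s*(?P<ret>[\w\s*]+?)\s+(?P<name>\w+)\s*\((?P<args>[^)]*)\)\s*;\s*\}"
    r"(?:\s*\{\s*(?P<comment>[^}]*)\})?"
)

def parse_syscalls_master(text):
    """Return {syscall number: entry}; blank lines and ';' comments are skipped."""
    table = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised syscalls.master line: " + line)
        args = [a.strip() for a in m.group("args").split(",")]
        table[int(m.group("num"))] = {
            "audit": m.group("audit"), "name": m.group("name"),
            "args": [] if args == ["void"] else args,
            "comment": (m.group("comment") or "").strip(),
        }
    return table

def args_struct(entry):
    """struct <name>_args as written to sysproto.h (simplified: no PAD_ members)."""
    if not entry["args"]:
        return "struct %s_args { int dummy; };" % entry["name"]
    members = "".join("\t%s;\n" % a for a in entry["args"])
    return "struct %s_args {\n%s};" % (entry["name"], members)

def bind_user_args(entry, values):
    """Map the values user code passes onto the uap-> members the kernel handler reads."""
    names = [a.split()[-1].lstrip("*") for a in entry["args"]]  # last token, minus '*'
    if len(names) != len(values):
        raise ValueError("%s takes %d args, got %d" % (entry["name"], len(names), len(values)))
    return dict(zip(names, values))
```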

Re: Can't find system call mount in XNU source code

Postby chengyang » Thu Nov 03, 2016 2:09 am

I've got it, thank you.
At first I made the mistake of thinking that the syscall mount("nfs", path, 0, &xdrbuf) and mount(proc_t p, struct mount_args *uap, __unused int32_t *retval) are not the same thing.

But after comparing it with other syscalls, I guess the syscall method adds a process argument and combines all the previous arguments into mount_args.
chengyang
 
Posts: 14
Joined: Wed Aug 03, 2016 7:44 am

