1 int 2 __libc_system (const char *line) 3 { 4 if (line == NULL) 5 /* Check that we have a command processor available. It might 6 not be available after a chroot(), for example. */ 7 return do_system ("exit 0") == 0; 8 9 return do_system (line); 10 } 11 weak_alias (__libc_system, system)
代码位于glibc/sysdeps/posix/system.c,这里system是__libc_system的弱别名,而__libc_system是do_system的前端函数,进行了参数的检查,接下来看do_system函数。
1 static int 2 do_system (const char *line) 3 { 4 int status, save; 5 pid_t pid; 6 struct sigaction sa; 7 #ifndef _LIBC_REENTRANT 8 struct sigaction intr, quit; 9 #endif 10 sigset_t omask; 11 12 sa.sa_handler = SIG_IGN; 13 sa.sa_flags = 0; 14 __sigemptyset (&sa.sa_mask); 15 16 DO_LOCK (); 17 if (ADD_REF () == 0) 18 { 19 if (__sigaction (SIGINT, &sa, &intr) < 0) 20 { 21 (void) SUB_REF (); 22 goto out; 23 } 24 if (__sigaction (SIGQUIT, &sa, &quit) < 0) 25 { 26 save = errno; 27 (void) SUB_REF (); 28 goto out_restore_sigint; 29 } 30 } 31 DO_UNLOCK (); 32 33 /* We reuse the bitmap in the 'sa' structure. */ 34 __sigaddset (&sa.sa_mask, SIGCHLD); 35 save = errno; 36 if (__sigprocmask (SIG_BLOCK, &sa.sa_mask, &omask) < 0) 37 { 38 #ifndef _LIBC 39 if (errno == ENOSYS) 40 __set_errno (save); 41 else 42 #endif 43 { 44 DO_LOCK (); 45 if (SUB_REF () == 0) 46 { 47 save = errno; 48 (void) __sigaction (SIGQUIT, &quit, (struct sigaction *) NULL); 49 out_restore_sigint: 50 (void) __sigaction (SIGINT, &intr, (struct sigaction *) NULL); 51 __set_errno (save); 52 } 53 out: 54 DO_UNLOCK (); 55 return -1; 56 } 57 } 58 59 #ifdef CLEANUP_HANDLER 60 CLEANUP_HANDLER; 61 #endif 62 63 #ifdef FORK 64 pid = FORK (); 65 #else 66 pid = __fork (); 67 #endif 68 if (pid == (pid_t) 0) 69 { 70 /* Child side. */ 71 const char *new_argv[4]; 72 new_argv[0] = SHELL_NAME; 73 new_argv[1] = "-c"; 74 new_argv[2] = line; 75 new_argv[3] = NULL; 76 77 /* Restore the signals. */ 78 (void) __sigaction (SIGINT, &intr, (struct sigaction *) NULL); 79 (void) __sigaction (SIGQUIT, &quit, (struct sigaction *) NULL); 80 (void) __sigprocmask (SIG_SETMASK, &omask, (sigset_t *) NULL); 81 INIT_LOCK (); 82 83 /* Exec the shell. */ 84 (void) __execve (SHELL_PATH, (char *const *) new_argv, __environ); 85 _exit (127); 86 } 87 else if (pid < (pid_t) 0) 88 /* The fork failed. */ 89 status = -1; 90 else 91 /* Parent side. */ 92 { 93 /* Note the system() is a cancellation point. But since we call 94 waitpid() which itself is a cancellation point we do not 95 have to do anything here. */ 96 if (TEMP_FAILURE_RETRY (__waitpid (pid, &status, 0)) != pid) 97 status = -1; 98 } 99 100 #ifdef CLEANUP_HANDLER 101 CLEANUP_RESET; 102 #endif 103 104 save = errno; 105 DO_LOCK (); 106 if ((SUB_REF () == 0 107 && (__sigaction (SIGINT, &intr, (struct sigaction *) NULL) 108 | __sigaction (SIGQUIT, &quit, (struct sigaction *) NULL)) != 0) 109 || __sigprocmask (SIG_SETMASK, &omask, (sigset_t *) NULL) != 0) 110 { 111 #ifndef _LIBC 112 /* glibc cannot be used on systems without waitpid. */ 113 if (errno == ENOSYS) 114 __set_errno (save); 115 else 116 #endif 117 status = -1; 118 } 119 DO_UNLOCK (); 120 121 return status; 122 }
首先函数设置了一些信号处理程序,来处理SIGINT和SIGQUIT信号,此处我们不过多关心,关键代码段在这里
1 #ifdef FORK 2 pid = FORK (); 3 #else 4 pid = __fork (); 5 #endif 6 if (pid == (pid_t) 0) 7 { 8 /* Child side. */ 9 const char *new_argv[4]; 10 new_argv[0] = SHELL_NAME; 11 new_argv[1] = "-c"; 12 new_argv[2] = line; 13 new_argv[3] = NULL; 14 15 /* Restore the signals. */ 16 (void) __sigaction (SIGINT, &intr, (struct sigaction *) NULL); 17 (void) __sigaction (SIGQUIT, &quit, (struct sigaction *) NULL); 18 (void) __sigprocmask (SIG_SETMASK, &omask, (sigset_t *) NULL); 19 INIT_LOCK (); 20 21 /* Exec the shell. */ 22 (void) __execve (SHELL_PATH, (char *const *) new_argv, __environ); 23 _exit (127); 24 } 25 else if (pid < (pid_t) 0) 26 /* The fork failed. */ 27 status = -1; 28 else 29 /* Parent side. */ 30 { 31 /* Note the system() is a cancellation point. But since we call 32 waitpid() which itself is a cancellation point we do not 33 have to do anything here. */ 34 if (TEMP_FAILURE_RETRY (__waitpid (pid, &status, 0)) != pid) 35 status = -1; 36 }
首先通过前端函数调用系统调用fork产生一个子进程,其中fork有两个返回值,对父进程返回子进程的pid,对子进程返回0。所以子进程执行6-24行代码,父进程执行30-35行代码。
子进程的逻辑非常清晰,调用execve执行SHELL_PATH指定的程序,参数通过new_argv传递,环境变量为全局变量__environ。
其中SHELL_PATH和SHELL_NAME定义如下
1 #define SHELL_PATH "/bin/sh" /* Path of the shell. */ 2 #define SHELL_NAME "sh" /* Name to give it. */
其实就是生成一个子进程调用/bin/sh -c "命令"来执行向system传入的命令。
下面其实是我研究system函数的原因与重点:
在CTF的pwn题中,通过栈溢出调用system函数有时会失败,听师傅们说是环境变量被覆盖,但是一直都是懵懂,今天深入学习了一下,总算搞明白了。
在这里system函数需要的环境变量储存在全局变量__environ中,那么这个变量的内容是什么呢。
__environ是在glibc/csu/libc-start.c中定义的,我们来看几个关键语句。
# define LIBC_START_MAIN __libc_start_main
__libc_start_main是_start调用的函数,这涉及到程序开始时的一些初始化工作,对这些名词不了解的话可以看一下这篇文章。接下来看LIBC_START_MAIN函数。
1 STATIC int 2 LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL), 3 int argc, char **argv, 4 #ifdef LIBC_START_MAIN_AUXVEC_ARG 5 ElfW(auxv_t) *auxvec, 6 #endif 7 __typeof (main) init, 8 void (*fini) (void), 9 void (*rtld_fini) (void), void *stack_end) 10 { 11 /* Result of the 'main' function. */ 12 int result; 13 14 __libc_multiple_libcs = &_dl_starting_up && !_dl_starting_up; 15 16 #ifndef SHARED 17 char **ev = &argv[argc + 1]; 18 19 __environ = ev; 20 21 /* Store the lowest stack address. This is done in ld.so if this is 22 the code for the DSO. */ 23 __libc_stack_end = stack_end;
......
202 /* Nothing fancy, just call the function. */ 203 result = main (argc, argv, __environ MAIN_AUXVEC_PARAM); 204 #endif 205 206 exit (result); 207 }
我们可以看到,在没有define SHARED的情况下,在第19行定义了__environ的值。启动程序调用LIBC_START_MAIN之前,会先将环境变量和argv中的字符串保存起来(其实是保存到栈上),然后依次将环境变量中各项字符串的地址,argv中各项字符串的地址和argc入栈,所以环境变量数组一定位于argv数组的正后方,以一个空地址间隔。所以第17行的&argv[argc + 1]语句就是取环境变量数组在栈上的首地址,保存到ev中,最终保存到__environ中。第203行调用main函数,会将__environ的值入栈,这个被栈溢出覆盖掉没什么问题,只要保证__environ中的地址处不被覆盖即可。
所以,当栈溢出的长度过大,溢出的内容覆盖了__environ中地址中的重要内容时,调用system函数就会失败。具体环境变量距离溢出地址有多远,可以通过在_start中下断查看。