Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TC program compilation __stack_chk_fail not supported #41

Closed
h3xduck opened this issue Jul 6, 2022 · 4 comments
Closed

TC program compilation __stack_chk_fail not supported #41

h3xduck opened this issue Jul 6, 2022 · 4 comments
Labels
bug Something isn't working build issue

Comments

@h3xduck
Copy link
Owner

h3xduck commented Jul 6, 2022
edited
Loading 

➜  src git:(master) make all
  MKDIR    .output
  MKDIR    .output/libbpf
  LIB      libbpf.a
  MKDIR    /home/u1tron/TripleCross/src/.output//libbpf/staticobjs
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/bpf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/btf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf_errno.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/netlink.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/nlattr.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/str_error.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf_probes.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/bpf_prog_linfo.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/xsk.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/btf_dump.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/hashmap.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/ringbuf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/strset.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/linker.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/gen_loader.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/relo_core.o
  AR       /home/u1tron/TripleCross/src/.output//libbpf/libbpf.a
  INSTALL  bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h xsk.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h
  INSTALL  /home/u1tron/TripleCross/src/.output//libbpf/libbpf.pc
  INSTALL  /home/u1tron/TripleCross/src/.output//libbpf/libbpf.a 
  BPF      .output/kit.bpf.o
  GEN-SKEL .output/kit.skel.h
libbpf: elf: skipping unrecognized data section(17) .rodata.str1.1
  CC       .output/kit.o
  CC       /home/u1tron/TripleCross/src/user/include/modules/module_manager.o
  BINARY   kit
clang -O2 -emit-llvm -g -c /home/u1tron/TripleCross/src/ebpf/include/bpf/tc.c -o - | \
llc -march=bpf -mcpu=probe -filetype=obj -o bin/tc.o
error: <unknown>:0:0: in function classifier_egress i32 (%struct.__sk_buff*): A call to built-in function '__stack_chk_fail' is not supported.

make: *** [Makefile:107: tckit] Error 1
rm .output/kit.bpf.o

Originally posted by @yasindce1998 in #39 (comment)
@h3xduck h3xduck mentioned this issue Jul 6, 2022
Closed
@h3xduck
Copy link
Owner Author

h3xduck commented Jul 6, 2022

@yasindce1998 can you check the distro and version you are using?

lsb_release -a

The rootkit has only been tested in Ubuntu 21.04, if you are using this version already, which clang version are you on?

clang -v

@h3xduck h3xduck added bug Something isn't working build issue labels Jul 6, 2022
@yasindce1998
Copy link

@h3xduck Apologies for the late response and Thank you for reviewing it.
Here is what you needed.

~ lsb_release -a
LSB Version:    n/a
Distributor ID: Arch
Description:    Arch Linux
Release:        rolling
Codename:       n/a
➜  ~ clang -v
clang version 13.0.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-pc-linux-gnu/12.1.0
Found candidate GCC installation: /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/12.1.0
Selected GCC installation: /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/12.1.0
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Selected multilib: .;@m64
➜  ~

Extra informations

Operating System: Arch Linux                      
          Kernel: Linux 5.18.5-arch1-1
    Architecture: x86-64
 Hardware Vendor: Lenovo
  Hardware Model: Lenovo E41-25

@h3xduck
Copy link
Owner Author

h3xduck commented Jul 6, 2022

Yeah we didn't test the rootkit on Arch, you will have to use Ubuntu 21.04 if you want to compile it.

For the record, these are issues with using TripleCross in a different distro and version that I can think of:

  • Your compiler toolchain is different than the one in Ubuntu 21.04 (we used Clang v12). This results in the compiler sometimes generating instructions which are not valid in BPF (this is your case). You either will have to switch compiler or try with different fixes, -fno-stack-protector might work in your case.
  • The library injection module depends on specific opcodes of functions at glibc which may vary between versions. We used glibc 2.33

We may extend it to other versions in the future, but for now you may need to patch it yourself or switch to the supported system.

@yasindce1998
Copy link

@h3xduck Thank you! I can switch to Ubuntu 21.04. Thank you for the clarification!

@h3xduck h3xduck closed this as completed Jul 7, 2022
@h3xduck h3xduck mentioned this issue Jul 11, 2022
Closed
@h3xduck h3xduck mentioned this issue Feb 10, 2023
Closed
void0red added a commit to void0red/TripleCross that referenced this issue Apr 7, 2024
@void0red
src/Makefile: Fix h3xduck#41 and h3xduck#48 in compiling
49cac49 
1. use `-fno-stack-protector` to remove `__stack_chk_fail` symbol
2. use `-L` to specify libbpf library paths

Signed-off-by: void0red <void0red@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working build issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@h3xduck @yasindce1998