In response to: System hardening leads to CVE-2015-3341 and fun with DTrace
http://engineering.freeagent.com/2015/08/19/finding-CVE-2015-3341/

> I may be missing something here but I couldn’t figure out if it was
> possible to use DTrace to check the values in this sanity check in
> the kernel easily. If you know a way, let me know!

There is a way. It's just not obvious at first.

The trick is to realize that if you can somehow get the address of 'da' and 'pr' you can print the data. So start with 'prp' and follow the breadcrumbs:

https://github.com/illumos/illumos-gate/blob/359db861fd14071f8a25831efe3bf3790980d071/usr/src/uts/common/os/klpd.c#L888

    prp = (pfexec_reply_t *)da.rbuf;

So prp is really da.rbuf.

    while ((dres = door_ki_upcall(pfd->klpd_door, &da)) != 0) {

And da is filled in by door_ki_upcall(). This is just another kernel function, so we can intercept it with the fbt provider. On entry, arg1 is the pointer to da. By the time the function returns, the door server has written its reply into da.rbuf, which is exactly the memory the sanity check in pfexec_call() then reads. So we capture the address on function entry and pretty-print the structures on function exit, like so:

    dtrace -qn '
    fbt::door_ki_upcall:entry
    {
            self->dap = (door_arg_t *)arg1;                 /* &da */
            self->prp = (pfexec_reply_t *)self->dap->rbuf;  /* same memory prp will point at */
    }

    fbt::door_ki_upcall:return
    {
            /* rbuf now holds the reply, so dereferencing is meaningful here */
            print(*self->dap);
            printf("\n");
            print(*self->prp);
    }'

However, this would trigger on any door upcall from the kernel, not just the one pfexec makes. We should do this only when we know it's getting invoked from pfexec_call().
    dtrace -qn '
    fbt::pfexec_call:entry
    {
            self->on = 1;           /* we are inside pfexec_call() on this thread */
    }

    fbt::door_ki_upcall:entry
    /self->on/
    {
            self->dap = (door_arg_t *)arg1;
            self->prp = (pfexec_reply_t *)self->dap->rbuf;
    }

    fbt::door_ki_upcall:return
    /self->on/
    {
            print(*self->dap);
            printf("\n");
            print(*self->prp);
    }

    fbt::pfexec_call:return
    {
            self->on = 0;
    }'

The thread-local (self->) flag works because door_ki_upcall() runs synchronously on the same kernel thread as pfexec_call(), so the entry and return probes see the same variables.

And here's an example of the output:

    door_arg_t {
        char *data_ptr = 0xffffff003e505ba0
        size_t data_size = 0x30
        door_desc_t *desc_ptr = 0
        uint_t desc_num = 0
        char *rbuf = 0xffffff003e505ba0
        size_t rsize = 0x30
    }
    pfexec_reply_t {
        uint_t pfr_vers = 0x1
        uint_t pfr_len = 0
        uid_t pfr_ruid = 0xffffffff
        uid_t pfr_euid = 0xffffffff
        gid_t pfr_rgid = 0xffffffff
        gid_t pfr_egid = 0xffffffff
        boolean_t pfr_setcred = B_FALSE
        boolean_t pfr_scrubenv = B_FALSE
        boolean_t pfr_clearflag = B_FALSE
        boolean_t pfr_allowed = B_TRUE
        uint_t pfr_ioff = 0
        uint_t pfr_loff = 0
    }

There is nothing stopping you from using your custom printf format strings. I thought I'd demonstrate the print() action since it is so useful and can save a lot of time when debugging.
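As an added example (not part of the original post), here is the same pfexec_call() / door_ki_upcall() pairing written with hand-made printf() output instead of print(). It adds two things the scripts above do not show: the upcall's return value, which in an fbt return probe is arg1, and the process that triggered the pfexec, via the execname, pid and uid built-ins. It also clears the thread-local variable once used. The type and field names are the ones print() displayed above; nothing else is assumed beyond an illumos kernel with those types in CTF.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not from the original post or from illumos.
 * Trace the pfexecd reply that pfexec_call() is about to sanity-check,
 * using explicit printf() formats rather than print().
 */
#pragma D option quiet

fbt::pfexec_call:entry
{
	self->on = 1;
}

fbt::door_ki_upcall:entry
/self->on/
{
	self->dap = (door_arg_t *)arg1;		/* &da in pfexec_call() */
}

/*
 * In an fbt return probe arg1 is the function's return value, i.e. the
 * dres that the while loop in pfexec_call() tests. The reply only exists
 * in rbuf once the upcall has completed, so the reply pointer is taken
 * here, on return, not on entry.
 */
fbt::door_ki_upcall:return
/self->on/
{
	this->prp = (pfexec_reply_t *)self->dap->rbuf;

	printf("%s[%d] uid=%d door_ki_upcall() returned %d, rsize=%d\n",
	    execname, pid, uid, arg1, self->dap->rsize);
	printf("  pfr_vers=%u pfr_len=%u pfr_allowed=%d pfr_setcred=%d\n",
	    this->prp->pfr_vers, this->prp->pfr_len,
	    this->prp->pfr_allowed, this->prp->pfr_setcred);
	printf("  pfr_ruid=0x%x pfr_euid=0x%x pfr_rgid=0x%x pfr_egid=0x%x\n",
	    this->prp->pfr_ruid, this->prp->pfr_euid,
	    this->prp->pfr_rgid, this->prp->pfr_egid);
	printf("  pfr_scrubenv=%d pfr_clearflag=%d pfr_ioff=%u pfr_loff=%u\n",
	    this->prp->pfr_scrubenv, this->prp->pfr_clearflag,
	    this->prp->pfr_ioff, this->prp->pfr_loff);

	/* Release the thread-local so it does not linger on this thread. */
	self->dap = 0;
}

fbt::pfexec_call:return
{
	self->on = 0;
}
```

Save it as a file, run it with dtrace -s, and execute a pfexec command from another terminal; one block of output appears per upcall. Printing the uid/gid fields in hex keeps the 0xffffffff sentinel recognisable, as in the print() output above.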