1 Star 1 Fork 0

Rong Tao/libcare

加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
README.rst 5.61 KB
一键复制 编辑 原始数据 按行查看 历史
Rong Tao 提交于 2021-09-16 05:29 . GitHub libcare

LibCare -- Patch Userspace Code on Live Processes

Welcome to LibCare --- Live Patch Updates for Userspace Processes and Libraries.

LibCare delivers live patches to any of your Linux executables or libraries at the runtime, without the need for restart of your applications. Most frequently it is used to perform critical security updates such as glibc's GHOST (aka CVE-2015-0235, see how we deal with it in GHOST sample) and QEMU's CVE-2017-2615, but can also be used for serious bug fixes on the fly to avoid interruption of service (see server sample).

See https://kernelcare.com for live Linux Kernel updates also.


How the live patches are generated?


We use the same code generating procedure we used in production for years in kernelcare.com: 我们用相同的代码生成步骤

  1. both original and patched source code are translated to assembler,
  2. 原始的和补丁都被编译成汇编语言
  3. corresponding assembler files are compared and new instrumented assembler code is generated, where patches are stored into special ELF sections,
  4. 相关的汇编文件比较,并且新的汇编会在补丁存放的特定的ELF section区域生成
  5. instrumented assembler code is compiled using target project's build system while patch ELF sections are collected in binaries',
  6. 汇编指令使用目标系统编译成目标文件
  7. binary patch files are extracted from the ELF sections.
  8. 二进制补丁文件是从 ELF section中提取出来的

The libcare-patch-make script is a handy script for the patch generation for a makeable project. Just do:

$ src/libcare-patch-make some_serious_bug.patch

And find binary patches for all the deliverables of the project in the patchroot directory. See our simple server for usage sample.

For more details follow to the patch preparation chapter of the internals.

How the live patches are applied?

live patches 如何应用

It is a lot like loading a shared library into another process' memory: 更像将共享库加载到另一个可执行文件中:

  1. our binary libcare-ctl (the doctor) attaches to a patient via ptrace(2),
  2. patient's objects are examined by the doctor,
  3. doctor puppets the patient to allocate patch memory near the original object,
  4. references in the patch are resolved by the doctor, the patch code is ready to be executed now,
  5. doctor rewrites targeted original functions with unconditional jumps to the appropriate patched versions, ensuring that no thread of patient is executing them first.
  6. 二进制`libcare-ctl`(医生),通过调用ptrace(2)添加病人
  7. 医生检查病人的物品,
  8. 医生伪装病人在原始对象附近分配补丁内存,
  9. 补丁中的引用由医生解析,补丁代码现在可以执行了,
  10. 医生通过无条件跳转到适当的补丁版本来重写目标原始函数,确保没有患者线程首先执行它们。

Now the patient executes patched versions of the functions.

For more details follow to the Patching chapter of the internals.

Will my patches re-apply if I restart the process?

Not at the moment. We only track start of the new processes for the tests, see here.

Does live patching affect performance?

Negligibly. Since code patches simply redirect execution from original code functions to the new ones the overhead is small and comparable to additional “jmp” instruction.

Installation and dependencies

All the Linux-distros with available libunwind, elfutils and binutils packages are supported.

However, the libcare is only tested on Ubuntu from 12.04 to 16.04 and on CentOS from 6.8 to 7.x.


To install the dependencies on RHEL/CentOS do the following:

$ sudo yum install -y binutils elfutils elfutils-libelf-devel libunwind-devel

To install the dependencies on Debian/Ubuntu do the following:

$ sudo apt-get install -y binutils elfutils libelf-dev libunwind-dev

Building libcare

To build libcare emit at project's root dir:

$ make -C src

This should build all the utilities required to produce a patch out of some project's source code.

It is highly recommended to run the tests as well, enabling Doctor libcare-ctl to attach ptracecles to any of the processes first:

$ sudo setcap cap_sys_ptrace+ep ./src/libcare-ctl
$ make -C tests && echo OK

Now all the required tools are built and we can build some patches. Skip to server sample for that.

How does it work?

Internals are quite confusing and are described here.

马建仓 AI 助手


D67c1975 1850385 1daf7b77 1850385