
Comparing changes

base repository: WeiJiLab/kernel-inline-hook-framework
base: master
head repository: WeiJiLab/kernel-inline-hook-framework
compare: ibt
  • 1 commit
  • 12 files changed
  • 1 contributor

Commits on Mar 6, 2026

  1. [POC] Add intel IBT support

    This is only a proof-of-concept of passing the Intel IBT constraint. At
    least from my testing, this patch can work on machines which support the
    IBT feature.
    
    However the implementation is unfinished:
    
    1) prep_callfunc() will patch ENDBR64 to the beginning of functions. This is
       a must in order to let inline hook continue working, but I didn't protect
       the text patching with stop_machine() or stack_activeness_safety_check(),
       so in rare cases, the machine might crash due to this. Also I didn't
       restore the ENDBR64 back to its original inst when inline hook is disabled.
    
    2) I bet AMD and ARM eventually will come up with something similar, so
       the code needs to be more generic.
    
    3) Also need to hack the building process calling objtool. Of course objtool
       has no idea of the runtime patching in prep_callfunc():
    
          LD [M]  hookFrameTest.o
        hookFrameTest.o: error: objtool: hook_vfs_read+0x24: relocation to !ENDBR: .text+0x7
        hookFrameTest.o: error: objtool: hook_vfs_read_init+0x47: relocation to !ENDBR: .text+0x7
        hookFrameTest.o: error: objtool: hook_fuse_open_init+0x47: relocation to !ENDBR: .text+0x25a
        hookFrameTest.o: error: objtool: hook_fuse_open+0x1d: relocation to !ENDBR: .text+0x25a
        make[4]: *** [/home/test/linux-7.0-rc1/scripts/Makefile.build:505: hookFrameTest.o] Error 1
        make[4]: *** Deleting file 'hookFrameTest.o'
        make[3]: *** [/home/test/linux-7.0-rc1/Makefile:2101: .] Error 2
        make[2]: *** [/home/test/linux-7.0-rc1/Makefile:248: __sub-make] Error 2
        make[2]: Leaving directory '/root/kernel-hook-framework/linux/sample'
        make[1]: *** [Makefile:248: __sub-make] Error 2
        make[1]: Leaving directory '/home/test/linux-7.0-rc1'
        make: *** [Makefile:55: x86_64] Error 2
    
    The Intel IBT feature is not a common case nowadays, only seen in some
    physical machines (and maybe KVM?), like Intel Meteor Lake CPU. But I'm sure
    IBT will be used more widely later.
    
    This does make inline hook's life harder. But fuck this, I'm a hacker!
    Though I got little spare time and limited machine use time, so
    I have to stop right now and put my unfinished implementation here, for
    future reference.
    
    Signed-off-by: Tao Liu <[email protected]>
    liutgnu committed Mar 6, 2026
    3beb28e
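
The `relocation to !ENDBR` errors quoted in the commit message come from a build-time check that every code address referenced by a relocation begins with ENDBR64 (bytes `F3 0F 1E FA`). The following is an added example, not code from this commit or from objtool: a simplified user-space model of that check, where the text buffer, the target offsets and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ENDBR64 instruction encoding: F3 0F 1E FA */
static const uint8_t ENDBR64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };

/* 1: target starts with ENDBR64, 0: it does not, -1: target out of bounds */
int target_has_endbr64(const uint8_t *text, size_t len, size_t off)
{
    if (off > len || len - off < sizeof(ENDBR64))
        return -1;
    return memcmp(text + off, ENDBR64, sizeof(ENDBR64)) == 0;
}

struct scan_result { size_t bad; size_t first_bad; };

/* Check every relocation target; count those that are not ENDBR64 landings */
struct scan_result scan_targets(const uint8_t *text, size_t len,
                                const size_t *targets, size_t n)
{
    struct scan_result r = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (target_has_endbr64(text, len, targets[i]) == 1)
            continue;
        if (r.bad++ == 0)
            r.first_bad = targets[i];
    }
    return r;
}

/* Constructed sample: 0x20 bytes of NOPs with ENDBR64 at 0x00 and 0x10 */
struct scan_result run_demo(void)
{
    uint8_t text[0x20];
    const size_t targets[] = { 0x00, 0x07, 0x10, 0x1e }; /* constructed */
    memset(text, 0x90, sizeof(text));
    memcpy(text + 0x00, ENDBR64, sizeof(ENDBR64));
    memcpy(text + 0x10, ENDBR64, sizeof(ENDBR64));
    return scan_targets(text, sizeof(text), targets, 4);
}

int main(void)
{
    struct scan_result r = run_demo();
    printf("targets without ENDBR64: %zu (first at +0x%zx)\n", r.bad, r.first_bad);
    return r.bad != 0;
}
```

A target that is only made valid by patching at run time still fails a static check like this one, which is the mismatch point 3 of the commit message describes.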