Arch_prctl on 大飞的博客 https://www.dafei.me/tags/arch_prctl/ Recent content in Arch_prctl on 大飞的博客 Hugo zh-cn Fri, 22 May 2026 02:00:00 +0000 从零写OS(三十一):运行 musl libc 程序 —— 两个隐藏的寄存器 Bug https://www.dafei.me/posts/os-31-musl-libc/ Fri, 22 May 2026 02:00:00 +0000 https://www.dafei.me/posts/os-31-musl-libc/ <p>上一章对齐了 Linux syscall ABI,现在试着跑一个真正用 musl libc 静态编译的 C 程序。目标很简单:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#75715e">#include</span> <span style="color:#75715e">&lt;stdio.h&gt;</span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">int</span> <span style="color:#a6e22e">main</span>(<span style="color:#66d9ef">int</span> argc, <span style="color:#66d9ef">char</span> <span style="color:#f92672">**</span>argv) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">printf</span>(<span style="color:#e6db74">&#34;hello from musl libc!</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>); </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">printf</span>(<span style="color:#e6db74">&#34;argc=%d</span><span style="color:#ae81ff">\n</span><span style="color:#e6db74">&#34;</span>, argc); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>编译:<code>musl-gcc -static -O2 -o hello.elf hello.c</code></p> <p>结果踩了两个隐藏很深的寄存器 bug,花了不少时间才找出来。</p> <h2 id="新增的-syscall">新增的 syscall</h2> <p>musl libc 启动时会调用一批 syscall,其中有三个是绕不过的:</p> <table> <thead> <tr> <th>syscall</th> <th>编号</th> <th>说明</th> </tr> </thead> <tbody> <tr> <td>arch_prctl(ARCH_SET_FS, addr)</td> <td>158</td> <td>设置 TLS base(FS 寄存器)</td> </tr> <tr> <td>set_tid_address(tidptr)</td> <td>218</td> <td>设置线程 ID 地址,返回 pid</td> </tr> <tr> <td>writev(fd, iov, iovcnt)</td> <td>20</td> <td>向量写,musl 的 stdio 用它输出</td> </tr> </tbody> </table> <p><code>arch_prctl</code> 需要写 MSR <code>0xC0000100</code>(FS.base),这是 TLS 的基地址,musl 用来存放线程局部变量:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">case</span> SYS_ARCH_PRCTL: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (a1 <span style="color:#f92672">==</span> ARCH_SET_FS) { </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">wrmsr</span>(<span style="color:#ae81ff">0xC0000100</span>, a2); <span style="color:#75715e">// FS.base MSR </span></span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> (<span style="color:#66d9ef">uint64_t</span>)(<span style="color:#f92672">-</span>EINVAL); </span></span></code></pre></div><p><code>writev</code> 需要遍历 iov 数组,把多段数据拼起来写到 tty:</p>