How to Apply Live Hot Patches to Running Applications Without Restart

Preface

Hot patching is a technique that dynamically fixes bugs in memory‑resident code while a program is running. At UCloud we use kernel hot patches and application hot patches to repair core business defects and security vulnerabilities without restarting services.

Principle

Application hot patching typically compiles patch source into a loadable shared library (patch.so), loads it into the target process address space with a loader, and after safety checks replaces the original function code with the new version.

The process involves a loader (Loader), the target process T, and the patch library patch.so, where a function func is replaced by func_v2.

Hot Patch

Write patch source and compile into patch.so containing both original and new function symbols.

Loader loads patch.so, uses dlsym to locate func, makes its entry writable, and redirects it to func_v2.

All subsequent calls to func are redirected to func_v2, after which the program continues.

Hot Patch Loader

Loader finds the address of dlopen (or __libc_dlopen_mode) in the target process.

Using ptrace, Loader attaches to T, pushes the patch name onto T's stack, sets the instruction pointer to dlopen, and arranges arguments (filename, RTLD_NOW).

Loader sets a fake return address (0x0) so that a SIGSEGV is generated after dlopen returns, allowing Loader to regain control.

After dlopen finishes, Loader reads the return value from %rax, restores the original register state, and detaches.

Implementation

We demonstrate a simple x86_64 hot‑patch demo. The patch library contains a constructor that replaces the original print function with a new version that prints “Goodbye”.

Build steps and example code are shown (omitted for brevity).

Verification

Running the target program (printing “Hello” every second) and loading libnew.so changes the output to “Goodbye”. GDB inspection confirms that the entry of print was patched to the expected machine code.

Conclusion

Application hot patching can replace globally visible functions in shared libraries, enabling rapid, user‑transparent bug fixes such as the glibc GHOST vulnerability. The technique is simple and reliable but requires careful manual patch writing and cannot modify local functions or variables.