| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 09 Feb 2012 17:17:57 +0900
From: Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>
To: Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
Cc: Denys Vlasenko <vda.linux@...glemail.com>,
Peter Zijlstra <peterz@...radead.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Oleg Nesterov <oleg@...hat.com>, Ingo Molnar <mingo@...e.hu>,
Andrew Morton <akpm@...ux-foundation.org>,
LKML <linux-kernel@...r.kernel.org>,
Linux-mm <linux-mm@...ck.org>, Andi Kleen <andi@...stfloor.org>,
Christoph Hellwig <hch@...radead.org>,
Steven Rostedt <rostedt@...dmis.org>,
Roland McGrath <roland@...k.frob.com>,
Thomas Gleixner <tglx@...utronix.de>,
Arnaldo Carvalho de Melo <acme@...radead.org>,
Anton Arapov <anton@...hat.com>,
Ananth N Mavinakayanahalli <ananth@...ibm.com>,
Jim Keniston <jkenisto@...ux.vnet.ibm.com>,
Stephen Rothwell <sfr@...b.auug.org.au>,
yrl.pp-manager.tt@...achi.com
Subject: Re: [PATCH v10 3.3-rc2 1/9] uprobes: Install and remove breakpoints.
(2012/02/09 15:37), Srikar Dronamraju wrote:
>>
>> No, that is a meaningless operation.
>> As I originally said,
>>
>>> insn_get_length(insn);
>>> if (insn->rex_prefix.nbytes) {
>>> cursor = uprobe->insn + insn_offset_rex_prefix(insn);
>>> *cursor &= 0xfe; /* Clearing REX.B bit */
>>> }
>>
>
> I am confused by why we need to call insn_get_length(insn) before
> checking insn->rex_prefix.nbytes? Is it needed.
Ah, certainly, no, if the insn is already decoded.
> Denys and Masami, can you please confirm if below is fine.
>
>
> #ifdef CONFIG_X86_64
> /*
> * If uprobe->insn doesn't use rip-relative addressing, return
> * immediately. Otherwise, rewrite the instruction so that it accesses
> * its memory operand indirectly through a scratch register. Set
> * uprobe->arch_info.fixups and uprobe->arch_info.rip_rela_target_address
> * accordingly. (The contents of the scratch register will be saved
> * before we single-step the modified instruction, and restored
> * afterward.)
> *
> * We do this because a rip-relative instruction can access only a
> * relatively small area (+/- 2 GB from the instruction), and the XOL
> * area typically lies beyond that area. At least for instructions
> * that store to memory, we can't execute the original instruction
> * and "fix things up" later, because the misdirected store could be
> * disastrous.
> *
> * Some useful facts about rip-relative instructions:
> * - There's always a modrm byte.
> * - There's never a SIB byte.
> * - The displacement is always 4 bytes.
> */
> static void handle_riprel_insn(struct mm_struct *mm, struct uprobe *uprobe,
> struct insn *insn)
> {
> u8 *cursor;
> u8 reg;
>
> if (mm->context.ia32_compat)
> return;
>
> uprobe->arch_info.rip_rela_target_address = 0x0;
> if (!insn_rip_relative(insn))
> return;
Here, I think it is better to add a comment that
insn_rip_relative() decodes until modrm. :)
>
> /* Clear REX.b bit (extension of MODRM.rm field):
> * we want to encode rax/rcx, not r8/r9.
> */
> if (insn->rex_prefix.nbytes) {
> cursor = uprobe->insn + insn_offset_rex_prefix(insn);
> *cursor &= 0xfe;
> }
>
> /*
> * Point cursor at the modrm byte. The next 4 bytes are the
> * displacement. Beyond the displacement, for some instructions,
> * is the immediate operand.
> */
> cursor = uprobe->insn + insn_offset_modrm(insn);
> insn_get_length(insn);
>
> /*
> * Convert from rip-relative addressing to indirect addressing
> * via a scratch register. Change the r/m field from 0x5 (%rip)
> * to 0x0 (%rax) or 0x1 (%rcx), and squeeze out the offset field.
> */
> reg = MODRM_REG(insn);
> if (reg == 0) {
> /*
> * The register operand (if any) is either the A register
> * (%rax, %eax, etc.) or (if the 0x4 bit is set in the
> * REX prefix) %r8. In any case, we know the C register
> * is NOT the register operand, so we use %rcx (register
> * #1) for the scratch register.
> */
> uprobe->arch_info.fixups = UPROBES_FIX_RIP_CX;
> /* Change modrm from 00 000 101 to 00 000 001. */
> *cursor = 0x1;
> } else {
> /* Use %rax (register #0) for the scratch register. */
> uprobe->arch_info.fixups = UPROBES_FIX_RIP_AX;
> /* Change modrm from 00 xxx 101 to 00 xxx 000 */
> *cursor = (reg << 3);
> }
>
> /* Target address = address of next instruction + (signed) offset */
> uprobe->arch_info.rip_rela_target_address = (long)insn->length
> + insn->displacement.value;
> /* Displacement field is gone; slide immediate field (if any) over. */
> if (insn->immediate.nbytes) {
> cursor++;
> memmove(cursor, cursor + insn->displacement.nbytes,
> insn->immediate.nbytes);
> }
> return;
> }
Confirmed, this looks good to me ;)
Thanks!
--
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: masami.hiramatsu.pt@...achi.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists