| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20091120172418.GF6869@linux-mips.org>
Date: Fri, 20 Nov 2009 17:24:18 +0000
From: Ralf Baechle <ralf@...ux-mips.org>
To: Wu Zhangjin <wuzhangjin@...il.com>
Cc: rostedt@...dmis.org, Nicholas Mc Guire <der.herr@...r.at>,
zhangfx@...ote.com, Ingo Molnar <mingo@...e.hu>,
Thomas Gleixner <tglx@...utronix.de>,
Frederic Weisbecker <fweisbec@...il.com>,
linux-kernel@...r.kernel.org, linux-mips@...ux-mips.org
Subject: Re: [PATCH v9 06/10] tracing: add function graph tracer support
for MIPS
On Fri, Nov 20, 2009 at 08:34:34PM +0800, Wu Zhangjin wrote:
> The implementation of function graph tracer for MIPS is a little
> different from X86.
>
> in MIPS, gcc(with -pg) only transfer the caller's return address(at) and
> the _mcount's return address(ra) to us.
>
> For the kernel part without -mlong-calls:
>
> move at, ra
> jal _mcount
>
> For the module part with -mlong-calls:
>
> lui v1, hi16bit_of_mcount
> addiu v1, v1, low16bit_of_mcount
> move at, ra
> jal _mcount
>
> Without -mlong-calls,
>
> if the function is a leaf, it will not save the return address(ra):
>
> ffffffff80101298 <au1k_wait>:
> ffffffff80101298: 67bdfff0 daddiu sp,sp,-16
> ffffffff8010129c: ffbe0008 sd s8,8(sp)
> ffffffff801012a0: 03a0f02d move s8,sp
> ffffffff801012a4: 03e0082d move at,ra
> ffffffff801012a8: 0c042930 jal ffffffff8010a4c0 <_mcount>
> ffffffff801012ac: 00020021 nop
>
> so, we can hijack it directly in _mcount, but if the function is non-leaf, the
> return address is saved in the stack.
>
> ffffffff80133030 <copy_process>:
> ffffffff80133030: 67bdff50 daddiu sp,sp,-176
> ffffffff80133034: ffbe00a0 sd s8,160(sp)
> ffffffff80133038: 03a0f02d move s8,sp
> ffffffff8013303c: ffbf00a8 sd ra,168(sp)
> ffffffff80133040: ffb70098 sd s7,152(sp)
> ffffffff80133044: ffb60090 sd s6,144(sp)
> ffffffff80133048: ffb50088 sd s5,136(sp)
> ffffffff8013304c: ffb40080 sd s4,128(sp)
> ffffffff80133050: ffb30078 sd s3,120(sp)
> ffffffff80133054: ffb20070 sd s2,112(sp)
> ffffffff80133058: ffb10068 sd s1,104(sp)
> ffffffff8013305c: ffb00060 sd s0,96(sp)
> ffffffff80133060: 03e0082d move at,ra
> ffffffff80133064: 0c042930 jal ffffffff8010a4c0 <_mcount>
> ffffffff80133068: 00020021 nop
>
> but we can not get the exact stack address(which saved ra) directly in
> _mcount, we need to search the content of at register in the stack space
> or search the "s{d,w} ra, offset(sp)" instruction in the text. 'Cause we
> can not prove there is only a match in the stack space, so, we search
> the text instead.
>
> as we can see, if the first instruction above "move at, ra" is not a
> store instruction, there should be a leaf function, so we hijack the at
> register directly via putting &return_to_handler into it, otherwise, we
> search the "s{d,w} ra, offset(sp)" instruction to get the stack offset,
> and then the stack address. we use the above copy_process() as an
> example, we at last find "ffbf00a8", 0xa8 is the stack offset, we plus
> it with s8(fp), that is the stack address, we hijack the content via
> writing the &return_to_handler in.
>
> If with -mlong-calls, since there are two more instructions above "move
> at, ra", so, we can move the pointer to the position above "lui v1,
> hi16bit_of_mcount".
>
> Signed-off-by: Wu Zhangjin <wuzhangjin@...il.com>
Queued for 2.6.33 but due to patch 3/3 I won't propagate this series
immediately to linux-next.
Thanks!
Ralf
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists