lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4F338135.5090407@hitachi.com>
Date:	Thu, 09 Feb 2012 17:17:57 +0900
From:	Masami Hiramatsu <masami.hiramatsu.pt@...achi.com>
To:	Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
Cc:	Denys Vlasenko <vda.linux@...glemail.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Oleg Nesterov <oleg@...hat.com>, Ingo Molnar <mingo@...e.hu>,
	Andrew Morton <akpm@...ux-foundation.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Linux-mm <linux-mm@...ck.org>, Andi Kleen <andi@...stfloor.org>,
	Christoph Hellwig <hch@...radead.org>,
	Steven Rostedt <rostedt@...dmis.org>,
	Roland McGrath <roland@...k.frob.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Arnaldo Carvalho de Melo <acme@...radead.org>,
	Anton Arapov <anton@...hat.com>,
	Ananth N Mavinakayanahalli <ananth@...ibm.com>,
	Jim Keniston <jkenisto@...ux.vnet.ibm.com>,
	Stephen Rothwell <sfr@...b.auug.org.au>,
	yrl.pp-manager.tt@...achi.com
Subject: Re: [PATCH v10 3.3-rc2 1/9] uprobes: Install and remove breakpoints.

(2012/02/09 15:37), Srikar Dronamraju wrote:
>>
>> No, that is a meaningless operation.
>> As I originally said,
>>
>>> insn_get_length(insn);
>>> if (insn->rex_prefix.nbytes) {
>>> 	cursor = uprobe->insn + insn_offset_rex_prefix(insn);
>>> 	*cursor &= 0xfe;	/* Clearing REX.B bit */
>>> }
>>
> 
> I am confused by why we need to call insn_get_length(insn) before
> checking insn->rex_prefix.nbytes? Is it needed.

Ah, certainly, no, if the insn is already decoded.

> Denys and Masami, can you please confirm if below is fine.
> 
> 
> #ifdef CONFIG_X86_64
> /*
>  * If uprobe->insn doesn't use rip-relative addressing, return
>  * immediately.  Otherwise, rewrite the instruction so that it accesses
>  * its memory operand indirectly through a scratch register.  Set
>  * uprobe->arch_info.fixups and uprobe->arch_info.rip_rela_target_address
>  * accordingly.  (The contents of the scratch register will be saved
>  * before we single-step the modified instruction, and restored
>  * afterward.)
>  *
>  * We do this because a rip-relative instruction can access only a
>  * relatively small area (+/- 2 GB from the instruction), and the XOL
>  * area typically lies beyond that area.  At least for instructions
>  * that store to memory, we can't execute the original instruction
>  * and "fix things up" later, because the misdirected store could be
>  * disastrous.
>  *
>  * Some useful facts about rip-relative instructions:
>  * - There's always a modrm byte.
>  * - There's never a SIB byte.
>  * - The displacement is always 4 bytes.
>  */
> static void handle_riprel_insn(struct mm_struct *mm, struct uprobe *uprobe,
> 							struct insn *insn)
> {

> 	u8 *cursor;
> 	u8 reg;
> 
> 	if (mm->context.ia32_compat)
> 		return;
> 
> 	uprobe->arch_info.rip_rela_target_address = 0x0;
> 	if (!insn_rip_relative(insn))
> 		return;

Here, I think it is better to add a comment that
insn_rip_relative() decodes until modrm. :)

> 
> 	/* Clear REX.b bit (extension of MODRM.rm field):
> 	 * we want to encode rax/rcx, not r8/r9.
> 	 */
> 	if (insn->rex_prefix.nbytes) {
> 		cursor = uprobe->insn + insn_offset_rex_prefix(insn);
> 		*cursor &= 0xfe;
> 	}
> 
> 	/*
> 	 * Point cursor at the modrm byte.  The next 4 bytes are the
> 	 * displacement.  Beyond the displacement, for some instructions,
> 	 * is the immediate operand.
> 	 */
> 	cursor = uprobe->insn + insn_offset_modrm(insn);
> 	insn_get_length(insn);
> 
> 	/*
> 	 * Convert from rip-relative addressing to indirect addressing
> 	 * via a scratch register.  Change the r/m field from 0x5 (%rip)
> 	 * to 0x0 (%rax) or 0x1 (%rcx), and squeeze out the offset field.
> 	 */
> 	reg = MODRM_REG(insn);
> 	if (reg == 0) {
> 		/*
> 		 * The register operand (if any) is either the A register
> 		 * (%rax, %eax, etc.) or (if the 0x4 bit is set in the
> 		 * REX prefix) %r8.  In any case, we know the C register
> 		 * is NOT the register operand, so we use %rcx (register
> 		 * #1) for the scratch register.
> 		 */
> 		uprobe->arch_info.fixups = UPROBES_FIX_RIP_CX;
> 		/* Change modrm from 00 000 101 to 00 000 001. */
> 		*cursor = 0x1;
> 	} else {
> 		/* Use %rax (register #0) for the scratch register. */
> 		uprobe->arch_info.fixups = UPROBES_FIX_RIP_AX;
> 		/* Change modrm from 00 xxx 101 to 00 xxx 000 */
> 		*cursor = (reg << 3);
> 	}
> 
> 	/* Target address = address of next instruction + (signed) offset */
> 	uprobe->arch_info.rip_rela_target_address = (long)insn->length
> 					+ insn->displacement.value;
> 	/* Displacement field is gone; slide immediate field (if any) over. */
> 	if (insn->immediate.nbytes) {
> 		cursor++;
> 		memmove(cursor, cursor + insn->displacement.nbytes,
> 						insn->immediate.nbytes);
> 	}
> 	return;
> }

Confirmed, this looks good to me ;)

Thanks!


-- 
Masami HIRAMATSU
Software Platform Research Dept. Linux Technology Center
Hitachi, Ltd., Yokohama Research Laboratory
E-mail: masami.hiramatsu.pt@...achi.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ