lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 6 Aug 2023 21:31:50 +0900
From:   Masami Hiramatsu (Google) <mhiramat@...nel.org>
To:     Nam Cao <namcaov@...il.com>
Cc:     "Naveen N. Rao" <naveen.n.rao@...ux.ibm.com>,
        Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>,
        "David S. Miller" <davem@...emloft.net>,
        linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org
Subject: Re: confused about kprobes

Hi Nam,

On Sun, 6 Aug 2023 13:18:28 +0200
Nam Cao <namcaov@...il.com> wrote:

> Hello,
> 
> I am struggling to understand how kprobes works. It would be very nice if someone
> can spare the time to explain to me. I'm confused about this function in particular:
> 
> /*
>  * Return an optimized kprobe whose optimizing code replaces
>  * instructions including 'addr' (exclude breakpoint).
>  */
> static struct kprobe *get_optimized_kprobe(kprobe_opcode_t *addr)
> {
> 	int i;
> 	struct kprobe *p = NULL;
> 	struct optimized_kprobe *op;
> 
> 	/* Don't check i == 0, since that is a breakpoint case. */
> 	for (i = 1; !p && i < MAX_OPTIMIZED_LENGTH / sizeof(kprobe_opcode_t); i++)
> 		p = get_kprobe(addr - i);
> 
> 	if (p && kprobe_optready(p)) {
> 		op = container_of(p, struct optimized_kprobe, kp);
> 		if (arch_within_optimized_kprobe(op, addr))
> 			return p;
> 	}
> 
> 	return NULL;
> }
> 
> The document mentions something about optimizing by replacing trap instructions
> with jump instructions, so I am assuming this function is part of that.

Yes, you're right. 

> But I
> fail to see what this function is trying to do exactly. The for loop seems to
> call get_kprobe at addresses immediately before "addr". But what for? What are
> at addresses before "addr"?

This is for finding a jump optimized kprobe which will modify the instruction
pointed by 'addr'. As you may know, on x86, the software-breakpoint
instruction is 1 byte, but the jump will be 5 bytes. In that case, if we put
something at instruction including 'addr', it will be ignored or it will break
the jump instruction. So it is used for finding such optimized kprobe.

For the kprobe, the jump optimization is optional and hidden from the user. We
should prioritize adding kprobes at specified locations over optimization.
Thus if we find such optimized kprobe, it must be unoptimized.

> 
> Can someone be so kind to give me a line-by-line explanation of this function?

> 	/* Don't check i == 0, since that is a breakpoint case. */
> 	for (i = 1; !p && i < MAX_OPTIMIZED_LENGTH / sizeof(kprobe_opcode_t); i++)
> 		p = get_kprobe(addr - i);

This tries to find any kprobe before the given addr whcih is possible to be
optimized.

> 
> 	if (p && kprobe_optready(p)) {

If there is a kprobe and that is ready for optimizing (including optimized)

> 		op = container_of(p, struct optimized_kprobe, kp);

convert the kprobe to optimized-kprobe and,

> 		if (arch_within_optimized_kprobe(op, addr))

check whether the optimized kprobe jump modification area is including 'addr'.

> 			return p;

If so, return the found kprobe.

> 	}

Thank you,


> 
> Thanks!
> 
> Nam


-- 
Masami Hiramatsu (Google) <mhiramat@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ