lists.openwall.net
Date:   Sun, 6 Aug 2023 16:28:08 +0200
From:   Nam Cao <namcaov@...il.com>
To:     Masami Hiramatsu <mhiramat@...nel.org>
Cc:     "Naveen N. Rao" <naveen.n.rao@...ux.ibm.com>,
        Anil S Keshavamurthy <anil.s.keshavamurthy@...el.com>,
        "David S. Miller" <davem@...emloft.net>,
        linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org
Subject: Re: confused about kprobes

On Sun, Aug 06, 2023 at 09:31:50PM +0900, Masami Hiramatsu wrote:
> Hi Nam,
> 
> On Sun, 6 Aug 2023 13:18:28 +0200
> Nam Cao <namcaov@...il.com> wrote:
> 
> > Hello,
> > 
> > I am struggling to understand how kprobes works. It would be very nice if someone
> > can spare the time to explain to me. I'm confused about this function in particular:
> > 
> > /*
> >  * Return an optimized kprobe whose optimizing code replaces
> >  * instructions including 'addr' (exclude breakpoint).
> >  */
> > static struct kprobe *get_optimized_kprobe(kprobe_opcode_t *addr)
> > {
> > 	int i;
> > 	struct kprobe *p = NULL;
> > 	struct optimized_kprobe *op;
> > 
> > 	/* Don't check i == 0, since that is a breakpoint case. */
> > 	for (i = 1; !p && i < MAX_OPTIMIZED_LENGTH / sizeof(kprobe_opcode_t); i++)
> > 		p = get_kprobe(addr - i);
> > 
> > 	if (p && kprobe_optready(p)) {
> > 		op = container_of(p, struct optimized_kprobe, kp);
> > 		if (arch_within_optimized_kprobe(op, addr))
> > 			return p;
> > 	}
> > 
> > 	return NULL;
> > }
> > 
> > The document mentions something about optimizing by replacing trap instructions
> > with jump instructions, so I am assuming this function is part of that.
> 
> Yes, you're right.
> 
> > But I
> > fail to see what this function is trying to do exactly. The for loop seems to
> > call get_kprobe at addresses immediately before "addr". But what for? What are
> > at addresses before "addr"?
> 
> This is for finding a jump optimized kprobe which will modify the instruction
> pointed to by 'addr'. As you may know, on x86, the software-breakpoint
> instruction is 1 byte, but the jump will be 5 bytes. In that case, if we put
> something at an instruction including 'addr', it will be ignored or it will break
> the jump instruction. So it is used for finding such an optimized kprobe.
> 
> For the kprobe, the jump optimization is optional and hidden from the user. We
> should prioritize adding kprobes at specified locations over optimization.
> Thus if we find such an optimized kprobe, it must be unoptimized.

Thank you so much for the detailed answer, it is clear now.

Best regards,
Nam
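The lookup Masami describes, as an added user-space model that is not kernel code and not part of this thread: a small table of constructed probes stands in for the kernel's hash table, `MAX_OPTIMIZED_LENGTH` is an assumed value (the real x86 constant is larger, because the jump must overwrite whole instructions), and `replaced_len` is an assumed field that plays the role of the optimized probe's replaced-instruction size. Walking backwards from `addr` and checking whether `addr` falls inside a jump-optimized probe's replaced range shows why the loop starts at `i = 1` and why a plain breakpoint probe found by the walk is not a conflict.

```c
/* Added example: a user-space model of get_optimized_kprobe(). It is not
 * kernel code; names, sizes and the probe table are assumptions chosen to
 * mirror the x86 case (1-byte breakpoint, 5-byte relative jump). */
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

/* Assumed bound on how many bytes an optimized probe's jump can cover.
 * The kernel's value is larger; any value >= the jump size works here. */
#define MAX_OPTIMIZED_LENGTH 8

struct model_kprobe {
    unsigned long addr;   /* probed instruction address (constructed) */
    bool optimized;       /* true once the trap was replaced by a jump */
    size_t replaced_len;  /* bytes overwritten by the jump when optimized */
};

/* Constructed probe table: an optimized probe at 0x1000 whose jump
 * overwrote 7 bytes of whole instructions (0x1000..0x1006), and a plain
 * breakpoint probe at 0x2000 that only replaced one byte. */
static struct model_kprobe probes[] = {
    { 0x1000, true, 7 },
    { 0x2000, false, 1 },
};

/* Model of get_kprobe(): find a probe registered exactly at addr. */
static struct model_kprobe *model_get_kprobe(unsigned long addr)
{
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        if (probes[i].addr == addr)
            return &probes[i];
    return NULL;
}

/* Model of arch_within_optimized_kprobe(): is addr inside the byte range
 * that the optimized probe's jump instruction overwrote? */
static bool model_within_optimized(const struct model_kprobe *op,
                                   unsigned long addr)
{
    return op->addr <= addr && addr < op->addr + op->replaced_len;
}

/* Model of get_optimized_kprobe(): walk backwards from addr (i == 0 is
 * the exact-match breakpoint case, so it is skipped), stop at the first
 * registered probe, and return it only if it is optimized and its jump
 * covers addr. */
static struct model_kprobe *model_get_optimized_kprobe(unsigned long addr)
{
    struct model_kprobe *p = NULL;

    for (unsigned long i = 1; !p && i < MAX_OPTIMIZED_LENGTH; i++)
        p = model_get_kprobe(addr - i);

    if (p && p->optimized && model_within_optimized(p, addr))
        return p;
    return NULL;
}

/* Address of the optimized probe that would have to be unoptimized before
 * a new probe can be placed at addr, or 0 if there is no conflict. */
unsigned long conflicting_optimized_probe(unsigned long addr)
{
    struct model_kprobe *p = model_get_optimized_kprobe(addr);
    return p ? p->addr : 0;
}

int main(void)
{
    /* Constructed candidate addresses for a new probe. */
    unsigned long tests[] = { 0x1003, 0x1006, 0x1007, 0x2001, 0x1000 };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
        printf("new probe at 0x%lx: conflicting optimized probe at 0x%lx\n",
               tests[i], conflicting_optimized_probe(tests[i]));
    return 0;
}
```

Addresses 0x1003 and 0x1006 sit inside the bytes the jump at 0x1000 overwrote, so a probe there would be silently skipped or would corrupt the jump, which is exactly the conflict the kernel resolves by unoptimizing the existing probe first; 0x1007 is just past the replaced range, 0x2001 follows a probe that still uses a one-byte breakpoint, and 0x1000 itself is the `i == 0` case that `get_kprobe()` handles directly, so none of those report a conflict.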
