public inbox for systemtap@sourceware.org
* RE: Kprobes might be stealing int3
@ 2006-02-24  6:39 Mao, Bibo
  2006-02-24  6:53 ` Prasanna S Panchamukhi
  0 siblings, 1 reply; 6+ messages in thread
From: Mao, Bibo @ 2006-02-24  6:39 UTC (permalink / raw)
  To: prasanna; +Cc: Keshavamurthy, Anil S, systemtap


Yes, I agree.
Most of the time the INT 3 (CD 03) instruction is not generated by gcc or assemblers; this opcode is created by direct numeric code or self-modifying code.
And currently kprobes mainly works for the kernel part. I have one suggestion: if the int3 instruction happens in user mode, just skip it and let uprobes handle it later.
-               if (kprobe_handler(args->regs))
+               if (!user_mode(args->regs) && kprobe_handler(args->regs))
                        ret = NOTIFY_STOP;
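Review bot: the hunk carries no file header or `@@` context, so it is not clear which die-notifier callback it targets; since the message says IA32 already handles this case and x86_64 does not, name the x86_64 kprobes file explicitly. The operand order is the important part and is right: `!user_mode(args->regs)` is evaluated first, so kprobe_handler() is never entered for a user-mode trap and never dereferences a user-space address the way the `*addr != BREAK_INSTRUCTION` check does today. Note that this does not cover the second issue raised in the thread, a 2-byte CD 03 trap taken in kernel mode, which still needs a separate check on the opcode.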
And it is OK for the stolen_int/brk.c test case, which jumps into the LDT instruction area by an lcall instruction and then causes a trap. IA32 considers this condition, but x86_64 has not considered it.

thanks
bibo,mao

>-----Original Message-----
>From: Prasanna S Panchamukhi [mailto:prasanna@in.ibm.com]
>Sent: February 24, 2006 13:19
>To: Mao, Bibo
>Cc: Keshavamurthy, Anil S; systemtap@sources.redhat.com
>Subject: Re: Kprobes might be stealing int3
>
>Bibo,
>
>In fact, Stas earlier had pointed this problem on the lkml and
>I had posted a patch to fix it.
>URL for this patch is below.
>http://lkml.org/lkml/2004/12/9/43
>
>Thanks
>Prasanna
>
>
>
>On Fri, Feb 24, 2006 at 08:56:47AM +0800, Mao, Bibo wrote:
>> Anil,
>> I searched the x86 assembly manual; for the INT instruction there are three kinds:
>> 	CC 		INT 3 		Interrupt 3―trap to debugger
>> 	CD ib 	INT imm8 		Interrupt vector number specified by immediate byte
>> 	CE 		INTO 		Interrupt 4―if overflow flag is 1
>> So for this test program, the instruction encoding will be 0x03cd; it has the same effect as the 0xcc encoding.
>> And currently in kprobes BREAK_INSTRUCTION is only defined as 0xcc. Maybe the other encoding also needs to be checked.
>>
>> Thanks
>> bibo,mao
>>
>> >-----Original Message-----
>> >From: systemtap-owner@sourceware.org
>[mailto:systemtap-owner@sourceware.org]
>> >On Behalf Of Keshavamurthy, Anil S
>> >Sent: February 24, 2006 7:34
>> >To: systemtap@sources.redhat.com
>> >Subject: FW: Kprobes might be stealing int3
>> >
>> >I went a little further and found why the application is segmentation
>> >faulting.
>> >
>> >In the kprobes_handler() code, we are checking
>> >If (*addr != BREAK_INSTRUCTION)  and this is where the
>> >app is crashing, since we are trying to dereference this address,
>> >which is not a linear address.
>> >
>> >I would be happy to try out any fix that anyone provides.
>> >
>> >Thanks,
>> >Anil
>> >-----Original Message-----
>> >From: Keshavamurthy Anil S [mailto:anil.s.keshavamurthy@intel.com]
>> >Sent: Thursday, February 23, 2006 12:11 PM
>> >To: Systemtap
>> >Cc: Keshavamurthy, Anil S
>> >Subject: Kprobes might be stealing int3
>> >
>> >Hi,
>> >	I tried running the program below on both
>> >x86_64 and i386, and on both architectures,
>> >if the kernel is compiled with CONFIG_KPROBES,
>> >my application below segmentation faults.
>> >
>> >On a kernel where CONFIG_KPROBES is set to N, the
>> >same test program passes.
>> >
>> >Here goes the test program...
>> >-------------------------
>> >#include <stdlib.h>
>> >#include <signal.h>
>> >
>> >void my_trap(int sig)
>> >{
>> > printf("Test passed, all OK\n");
>> > exit(0);
>> >}
>> >
>> >int main()
>> >{
>> > signal(SIGTRAP, my_trap);
>> > asm volatile (".byte 0xcd,3");
>> > printf("Stolen interrupt, very bad!\n");
>> >}
>> >----------------------------------
>> >
>> >
>> >
>> >
>> >
>> >
>
>--
>Prasanna S Panchamukhi
>Linux Technology Center
>India Software Labs, IBM Bangalore
>Email: prasanna@in.ibm.com
>Ph: 91-80-51776329


* Re: Kprobes might be stealing int3
  2006-02-24  6:39 Kprobes might be stealing int3 Mao, Bibo
@ 2006-02-24  6:53 ` Prasanna S Panchamukhi
  0 siblings, 0 replies; 6+ messages in thread
From: Prasanna S Panchamukhi @ 2006-02-24  6:53 UTC (permalink / raw)
  To: Mao, Bibo; +Cc: Keshavamurthy, Anil S, systemtap

On Fri, Feb 24, 2006 at 02:39:10PM +0800, Mao, Bibo wrote:
> Yes, I agree.
> Most of the time the INT 3 (CD 03) instruction is not generated by gcc or assemblers; this opcode is created by direct numeric code or self-modifying code.
> And currently kprobes mainly works for the kernel part. I have one suggestion: if the int3 instruction happens in user mode, just skip it and let uprobes handle it later.
> -               if (kprobe_handler(args->regs))
> +               if (!user_mode(args->regs) && kprobe_handler(args->regs))
>                         ret = NOTIFY_STOP;

This looks good to me.


Thanks
Prasanna


> And it is OK for the stolen_int/brk.c test case, which jumps into the LDT instruction area by an lcall instruction and then causes a trap. IA32 considers this condition, but x86_64 has not considered it.

> 
> thanks
> bibo,mao
> 
> >-----Original Message-----
> >From: Prasanna S Panchamukhi [mailto:prasanna@in.ibm.com]
> >Sent: February 24, 2006 13:19
> >To: Mao, Bibo
> >Cc: Keshavamurthy, Anil S; systemtap@sources.redhat.com
> >Subject: Re: Kprobes might be stealing int3
> >
> >Bibo,
> >
> >In fact, Stas earlier had pointed this problem on the lkml and
> >I had posted a patch to fix it.
> >URL for this patch is below.
> >http://lkml.org/lkml/2004/12/9/43
> >
> >Thanks
> >Prasanna
> >
> >
> >
> >On Fri, Feb 24, 2006 at 08:56:47AM +0800, Mao, Bibo wrote:
> >> Anil,
> >> I searched the x86 assembly manual; for the INT instruction there are three kinds:
> >> 	CC 		INT 3 		Interrupt 3―trap to debugger
> >> 	CD ib 	INT imm8 		Interrupt vector number specified by immediate byte
> >> 	CE 		INTO 		Interrupt 4―if overflow flag is 1
> >> So for this test program, the instruction encoding will be 0x03cd; it has the same effect as the 0xcc encoding.
> >> And currently in kprobes BREAK_INSTRUCTION is only defined as 0xcc. Maybe the other encoding also needs to be checked.
> >>
> >> Thanks
> >> bibo,mao
> >>
> >> >-----Original Message-----
> >> >From: systemtap-owner@sourceware.org
> >[mailto:systemtap-owner@sourceware.org]
> >> >On Behalf Of Keshavamurthy, Anil S
> >> >Sent: February 24, 2006 7:34
> >> >To: systemtap@sources.redhat.com
> >> >Subject: FW: Kprobes might be stealing int3
> >> >
> >> >I went a little further and found why the application is segmentation
> >> >faulting.
> >> >
> >> >In the kprobes_handler() code, we are checking
> >> >If (*addr != BREAK_INSTRUCTION)  and this is where the
> >> >app is crashing, since we are trying to dereference this address,
> >> >which is not a linear address.
> >> >
> >> >I would be happy to try out any fix that anyone provides.
> >> >
> >> >Thanks,
> >> >Anil
> >> >-----Original Message-----
> >> >From: Keshavamurthy Anil S [mailto:anil.s.keshavamurthy@intel.com]
> >> >Sent: Thursday, February 23, 2006 12:11 PM
> >> >To: Systemtap
> >> >Cc: Keshavamurthy, Anil S
> >> >Subject: Kprobes might be stealing int3
> >> >
> >> >Hi,
> >> >	I tried running the program below on both
> >> >x86_64 and i386, and on both architectures,
> >> >if the kernel is compiled with CONFIG_KPROBES,
> >> >my application below segmentation faults.
> >> >
> >> >On a kernel where CONFIG_KPROBES is set to N, the
> >> >same test program passes.
> >> >
> >> >Here goes the test program...
> >> >-------------------------
> >> >#include <stdlib.h>
> >> >#include <signal.h>
> >> >
> >> >void my_trap(int sig)
> >> >{
> >> > printf("Test passed, all OK\n");
> >> > exit(0);
> >> >}
> >> >
> >> >int main()
> >> >{
> >> > signal(SIGTRAP, my_trap);
> >> > asm volatile (".byte 0xcd,3");
> >> > printf("Stolen interrupt, very bad!\n");
> >> >}
> >> >----------------------------------
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >
> >--
> >Prasanna S Panchamukhi
> >Linux Technology Center
> >India Software Labs, IBM Bangalore
> >Email: prasanna@in.ibm.com
> >Ph: 91-80-51776329

-- 
Prasanna S Panchamukhi
Linux Technology Center
India Software Labs, IBM Bangalore
Email: prasanna@in.ibm.com
Ph: 91-80-51776329


* Re: Kprobes might be stealing int3
  2006-02-24  0:56 Mao, Bibo
  2006-02-24  2:39 ` Ananth N Mavinakayanahalli
@ 2006-02-24  5:17 ` Prasanna S Panchamukhi
  1 sibling, 0 replies; 6+ messages in thread
From: Prasanna S Panchamukhi @ 2006-02-24  5:17 UTC (permalink / raw)
  To: Mao, Bibo; +Cc: Keshavamurthy, Anil S, systemtap

Bibo,

In fact, Stas earlier had pointed this problem on the lkml and
I had posted a patch to fix it.
URL for this patch is below.
http://lkml.org/lkml/2004/12/9/43

Thanks
Prasanna



On Fri, Feb 24, 2006 at 08:56:47AM +0800, Mao, Bibo wrote:
> Anil,
> I searched the x86 assembly manual; for the INT instruction there are three kinds:
> 	CC 		INT 3 		Interrupt 3―trap to debugger
> 	CD ib 	INT imm8 		Interrupt vector number specified by immediate byte
> 	CE 		INTO 		Interrupt 4―if overflow flag is 1
> So for this test program, the instruction encoding will be 0x03cd; it has the same effect as the 0xcc encoding.
> And currently in kprobes BREAK_INSTRUCTION is only defined as 0xcc. Maybe the other encoding also needs to be checked.
> 
> Thanks
> bibo,mao
> 
> >-----Original Message-----
> >From: systemtap-owner@sourceware.org [mailto:systemtap-owner@sourceware.org]
> >On Behalf Of Keshavamurthy, Anil S
> >Sent: February 24, 2006 7:34
> >To: systemtap@sources.redhat.com
> >Subject: FW: Kprobes might be stealing int3
> >
> >I went a little further and found why the application is segmentation
> >faulting.
> >
> >In the kprobes_handler() code, we are checking
> >If (*addr != BREAK_INSTRUCTION)  and this is where the
> >app is crashing, since we are trying to dereference this address,
> >which is not a linear address.
> >
> >I would be happy to try out any fix that anyone provides.
> >
> >Thanks,
> >Anil
> >-----Original Message-----
> >From: Keshavamurthy Anil S [mailto:anil.s.keshavamurthy@intel.com]
> >Sent: Thursday, February 23, 2006 12:11 PM
> >To: Systemtap
> >Cc: Keshavamurthy, Anil S
> >Subject: Kprobes might be stealing int3
> >
> >Hi,
> >	I tried running the program below on both
> >x86_64 and i386, and on both architectures,
> >if the kernel is compiled with CONFIG_KPROBES,
> >my application below segmentation faults.
> >
> >On a kernel where CONFIG_KPROBES is set to N, the
> >same test program passes.
> >
> >Here goes the test program...
> >-------------------------
> >#include <stdlib.h>
> >#include <signal.h>
> >
> >void my_trap(int sig)
> >{
> > printf("Test passed, all OK\n");
> > exit(0);
> >}
> >
> >int main()
> >{
> > signal(SIGTRAP, my_trap);
> > asm volatile (".byte 0xcd,3");
> > printf("Stolen interrupt, very bad!\n");
> >}
> >----------------------------------
> >
> >
> >
> >
> >
> >

-- 
Prasanna S Panchamukhi
Linux Technology Center
India Software Labs, IBM Bangalore
Email: prasanna@in.ibm.com
Ph: 91-80-51776329


* Re: Kprobes might be stealing int3
  2006-02-24  0:56 Mao, Bibo
@ 2006-02-24  2:39 ` Ananth N Mavinakayanahalli
  2006-02-24  5:17 ` Prasanna S Panchamukhi
  1 sibling, 0 replies; 6+ messages in thread
From: Ananth N Mavinakayanahalli @ 2006-02-24  2:39 UTC (permalink / raw)
  To: Mao, Bibo; +Cc: Keshavamurthy, Anil S, systemtap

On Fri, Feb 24, 2006 at 08:56:47AM +0800, Mao, Bibo wrote:
> Anil,
> I searched the x86 assembly manual; for the INT instruction there are three kinds:
> 	CC 		INT 3 		Interrupt 3―trap to debugger
> 	CD ib 	INT imm8 		Interrupt vector number specified by immediate byte
> 	CE 		INTO 		Interrupt 4―if overflow flag is 1
> So for this test program, the instruction encoding will be 0x03cd; it has the same effect as the 0xcc encoding.
> And currently in kprobes BREAK_INSTRUCTION is only defined as 0xcc. Maybe the other encoding also needs to be checked.

I think you are right. We had a similar problem with PowerPC where you
can potentially have _many_ opcodes for a "TRAP". For a while, GDB on
Power was borken 'cos we weren't taking care of all cases. That resulted
in the IS_TRAP() macro in include/asm-powerpc/kprobes.h. Something of
that sort may be needed for the other archs in question.

In effect, the 
	if (*addr != BREAKPOINT_INSTRUCTION)
must be expanded to consider the other opcode cases and pass on control
to other apps that may be waiting on it (Again check 
arch/powerpc/kernel/kprobes.c for usage of IS_TRAP).

Ananth

> Thanks
> bibo,mao
> 
> >-----Original Message-----
> >From: systemtap-owner@sourceware.org [mailto:systemtap-owner@sourceware.org]
> >On Behalf Of Keshavamurthy, Anil S
> >Sent: February 24, 2006 7:34
> >To: systemtap@sources.redhat.com
> >Subject: FW: Kprobes might be stealing int3
> >
> >I went a little further and found why the application is segmentation
> >faulting.
> >
> >In the kprobes_handler() code, we are checking
> >If (*addr != BREAK_INSTRUCTION)  and this is where the
> >app is crashing, since we are trying to dereference this address,
> >which is not a linear address.
> >
> >I would be happy to try out any fix that anyone provides.
> >
> >Thanks,
> >Anil
> >-----Original Message-----
> >From: Keshavamurthy Anil S [mailto:anil.s.keshavamurthy@intel.com]
> >Sent: Thursday, February 23, 2006 12:11 PM
> >To: Systemtap
> >Cc: Keshavamurthy, Anil S
> >Subject: Kprobes might be stealing int3
> >
> >Hi,
> >	I tried running the program below on both
> >x86_64 and i386, and on both architectures,
> >if the kernel is compiled with CONFIG_KPROBES,
> >my application below segmentation faults.
> >
> >On a kernel where CONFIG_KPROBES is set to N, the
> >same test program passes.
> >
> >Here goes the test program...
> >-------------------------
> >#include <stdlib.h>
> >#include <signal.h>
> >
> >void my_trap(int sig)
> >{
> > printf("Test passed, all OK\n");
> > exit(0);
> >}
> >
> >int main()
> >{
> > signal(SIGTRAP, my_trap);
> > asm volatile (".byte 0xcd,3");
> > printf("Stolen interrupt, very bad!\n");
> >}
> >----------------------------------
> >
> >
> >
> >
> >
> >
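The two fixes discussed in this thread, Bibo's skip of user-mode int3 traps and an IS_TRAP()-style check that recognises the CD 03 encoding alongside 0xCC, as an added C example. This is not code from the thread or from the kernel; classify_bp(), kprobe_should_claim() and struct fake_regs are constructed names standing in for the real handler and pt_regs, and the code images are constructed.

```c
/* Added example, not code from the thread or the kernel: an IS_TRAP()-style
 * check for both x86 encodings of a vector-3 trap, plus the "skip user-mode
 * int3" rule from the proposed patch.  classify_bp(), kprobe_should_claim()
 * and struct fake_regs are constructed names. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum bp_kind { BP_NONE = 0, BP_INT3_CC = 1, BP_INT_CD03 = 2 };

#define OP_INT3     0xCC  /* INT 3: one byte, the form kprobes plants        */
#define OP_INT_IMM8 0xCD  /* INT imm8: two bytes; imm8 == 3 is also vector 3 */

/* #BP reports the IP *after* the trapping instruction, so a handler that only
 * tests code[ip - 1] == 0xCC cannot see the CD 03 form (ip - 1 holds 0x03).
 * Caveat: x86 is variable-length, so "CD 03" could in theory be the tail of
 * another instruction; a real handler would also consult its probe table. */
enum bp_kind classify_bp(const uint8_t *code, size_t len, size_t ip)
{
    if (ip > len)
        return BP_NONE;
    if (ip >= 2 && code[ip - 2] == OP_INT_IMM8 && code[ip - 1] == 0x03)
        return BP_INT_CD03;
    if (ip >= 1 && code[ip - 1] == OP_INT3)
        return BP_INT3_CC;
    return BP_NONE;
}

/* Constructed stand-in for pt_regs: post-trap IP and the CPL-3 mode bit. */
struct fake_regs { size_t ip; bool user; };

/* Claim the trap only if it is a kernel-mode, one-byte 0xCC breakpoint; a
 * user-mode trap (Anil's test program) or the CD 03 form is passed on. */
bool kprobe_should_claim(const uint8_t *kcode, size_t len, const struct fake_regs *r)
{
    if (r->user)
        return false;              /* the !user_mode(regs) test from the patch */
    return classify_bp(kcode, len, r->ip) == BP_INT3_CC;
}

int main(void)
{
    /* Constructed code images: a planted 0xCC, and Anil's ".byte 0xcd,3". */
    static const uint8_t planted[] = { 0x90, 0xCC, 0x90 };
    static const uint8_t cd03[]    = { 0x90, 0xCD, 0x03, 0x90 };
    struct fake_regs k = { 2, false }, u = { 3, true };

    printf("kernel 0xCC: claim=%d\n", kprobe_should_claim(planted, 3, &k));
    printf("user CD 03:  claim=%d kind=%d\n",
           kprobe_should_claim(cd03, 4, &u), classify_bp(cd03, 4, u.ip));
    return 0;
}
```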


* RE: Kprobes might be stealing int3
@ 2006-02-24  0:56 Mao, Bibo
  2006-02-24  2:39 ` Ananth N Mavinakayanahalli
  2006-02-24  5:17 ` Prasanna S Panchamukhi
  0 siblings, 2 replies; 6+ messages in thread
From: Mao, Bibo @ 2006-02-24  0:56 UTC (permalink / raw)
  To: Keshavamurthy, Anil S; +Cc: systemtap

Anil,
I searched the x86 assembly manual; for the INT instruction there are three kinds:
	CC 		INT 3 		Interrupt 3―trap to debugger
	CD ib 	INT imm8 		Interrupt vector number specified by immediate byte
	CE 		INTO 		Interrupt 4―if overflow flag is 1
So for this test program, the instruction encoding will be 0x03cd; it has the same effect as the 0xcc encoding.
And currently in kprobes BREAK_INSTRUCTION is only defined as 0xcc. Maybe the other encoding also needs to be checked.

Thanks
bibo,mao

>-----Original Message-----
>From: systemtap-owner@sourceware.org [mailto:systemtap-owner@sourceware.org]
>On Behalf Of Keshavamurthy, Anil S
>Sent: February 24, 2006 7:34
>To: systemtap@sources.redhat.com
>Subject: FW: Kprobes might be stealing int3
>
>I went a little further and found why the application is segmentation
>faulting.
>
>In the kprobes_handler() code, we are checking
>If (*addr != BREAK_INSTRUCTION)  and this is where the
>app is crashing, since we are trying to dereference this address,
>which is not a linear address.
>
>I would be happy to try out any fix that anyone provides.
>
>Thanks,
>Anil
>-----Original Message-----
>From: Keshavamurthy Anil S [mailto:anil.s.keshavamurthy@intel.com]
>Sent: Thursday, February 23, 2006 12:11 PM
>To: Systemtap
>Cc: Keshavamurthy, Anil S
>Subject: Kprobes might be stealing int3
>
>Hi,
>	I tried running the program below on both
>x86_64 and i386, and on both architectures,
>if the kernel is compiled with CONFIG_KPROBES,
>my application below segmentation faults.
>
>On a kernel where CONFIG_KPROBES is set to N, the
>same test program passes.
>
>Here goes the test program...
>-------------------------
>#include <stdlib.h>
>#include <signal.h>
>
>void my_trap(int sig)
>{
> printf("Test passed, all OK\n");
> exit(0);
>}
>
>int main()
>{
> signal(SIGTRAP, my_trap);
> asm volatile (".byte 0xcd,3");
> printf("Stolen interrupt, very bad!\n");
>}
>----------------------------------
>
>
>
>
>
>


* Kprobes might be stealing int3
@ 2006-02-23 20:10 Keshavamurthy Anil S
  0 siblings, 0 replies; 6+ messages in thread
From: Keshavamurthy Anil S @ 2006-02-23 20:10 UTC (permalink / raw)
  To: Systemtap; +Cc: anil.s.keshavamurthy

Hi,
	I tried running the program below on both
x86_64 and i386, and on both architectures,
if the kernel is compiled with CONFIG_KPROBES,
my application below segmentation faults.

On a kernel where CONFIG_KPROBES is set to N, the
same test program passes.

Here goes the test program...
-------------------------
#include <stdio.h>   /* printf() was used without a prototype */
#include <stdlib.h>
#include <signal.h>
 
/* SIGTRAP handler: reached only if the int3 trap is delivered to the process
   rather than being consumed (or mishandled) inside the kernel. */
void my_trap(int sig)
{
 (void)sig;
 printf("Test passed, all OK\n");
 exit(0);
}
 
int main(void)
{
 signal(SIGTRAP, my_trap);
 /* INT imm8 with vector 3 (bytes CD 03): a two-byte encoding of the
    breakpoint trap, not the one-byte 0xCC that kprobes plants and checks for. */
 asm volatile (".byte 0xcd,3");
 printf("Stolen interrupt, very bad!\n");
 return 1;
}
----------------------------------
