[lttng-dev] https://lists.lttng.org/pipermail/lttng-dev/2020-May/029631.html

yashvardhan kukreti yashvardhankukreti at gmail.com
Sun Mar 26 11:00:10 EDT 2023


>
>
> Hi Mathew,
>
> I have a question about this patch for lttng-modules and the use of
> register_kprobe() to fetch the function ptr.
> The question in this regard is especially from PPC64 ELF_ABI_v1
> perspective.
>
> The functions on PPC64 are accessed via the function descriptor, while what
> register_kprobes() returns is the entry point of the function.
> Hence using the returned pointer interprets the addr as the address
> of the function descriptor, dereferences the ppc_inst as the function
> entry point, and crashes:
>
> [ 4145.483594] kernel tried to execute exec-protected page
> (7c0802a6fb81ffe0) - exploit attempt? (uid: 0)
>
> Here 7c0802a6 is the mfspr instruction from the code text section of
> kallsyms_lookup_name().
>
> Note that for PPC_ELF_ABI_v1, register_kprobes() searches for the dot
> variant of the symbol, and only if it cannot find the dot variant does it
> look for the normal symbol.
> register_kprobe() -> kprobe_addr() -> kprobe_lookup_name() [arch variant
> replaces weak symbol]
> https://elixir.bootlin.com/linux/v5.10.174/C/ident/kprobe_lookup_name
>
> Please let me know if I make sense or whether I may have missed something.
>
> I have looked at the code of the 2.12.8 as well as the 2.12.3 version of
> lttng-modules.
>
> Regards,
> Shashank
>
>
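Modelling the failure described in the message above, as an added example (not code from lttng-modules, the kernel, or the poster): it lays out an ELF ABI v1 function descriptor in the same three-doubleword form as the kernel's func_descr_t (entry, toc, env), shows that calling through the "." entry point loads the first eight bytes of machine code as the branch target, and decodes the resulting 64-bit value back into the two big-endian instructions it really is. The sample text bytes are constructed here to match the value in the oops; the decoder covers only mfspr and std/stdu, which is enough for a typical prologue. Byte order is handled explicitly so the model runs on any host, not only on a big-endian ppc64 box.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PPC64 ELF ABI v1 function descriptor: three big-endian doublewords
 * (entry, toc, env), the same layout as the kernel's func_descr_t.
 * Stored byte by byte in big-endian order so this runs on any host. */
enum { FDESC_SIZE = 24 };

static void store_be64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

static uint64_t load_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

static void make_descriptor(uint8_t desc[FDESC_SIZE], uint64_t entry, uint64_t toc)
{
    store_be64(desc, entry);
    store_be64(desc + 8, toc);
    store_be64(desc + 16, 0);                   /* env: unused by C code */
}

/* An ELFv1 indirect call loads the first doubleword of whatever it is
 * handed and branches there. Given a descriptor, that is the entry
 * address; given the "." entry point itself (what kprobe_lookup_name()
 * resolves to on ELFv1), it is the first 8 bytes of machine code. */
static uint64_t elfv1_branch_target(const uint8_t *desc_or_code)
{
    return load_be64(desc_or_code);
}

/* Decode the handful of instructions that open a typical PPC64 function
 * prologue: mfspr (mflr/mfctr) and std/stdu. Returns 1 on success. */
static int decode_prologue_insn(uint32_t insn, char *out, size_t outlen)
{
    unsigned opcd = insn >> 26, rt = (insn >> 21) & 0x1f, ra = (insn >> 16) & 0x1f;

    if (opcd == 31 && ((insn >> 1) & 0x3ff) == 339) {    /* mfspr, XFX-form */
        /* the 10-bit SPR number is encoded with its two 5-bit halves swapped */
        unsigned spr = (((insn >> 11) & 0x1f) << 5) | ((insn >> 16) & 0x1f);
        if (spr == 8)      snprintf(out, outlen, "mflr r%u", rt);
        else if (spr == 9) snprintf(out, outlen, "mfctr r%u", rt);
        else               snprintf(out, outlen, "mfspr r%u,%u", rt, spr);
        return 1;
    }
    if (opcd == 62 && (insn & 3) < 2) {                   /* std (0) / stdu (1), DS-form */
        int32_t ds = (int32_t)(insn & 0xfffc);             /* DS field, already <<2 */
        if (ds & 0x8000) ds -= 0x10000;                    /* sign-extend */
        snprintf(out, outlen, "%s r%u,%d(r%u)", (insn & 1) ? "stdu" : "std", rt, ds, ra);
        return 1;
    }
    return 0;
}

/* Split the 64-bit "address" printed in the oops into the two big-endian
 * instructions it really is. Returns 1 if both decode. */
static int explain_fault_address(uint64_t fault_addr, char *out, size_t outlen)
{
    char first[32], second[32];
    if (!decode_prologue_insn((uint32_t)(fault_addr >> 32), first, sizeof first) ||
        !decode_prologue_insn((uint32_t)fault_addr, second, sizeof second))
        return 0;
    snprintf(out, outlen, "%s ; %s", first, second);
    return 1;
}

static int fault_decodes_to(uint64_t fault_addr, const char *expect)
{
    char buf[80];
    return explain_fault_address(fault_addr, buf, sizeof buf) && strcmp(buf, expect) == 0;
}

/* Build a descriptor for `entry` and call through it: must yield `entry`. */
static uint64_t descriptor_roundtrip(uint64_t entry)
{
    uint8_t desc[FDESC_SIZE];
    make_descriptor(desc, entry, 0);
    return elfv1_branch_target(desc);
}

/* Constructed sample: first 8 bytes of a PPC64 BE kernel function's text,
 * "mflr r0 ; std r28,-32(r1)", the same bytes as the value in the oops. */
static const uint8_t sample_text[8] = { 0x7c, 0x08, 0x02, 0xa6, 0xfb, 0x81, 0xff, 0xe0 };

int main(void)
{
    char buf[80];
    uint64_t bogus = elfv1_branch_target(sample_text);    /* entry point misused as descriptor */
    printf("branch target via entry point: %016llx\n", (unsigned long long)bogus);
    if (explain_fault_address(bogus, buf, sizeof buf))
        printf("  that is code, not an address: %s\n", buf);
    printf("branch target via descriptor:  %016llx\n",
           (unsigned long long)descriptor_roundtrip((uint64_t)(uintptr_t)sample_text));
    return 0;
}
```

The check this gives a practitioner: if the value in "kernel tried to execute exec-protected page (...)" decodes as a sane prologue, the caller has cast an ELFv1 code entry point straight to a C function pointer, and the fix is to call through a descriptor (or to resolve the descriptor-carrying symbol) rather than the "." symbol.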

