Re: [RFC][PATCH 1/2] x86: Allow breakpoints to emulate call functions

From: Linus Torvalds
Date: Mon May 06 2019 - 18:13:39 EST

Next message: Kees Cook: "Re: [RFC PATCH v2 3/4] Fix twofish crypto functions prototype casts"
Previous message: Victor Bravo: "[PATCH RFC v3] brcmfmac: sanitize DMI strings"
In reply to: Steven Rostedt: "Re: [RFC][PATCH 1/2] x86: Allow breakpoints to emulate call functions"
Next in thread: Linus Torvalds: "Re: [RFC][PATCH 1/2] x86: Allow breakpoints to emulate call functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, May 6, 2019 at 2:45 PM Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
>
> To do that we would need to rewrite the logic to update each of those
> 40,000 calls one at a time, or group them together to what gets
> changed.

Stephen, YOU ARE NOT LISTENING.

You are already fixing the value of the call in the instruction as
part of the instruction rewriting.

When you do things like this:

unsigned long ip = (unsigned long)(&ftrace_call);
unsigned char *new;
int ret;

new = ftrace_call_replace(ip, (unsigned long)func);
ret = update_ftrace_func(ip, new);

you have already decided to rewrite the instruction with one single
fixed call target: "func".

I'm just saying that you should ALWAYS use the same call target in the
int3 emulation.

Instead, you hardcode something else than what you are AT THE SAME
TIME rewriting the instruction with.

See what I'm saying?

You already save off the "ip" of the instruction you modify in
update_ftrace_func(). I'm just saying that you should *also* save off
the actual target of the call, and use *THAT*.

So that the int3 emulation and the instruction rewriting *match*.

What you do now makes no sense. You're modifing the code with one
thing (the "func" argument in update_ftrace_func), so if your
modification completed, that's what you'll actually *run*. But you're
then _emulating_ doing somethiing completely different, not using
"func" at all there.

So let me say one more time: how can it *possibly* make sense to
emulate something else than you are changing the instruction to read?

Are you finally understanding what craziness I'm talking about?

Stop with the "there could be thousands of targets" arguyment. The
"call" instruction THAT YOU ARE REWRITING has exactly one target.
There aren't 40,000 of them. x86 does not have that kind of "call"
instruction that randomly calls 40k different functions. You are
replacing FIVE BYTES of memory, and the emulation you do should
emulate those FIVE BYTES.

See?

Why are you emulating something different than what you are rewriting?

Linus

Next message: Kees Cook: "Re: [RFC PATCH v2 3/4] Fix twofish crypto functions prototype casts"
Previous message: Victor Bravo: "[PATCH RFC v3] brcmfmac: sanitize DMI strings"
In reply to: Steven Rostedt: "Re: [RFC][PATCH 1/2] x86: Allow breakpoints to emulate call functions"
Next in thread: Linus Torvalds: "Re: [RFC][PATCH 1/2] x86: Allow breakpoints to emulate call functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]