Comments (11)
@deyixtan Could you record the processor trace buffer using kfx --ptcov --debug
mode instead of using xen-vmtrace
? I tried the following on several boxes and the resulting buffer was correct:
echo -n -e '\xCC' > cc
sudo ./kernel-fuzzer-for-xen-project/rwmem --domid <guest domain id> --read <base of __x64_sys_setuid> --file backup --limit 1
xxd backup
sudo ./kernel-fuzzer-for-xen-project/rwmem --domid <guest domain id> --write <base of __x64_sys_setuid> --file cc --limit 1
sudo ./kernel-fuzzer-for-xen-project/kfx --domid <guest domain id> --setup --harness breakpoint --start-byte <byte from backup>
sudo ./forkvm <guest domain id>
sudo ./stepper --domid <fork id> --limit 10
sudo ./forkvm <guest domain id>
sudo ./kernel-fuzzer-for-xen-project/rwmem --domid <fork 2 id> --write <ip shown for step 10 in stepper output> --file cc --limit 1
sudo ./rwmem --domid 1 --list-pages | tail -n1
sudo ./kernel-fuzzer-for-xen-project/kfx --domid <fork 2 id> --json ubuntu.json --address <address from rwmem output> --input /dev/zero --input-limit 1 --harness breakpoint --start-byte <byte from backup> --ptcov --debug
from libipt.
Hello Deyi,
A missing PSBEND is indeed a trace collection issue. What causes this I cannot say. I am not aware of a scenario where PSBEND would not be generated. But it may get overwritten later due to other issues. Does the rest of the trace decode (using ptxed or a similar tool) without error?
The trace seems to consist of multiple chunks and each chunk starts with that same issue. Is this file the concatenation of multiple trace buffers?
There is an erratum [ICL082, TGL052] affecting the processors you listed that may cause very weird-looking traces. This should already be fixed in the OS by forcing ToPA on those processors but it's still worth checking. Would you be able to check whether PT output is configured to ToPA or to single-range when you're seeing those issues? This is configured in IA32_RTIT_CTL[8].
from libipt.
Hello Markus, apologies for the late reply.
What do you mean by concatenation of multiple trace buffers?
Anyways, IA32_RTIT_CTL[8] is set to 0, so I believe the PT output was configured to single-range.
Is that the reason why I am seeing such a weird looking trace? Are there other ways I might be able resolve this issue with single-range scheme?
Also may I know where can I find more info about this erratum [ICL082, TGL052]? Thanks!
from libipt.
The trace file contained trace at regular offsets with nothing (i.e. all zeroes) in between. Each section starts with the same issue. This looked to me like multiple traces were concatenated into a single file.
Errata are documented in specification updates; you can find them here: https://www.intel.com/content/www/us/en/products/docs/processors/core/core-technical-resources.html.
Could you try with ToPA instead of single-range?
from libipt.
Unfortunately I am not able to try ToPA instead of single-range.
I am currently generating traces for Xen domUs and it currently does not support ToPA configuration.
Based on the erratum workaround, I tried to configure single-range output to be < 4KB, and it is still generating corrupted trace.
For a simpler example, I am trying to trace a __x64_sys_setuid
linux syscall, from 0xffffffff810be736
to 0xffffffff810be743
.
I've attached a raw trace + dump file that was generated with the corresponding disassembly.
Dump of assembler code for function __x64_sys_setuid:
0xffffffff810be730 <+0>: nopl 0x0(%rax,%rax,1)
0xffffffff810be735 <+5>: push %rbp
0xffffffff810be736 <+6>: mov 0x70(%rdi),%rdi
0xffffffff810be73a <+10>: mov %rsp,%rbp
0xffffffff810be73d <+13>: callq 0xffffffff810be620 <__sys_setuid>
0xffffffff810be742 <+18>: pop %rbp
0xffffffff810be743 <+19>: retq
End of assembler dump.
By any chance this issue stemming from something else?
from libipt.
OK, that rules out this erratum.
The raw trace file is only 1.1KB; I expected 4KB. Do you know if recording wrapped around in the small buffer? If possible, please send the full buffer that was configured to the hardware as-is. Let's see if the PSBEND is there or not.
from libipt.
I had configured vmtrace_buf_kb=2048
in my domU config. I am using a modified version of kfx to start/stop VM execution at specific address by configuring a software breakpoint harness. I set up my start and end harness at 0xffffffff810be736
and 0xffffffff810be743
respectively, before I proceed with my VM trace generation. As such, I don't think the recording was big enough such that it was wrapped around in a small buffer.
I have attached a archive file containing the egenerated trace with the ptdump and some commands I used for your reference.
from libipt.
Could you describe how I would reproduce this step by step? The more detailed, the better.
from libipt.
The fork of intel/kernel-fuzzer-for-xen-project was set up in a fresh installation of Ubuntu 20.04 by following their respective documentations.
I wanted to generate a simple trace of the setuid
syscall. As such, I used KF/x to pause the VM at entry of the syscall with its harness capability. Then I can generate a trace from that entry point onward.
toy.c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
unsigned int convert(char *st) {
char *x;
for (x = st ; *x ; x++) {
if (!isdigit(*x))
return 0L;
}
return (strtoul(st, 0L, 10));
}
int main(int argc, char** argv) {
if (argc != 2) {
printf("usage: ./setuid <new uid>\n");
return 1;
}
int result = setuid(convert(argv[1]));
printf("Result: %d\nNew UID: %d\n", result, getuid());
return 0;
}
Compile toy.c
in guest VM.
From host VM, run the following commands to generate the trace supposedly between __x64_sys_setuid + 0xA
and __x64_sys_setuid + 0x13
:
echo -n -e '\xCC' > cc
echo -n -e '\xC3' > c3
sudo ./kernel-fuzzer-for-xen-project/rwmem --domid <guest domain id> --write <base of __x64_sys_setuid + 0xA> --file cc --limit 1
sudo ./kernel-fuzzer-for-xen-project/rwmem --domid <guest domain id> --write <__x64_sys_setuid + 0x0C> --file cc --limit 1
sudo ./kernel-fuzzer-for-xen-project/kfx --domid <guest domain id> --json ubuntu.json --setup -c --harness breakpoint --start-byte 0x48
sudo ./kernel-fuzzer-for-xen-project/rwmem --domid <guest domain id> --write <__x64_sys_setuid + 0x0C> --file c3 --limit 1
The address of __x64_sys_setuid
can be found with sudo cat /proc/kallsyms | grep "__x64_sys_setuid"
. A sample of the disassembly can be found from previous comments in this thread.
After executing the set of commands should generate a buf
file which can be fed into ptdump.
./vmtaint/libipt/build/bin/ptdump buf > dump.log
from libipt.
@deyixtan were you able to try out @tklengyel's suggestion?
from libipt.
@markus-metzger @tklengyel Thank you, it works! My apologies, missed out on your earlier messages.
from libipt.
Related Issues (20)
- Question: How to use libipt in GDB on Windows? HOT 7
- 2.1: LTO exposes `[-Werror=maybe-uninitialized]` warnings HOT 4
- Possible discrepancy between Intel manual and implementation WRT compressed return logic. HOT 4
- `pte_bad_query` for user-space tracing across a syscall immediately followed by `ret` HOT 1
- Docs: clarify the kind of error HOT 5
- Comparisons between types of different widths in a loop condition can cause the loop to behave unexpectedly. HOT 5
- build ptxed HOT 2
- About synchronization HOT 2
- about pt record HOT 2
- ‘ptic_error’ undeclared when running "make user"
- about `--pevent:time-zero` HOT 2
- about parallel HOT 2
- How to use ptxed with the buffers generated by the perf_event_open system call? HOT 10
- Decoder out of sync and not enough recorded data. HOT 6
- Decoding errors when XED is not initialised correctly HOT 28
- questions about TIP.PGD with IP HOT 3
- Decoding trace in reverse execution order HOT 7
- new tag/release? HOT 5
- cmake builds/installs liblibipt on MSYS2 HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from libipt.