VMware

1 Replies Last post: May 4, 2009 7:18 PM by ecollins  

Fix for linux26-32-process.emt posted: Apr 3, 2009 11:57 AM

nitingupta (Novice, 7 posts since Jun 14, 2008)
I noticed junk returned by curprocname(), defined in linux26-32-process.emt (included in vprobe-toolkit).

The following patch fixes it:
$ diff -u /tmp/linux26-32-process.emt vp/linux26-32-process.emt
--- /tmp/linux26-32-process.emt 2009-04-04 00:03:42.182700000 +0530
+++ vp/linux26-32-process.emt   2009-04-03 23:58:58.436700000 +0530
@@ -45,7 +45,7 @@
       _pidOffset = offatret("sys_getpid");
       _nameOffset = offatstrcpy("get_task_comm");
    }
-   return RSP & 0xffffe000;
+   return RSP & 0xfffff000;
 }
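Review bot: the return value is still a hardcoded constant, so this trades one THREAD_SIZE assumption (8K stacks, mask 0xffffe000) for another (4K stacks, mask 0xfffff000); the poster's own grep shows 4K stacks are a kernel config option (CONFIG_4KSTACKS), so a guest built without it keeps the 8K stacks the old mask assumed and will now get the wrong thread pointer whenever RSP sits in the upper page of its stack. Suggest at least a comment above the return stating the CONFIG_4KSTACKS assumption, or deriving the mask from the guest (as _pidOffset and _nameOffset already are via offatret()/offatstrcpy()) instead of hardcoding it.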

This is because all recent Linux kernels have a 4K per-process kernel stack.
$ cat /boot/config-2.6.27.19-170.2.35.fc10.i686 | grep 4KSTACKS
CONFIG_4KSTACKS=y

BTW, where can I find documentation for 'offatret()' and 'offatstrcpy()' used in curthrptr()?

Thanks,
Nitin

Re: Fix for linux26-32-process.emt

1. May 4, 2009 7:18 PM in response to: nitingupta
ecollins (Lurker, 5 posts since Sep 12, 2005)
Hi Nitin,

Thanks for the bug fix; I've checked it into the vprobe toolkit.

Apologies for the limited documentation of offat*; there should be more thorough vp docs in the next release. These functions are used to fish out the offset of a struct member from the guest. E.g. offatret("sys_getpid") resolves the function address for sys_getpid (using the mapping provided by the vprobe.guestSyms vmx option), looks for the last instruction in the function that did a mov to RAX (where the return value is placed) and returns the offset used in the mov. E.g. in "movslq 0x108(%rax),%rax" it would return 0x108; this is the offset of the member we're looking for (RAX points to the struct and 0x108 is the offset of the member in that struct). We can then read the value of the member by using getguest with this offset and the pointer to a struct (e.g. the current thread pointer). The other offat* functions work similarly.

Thanks,
Eli
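As an added illustration (not code from the vprobe toolkit or from either poster), here is a Python model of the two pieces discussed in this thread: the THREAD_SIZE mask that curthrptr() applies to the stack pointer, and the offatret() heuristic Eli describes. The disassembly listing and the 0x108 offset are constructed stand-ins, not real kernel output.

```python
import re

# Constructed AT&T-syntax disassembly standing in for sys_getpid().
# The offatret() heuristic takes the displacement of the LAST load into
# the return register as the struct member offset.
SYS_GETPID_DISASM = [
    "push   %ebp",
    "mov    %esp,%ebp",
    "mov    %esp,%eax",
    "and    $0xfffff000,%eax",   # current_thread_info(): esp & ~(THREAD_SIZE-1)
    "mov    (%eax),%eax",        # thread_info->task
    "mov    0x108(%eax),%eax",   # task->tgid (constructed offset)
    "pop    %ebp",
    "ret",
]

# "mov<suffix> <disp>(<base>),<retreg>" with retreg = %eax/%rax/%ax.
_MOV_LOAD = re.compile(
    r"^\s*mov\w*\s+(?:(0x[0-9a-f]+|\d+))?\((%\w+)\),(%[er]?ax)\s*$", re.I
)

def offatret(disasm):
    """Emulate offatret(): displacement of the last memory load into the
    return register; 0 for a bare "(%reg)" load, None if there is none."""
    offset = None
    for insn in disasm:
        m = _MOV_LOAD.match(insn)
        if m:
            offset = int(m.group(1), 0) if m.group(1) else 0
    return offset

def stack_mask(thread_size):
    """Mask that rounds a 32-bit stack pointer down to its THREAD_SIZE-aligned
    base: 4096 -> 0xfffff000 (the patch), 8192 -> 0xffffe000 (the original)."""
    return ~(thread_size - 1) & 0xffffffff

def curthrptr(rsp, thread_size):
    """Emulate curthrptr(): thread_info sits at the base of the kernel stack,
    so masking RSP with the right THREAD_SIZE yields its address. With
    CONFIG_4KSTACKS=y, the 8K mask lands one page too low whenever RSP is in
    the upper page of an 8K-aligned pair, which is the "junk" in the thread."""
    return rsp & stack_mask(thread_size)
```

With a constructed RSP of 0xc1235f80, the 4K mask gives 0xc1235000 while the old 8K mask gives 0xc1234000, a different page and hence a wrong thread_info when the guest really has 4K stacks.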
