[patch] really-ptrace-single-step

[patch] really-ptrace-single-step

[Davide Libenzi]

This patch lets a ptrace process on x86 to "see" the instruction 
following the INT #80h op.



- Davide


arch/i386/kernel/entry.S       |    2 +-
include/asm-i386/thread_info.h |    2 +-
2 files changed, 2 insertions(+), 2 deletions(-)




Index: arch/i386/kernel/entry.S
===================================================================
RCS file: /usr/src/bkcvs/linux-2.5/arch/i386/kernel/entry.S,v
retrieving revision 1.83
diff -u -r1.83 entry.S
--- arch/i386/kernel/entry.S	12 Apr 2004 20:29:12 -0000	1.83
+++ arch/i386/kernel/entry.S	11 May 2004 06:35:29 -0000
@@ -354,7 +354,7 @@
 	# perform syscall exit tracing
 	ALIGN
 syscall_exit_work:
-	testb $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT), %cl
+	testb $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SINGLESTEP), %cl
 	jz work_pending
 	sti				# could let do_syscall_trace() call
 					# schedule() instead
Index: include/asm-i386/thread_info.h
===================================================================
RCS file: /usr/src/bkcvs/linux-2.5/include/asm-i386/thread_info.h,v
retrieving revision 1.19
diff -u -r1.19 thread_info.h
--- include/asm-i386/thread_info.h	12 Apr 2004 20:29:12 -0000	1.19
+++ include/asm-i386/thread_info.h	11 May 2004 06:34:47 -0000
@@ -165,7 +165,7 @@
 
 /* work to do on interrupt/exception return */
 #define _TIF_WORK_MASK \
-  (0x0000FFFF & ~(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT))
+  (0x0000FFFF & ~(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SINGLESTEP))
 #define _TIF_ALLWORK_MASK	0x0000FFFF	/* work to do on any return to u-space */
 
 /*

Re: [patch] really-ptrace-single-step

[Fabiano Ramos]

Still not getting the desired result.
Which kernel is the patch based on?

On Tue, 2004-05-11 at 14:12, Davide Libenzi wrote:
> This patch lets a ptrace process on x86 to "see" the instruction 
> following the INT #80h op.
> 
> 
> 
> - Davide
> 
> 
> arch/i386/kernel/entry.S       |    2 +-
> include/asm-i386/thread_info.h |    2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
> 
> 
> 
> 
> Index: arch/i386/kernel/entry.S
> ===================================================================
> RCS file: /usr/src/bkcvs/linux-2.5/arch/i386/kernel/entry.S,v
> retrieving revision 1.83
> diff -u -r1.83 entry.S
> --- arch/i386/kernel/entry.S	12 Apr 2004 20:29:12 -0000	1.83
> +++ arch/i386/kernel/entry.S	11 May 2004 06:35:29 -0000
> @@ -354,7 +354,7 @@
>  	# perform syscall exit tracing
>  	ALIGN
>  syscall_exit_work:
> -	testb $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT), %cl
> +	testb $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SINGLESTEP), %cl
>  	jz work_pending
>  	sti				# could let do_syscall_trace() call
>  					# schedule() instead
> Index: include/asm-i386/thread_info.h
> ===================================================================
> RCS file: /usr/src/bkcvs/linux-2.5/include/asm-i386/thread_info.h,v
> retrieving revision 1.19
> diff -u -r1.19 thread_info.h
> --- include/asm-i386/thread_info.h	12 Apr 2004 20:29:12 -0000	1.19
> +++ include/asm-i386/thread_info.h	11 May 2004 06:34:47 -0000
> @@ -165,7 +165,7 @@
>  
>  /* work to do on interrupt/exception return */
>  #define _TIF_WORK_MASK \
> -  (0x0000FFFF & ~(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT))
> +  (0x0000FFFF & ~(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SINGLESTEP))
>  #define _TIF_ALLWORK_MASK	0x0000FFFF	/* work to do on any return to u-space */
>  
>  /*
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch] really-ptrace-single-step

[Fabiano Ramos]

It would not work against 2.6.5, since

do_syscall_trace()

makes the check

if (!test_thread_flag(TIF_SYSCALL_TRACE))
		return;


Simply removing it would do?



On Tue, 2004-05-11 at 14:12, Davide Libenzi wrote:
> This patch lets a ptrace process on x86 to "see" the instruction 
> following the INT #80h op.
> 
> 
> 
> - Davide
> 
> 
> arch/i386/kernel/entry.S       |    2 +-
> include/asm-i386/thread_info.h |    2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
> 
> 
> 
> 
> Index: arch/i386/kernel/entry.S
> ===================================================================
> RCS file: /usr/src/bkcvs/linux-2.5/arch/i386/kernel/entry.S,v
> retrieving revision 1.83
> diff -u -r1.83 entry.S
> --- arch/i386/kernel/entry.S	12 Apr 2004 20:29:12 -0000	1.83
> +++ arch/i386/kernel/entry.S	11 May 2004 06:35:29 -0000
> @@ -354,7 +354,7 @@
>  	# perform syscall exit tracing
>  	ALIGN
>  syscall_exit_work:
> -	testb $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT), %cl
> +	testb $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SINGLESTEP), %cl
>  	jz work_pending
>  	sti				# could let do_syscall_trace() call
>  					# schedule() instead
> Index: include/asm-i386/thread_info.h
> ===================================================================
> RCS file: /usr/src/bkcvs/linux-2.5/include/asm-i386/thread_info.h,v
> retrieving revision 1.19
> diff -u -r1.19 thread_info.h
> --- include/asm-i386/thread_info.h	12 Apr 2004 20:29:12 -0000	1.19
> +++ include/asm-i386/thread_info.h	11 May 2004 06:34:47 -0000
> @@ -165,7 +165,7 @@
>  
>  /* work to do on interrupt/exception return */
>  #define _TIF_WORK_MASK \
> -  (0x0000FFFF & ~(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT))
> +  (0x0000FFFF & ~(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT|_TIF_SINGLESTEP))
>  #define _TIF_ALLWORK_MASK	0x0000FFFF	/* work to do on any return to u-space */
>  
>  /*
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch] really-ptrace-single-step

[Davide Libenzi]

On Tue, 11 May 2004, Fabiano Ramos wrote:

> It would not work against 2.6.5, since
> 
> do_syscall_trace()
> 
> makes the check
> 
> if (!test_thread_flag(TIF_SYSCALL_TRACE))
> 		return;
> 
> Simply removing it would do?

No no. You need to OR it with the single-step. Try:

if (!test_thread_flag(TIF_SYSCALL_TRACE) && 
    !test_thread_flag(TIF_SINGLESTEP))
	return;


- Davide

Re: [patch] really-ptrace-single-step

[Fabiano Ramos]

On Tue, 2004-05-11 at 14:38, Davide Libenzi wrote:
> On Tue, 11 May 2004, Fabiano Ramos wrote:
> 
> > It would not work against 2.6.5, since
> > 
> > do_syscall_trace()
> > 
> > makes the check
> > 
> > if (!test_thread_flag(TIF_SYSCALL_TRACE))
> > 		return;
> > 
> > Simply removing it would do?
> 
> No no. You need to OR it with the single-step. Try:
> 
> if (!test_thread_flag(TIF_SYSCALL_TRACE) && 
>     !test_thread_flag(TIF_SINGLESTEP))
> 	return;
> 
> 
> - Davide

Still not working. :(
Correct me if I am wrong: is TIF_SINGLESTEP asserted whenever a process
is being singlestepped? I do not see where it is done.

> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch] really-ptrace-single-step

[Andrew Morton]

Fabiano Ramos <ramos_fabiano@yahoo.com.br> wrote:
>
> Still not getting the desired result.
> Which kernel is the patch based on?
> 
> On Tue, 2004-05-11 at 14:12, Davide Libenzi wrote:
> > This patch lets a ptrace process on x86 to "see" the instruction 
> > following the INT #80h op.

Please.  Don't edit people out of email headers.  Just do reply-to-all.  I
didn't see your "it doesn't work" email for many hours after having merged
the patch.

Thanks.

Re: [patch] really-ptrace-single-step

[Davide Libenzi]

On Tue, 11 May 2004, Andrew Morton wrote:

> Fabiano Ramos <ramos_fabiano@yahoo.com.br> wrote:
> >
> > Still not getting the desired result.
> > Which kernel is the patch based on?
> > 
> > On Tue, 2004-05-11 at 14:12, Davide Libenzi wrote:
> > > This patch lets a ptrace process on x86 to "see" the instruction 
> > > following the INT #80h op.
> 
> Please.  Don't edit people out of email headers.  Just do reply-to-all.  I
> didn't see your "it doesn't work" email for many hours after having merged
> the patch.

Sorry Andrew, it's my fault. I should have told you when I received the 
message, but today I had about 25000 meetings. Hold about the new patch, 
since I want to see it running a little bit more on my machine. I will 
send you the final ack later.



- Davide

Re: [patch] really-ptrace-single-step

[Fabiano Ramos]

On Tue, 2004-05-11 at 21:17, Andrew Morton wrote:
> Fabiano Ramos <ramos_fabiano@yahoo.com.br> wrote:
> >
> > Still not getting the desired result.
> > Which kernel is the patch based on?
> > 
> > On Tue, 2004-05-11 at 14:12, Davide Libenzi wrote:
> > > This patch lets a ptrace process on x86 to "see" the instruction 
> > > following the INT #80h op.
> 
> Please.  Don't edit people out of email headers.  Just do reply-to-all.  I
> didn't see your "it doesn't work" email for many hours after having merged
> the patch.
> 
> Thanks.

Sorry for that.
By the way the email was sent in response to the first
patch, not for the second version.

> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

Re: [patch] really-ptrace-single-step

[Davide Libenzi]

On Tue, 11 May 2004, Fabiano Ramos wrote:

> Sorry for that.
> By the way the email was sent in response to the first
> patch, not for the second version.

The second version works for me. Pls give it a spin.


- Davide

Re: [patch] really-ptrace-single-step

[Fabiano Ramos]

I am testing it right now.

On Tue, 2004-05-11 at 22:06, Davide Libenzi wrote:
> On Tue, 11 May 2004, Fabiano Ramos wrote:
> 
> > Sorry for that.
> > By the way the email was sent in response to the first
> > patch, not for the second version.
> 
> The second version works for me. Pls give it a spin.
> 
> 
> - Davide

Re: [patch] really-ptrace-single-step

[Fabiano Ramos]

On Tue, 2004-05-11 at 22:06, Davide Libenzi wrote:
> On Tue, 11 May 2004, Fabiano Ramos wrote:
> 
> > Sorry for that.
> > By the way the email was sent in response to the first
> > patch, not for the second version.
> 
> The second version works for me. Pls give it a spin.
> 
> 
> - Davide


Seems to be working just fine on 2.6.5 and 2.6.6. Tracing the following
code (tracer appended) would produce:


 8050cd6:	b8 c7 00 00 00       	mov    $0xc7,%eax
 8050cdb:	cd 80                	int    $0x80
 8050cdd:	3d 00 f0 ff ff       	cmp    $0xfffff000,%eax
 8050ce2:	76 f0                	jbe    8050cd4 <__getuid+0x14>



EIP = 0x08050cd6

EIP = 0x08050cdb

EIP = 0x08050cdd

EIP = 0x08050ce2


--------- TRACER -----------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <syscall.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <linux/user.h>
#include <unistd.h>
#include <errno.h>


extern char **environ;

int main(int argc, char **argv)
{

	struct user_regs_struct regs;

        int wait_val;           /*  child's return value        */
        int pid;                /*  child's process id          */

        long long totalinstr=0;        /* # of intr executed */
        unsigned char opcode;          /* syscall opcode goes in one
byte */


        int i;

       /* printing options */
       printf("\n\nPTRACE: Will execute \"");
       for (i=1; i<argc; i++)
             printf("%s ", argv[i]);

       printf("\". Please wait (it may take long...)\n\n\n");

       printf("***** SIMULATED PROGRAM OUTPUT *****\n\n");

        switch (pid = fork()) {

        case -1:
                perror("fork");
                break;

        case 0: /*  child process starts        */
                if ( ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
			perror("\nError in ptrace PTRACE_TRACEME");
		execv(argv[1],&argv[1]);
		break;

        default:/*  parent process starts       */
		if (waitpid(pid,&wait_val,0) < 0)
			perror("\nchild process EXITED");

		if (ptrace(PTRACE_SINGLESTEP,pid,NULL,NULL) < 0)
               		perror("\nError in ptrace PTRACE_SINGLESTEP");

                waitpid(pid,&wait_val,0);

                while (1) {

		      totalinstr++;

			/* get PC */
                      if (ptrace(PTRACE_GETREGS, pid, 0, (int)&regs) ==
-1){
                           perror("ptrace");
                            printf("Exiting on error ... \n");
                      }

		      printf("\nEIP = 0x%08lx\n", regs.eip);

		      // will stop after each instruction
                      if (ptrace(PTRACE_SINGLESTEP, pid, 0, 0) != 0)
                               perror("ptrace");

                      waitpid(pid,&wait_val,0);
		      if ( WIFEXITED(wait_val)) break;

                }

        }
	printf("\n************************************\n\n");
        printf("Number of machine instructions : %lld\n\n\n",
totalinstr);
        return 0;
}