Dear all,
We are working on developing a dynamic binary translator for the kernel. Towards this, we wanted to confirm whether the interrupted PC value pushed on the stack by an interrupt/exception is used by the interrupt/exception handlers. For example, is the PC value compared against a fixed address to determine the handler behaviour (like Linux's page fault handler, which compares the faulting PC against an exception table to allow functions like copy_from_user to fault)?
Basically, we are wondering if it is safe to replace the pushed PC value on the stack with another value. This would be safe if the PC value is only used for returning from the interrupt, or for reading the contents at that PC address (e.g., to decode the instruction at the current PC). It would be unsafe if the value of the address itself is meaningful to the handler.
By looking at the code, we found that FreeBSD's segment-not-present exception handler checks the trapped PC value against some fixed kernel PC, except that it is only used for debugging purposes. It would be nice if somebody could also confirm this.
Thanks, Piyus
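As an added illustration of the Linux behaviour mentioned above (this is not code from the thread or from any kernel): a simplified C model of the exception-table lookup a page-fault handler performs on the pushed PC. The table contents, addresses and function names are constructed; it shows why a pushed PC rewritten to a code-cache address stops matching and turns a tolerated fault into an unrecognised one.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed model of a kernel exception table: maps the address of an
 * instruction allowed to fault (e.g. the load in copy_from_user) to the
 * fixup code the handler resumes at instead. Addresses are placeholders. */
struct extable_entry { unsigned long insn; unsigned long fixup; };
struct trap_frame { unsigned long ip; };   /* only the pushed PC matters here */
static const struct extable_entry extable[] = {   /* must stay sorted by insn */
    { 0xffffffff81001000UL, 0xffffffff81ff0000UL },
    { 0xffffffff81001020UL, 0xffffffff81ff0010UL },
    { 0xffffffff81002400UL, 0xffffffff81ff0020UL },
};
#define EXTABLE_N (sizeof extable / sizeof extable[0])

/* Binary search on the faulting PC, as a search_exception_tables() would. */
const struct extable_entry *search_extable(unsigned long pc)
{
    size_t lo = 0, hi = EXTABLE_N;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (extable[mid].insn == pc) return &extable[mid];
        if (extable[mid].insn < pc) lo = mid + 1; else hi = mid;
    }
    return NULL;
}
/* Kernel-mode page fault: a PC listed in the table gets its return address
 * redirected to the fixup (fault tolerated); any other kernel PC is an oops. */
int fixup_exception(struct trap_frame *f)
{
    const struct extable_entry *e = search_extable(f->ip);
    if (!e) return 0;
    f->ip = e->fixup;
    return 1;
}

/* Simulate the handler seeing a given pushed PC. A translator that replaces
 * the real PC with a code-cache address makes the same fault unrecognised. */
int fault_handled_at(unsigned long pushed_pc)
{
    struct trap_frame f = { pushed_pc };
    return fixup_exception(&f);
}

int main(void)
{
    printf("original PC handled: %d\n", fault_handled_at(0xffffffff81001020UL));
    printf("translated PC handled: %d\n", fault_handled_at(0xffff880012340020UL));
    return 0;
}
```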
Dear All,
In addition to the previous mail, we found by looking at the source code that the L4 microkernel checks the PC value on the stack against some kernel PC in the page fault handler. Does anybody know if there are more such cases?
Thanks, Piyus
On Fri, Aug 2, 2013 at 7:10 PM, Piyus Kedia piyuskedia@gmail.com wrote:
On Fri Aug 02, 2013 at 19:15:51 +0900, Piyus Kedia wrote:
In addition to the previous mail, we found by looking at the source code that the L4 microkernel checks the PC value on the stack against some kernel PC in the page fault handler. Does anybody know if there are more such cases?
Which check did you find?
There are so-called continuations which let the user context resume at a different code location. You could check for those and for constructs such as regs()->ip(X) setters and xx->ip = yy; statements. Now I'm not sure this is even relevant to you, since those are exchanges of values and not a check against some fixed address.
Adam
l4-hackers@os.inf.tu-dresden.de