From: Andi K. <ak...@su...> - 2004-11-08 22:53:38
On Mon, Nov 08, 2004 at 10:43:13AM -0800, James Keniston wrote:
> We don't modify our copy of the instruction. Rather, we execute the copy,
> and then fix up the RIP as necessary to account for the difference between
> the addresses of the original instruction and the copy. We also fix up the
> flags word or the just-pushed return address (on a call instruction) as
> necessary. See resume_execution() in arch/x86_64/kernel/kprobes.c.*
>
> i386 also has ip-relative addressing, so we didn't have to invent anything
> new for x86_64.

i386 doesn't have RIP relative addressing like x86-64. You have call, but
not that.

I think Will has a point. When the probe hits a global variable reference
it will be misexecuted.

Actually in user space i386 shared libraries use some hacks to do eip
relative addressing (using special stubs to return the current address),
but that's of no concern for kprobes because the kernel doesn't do that.

Fix would be extremely complicated - you would need to check for all
instructions with memory side effects and fix them up. That's much more
complicated than what the current opcode check does.

-Andi
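Added example (not from the thread or from the kprobes code): a toy x86-64 decoder for a handful of one-byte opcodes that flags a ModRM mod=00/rm=101 operand, i.e. [rip+disp32], and computes where that operand points when the instruction runs at a given address. Running the same bytes from a copy at a different address yields a different target, which is the misexecution of a global-variable reference described above. The opcode set and struct names are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* What we learn about one instruction: whether it uses a [rip+disp32] operand. */
struct riprel_info {
    int valid;         /* 1 if the opcode is in the small supported set */
    int rip_relative;  /* 1 if ModRM is mod=00, rm=101 (RIP-relative on x86-64) */
    size_t length;     /* total encoded length in bytes */
    int32_t disp;      /* signed displacement (meaningful when rip_relative) */
};

/* Immediate size following ModRM/SIB/disp for a few one-byte opcodes (assumed set). */
static int imm_size(uint8_t op) {
    switch (op) {
    case 0x01: case 0x03: case 0x29: case 0x2B: case 0x31: case 0x33:
    case 0x39: case 0x3B: case 0x89: case 0x8B: case 0x8D: return 0;
    case 0x81: case 0xC7: return 4;
    case 0x80: case 0x83: case 0xC6: return 1;
    default: return -1;   /* anything else is outside this toy decoder */
    }
}

/* Decode one instruction: optional REX, opcode, ModRM, SIB, disp, imm. */
struct riprel_info decode_riprel(const uint8_t *code, size_t len) {
    struct riprel_info r = {0, 0, 0, 0};
    size_t i = 0;
    if (i < len && (code[i] & 0xF0) == 0x40) i++;          /* REX prefix */
    if (i + 1 >= len) return r;
    int imm = imm_size(code[i]);
    if (imm < 0) return r;
    uint8_t mod = code[i + 1] >> 6, rm = code[i + 1] & 7;
    size_t pos = i + 2;                                     /* byte after ModRM */
    if (mod != 3) {                                         /* memory operand */
        int base = -1;
        if (rm == 4) { if (pos >= len) return r; base = code[pos++] & 7; } /* SIB */
        if (mod == 1) pos += 1;
        else if (mod == 2 || (mod == 0 && (rm == 5 || base == 5))) pos += 4;
        if (mod == 0 && rm == 5) {                          /* [rip+disp32] */
            if (i + 6 > len) return r;
            r.rip_relative = 1;
            memcpy(&r.disp, code + i + 2, 4);               /* little-endian disp32 */
        }
    }
    pos += (size_t)imm;
    if (pos > len) return r;
    r.valid = 1;
    r.length = pos;
    return r;
}

/* Address the operand resolves to when the instruction executes at `ip`:
 * the next-instruction address plus the signed displacement. */
uint64_t riprel_target(const struct riprel_info *r, uint64_t ip) {
    return ip + r->length + (uint64_t)(int64_t)r->disp;
}
```

For `mov rax, [rip+0x1000]` (48 8B 05 00 10 00 00) the operand resolves to 0x2007 when executed at 0x1000 but to 0xA007 when the copy runs at 0x9000, so the copy reads the wrong memory unless the displacement or the access is fixed up.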