On Wed, Oct 16, 2013 at 12:37 PM, Kees Cook <keescook@xxxxxxxxxx> wrote:
> On Wed, Oct 16, 2013 at 9:02 AM, Andrew Honig <ahonig@xxxxxxxxxx> wrote:
>> I'm talking about working with a vmlinux/vmcore pair. To get crash
>> working with the current version of kASLR that doesn't have the offset
>> data specifically in the VMCOREINFO I could use another symbol in the
>> VMCOREINFO to calculate the offset. For example _stext is already in
>> the VMCOREINFO. I could get the offset of _stext from the VMCOREINFO,
>> then get the offset of _stext from the vmlinux and subtract them to
>> get the ASLR offset.
>
> Doing this math seems like a good approach. Are there any downsides to
> inferring the kASLR offset this way?

I would prefer to write it that way, because it works with existing aslr
enabled kernels and kdumps. I can think of a couple of downsides, but
neither is a deal breaker:

1) The patch is slightly more complicated and will require two passes over
the symbols. The first pass will find the _stext symbol in the vmlinux file
and try to determine the aslr offset. The second pass will relocate and
store the symbols.

2) It creates a non-obvious dependency on _stext being in the vmcoreinfo.

--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/crash-utility
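Added illustration of the two-pass scheme discussed above (example code, not from the thread and not crash's own implementation): read SYMBOL(_stext) out of a VMCOREINFO note, subtract the _stext link address taken from vmlinux to get the kASLR offset, then relocate vmlinux symbols by that offset. The VMCOREINFO excerpt and all addresses are constructed; the lookup fails cleanly when the symbol is absent, which is the dependency noted in point 2.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed VMCOREINFO excerpt in the "SYMBOL(name)=hex" line format the
 * kernel emits into the vmcore note. Addresses are made up for the example. */
static const char vmcoreinfo[] =
    "OSRELEASE=3.12.0-rc5\n"
    "PAGESIZE=4096\n"
    "SYMBOL(init_uts_ns)=ffffffffa2e1d520\n"
    "SYMBOL(_stext)=ffffffffa2000000\n";

/* Find "SYMBOL(<name>)=" in a VMCOREINFO blob and parse the hex address.
 * Returns 1 on success, 0 if the symbol is not present. */
int vmcoreinfo_symbol(const char *info, const char *name, uint64_t *out)
{
    char key[128];
    snprintf(key, sizeof key, "SYMBOL(%s)=", name);
    const char *p = strstr(info, key);
    if (!p)
        return 0;
    *out = strtoull(p + strlen(key), NULL, 16);
    return 1;
}

/* First pass: kASLR offset = (_stext as it ran in the crashed kernel) minus
 * (_stext link address from vmlinux). vmlinux_stext is what a symbol-table
 * walk of the vmlinux file would yield. Returns 0 if _stext is missing. */
int kaslr_offset(const char *info, uint64_t vmlinux_stext, uint64_t *offset)
{
    uint64_t dump_stext;
    if (!vmcoreinfo_symbol(info, "_stext", &dump_stext))
        return 0;
    *offset = dump_stext - vmlinux_stext;
    return 1;
}

/* Second pass: translate a vmlinux symbol address into the dump's space. */
uint64_t relocate(uint64_t vmlinux_addr, uint64_t offset)
{
    return vmlinux_addr + offset;
}

int main(void)
{
    uint64_t off;
    if (!kaslr_offset(vmcoreinfo, 0xffffffff81000000ULL, &off))
        return 1;
    printf("kaslr offset: 0x%llx\n", (unsigned long long)off);
    printf("sys_call_table (vmlinux ffffffff81a00000) -> %llx\n",
           (unsigned long long)relocate(0xffffffff81a00000ULL, off));
    return 0;
}
```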