On Wed, Jan 22, 2014 at 10:42 AM, Dave Anderson <anderson@xxxxxxxxxx> wrote: > > > ----- Original Message ----- >> >> > >> >> > Then, my questions are: >> >> > >> >> > (1) on a live system, how would a root user determine the offset from userspace? >> >> >> >> AFAICT, it can be calculated from /proc/kallsyms. >> > >> > Will /proc/kallsyms contain the relocated addresses? Andy had mentioned that >> > the offset would be in the dmesg buffer but that can be overwritten. >> >> Yeah, kallsyms should show the current actual locations. It should >> only show up in dmesg on a crash. >> >> >> > (2) given a random vmlinux/vmcore pair, how would any user determine the offset? >> >> >> >> It'd be nice for the vmcore to contain offset details. >> > >> > Right -- Andy mentioned that it would be put in a VMCOREINFO item: >> > >> > https://www.redhat.com/archives/crash-utility/2013-October/msg00043.html >> > >> > But I'm presuming that wasn't part of your patchset. >> >> It was not, no. What's needed to get that added? > > Since kASLR is x86 only (right?), I believe it would simply require an > addition to "arch/x86/kernel/machine_kexec_64.c" here: > > void arch_crash_save_vmcoreinfo(void) > { > VMCOREINFO_SYMBOL(phys_base); > VMCOREINFO_SYMBOL(init_level4_pgt); > > #ifdef CONFIG_NUMA > VMCOREINFO_SYMBOL(node_data); > VMCOREINFO_LENGTH(node_data, MAX_NUMNODES); > #endif > } > > Since it's the offset value that we're interested in, something > like this should suffice: > > VMCOREINFO_NUMBER(<name_of_symbol_containing_offset_value>) > > with an appropriate header inclusion that declares the symbol, > and enclosed by whatever "CONFIG_<kASLR>" you've got in place. > > The macro looks like this: > > #define VMCOREINFO_NUMBER(name) \ > vmcoreinfo_append_str("NUMBER(%s)=%ld\n", #name, (long)name) > > Of course that presumes you've got a symbol in place that holds the offset? > > On a related note, the VMCOREINFO_SYMBOL(phys_base) above is completely > useless, and should also have been introduced as VMCOREINFO_NUMBER(phys_base). > The makedumpfile maintainers on this list can confirm it, but I > don't believe that they use it either, but just pass it on to the > crash utility to ignore. Both the crash utility and makedumpfile > jump through hoops to figure out the phys_base value when it could > simply be passed in the vmcoreinfo data. FWIW, the offset reported during a panic to dmesg is: (unsigned long)&_text - __START_KERNEL I think this is what Andrew was looking at for pushing into the vmcore info. -Kees > > Dave > > > > > >> >> > Anyway, looking back at that post, I'll defer adding this patch until >> > Andy updates it, or at least confirms that it might be useful as-is >> > for now. >> >> Okay, cool. I'm happy to help however is needed. :) >> >> Thanks! >> >> -Kees > > -- Kees Cook Chrome OS Security -- Crash-utility mailing list Crash-utility@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/crash-utility