From: alexandre.ferrieux@orange.com
To: Steven Rostedt <rostedt@goodmis.org>
Cc: linux-trace-users@vger.kernel.org
Subject: Re: Ftrace, KASLR and gdb
Date: Sun, 12 May 2024 00:44:27 +0200	[thread overview]
Message-ID: <738bfcbf-3f46-4ef4-8f10-057000bf07f6@orange.com> (raw)
In-Reply-To: <20240510141229.5518eb2b@rorschach.local.home>

On 10/05/2024 20:12, Steven Rostedt wrote:
> 

Hi Steven. Honoured to be talking to the creator of my preferred toy!

>> Ftrace is a jewel to dig into the kernel, be it for troubleshooting, perf tuning 
>> or just understanding.
>> But when one needs to disassemble the running kernel (eg to move kprobes around 
>> in a function, in order to understand a given code path), KASLR makes it 
>> impossible for gdb to get useful symbol addresses, even with a debug image.
> 
> Really? Can't you just use a function name plus offset? For instance, I
> do this all the time:

Yes, on the ftrace side, obviously name+offset are sufficient. I use them all 
the time, and am delighted with fetchargs.

The problem is rather, on the gdb side, with a production kernel (not the one 
you've just compiled), on a random machine you have a passing access to. First, 
the kernel itself is compressed (vmlinuz), and in many cases getting the vmlinux 
is a pain. So, what ELF binary do you pass to gdb?

In my case:

   sym2elf /proc/kallsyms > /tmp/kallsyms.elf
   gdb /tmp/kallsyms.elf /proc/kcore
   (gdb) disass vfs_write
   ...

As an added bonus, I see (a snapshot of) globals:

   (gdb) p *(int *)jiffies
   $1 = 92299928

And also I see ftrace's surgical changes if by accident I disassemble a function 
I currently am sniffing ;-)

    echo "p:kprobe_tpacket_rcv tpacket_rcv+26 skb=%di:x64" >> kprobe_events
    (gdb) disass tpacket_rcv
    Dump of assembler code for function tpacket_rcv:
      0xffffffffb9d79e10 <+0>:     endbr64
      ...
      0xffffffffb9d79e2a <+26>:    jmp    0xffffffffc1389000 <kprobe_optinsn_page>

Of course the latter only serves my curiosity; but it shows I'm looking at the 
"live" code. It matters in other cases of dynamic code, like static branches.

So, is there currently another method to reach the same effect?

-Alex
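To make the kallsyms-to-ELF step above concrete, here is a small stand-in written for this thread; it is not Alex's sym2elf tool nor anything from gdb or the kernel, and the kallsyms lines, addresses and section layout are constructed for the example (x86-64 assumed). It also shows the reverse mapping from a live address to the name+offset form that kprobe_events accepts; note that /proc/kallsyms reads as all zeros without CAP_SYSLOG when kptr_restrict is set.

```python
"""Build a gdb-loadable ELF64 symbol file from /proc/kallsyms text, and resolve addr -> name+offset."""
import bisect
import struct

# Constructed kallsyms-style sample; the addresses are invented for this example, not from a real kernel.
SAMPLE_KALLSYMS = """\
ffffffffb9c00000 T _text
ffffffffb9d79e10 T tpacket_rcv
ffffffffb9e01230 t vfs_write
ffffffffba5f2000 D jiffies
ffffffffc0a10000 t example_mod_fn\t[example_mod]
"""

STT_OBJECT, STT_FUNC, STB_GLOBAL, SHN_ABS = 1, 2, 1, 0xFFF1
SHT_SYMTAB, SHT_STRTAB, SHT_NOBITS, SHF_ALLOC_EXEC = 2, 3, 8, 0x6

def parse_kallsyms(text):
    """Return [(addr, type_char, name)] sorted by address; a trailing [module] field is ignored."""
    rows = [line.split() for line in text.splitlines()]
    return sorted((int(r[0], 16), r[1], r[2]) for r in rows if len(r) >= 3)

def symbolize(syms, addr):
    """Render addr in the 'name+offset' form kprobe_events accepts, e.g. tpacket_rcv+26."""
    i = bisect.bisect_right([s[0] for s in syms], addr) - 1
    if i < 0:
        raise ValueError("address precedes the first symbol")
    return f"{syms[i][2]}+{addr - syms[i][0]}"

def build_symbol_elf(syms):
    """Emit an ET_EXEC x86-64 ELF carrying only .symtab/.strtab plus a size-only .text so gdb sees code symbols."""
    text = [a for a, t, _ in syms if t in "Tt"]
    strtab, symtab = bytearray(b"\0"), bytearray(24)        # entry 0 of both tables is reserved
    for addr, kind, name in syms:
        func = kind in "Tt"
        info = (STB_GLOBAL << 4) | (STT_FUNC if func else STT_OBJECT)
        symtab += struct.pack("<IBBHQQ", len(strtab), info, 0, 1 if func else SHN_ABS, addr, 0)
        strtab += name.encode() + b"\0"
    shstrtab = b"\0.text\0.symtab\0.strtab\0.shstrtab\0"   # names at offsets 1, 7, 15, 23
    off_sym, off_str = 64, 64 + len(symtab)
    off_shstr, off_sh = off_str + len(strtab), off_str + len(strtab) + len(shstrtab)
    shdr = lambda *f: struct.pack("<IIQQQQIIQQ", *f)         # Elf64_Shdr
    shdrs = (shdr(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_NOBITS, SHF_ALLOC_EXEC, text[0], 0, text[-1] - text[0] + 1, 0, 0, 16, 0)
             + shdr(7, SHT_SYMTAB, 0, 0, off_sym, len(symtab), 3, 1, 8, 24)   # link=.strtab, info=first global
             + shdr(15, SHT_STRTAB, 0, 0, off_str, len(strtab), 0, 0, 1, 0)
             + shdr(23, SHT_STRTAB, 0, 0, off_shstr, len(shstrtab), 0, 0, 1, 0))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 62, 1, 0, 0, off_sh, 0, 64, 0, 0, 64, 5, 4)
    return ehdr + bytes(symtab) + bytes(strtab) + shstrtab + shdrs
```

Feeding the real /proc/kallsyms through parse_kallsyms and writing build_symbol_elf's bytes to a file gives the symbol file to pass alongside /proc/kcore; the symbols are absolute, so they already include the KASLR slide of the running kernel.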
