Question about uprobes

Question about uprobes

[W. Michael Petullo]

I am writing some software that monitors a guest VM using virtual-machine
introspection and "hijacks" system calls under certain conditions. For
example, the program might inject an int3/breakpoint into the guest
kernel at the entry point to sys_open. When the breakpoint is hit, the
program might set the guest instruction pointer to the address to which
sys_open would have itself returned and set register RAX to some desired
error-code return value.

The problem I am encountering is that for some reason the process is
triggering a "uprobe ... failed to handle uretprobe" message from the
guest kernel.  I do not yet know enough about uprobes to understand what
might be causing this. Is there something in procedures such as sys_open
which must execute to prevent the error which causes the kernel to print
this message?

-- 
Mike

:wq

Question about uprobes

[Mulyadi Santosa]

On Thursday, April 6, 2017, W. Michael Petullo <mike@flyn.org> wrote:

> I am writing some software that monitors a guest VM using virtual-machine
> introspection and "hijacks" system calls under certain conditions. For
> example, the program might inject an int3/breakpoint into the guest
> kernel at the entry point to sys_open. When the breakpoint is hit, the
> program might set the guest instruction pointer to the address to which
> sys_open would have itself returned and set register RAX to some desired
> error-code return value.
>
> The problem I am encountering is that for some reason the process is
> triggering a "uprobe ... failed to handle uretprobe" message from the
> guest kernel.  I do not yet know enough about uprobes to understand what
> might be causing this. Is there something in procedures such as sys_open
> which must execute to prevent the error which causes the kernel to print
> this message?
>
>
> What vm  hypervisor do you use?

Regards,

Mulyadi


-- 
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant

blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20170406/b9c6b0de/attachment.html 

Question about uprobes

[W. Michael Petullo]

>> I am writing some software that monitors a guest VM using virtual-machine
>> introspection and "hijacks" system calls under certain conditions. For
>> example, the program might inject an int3/breakpoint into the guest
>> kernel at the entry point to sys_open. When the breakpoint is hit, the
>> program might set the guest instruction pointer to the address to which
>> sys_open would have itself returned and set register RAX to some desired
>> error-code return value.
>>
>> The problem I am encountering is that for some reason the process is
>> triggering a "uprobe ... failed to handle uretprobe" message from the
>> guest kernel.  I do not yet know enough about uprobes to understand what
>> might be causing this. Is there something in procedures such as sys_open
>> which must execute to prevent the error which causes the kernel to print
>> this message?

>> What vm  hypervisor do you use?

We are using Xen + libvmi.

I have continued to read the kernel sources, and as best as I can
understand it the kernel installs uprobe instrumentation if it detects
a software breakpoint. Our program does not reinject the software
breakpoints it services back into the guest, so I am still trying to
figure out why uprobes seems to get triggered.

-- 
Mike

:wq

Question about uprobes

[Mulyadi Santosa]

On Thursday, April 6, 2017, W. Michael Petullo <mike@flyn.org> wrote:

> >> I am writing some software that monitors a guest VM using
> virtual-machine
> >> introspection and "hijacks" system calls under certain conditions. For
> >> example, the program might inject an int3/breakpoint into the guest
> >> kernel at the entry point to sys_open. When the breakpoint is hit, the
> >> program might set the guest instruction pointer to the address to which
> >> sys_open would have itself returned and set register RAX to some desired
> >> error-code return value.
> >>
> >> The problem I am encountering is that for some reason the process is
> >> triggering a "uprobe ... failed to handle uretprobe" message from the
> >> guest kernel.  I do not yet know enough about uprobes to understand what
> >> might be causing this. Is there something in procedures such as sys_open
> >> which must execute to prevent the error which causes the kernel to print
> >> this message?
>
> >> What vm  hypervisor do you use?
>
> We are using Xen + libvmi.
>
> I have continued to read the kernel sources, and as best as I can
> understand it the kernel installs uprobe instrumentation if it detects
> a software breakpoint. Our program does not reinject the software
> breakpoints it services back into the guest, so I am still trying to
> figure out why uprobes seems to get triggered.
>
> --
> Mike
>
> :wq
>

I am not really into xen, but afaik both guest and host xen kernel is
modified in order to facilitate hypercall

Thus, i suggest you study first how hypercall works

Regards,

Mulyadi


-- 
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant

blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20170407/9478d06c/attachment.html