* [RFC] Add RIP to scripts/decodecode
@ 2020-09-29 11:32 Borislav Petkov
From: Borislav Petkov @ 2020-09-29 11:32 UTC (permalink / raw)
  To: Andrew Morton, Marc Zyngier, Will Deacon, Rabin Vincent; +Cc: x86-ml, lkml

Hi,

how about we add RIP to decodecode output? See below.

I've added the couple of people to Cc who seem to use this thing. The
patch is dirty and needs cleaning still but I think it would be cool to
have the actual addresses in that output so that when you compare with
objdump output in another window, you can find the code very quickly.

You'd need to supply the rIP from the splat, though, as an env var:

$ RIP=0xffffffff8329a927 ./scripts/decodecode < ~/tmp/syz/gfs2.splat
[ 477.379104][T23917] Code: 48 83 ec 28 48 89 3c 24 48 89 54 24 08 e8 c1 b4 4a fe 48 8d bb 00 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 97 05 00 00 48 8b 9b 00 01 00 00 48 85 db 0f 84
Cleaned: [48 83 ec 28 48 89 3c 24 48 89 54 24 08 e8 c1 b4 4a fe 48 8d bb 00 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 97 05 00 00 48 8b 9b 00 01 00 00 48 85 db 0f 84]
Marker: 127
rIP_sub: 42
adj_vma: 0xffffffff8329a8fd
All code
========
ffffffff8329a8fd:       48 83 ec 28             sub    $0x28,%rsp
ffffffff8329a901:       48 89 3c 24             mov    %rdi,(%rsp)
ffffffff8329a905:       48 89 54 24 08          mov    %rdx,0x8(%rsp)
ffffffff8329a90a:       e8 c1 b4 4a fe          callq  0xffffffff81745dd0
ffffffff8329a90f:       48 8d bb 00 01 00 00    lea    0x100(%rbx),%rdi
ffffffff8329a916:       48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
ffffffff8329a91d:       fc ff df 
ffffffff8329a920:       48 89 fa                mov    %rdi,%rdx
ffffffff8329a923:       48 c1 ea 03             shr    $0x3,%rdx
ffffffff8329a927:*      80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)               <-- trapping instruction
ffffffff8329a92b:       0f 85 97 05 00 00       jne    0xffffffff8329aec8
ffffffff8329a931:       48 8b 9b 00 01 00 00    mov    0x100(%rbx),%rbx
ffffffff8329a938:       48 85 db                test   %rbx,%rbx
ffffffff8329a93b:       0f                      .byte 0xf
ffffffff8329a93c:       84                      .byte 0x84

Code starting with the faulting instruction
===========================================
ffffffff8329a8fd:       80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
ffffffff8329a901:       0f 85 97 05 00 00       jne    0xffffffff8329ae9e
ffffffff8329a907:       48 8b 9b 00 01 00 00    mov    0x100(%rbx),%rbx
ffffffff8329a90e:       48 85 db                test   %rbx,%rbx
ffffffff8329a911:       0f                      .byte 0xf
ffffffff8329a912:       84                      .byte 0x84

---

diff --git a/scripts/decodecode b/scripts/decodecode
index fbdb325cdf4f..f6b799e3e51a 100755
--- a/scripts/decodecode
+++ b/scripts/decodecode
@@ -6,6 +6,7 @@
 # options: set env. variable AFLAGS=options to pass options to "as";
 # e.g., to decode an i386 oops on an x86_64 system, use:
 # AFLAGS=--32 decodecode < 386.oops
+# RIP=hex - the rIP the splat points to
 
 cleanup() {
 	rm -f $T $T.s $T.o $T.oo $T.aa $T.dis
@@ -52,6 +53,8 @@ fi
 echo $code
 code=`echo $code | sed -e 's/.*Code: //'`
 
+echo "Cleaned: [$code]"
+
 width=`expr index "$code" ' '`
 width=$((($width-1)/2))
 case $width in
@@ -67,15 +70,19 @@ if [ -z "$ARCH" ]; then
     esac
 fi
 
+# Params: (tmp_file, rip_sub)
 disas() {
-	${CROSS_COMPILE}as $AFLAGS -o $1.o $1.s > /dev/null 2>&1
+	t=$1
+	rip_sub=$2
+
+	${CROSS_COMPILE}as $AFLAGS -o $t.o $t.s > /dev/null 2>&1
 
 	if [ "$ARCH" = "arm" ]; then
 		if [ $width -eq 2 ]; then
 			OBJDUMPFLAGS="-M force-thumb"
 		fi
 
-		${CROSS_COMPILE}strip $1.o
+		${CROSS_COMPILE}strip $t.o
 	fi
 
 	if [ "$ARCH" = "arm64" ]; then
@@ -83,11 +90,19 @@ disas() {
 			type=inst
 		fi
 
-		${CROSS_COMPILE}strip $1.o
+		${CROSS_COMPILE}strip $t.o
+	fi
+
+	if [ $rip_sub -ne 0 ]; then
+		if [ $RIP ]; then
+			adj_vma=$(( $RIP - $rip_sub ))
+			printf "adj_vma: 0x%lx\n" $adj_vma
+			OBJDUMPFLAGS="$OBJDUMPFLAGS --adjust-vma=$adj_vma"
+		fi
 	fi
 
-	${CROSS_COMPILE}objdump $OBJDUMPFLAGS -S $1.o | \
-		grep -v "/tmp\|Disassembly\|\.text\|^$" > $1.dis 2>&1
+	${CROSS_COMPILE}objdump $OBJDUMPFLAGS -S $t.o | \
+		grep -v "/tmp\|Disassembly\|\.text\|^$" > $t.dis 2>&1
 }
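Review bot: `OBJDUMPFLAGS="$OBJDUMPFLAGS --adjust-vma=$adj_vma"` mutates the script-level variable, so the second `disas $T 0` call (a later hunk) inherits the first call's adjustment, and the cover text shows the result: the "Code starting with the faulting instruction" listing starts the trapping cmpb at ffffffff8329a8fd with a jne target of 0xffffffff8329ae9e, while "All code" places the same instruction at ffffffff8329a927 with target 0xffffffff8329aec8. Keeping the adjustment in a per-call variable, `flags="$OBJDUMPFLAGS --adjust-vma=$(( $RIP - $rip_sub ))"` passed as `$flags` to objdump, and dropping the `[ $rip_sub -ne 0 ]` guard makes both passes independent, with rip_sub=0 mapping the second listing to the RIP itself as its heading promises. `[ $RIP ]` should also be `[ -n "$RIP" ]`, since an unquoted value containing whitespace turns the test into a syntax error rather than a false result. disas starts in this hunk but its callers are in the following ones.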
 
 marker=`expr index "$code" "\<"`
@@ -95,14 +110,19 @@ if [ $marker -eq 0 ]; then
 	marker=`expr index "$code" "\("`
 fi
 
+
 touch $T.oo
 if [ $marker -ne 0 ]; then
+	echo "Marker: $marker"
+	# 2 opcode bytes and a single space
+	rip_sub=$(( $marker / 3 ))
+	echo "rIP_sub: $rip_sub"
 	echo All code >> $T.oo
 	echo ======== >> $T.oo
 	beforemark=`echo "$code"`
 	echo -n "	.$type 0x" > $T.s
 	echo $beforemark | sed -e 's/ /,0x/g; s/[<>()]//g' >> $T.s
-	disas $T
+	disas $T $rip_sub
 	cat $T.dis >> $T.oo
 	rm -f $T.o $T.s $T.dis
 
@@ -114,7 +134,7 @@ echo =========================================== >> $T.aa
 code=`echo $code | sed -e 's/ [<(]/ /;s/[>)] / /;s/ /,0x/g; s/[>)]$//'`
 echo -n "	.$type 0x" > $T.s
 echo $code >> $T.s
-disas $T
+disas $T 0
 cat $T.dis >> $T.aa
 
 # (lines of whole $T.oo) - (lines of $T.aa, i.e. "Code starting") + 3,

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* Re: [RFC] Add RIP to scripts/decodecode
  2020-09-29 11:32 [RFC] Add RIP to scripts/decodecode Borislav Petkov
@ 2020-09-29 12:40 ` Marc Zyngier
From: Marc Zyngier @ 2020-09-29 12:40 UTC (permalink / raw)
  To: Borislav Petkov; +Cc: Andrew Morton, Will Deacon, Rabin Vincent, x86-ml, lkml

Hi,

[dropping these ARM people I never heard of...]

On 2020-09-29 12:32, Borislav Petkov wrote:
> Hi,
> 
> how about we add RIP to decodecode output? See below.
> 
> I've added the couple of people to Cc who seem to use this thing. The
> patch is dirty and needs cleaning still but I think it would be cool to
> have the actual addresses in that output so that when you compare with
> objdump output in another window, you can find the code very quickly.
> 
> You'd need to supply the rIP from the splat, though, as an env var:
> 
> $ RIP=0xffffffff8329a927 ./scripts/decodecode < ~/tmp/syz/gfs2.splat
> [ 477.379104][T23917] Code: 48 83 ec 28 48 89 3c 24 48 89 54 24 08 e8
> c1 b4 4a fe 48 8d bb 00 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89
> fa 48 c1 ea 03 <80> 3c 02 00 0f 85 97 05 00 00 48 8b 9b 00 01 00 00 48
> 85 db 0f 84
> Cleaned: [48 83 ec 28 48 89 3c 24 48 89 54 24 08 e8 c1 b4 4a fe 48 8d
> bb 00 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80>
> 3c 02 00 0f 85 97 05 00 00 48 8b 9b 00 01 00 00 48 85 db 0f 84]
> Marker: 127
> rIP_sub: 42
> adj_vma: 0xffffffff8329a8fd
> All code
> ========
> ffffffff8329a8fd:       48 83 ec 28             sub    $0x28,%rsp
> ffffffff8329a901:       48 89 3c 24             mov    %rdi,(%rsp)
> ffffffff8329a905:       48 89 54 24 08          mov    %rdx,0x8(%rsp)
> ffffffff8329a90a:       e8 c1 b4 4a fe          callq  
> 0xffffffff81745dd0
> ffffffff8329a90f:       48 8d bb 00 01 00 00    lea    0x100(%rbx),%rdi
> ffffffff8329a916:       48 b8 00 00 00 00 00    movabs 
> $0xdffffc0000000000,%rax
> ffffffff8329a91d:       fc ff df
> ffffffff8329a920:       48 89 fa                mov    %rdi,%rdx
> ffffffff8329a923:       48 c1 ea 03             shr    $0x3,%rdx
> ffffffff8329a927:*      80 3c 02 00             cmpb
> $0x0,(%rdx,%rax,1)               <-- trapping instruction
> ffffffff8329a92b:       0f 85 97 05 00 00       jne    
> 0xffffffff8329aec8
> ffffffff8329a931:       48 8b 9b 00 01 00 00    mov    0x100(%rbx),%rbx
> ffffffff8329a938:       48 85 db                test   %rbx,%rbx
> ffffffff8329a93b:       0f                      .byte 0xf
> ffffffff8329a93c:       84                      .byte 0x84
> 
> Code starting with the faulting instruction
> ===========================================
> ffffffff8329a8fd:       80 3c 02 00             cmpb   
> $0x0,(%rdx,%rax,1)
> ffffffff8329a901:       0f 85 97 05 00 00       jne    
> 0xffffffff8329ae9e
> ffffffff8329a907:       48 8b 9b 00 01 00 00    mov    0x100(%rbx),%rbx
> ffffffff8329a90e:       48 85 db                test   %rbx,%rbx
> ffffffff8329a911:       0f                      .byte 0xf
> ffffffff8329a912:       84                      .byte 0x84
> 

Looks neat. Only objection is that RIP is pretty tainted from an
architecture perspective. How about PC instead, which most people
understand immediately?

Bonus points if you can convince decodecode to grok something such
as "do_undefinstr+0x2e0/0x2f0" as the PC! ;-)

Thanks,

         M.
-- 
Who you jivin' with that Cosmik Debris?


* Re: [RFC] Add RIP to scripts/decodecode
  2020-09-29 12:40 ` Marc Zyngier
@ 2020-09-29 13:22   ` Borislav Petkov
From: Borislav Petkov @ 2020-09-29 13:22 UTC (permalink / raw)
  To: Marc Zyngier; +Cc: Andrew Morton, Will Deacon, Rabin Vincent, x86-ml, lkml

On Tue, Sep 29, 2020 at 01:40:03PM +0100, Marc Zyngier wrote:
> Hi,
> 
> [dropping these ARM people I never heard of...]

Yeah, I completely forgot that those ARM folks are not there anymore,
thx! :-)

> Looks neat. Only objection is that RIP is pretty tainted from an
> architecture perspective. How about PC instead, which most people
> understand immediately?

Sure.

> Bonus points if you can convince decodecode to grok something such
> as "do_undefinstr+0x2e0/0x2f0" as the PC! ;-)

Well, I thought about it. And I don't know how the splats look on ARM
but on x86 we're not dumping the actual PC contents anymore:

[  477.366747][T23917] KASAN: null-ptr-deref in range [0x0000000000000100-0x0000000000000107]
[  477.374897][T23917] CPU: 1 PID: 23917 Comm: syz-executor.0 Not tainted 5.9.0-rc7+ #1
[  477.376375][T23917] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014
[  477.378098][T23917] RIP: 0010:gfs2_rgrp_dump+0x37/0x660
			^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

so I could make the splat code dump PC again, but in brackets:

[  477.378098][T23917] RIP: 0010:gfs2_rgrp_dump+0x37/0x660 (0xffffffff8329a927)

or I would have to somehow have access to vmlinux or symbols which would
give me the function address. But that is not always the case - most of
the time you see a splat somewhere and that's all.

Unless you have a better idea...

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* [PATCH] scripts/decodecode: Add the capability to supply the program counter
  2020-09-29 13:22   ` Borislav Petkov
@ 2020-09-30 11:14     ` Borislav Petkov
From: Borislav Petkov @ 2020-09-30 11:14 UTC (permalink / raw)
  To: Marc Zyngier; +Cc: Andrew Morton, Will Deacon, Rabin Vincent, x86-ml, lkml

From: Borislav Petkov <bp@suse.de>
Date: Tue, 29 Sep 2020 18:45:56 +0200

... so that comparing with objdump output from vmlinux can ease
pinpointing where the trapping instruction actually is. An example is
better than a thousand words:

  $ PC=0xffffffff8329a927 ./scripts/decodecode < ~/tmp/syz/gfs2.splat
  [ 477.379104][T23917] Code: 48 83 ec 28 48 89 3c 24 48 89 54 24 08 e8 c1 b4 4a fe 48 8d bb 00 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 97 05 00 00 48 8b 9b 00 01 00 00 48 85 db 0f 84
  All code
  ========
  ffffffff8329a8fd:       48 83 ec 28             sub    $0x28,%rsp
  ffffffff8329a901:       48 89 3c 24             mov    %rdi,(%rsp)
  ffffffff8329a905:       48 89 54 24 08          mov    %rdx,0x8(%rsp)
  ffffffff8329a90a:       e8 c1 b4 4a fe          callq  0xffffffff81745dd0
  ffffffff8329a90f:       48 8d bb 00 01 00 00    lea    0x100(%rbx),%rdi
  ffffffff8329a916:       48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  ffffffff8329a91d:       fc ff df
  ffffffff8329a920:       48 89 fa                mov    %rdi,%rdx
  ffffffff8329a923:       48 c1 ea 03             shr    $0x3,%rdx
  ffffffff8329a927:*      80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)               <-- trapping instruction
  ffffffff8329a92b:       0f 85 97 05 00 00       jne    0xffffffff8329aec8
  ffffffff8329a931:       48 8b 9b 00 01 00 00    mov    0x100(%rbx),%rbx
  ffffffff8329a938:       48 85 db                test   %rbx,%rbx
  ffffffff8329a93b:       0f                      .byte 0xf
  ffffffff8329a93c:       84                      .byte 0x84

Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/20200929113238.GC21110@zn.tnic
---
 scripts/decodecode | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/scripts/decodecode b/scripts/decodecode
index fbdb325cdf4f..31d884e35f2f 100755
--- a/scripts/decodecode
+++ b/scripts/decodecode
@@ -6,6 +6,7 @@
 # options: set env. variable AFLAGS=options to pass options to "as";
 # e.g., to decode an i386 oops on an x86_64 system, use:
 # AFLAGS=--32 decodecode < 386.oops
+# PC=hex - the PC (program counter) the oops points to
 
 cleanup() {
 	rm -f $T $T.s $T.o $T.oo $T.aa $T.dis
@@ -67,15 +68,19 @@ if [ -z "$ARCH" ]; then
     esac
 fi
 
+# Params: (tmp_file, pc_sub)
 disas() {
-	${CROSS_COMPILE}as $AFLAGS -o $1.o $1.s > /dev/null 2>&1
+	t=$1
+	pc_sub=$2
+
+	${CROSS_COMPILE}as $AFLAGS -o $t.o $t.s > /dev/null 2>&1
 
 	if [ "$ARCH" = "arm" ]; then
 		if [ $width -eq 2 ]; then
 			OBJDUMPFLAGS="-M force-thumb"
 		fi
 
-		${CROSS_COMPILE}strip $1.o
+		${CROSS_COMPILE}strip $t.o
 	fi
 
 	if [ "$ARCH" = "arm64" ]; then
@@ -83,11 +88,18 @@ disas() {
 			type=inst
 		fi
 
-		${CROSS_COMPILE}strip $1.o
+		${CROSS_COMPILE}strip $t.o
 	fi
 
-	${CROSS_COMPILE}objdump $OBJDUMPFLAGS -S $1.o | \
-		grep -v "/tmp\|Disassembly\|\.text\|^$" > $1.dis 2>&1
+	if [ $pc_sub -ne 0 ]; then
+		if [ $PC ]; then
+			adj_vma=$(( $PC - $pc_sub ))
+			OBJDUMPFLAGS="$OBJDUMPFLAGS --adjust-vma=$adj_vma"
+		fi
+	fi
+
+	${CROSS_COMPILE}objdump $OBJDUMPFLAGS -S $t.o | \
+		grep -v "/tmp\|Disassembly\|\.text\|^$" > $t.dis 2>&1
 }
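Review bot: `OBJDUMPFLAGS="$OBJDUMPFLAGS --adjust-vma=$adj_vma"` appends to the global, so the second `disas $T 0` pass (next hunk) inherits the first pass's adjustment and labels the "Code starting with the faulting instruction" listing from PC-pc_sub instead of from PC; the RFC's own output shows it (trapping cmpb at ffffffff8329a8fd with jne target 0xffffffff8329ae9e, versus ffffffff8329a927 and 0xffffffff8329aec8 in "All code"), and the commit message only prints the "All code" half, so the mislabelled half is not visible here. Building the flags in a per-call variable and applying the adjustment whenever PC is set fixes both passes, since pc_sub=0 then maps the second listing to PC itself. `[ $PC ]` should be `[ -n "$PC" ]`, and PC wants a shape check before it reaches `$(( ))`: bash evaluates the operand as an expression, so a pasted `0010:gfs2_rgrp_dump+0x37` dies with an opaque "syntax error in expression" and a value like `a[$(cmd)]` would run cmd (the user types PC themselves, so this is about a clear diagnostic more than an attack surface). disas starts in the previous hunk.
```shell
	# … unchanged: as / strip handling for arm and arm64 …

	# Build the flags for this call only: appending to the global
	# OBJDUMPFLAGS leaks the first pass's --adjust-vma into the second
	# (pc_sub=0) pass, whose listing must start at the PC itself.
	flags=$OBJDUMPFLAGS
	if [ -n "$PC" ]; then
		# Only a 0x-prefixed hex literal may reach $(( )): bash evaluates
		# the operand as an expression, so anything else is at best a
		# cryptic "syntax error in expression" and at worst runs code.
		case "$PC" in
		0x*[!0-9a-fA-F]*|0x|[!0]*|0[!x]*)
			echo "decodecode: PC must be a 0x-prefixed hex address, got '$PC'" >&2
			exit 1
			;;
		esac
		flags="$flags --adjust-vma=$(( $PC - $pc_sub ))"
	fi

	${CROSS_COMPILE}objdump $flags -S $t.o | \
		grep -v "/tmp\|Disassembly\|\.text\|^$" > $t.dis 2>&1
```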
 
 marker=`expr index "$code" "\<"`
@@ -95,14 +107,17 @@ if [ $marker -eq 0 ]; then
 	marker=`expr index "$code" "\("`
 fi
 
+
 touch $T.oo
 if [ $marker -ne 0 ]; then
+	# 2 opcode bytes and a single space
+	pc_sub=$(( $marker / 3 ))
 	echo All code >> $T.oo
 	echo ======== >> $T.oo
 	beforemark=`echo "$code"`
 	echo -n "	.$type 0x" > $T.s
 	echo $beforemark | sed -e 's/ /,0x/g; s/[<>()]//g' >> $T.s
-	disas $T
+	disas $T $pc_sub
 	cat $T.dis >> $T.oo
 	rm -f $T.o $T.s $T.dis
 
@@ -114,7 +129,7 @@ echo =========================================== >> $T.aa
 code=`echo $code | sed -e 's/ [<(]/ /;s/[>)] / /;s/ /,0x/g; s/[>)]$//'`
 echo -n "	.$type 0x" > $T.s
 echo $code >> $T.s
-disas $T
+disas $T 0
 cat $T.dis >> $T.aa
 
 # (lines of whole $T.oo) - (lines of $T.aa, i.e. "Code starting") + 3,
-- 
2.21.0

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

