Open pgoodman opened 9 years ago
So I'm not sure if the module notifier is picking up on the code of interest or not, but here's some extra info:
```
#0 granary_unreachable () at /home/pag/Code/granary2/granary/breakpoint.cc:11
#1 0xffffffffa0350330 in granary::BlockFactory::MaterializeIndirectEntryBlock (this=0xffff88007a3afec8, meta=0xffffffffa0accb00) at /home/pag/Code/granary2/granary/cfg/factory.cc:484
#2 0xffffffffa030cb7c in granary::BinaryInstrumenter::InstrumentIndirect (this=0xffff88007a3afea8) at /home/pag/Code/granary2/granary/instrument.cc:54
#3 0xffffffffa0303811 in granary::Translate (context=0xffffffffa15e1dc0, edge=0xffffffffa0562b78, target_app_pc=0xffffffffa0133082) at /home/pag/Code/granary2/granary/translate.cc:96
#4 0xffffffffa034b5e5 in granary_enter_indirect_edge (edge=0xffffffffa0562b78, context=0xffffffffa15e1dc0, target_app_pc=0xffffffffa0133082) at /home/pag/Code/granary2/granary/entry.cc:86
#5 0xffffffffa038a5ff in granary_arch_enter_indirect_edge ()
```
Here is a bit of code at the target address (`0xffffffffa0133082`):
```
0xffffffffa0133082: push rbp
0xffffffffa0133083: mov rbp,rsp
0xffffffffa0133086: push rbx
0xffffffffa0133087: call 0xffffffffa0133000
0xffffffffa013308c: test eax,eax
0xffffffffa013308e: mov ebx,eax
0xffffffffa0133090: jne 0xffffffffa0133116
0xffffffffa0133096: cmp QWORD PTR [rip+0x12e272],0x0 # 0xffffffffa0261310
0xffffffffa013309e: je 0xffffffffa01330a2
0xffffffffa01330a0: ud2
0xffffffffa01330a2: xor r8d,r8d
0xffffffffa01330a5: xor edx,edx
0xffffffffa01330a7: mov ecx,0x20000
0xffffffffa01330ac: mov esi,0x70
0xffffffffa01330b1: mov rdi,0xffffffffa025f8fb
0xffffffffa01330b8: call 0xffffffff811303c0 <kmem_cache_create>
0xffffffffa01330bd: test rax,rax
0xffffffffa01330c0: mov QWORD PTR [rip+0x12e249],rax # 0xffffffffa0261310
```
Here are the loaded modules that Granary is aware of:
```
(gdb) print-kernel-modules
kernel:
  Core: 0xffffffff80000000 - 0xffffffffa0000000
  Init: 0 - 0
granary:
  Core: 0xffffffffa02ff000 - 0xffffffffa042f000
  Init: 0 - 0
ppdev:
  Core: 0xffffffffa012d000 - 0xffffffffa012f000
  Init: 0 - 0
kvm_intel:
  Core: 0xffffffffa02dd000 - 0xffffffffa02e9000
  Init: 0 - 0
kvm:
  Core: 0xffffffffa0145000 - 0xffffffffa0175000
  Init: 0 - 0
crct10dif_pclmul:
  Core: 0xffffffffa0122000 - 0xffffffffa0123000
  Init: 0 - 0
crc32_pclmul:
  Core: 0xffffffffa013b000 - 0xffffffffa013c000
  Init: 0 - 0
ghash_clmulni_intel:
  Core: 0xffffffffa0103000 - 0xffffffffa0104000
  Init: 0 - 0
aesni_intel:
  Core: 0xffffffffa0113000 - 0xffffffffa011c000
  Init: 0 - 0
aes_x86_64:
  Core: 0xffffffffa010d000 - 0xffffffffa010f000
  Init: 0 - 0
lrw:
  Core: 0xffffffffa00ea000 - 0xffffffffa00eb000
  Init: 0 - 0
gf128mul:
  Core: 0xffffffffa0108000 - 0xffffffffa0109000
  Init: 0 - 0
glue_helper:
  Core: 0xffffffffa00f3000 - 0xffffffffa00f4000
  Init: 0 - 0
ablk_helper:
  Core: 0xffffffffa005d000 - 0xffffffffa005e000
  Init: 0 - 0
cryptd:
  Core: 0xffffffffa00d7000 - 0xffffffffa00d8000
  Init: 0 - 0
cirrus:
  Core: 0xffffffffa00fb000 - 0xffffffffa00fe000
  Init: 0 - 0
serio_raw:
  Core: 0xffffffffa0046000 - 0xffffffffa0047000
  Init: 0 - 0
ttm:
  Core: 0xffffffffa00c1000 - 0xffffffffa00cc000
  Init: 0 - 0
drm_kms_helper:
  Core: 0xffffffffa00dc000 - 0xffffffffa00e2000
  Init: 0 - 0
drm:
  Core: 0xffffffffa0079000 - 0xffffffffa0098000
  Init: 0 - 0
syscopyarea:
  Core: 0xffffffffa0074000 - 0xffffffffa0075000
  Init: 0 - 0
sysfillrect:
  Core: 0xffffffffa006f000 - 0xffffffffa0070000
  Init: 0 - 0
sysimgblt:
  Core: 0xffffffffa006a000 - 0xffffffffa006b000
  Init: 0 - 0
i2c_piix4:
  Core: 0xffffffffa0063000 - 0xffffffffa0065000
  Init: 0 - 0
parport_pc:
  Core: 0xffffffffa0054000 - 0xffffffffa0058000
  Init: 0 - 0
mac_hid:
  Core: 0xffffffffa004c000 - 0xffffffffa004d000
  Init: 0 - 0
binfmt_misc:
  Core: 0xffffffffa0040000 - 0xffffffffa0042000
  Init: 0 - 0
lp:
  Core: 0xffffffffa0012000 - 0xffffffffa0014000
  Init: 0 - 0
parport:
  Core: 0xffffffffa0034000 - 0xffffffffa0039000
  Init: 0 - 0
psmouse:
  Core: 0xffffffffa0019000 - 0xffffffffa0029000
  Init: 0 - 0
floppy:
  Core: 0xffffffffa0000000 - 0xffffffffa0008000
  Init: 0 - 0
jbd:
  Core: 0xffffffffa0257000 - 0xffffffffa025f000
  Init: 0xffffffffa0134000 - 0xffffffffa0134000
```
What is notable is the absence of `ext3` from this list. This is probably explained by the memory for `jbd`'s initialization code remaining mapped. Curiously, the init section for `jbd` appears to have a zero size (this might be an artifact of all other modules being compiled in, and `jbd`'s init size being shrunk). It's not clear if `ext3` is actually loaded or partially loaded at this point, and if so, some investigation (e.g. by putting a breakpoint into Granary's module load notifier) would help figure out a more precise order of events.
This also happens for firefox.
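A quick way to check the reasoning in the comment above is to resolve each address from the backtrace and disassembly against the `print-kernel-modules` dump. The script below is an added example, not code from the issue or from Granary: it parses an abbreviated copy of the dump (only the entries needed for the lookups), maps an address to the module and section whose range contains it, and flags Init ranges that have a base but zero length, as `jbd`'s does. It assumes each printed range is `[base, base + size)`, i.e. the end address is exclusive; the helper names are my own.

```python
"""Resolve addresses against a gdb `print-kernel-modules` dump.

Added example (not part of the original issue or of Granary). Parses the
module list, resolves addresses to (module, section), and flags zero-length
Init ranges. Assumes every range is half-open: [base, base + size).
"""
import re
from typing import Dict, List, Optional, Tuple

# Abbreviated copy of the print-kernel-modules output quoted in the issue
# (constructed sample: only the entries relevant to the lookups below).
MODULE_DUMP = """\
kernel:
  Core: 0xffffffff80000000 - 0xffffffffa0000000
  Init: 0 - 0
granary:
  Core: 0xffffffffa02ff000 - 0xffffffffa042f000
  Init: 0 - 0
ppdev:
  Core: 0xffffffffa012d000 - 0xffffffffa012f000
  Init: 0 - 0
jbd:
  Core: 0xffffffffa0257000 - 0xffffffffa025f000
  Init: 0xffffffffa0134000 - 0xffffffffa0134000
"""

Range = Tuple[int, int]  # (start, end), end exclusive

_NAME = re.compile(r"^(\S+):$")
_RANGE = re.compile(
    r"^(Core|Init):\s*(0x[0-9a-fA-F]+|0)\s*-\s*(0x[0-9a-fA-F]+|0)$")


def parse_modules(dump: str) -> Dict[str, Dict[str, Range]]:
    """Turn 'name:' / 'Core: a - b' / 'Init: a - b' lines into ranges."""
    modules: Dict[str, Dict[str, Range]] = {}
    current: Optional[str] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _NAME.match(line)
        if m:
            current = m.group(1)
            modules[current] = {}
            continue
        m = _RANGE.match(line)
        if m and current is not None:
            modules[current][m.group(1)] = (int(m.group(2), 0),
                                            int(m.group(3), 0))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return modules


def resolve(modules: Dict[str, Dict[str, Range]],
            addr: int) -> Optional[Tuple[str, str]]:
    """Return (module, section) whose half-open range contains addr, else None.

    None means the address lies in memory the notifier never recorded, which
    is exactly the situation the issue is asking about.
    """
    for name, sections in modules.items():
        for section, (start, end) in sections.items():
            if start <= addr < end:
                return name, section
    return None


def empty_init_sections(modules: Dict[str, Dict[str, Range]]) -> List[str]:
    """Modules whose Init range has a nonzero base but zero length."""
    return [name for name, s in modules.items()
            if "Init" in s and s["Init"][0] != 0
            and s["Init"][0] == s["Init"][1]]


if __name__ == "__main__":
    mods = parse_modules(MODULE_DUMP)
    # Addresses taken from the backtrace and disassembly in the issue.
    probes = [("target_app_pc", 0xffffffffa0133082),
              ("kmem_cache_create", 0xffffffff811303c0),
              ("rip-relative slot", 0xffffffffa0261310)]
    for label, addr in probes:
        print(f"{label:18s} {addr:#x} -> {resolve(mods, addr)}")
    print("zero-length Init sections:", empty_init_sections(mods))
```

Running it shows that `target_app_pc` and the `rip`-relative data slot fall in no recorded range (they sit between `ppdev`'s Core and `jbd`'s empty Init, and just past `jbd`'s Core respectively), while the `kmem_cache_create` call target resolves to the kernel's Core range; the same lookup against a full dump is a cheap first check before setting a breakpoint in the module notifier.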
With a kernel compiled with `ext3` as a loadable kernel module (LKM) and not built-in, there's a bug when mounting an `ext3` filesystem using the following script: