Address Collision using i386 4G/4G Memory Split

Alexander Lochmann alexander.lochmann at
Tue Dec 18 10:37:15 UTC 2018

On 18.12.18 11:32, Konstantin Belousov wrote:
> On Tue, Dec 18, 2018 at 11:22:53AM +0100, Alexander Lochmann wrote:
>>>> Some context: We are doing VM-based tracing in the FreeBSD kernel. For
>>>> that, we observe parts of the kernel memory (allocations, accesses,...).
>>>> Before 12.0 we simply knew that kernel addresses that we logged were
>>>> unique. Moreover, when a memory access to a region of interest happened
>>>> we knew that could only be kernel memory.
>>>> We know have to ensure that we only record memory accesses that happen
>>>> within the kernel.
>>>> Our approach is to record the kernels value for the CR3 register, and
>>>> record memory accesses if the CR3 registers holds the aforementioned value.
>>> You must use CPL to see if the current operation mode is user or kernel.
>>> If user, nothing should be done (this would avoid vm86). If kernel, you
>>> need to compare current %cr3 with IdlePTD (IdlePTDP for PAE case).
>> Thanks for the advice!  We'll include that in our toolchain.
>> Do you use PLs other than 0(=kernel) and 3(=user)?
> No, only 0 and 3.  But be careful with vm86 (I am not sure how your VM
> reports it to your instrumentation).
Ok. Thx!

- Alex

Technische Universität Dortmund
Alexander Lochmann                PGP key: 0xBC3EF6FD
Otto-Hahn-Str. 16                 phone:  +49.231.7556141
D-44227 Dortmund                  fax:    +49.231.7556116

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the freebsd-stable mailing list