Address Collision using i386 4G/4G Memory Split
Alexander Lochmann
alexander.lochmann at tu-dortmund.de
Tue Dec 18 10:37:15 UTC 2018
On 18.12.18 11:32, Konstantin Belousov wrote:
> On Tue, Dec 18, 2018 at 11:22:53AM +0100, Alexander Lochmann wrote:
>>
>>>> Some context: We are doing VM-based tracing in the FreeBSD kernel. For
>>>> that, we observe parts of the kernel memory (allocations, accesses,...).
>>>> Before 12.0 we simply knew that kernel addresses that we logged were
>>>> unique. Moreover, when a memory access to a region of interest happened
>>>> we knew that could only be kernel memory.
>>>> We know have to ensure that we only record memory accesses that happen
>>>> within the kernel.
>>>> Our approach is to record the kernels value for the CR3 register, and
>>>> record memory accesses if the CR3 registers holds the aforementioned value.
>>> You must use CPL to see if the current operation mode is user or kernel.
>>> If user, nothing should be done (this would avoid vm86). If kernel, you
>>> need to compare current %cr3 with IdlePTD (IdlePTDP for PAE case).
>>>
>> Thanks for the advice! We'll include that in our toolchain.
>> Do you use PLs other than 0(=kernel) and 3(=user)?
> No, only 0 and 3. But be careful with vm86 (I am not sure how your VM
> reports it to your instrumentation).
>
Ok. Thx!
- Alex
--
Technische Universität Dortmund
Alexander Lochmann PGP key: 0xBC3EF6FD
Otto-Hahn-Str. 16 phone: +49.231.7556141
D-44227 Dortmund fax: +49.231.7556116
http://ess.cs.tu-dortmund.de/Staff/al
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20181218/eb5918f4/attachment.sig>
More information about the freebsd-stable
mailing list