On Mon, May 6, 2019 at 2:45 PM Steven Rostedt rostedt@goodmis.org wrote:
To do that we would need to rewrite the logic to update each of those 40,000 calls one at a time, or group them together to what gets changed.
Stephen, YOU ARE NOT LISTENING.
You are already fixing the value of the call in the instruction as part of the instruction rewriting.
When you do things like this:
unsigned long ip = (unsigned long)(&ftrace_call); unsigned char *new; int ret;
new = ftrace_call_replace(ip, (unsigned long)func); ret = update_ftrace_func(ip, new);
you have already decided to rewrite the instruction with one single fixed call target: "func".
I'm just saying that you should ALWAYS use the same call target in the int3 emulation.
Instead, you hardcode something else than what you are AT THE SAME TIME rewriting the instruction with.
See what I'm saying?
You already save off the "ip" of the instruction you modify in update_ftrace_func(). I'm just saying that you should *also* save off the actual target of the call, and use *THAT*.
So that the int3 emulation and the instruction rewriting *match*.
What you do now makes no sense. You're modifing the code with one thing (the "func" argument in update_ftrace_func), so if your modification completed, that's what you'll actually *run*. But you're then _emulating_ doing somethiing completely different, not using "func" at all there.
So let me say one more time: how can it *possibly* make sense to emulate something else than you are changing the instruction to read?
Are you finally understanding what craziness I'm talking about?
Stop with the "there could be thousands of targets" arguyment. The "call" instruction THAT YOU ARE REWRITING has exactly one target. There aren't 40,000 of them. x86 does not have that kind of "call" instruction that randomly calls 40k different functions. You are replacing FIVE BYTES of memory, and the emulation you do should emulate those FIVE BYTES.
See?
Why are you emulating something different than what you are rewriting?
Linus