On Thursday, April 6, 2017, W. Michael Petullo <[email protected]> wrote:
> >> I am writing some software that monitors a guest VM using > virtual-machine > >> introspection and "hijacks" system calls under certain conditions. For > >> example, the program might inject an int3/breakpoint into the guest > >> kernel at the entry point to sys_open. When the breakpoint is hit, the > >> program might set the guest instruction pointer to the address to which > >> sys_open would have itself returned and set register RAX to some desired > >> error-code return value. > >> > >> The problem I am encountering is that for some reason the process is > >> triggering a "uprobe ... failed to handle uretprobe" message from the > >> guest kernel. I do not yet know enough about uprobes to understand what > >> might be causing this. Is there something in procedures such as sys_open > >> which must execute to prevent the error which causes the kernel to print > >> this message? > > >> What vm hypervisor do you use? > > We are using Xen + libvmi. > > I have continued to read the kernel sources, and as best as I can > understand it the kernel installs uprobe instrumentation if it detects > a software breakpoint. Our program does not reinject the software > breakpoints it services back into the guest, so I am still trying to > figure out why uprobes seems to get triggered. > > -- > Mike > > :wq > I am not really into xen, but afaik both guest and host xen kernel is modified in order to facilitate hypercall Thus, i suggest you study first how hypercall works Regards, Mulyadi -- regards, Mulyadi Santosa Freelance Linux trainer and consultant blog: the-hydra.blogspot.com training: mulyaditraining.blogspot.com
_______________________________________________ Kernelnewbies mailing list [email protected] https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
