Override relative #66
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Note the base address that is going into created kernel elf. Seeing the actual address can help determine if something wonky is going on.
Add a switch to override discovery of relative offsets in the kallsyms table. If the binary under analysis has an absolute base in the upper half of the virtual address range, all the addresses appear to be negative numbers. For 64-bit systems a 50-50 split would put kernel addresses at 0x80000000-00000000 and for 32 bit systems with a 3G/1G split, the kernel addresses start at 0xC0000000
When looking for relative addresses, perform heuristic checks for absolute addresses. The original heuristic was just looking for negative numbers to be the offsets. This is insufficient because a kernel virtual address for a kernel loaded at an absolute address will almost certainly be in the top half of the virtual address space which would be a negative number. 2 heuristics have been added. The first is to check the top 3 nybbles are 0xFFF. True negative numbers are unlikely to be *THAT* negative. The kernel will be on the order of a few 10s of MB The second heuristic is to check for zeros in the top byte using the mask 0x3F. This assumes the kernel is loaded near the bottom of the kernel address space and will catch the 3G/1G split. Strictly speaking the second heuristic should never trip if the first one doesn't.
TheBitshifter
force-pushed
the
override-relative
branch
from
c51432f to
3087fd6
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When analyzing a kernel recently, this tool was reporting relative offsets in the kallsyms table when actually they were absolute addresses. This pull-request adds a switch to force absolute addresses and also adds some heuristics to suggest when to use that switch.