• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Breakpointing the commpage crashes kernel: vm_protect, submaps, ...
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Breakpointing the commpage crashes kernel: vm_protect, submaps, ...

  • Subject: Breakpointing the commpage crashes kernel: vm_protect, submaps, ...
  • From: Chandra Khan <email@hidden>
  • Date: Fri, 5 Nov 2004 16:52:30 -0800
Hi

I have a need to momentarily modify instructions [from within a
process's context in kernel space] in that process's address space.
gdb does similar things when setting up breakpoints in
gdb/src/gdb/macosx/macosx-nat-mutils.c:mach_xfer_memory()

In my experiment, writing bytes in the 0xffff8000-0xffffefff
(commpage) range ostensibly works, except that the vm maps of *other*
processes somehow seems affected after my experiment. The symptom is
that ntpd crashes the kernel, soon after I run my experiment, trying
to update some timer value which resides in the commpage. Disabling
ntpd allows me to run my experiment and do a vmmap on a boring
unrelated pid, such as the login shell. Here are the results:

Submap   ffff8000-ffffefff              r--/r-- process-only submap
                         ffff8000 [   4K]   r--/r-- SM=COW commpage
                         ffff9000 [   4K]   r--/r-- SM=SHM commpage

I don't understand this -- using gdb to set up breakpoints on a PID X
doesn't change the vmmap on some other PID Y. Why does doing it from
the kernel have different effects?

The calls I use from the process's kernel context are:

vm_region(..., &info, ...)

vm_protect(current_map(),
                  user_addr,
                  size,
                  FALSE, // change "current", not "max" protection
                  VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY)

followed by a copyout(), a pmap_sync_caches_phys(), and then a
protection restoration:

vm_protect(current_map(),
                 user_addr,
                 size,
                 FALSE, // change "current", not "max" protection
                 info.protection)

In my effort at debugging this, I got lost trying to understand some
submap nesting code. Oh, and I'm new to the whole Mach/Darwin/Xnu
game. Any help is appreciated,

Thanks,
Chandra
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Prev by Date: Re: why sometimes can't I find the panic.log file when kernel panic occurred?
  • Next by Date: sysctlbyname returns 1
  • Previous by thread: Re: why sometimes can't I find the panic.log file when kernel panic occurred?
  • Next by thread: sysctlbyname returns 1
  • Index(es):
    • Date
    • Thread