adb's search command at work

There is another trick that might be worth trying. We can ask adb to search for a value. We'll demonstrate this by searching for a known value first, then for the address of the clobbered instruction. We start our searches at scb, which is where we find the first page of the kernel.

    Hiya... adb -k unix.0 vmcore.0
    physmem 3e15
    rootdir/X                    (The pointer to the root directory's vnode)
    rootdir:
    rootdir:        fc190208
    scb/L fc190208               (Starting at scb, the system control block,
                                  locate value fc190208)
    p0+0x2d0                     (A match was found here, which we can confirm)
    ./X
    p0+0x2d0:       fc190208
    +/L fc190208                 (Advance adb pointer and continue search)
    rootdir                      (Another match)
    ./X
    rootdir:
    rootdir:        fc190208
                                 (Press Return to advance adb pointer)
    clock_lock:
    clock_lock:     0
    ./L fc190208                 (Continue search from here)
    clock_lock                   (No more matches were found, so we stayed here)
    ipcaccess+18/X
    ipcaccess+0x18: 0
    .=X                          (We want to search for, or locate, any memory
                    fc69d458      location that contains the address of the
                                  clobbered ipcaccess instruction.)
    scb/L fc69d458
    scb
    $q
    Hiya...

As we can see from this session, nowhere within the kernel was the address of the clobbered instruction, ipcaccess+18, stored as a variable.

Masked searches within adb

Staying with this train of thought, the only other possibility is that the address of ipcaccess+18 was built by a sethi / store combination of instructions. To search for the sethi instruction, which sets a register value to contain the high-order 22 bits of value 0xfc69d458, we would need to know the actual instruction operation code (opcode) of the command to search for. And, since there are 32 registers available to the sethi instruction, we would need to search 32 combinations of opcodes at that! Fortunately, the L command within adb happens to have a mask feature. Using it, we can tell adb to search for anything that matches some of the value we specify, instead of the whole value.

The first thing we need to know, in order to search for a specific instruction, is the actual opcode. For this type of information, you'll usually need to refer to the chip manual, in our case, the SPARC Version 8 Reference Manual. Alternatively, you could try to disassemble several sethi instructions until you figure out the opcode. Here is the sethi opcode layout.

    [Figure 31-1. sethi opcode layout]

When we place the high-order 22 bits of the address fc69d458 into this layout, the last six nibbles will contain 3f1a75. The destination register is the unknown quantity. Any one of 32 registers could be specified in the sethi instruction we seek. Therefore, during our search, we want to mask for everything except the destination register field. The bits we want to match exactly during the search must be masked with a 1 bit. To match perfectly on all bits, our mask would be ffffffff (the default if no mask is specified). We want to match on all but the five destination register bits; therefore, our mask will be c1ffffff.

Let's return to adb and try the search command using a mask. First, we will search for something we know exists. Digging around, we found that the setup_panic() routine contained a cluster of sethi instructions, so we will use it for our example.

    setup_panic+18,a/X4-i
    setup_panic+0x18:  113c060d    sethi   %hi(0xf0183400), %o0
                       7ffffe2c    call    mutex_enter
                       901222e0    or      %o0, 0x2e0, %o0
                       173c0549    sethi   %hi(0xf0152400), %o3
                       d602e264    ld      [%o3 + 0x264], %o3   ! panicstr
                       8090000b    orcc    %g0, %o3, %g0
                       22800007    be,a    setup_panic + 0x4c
                       1f3c0556    sethi   %hi(0xf0155800), %o7
                       193c0549    sethi   %hi(0xf0152400), %o4
                       1b3c05a2    sethi   %hi(0xf0168800), %o5
    setup_panic/L 013c0556 c1ffffff
    setup_panic+0x34
    ./i
    setup_panic+0x34:  sethi   %hi(0xf0155800), %o7
    +/L 013c0556 c1ffffff
    mlsetup+0x70
    ./i
    mlsetup+0x70:      sethi   %hi(0xf0155800), %o1
    scb/L 013f1a75 c1ffffff
    scb

During our practice search, we matched on two variations of the sethi instruction. Each referenced a different destination register. Sadly, the search for the high-order 22 bits of the address of the ipcaccess() routine didn't result in any matches. Still, the effort was a good one!
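The following script is an added illustration of the sethi encoding and the masked search just described; it is not from the book or its adb session. It builds the value/mask pair adb's L command needs for any target address, decodes sethi words into the disassembly shown above, and runs the masked search over a small memory image constructed here from words in the setup_panic listing (the image base address and the extra collision word are assumptions).

```python
import struct

# SPARC V8 register names indexed by the 5-bit rd field (0..31).
REG_NAMES = ([f"%g{i}" for i in range(8)] + [f"%o{i}" for i in range(8)] +
             [f"%l{i}" for i in range(8)] + [f"%i{i}" for i in range(8)])

SETHI_OP2 = 0b100  # format 2, op=00 (bits 31..30), op2=100 (bits 24..22)


def sethi_pattern(addr):
    """Return (value, mask) for 'start/L value mask' in adb: a sethi carrying
    the high-order 22 bits of addr, with the rd field (bits 29..25) masked
    out so that any of the 32 destination registers matches."""
    value = (SETHI_OP2 << 22) | ((addr >> 10) & 0x3FFFFF)
    mask = 0xC1FFFFFF
    return value, mask


def decode_sethi(word):
    """Disassemble a 32-bit word if it is a sethi; otherwise return None."""
    if (word >> 30) != 0 or ((word >> 22) & 0x7) != SETHI_OP2:
        return None
    rd = (word >> 25) & 0x1F
    imm22 = word & 0x3FFFFF
    return f"sethi %hi(0x{imm22 << 10:08x}), {REG_NAMES[rd]}"


def masked_search(image, base, value, mask):
    """Step through a big-endian image one word at a time (as adb's /L does)
    and return the addresses whose word matches value under mask."""
    hits = []
    for off in range(0, len(image) - 3, 4):
        (word,) = struct.unpack_from(">I", image, off)
        if word & mask == value & mask:
            hits.append(base + off)
    return hits


# Constructed sample image (assumed base address): sethi words from the
# setup_panic listing, plus 0x803c0556, whose low 22 bits collide with
# sethi %hi(0xf0155800) but whose op field is not 00, so it must not match.
IMAGE_BASE = 0xF0040000
IMAGE = struct.pack(">6I", 0x113C060D, 0x7FFFFE2C, 0x1F3C0556,
                    0x803C0556, 0x193C0549, 0x033C0556)

if __name__ == "__main__":
    for target in (0xF0155800, 0xFC69D458):
        value, mask = sethi_pattern(target)
        print(f"scb/L {value:08x} {mask:08x}")
        for addr in masked_search(IMAGE, IMAGE_BASE, value, mask):
            (w,) = struct.unpack_from(">I", IMAGE, addr - IMAGE_BASE)
            print(f"  {addr:08x}: {w:08x}  {decode_sethi(w)}")
```

Running it finds both sethi %hi(0xf0155800) words despite their different destination registers, rejects the collision word, and, like the session above, reports no match at all for the high-order bits of fc69d458.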