adb's search command at work

There is another trick that might be worth trying. We can ask adb to search for a value. We'll demonstrate this by searching for a known value first, then for the address of the clobbered instruction. We start our searches at scb, which is where we find the first page of the kernel.

    Hiya... adb -k unix.0 vmcore.0
    physmem 3e15
    rootdir/X                       (The pointer to the root directory's vnode)
    rootdir:
    rootdir:        fc190208
    scb/L fc190208                  (Starting at scb, the system control block, locate value fc190208)
    p0+0x2d0                        (A match was found here, which we can confirm)
    ./X
    p0+0x2d0:       fc190208
    +/L fc190208                    (Advance adb pointer and continue search)
    rootdir                         (Another match)
    ./X
    rootdir:
    rootdir:        fc190208
                                    (Press Return to advance adb pointer)
    clock_lock:
    clock_lock:     0
    ./L fc190208                    (Continue search from here)
    clock_lock                      (No more matches were found, so we stayed here)
    ipcaccess+18/X
    ipcaccess+0x18: 0
    .=X                             (We want to search for or locate any memory
    fc69d458                         location that contains the address of the
                                     clobbered ipcaccess instruction.)
    scb/L fc69d458
    scb
    $q
    Hiya...

As we can see from this session, nowhere within the kernel was the address of the clobbered instruction, ipcaccess+18, stored as a variable.

Masked searches within adb

Staying with this train of thought, the only other possibility is that the address of ipcaccess+18 was built by a sethi / store combination of instructions. To search for the sethi instruction, which sets a register value to contain the high-order 22 bits of value 0xfc69d458, we would need to know the actual instruction operation code (opcode) of the command to search for. And, since there are 32 registers available to the sethi instruction, we would need to search 32 combinations of opcodes at that!

Fortunately, the L search command within adb happens to have a mask feature. Using it, we can tell adb to search for anything that matches only the bits of the value we specify, instead of the whole value.

The first thing we need to know, in order to search for a specific instruction, is the actual opcode. For this type of information, you'll usually need to refer to the chip manual, in our case, the SPARC Version 8 Reference Manual. Alternatively, you could try to disassemble several sethi instructions until you figure out the opcode.

Here is the sethi opcode layout.

Figure 31-1. sethi opcode layout

When we place the high-order 22 bits of the address fc69d458 into this layout, the last six nibbles will contain 3f1a75.

The destination register is the unknown quantity. Any one of 32 registers could be specified in the sethi instruction we seek. Therefore, during our search, we want to mask for everything except the destination register field.

The bits we want to match exactly during the search must have a 1 bit in the mask. To match perfectly on all bits, our mask would be ffffffff (the default if no mask is specified). We want to match on all but the five destination register bits; therefore, our mask will be c1ffffff.
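The following Python script is an added example, not code from the handbook or from adb itself. It encodes SPARC V8 sethi instructions (op = 00 in bits 31-30, rd in bits 29-25, op2 = 100 in bits 24-22, imm22 in bits 21-0), derives the search value and the c1ffffff mask from a target address the way the text does, and then emulates adb's `addr/L value mask` scan over a constructed memory image. The image is built from the ten instruction words of the setup_panic+0x18 listing used in the practice search; its base address 0xf01e0018 is an assumption standing in for setup_panic+0x18, and the function names are mine.

```python
"""Masked search for a sethi instruction, in the spirit of adb's
`addr/L value mask` command.

Added example; it is not code from the PANIC! handbook or from adb.
SPARC V8 sethi layout: op = 00 in bits 31-30, rd in bits 29-25,
op2 = 100 in bits 24-22, imm22 in bits 21-0.
The memory image scanned below is constructed from the instruction
words shown in the setup_panic+0x18 listing; its base address is assumed.
"""
import struct

SETHI_OP2 = 0b100           # format-2 op2 value that selects sethi
RD_MASK = 0x1F << 25        # the five destination-register bits


def sethi(rd, value):
    """Encode `sethi %hi(value), %r<rd>` as a 32-bit instruction word."""
    if not 0 <= rd < 32:
        raise ValueError("rd must be a register number 0..31")
    imm22 = (value >> 10) & 0x3FFFFF          # high-order 22 bits of value
    return (rd << 25) | (SETHI_OP2 << 22) | imm22


def sethi_fields(word):
    """Decode a sethi word into (rd, value_loaded); raise if it is not sethi."""
    if (word >> 30) != 0 or ((word >> 22) & 0x7) != SETHI_OP2:
        raise ValueError("0x%08x is not a sethi instruction" % word)
    return (word >> 25) & 0x1F, (word & 0x3FFFFF) << 10


def sethi_search_pattern(value):
    """Search value and mask that match sethi %hi(value) for any rd.
    For 0xfc69d458 this gives (0x013f1a75, 0xc1ffffff), the pair used in the text."""
    return sethi(0, value), 0xFFFFFFFF & ~RD_MASK


def masked_search(image, base, start, value, mask=0xFFFFFFFF):
    """Emulate `start/L value mask`: address of the first 4-byte word at or
    after `start` whose masked bits equal those of `value`, else None
    (adb itself leaves dot where it was, as the clock_lock line shows)."""
    if start < base or (start - base) % 4:
        raise ValueError("start must be a 4-byte aligned address in the image")
    want = value & mask
    for off in range(start - base, len(image) - 3, 4):
        word = struct.unpack_from(">I", image, off)[0]  # SPARC is big-endian
        if word & mask == want:
            return base + off
    return None


def masked_search_all(image, base, value, mask=0xFFFFFFFF):
    """Repeat `/L` then `+/L` until the search runs dry: every hit address."""
    hits = []
    addr = base
    while addr + 4 <= base + len(image):
        hit = masked_search(image, base, addr, value, mask)
        if hit is None:
            break
        hits.append(hit)
        addr = hit + 4
    return hits


# Constructed memory image: the ten words from the setup_panic+0x18 listing.
SETUP_PANIC_WORDS = [
    0x113c060d, 0x7ffffe2c, 0x901222e0, 0x173c0549, 0xd602e264,
    0x8090000b, 0x22800007, 0x1f3c0556, 0x193c0549, 0x1b3c05a2,
]
IMAGE_BASE = 0xF01E0018     # assumed address standing in for setup_panic+0x18
IMAGE = b"".join(struct.pack(">I", w) for w in SETUP_PANIC_WORDS)


if __name__ == "__main__":
    # Practice search: every sethi %hi(0xf0155800), whatever the register.
    val, msk = sethi_search_pattern(0xf0155800)
    for hit in masked_search_all(IMAGE, IMAGE_BASE, val, msk):
        word = struct.unpack_from(">I", IMAGE, hit - IMAGE_BASE)[0]
        rd, loaded = sethi_fields(word)
        print("%08x: %08x  sethi %%hi(0x%08x), %%r%d" % (hit, word, loaded, rd))
    # The real question: does anything set a register to %hi(ipcaccess+0x18)?
    val, msk = sethi_search_pattern(0xfc69d458)
    print("pattern %08x mask %08x -> %s"
          % (val, msk, masked_search(IMAGE, IMAGE_BASE, IMAGE_BASE, val, msk)))
```

The mask is computed rather than typed in: clearing the five rd bits of ffffffff is exactly what yields c1ffffff, so the same function produces the right mask for any other register field you later decide to wildcard. Running the script finds the %o7 sethi at the assumed address 0xf01e0034 (the +0x1c offset matching setup_panic+0x34 in the text) and reports no match for 0x013f1a75.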

Let's return to adb and try the search command using a mask. First, we will search for something we know exists. Digging around, we found that the setup_panic() routine contained a cluster of sethi instructions, so we will use it for our example.

    setup_panic+18,a/X4-i
    setup_panic+0x18:               113c060d        sethi   %hi(0xf0183400), %o0
                                    7ffffe2c        call    mutex_enter
                                    901222e0        or      %o0, 0x2e0, %o0
                                    173c0549        sethi   %hi(0xf0152400), %o3
                                    d602e264        ld      [%o3 + 0x264], %o3       ! panicstr
                                    8090000b        orcc    %g0, %o3, %g0
                                    22800007        be,a    setup_panic + 0x4c
                                    1f3c0556        sethi   %hi(0xf0155800), %o7
                                    193c0549        sethi   %hi(0xf0152400), %o4
                                    1b3c05a2        sethi   %hi(0xf0168800), %o5
    setup_panic/L 013c0556 c1ffffff
    setup_panic+0x34
    ./i
    setup_panic+0x34:               sethi   %hi(0xf0155800), %o7
    +/L 013c0556 c1ffffff
    mlsetup+0x70
    ./i
    mlsetup+0x70:                   sethi   %hi(0xf0155800), %o1
    scb/L 013f1a75 c1ffffff
    scb

During our practice search, we matched on two variations of the sethi instruction. Each referenced a different destination register. Sadly, the search for the high-order 22 bits of the address of the ipcaccess() routine didn't result in any matches. Still, the effort was a good one!



PANIC! UNIX System Crash Dump Analysis Handbook (Bk/CD-ROM)
ISBN: 0131493868
Year: 1994
Pages: 289
Authors: Chris Drake
