-prof_pcs fails on win7: NtCreateProfile returns 0xc000000d #413
From [email protected] on October 27, 2011 11:06:52

they added NtCreateProfileEx in win7: it takes 10 args so 1 extra

requires SeSystemProfilePrivilege but running as admin makes no difference,

```
% cd ~/dr/git/build_x86_dbg
editrights -a SeSystemProfilePrivilege -u bruening
```

here we go, got something different. so buffer is big enough.

bigger shift makes no difference: pass 2 or 19 (ProfileTotalCycles) instead of ProfileTime => 0xc000000d

align buffer to 1024:

align to 4096:

kernel address range:

pass 1 for mask => STATUS_PRIVILEGE_NOT_HELD (even if run as admin or w/

so still stumped as to what's wrong

This is causing the prof_pcs tests to fail in the long suite: http://dynamorio.org/CDash/testDetails.php?test=68307&build=7764
Fixes missing instruction encodings for some kernel code execution captured using Intel-PT. The root-cause seemed to be that JIT code executed by the kernel, eBPF code in this case, does not have entries in /proc/kallsyms, so our kcore dump logic did not include them. This fix looks for BPF related symbols in /proc/kallsyms and includes them in the copied regions from /proc/kcore.

Note that BPF JIT symbols are not included in /proc/kallsyms by default. One needs to set /proc/sys/net/core/bpf_jit_harden and /proc/sys/net/core/bpf_jit_kallsyms appropriately (see https://docs.kernel.org/admin-guide/sysctl/net.html#proc-sys-net-core-network-core-options for more details). Added this suggestion to documentation.

Tested PT tracing related tests locally on a machine that supports Intel-PT:

```
$ ctest -R 'drpttracer|drcacheoff.kernel'
...
    Start 213: code_api|client.drpttracer_SUDO-test
[sudo] password for sharmaabhinav:
1/5 Test #213: code_api|client.drpttracer_SUDO-test ..................... Passed 4.29 sec
    Start 412: code_api|tool.drcacheoff.kernel.simple_SUDO
2/5 Test #412: code_api|tool.drcacheoff.kernel.simple_SUDO .............. Passed 4.66 sec
    Start 413: code_api|tool.drcacheoff.kernel.opcode-mix_SUDO
3/5 Test #413: code_api|tool.drcacheoff.kernel.opcode-mix_SUDO .......... Passed 4.71 sec
    Start 414: code_api|tool.drcacheoff.kernel.syscall-mix_SUDO
4/5 Test #414: code_api|tool.drcacheoff.kernel.syscall-mix_SUDO ......... Passed 4.59 sec
    Start 415: code_api|tool.drcacheoff.kernel.invariant-checker_SUDO
5/5 Test #415: code_api|tool.drcacheoff.kernel.invariant-checker_SUDO ... Passed 5.75 sec

100% tests passed, 0 tests failed out of 5
```

Issue: #6486
Fixes drmemtrace kernel trace libipt post-processing failures caused by missing instruction encodings for some kernel code execution captured using Intel-PT. The root-cause seems to be that JIT code executed by the kernel, BPF code in this case, does not have entries in `/proc/modules`. So, our kcore dump logic did not include them. This fix looks for BPF related symbols in `/proc/kallsyms` and includes them in the copied regions from `/proc/kcore`.

Note that BPF JIT symbols are not included in `/proc/kallsyms` by default. One needs to set `/proc/sys/net/core/bpf_jit_harden` and `/proc/sys/net/core/bpf_jit_kallsyms` appropriately (see https://docs.kernel.org/admin-guide/sysctl/net.html#proc-sys-net-core-network-core-options for more details). Added this suggestion to documentation. It may be better to not automatically make this possibly-too-intrusive change to the user's machine in cmake. This is probably fine because the issue is not widespread (not reproduced on public Linux distributions).

Tested PT tracing related tests locally on a machine that supports Intel-PT:

```
$ ctest -R 'drpttracer|drcacheoff.kernel'
...
    Start 213: code_api|client.drpttracer_SUDO-test
[sudo] password for sharmaabhinav:
1/5 Test #213: code_api|client.drpttracer_SUDO-test ..................... Passed 4.29 sec
    Start 412: code_api|tool.drcacheoff.kernel.simple_SUDO
2/5 Test #412: code_api|tool.drcacheoff.kernel.simple_SUDO .............. Passed 4.66 sec
    Start 413: code_api|tool.drcacheoff.kernel.opcode-mix_SUDO
3/5 Test #413: code_api|tool.drcacheoff.kernel.opcode-mix_SUDO .......... Passed 4.71 sec
    Start 414: code_api|tool.drcacheoff.kernel.syscall-mix_SUDO
4/5 Test #414: code_api|tool.drcacheoff.kernel.syscall-mix_SUDO ......... Passed 4.59 sec
    Start 415: code_api|tool.drcacheoff.kernel.invariant-checker_SUDO
5/5 Test #415: code_api|tool.drcacheoff.kernel.invariant-checker_SUDO ... Passed 5.75 sec

100% tests passed, 0 tests failed out of 5
```

Unfortunately the decode errors do not go away completely even after this fix, but they have become very less frequent now (tool.kernel.simple in release build failed after 40 successful runs with this fix, which failed every run before).

Issue: #6486
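The description above relies on two things a kcore-style dumper has to get right: the kernel only exports BPF JIT images to `/proc/kallsyms` under specific sysctl settings, and `/proc/kallsyms` gives addresses but no sizes, so each image's extent has to be bounded by the next symbol. The following is an added example, not DynamoRIO's code, showing both checks over a constructed `/proc/kallsyms` excerpt. The sysctl rule (export only when `bpf_jit_enable` is non-zero, `bpf_jit_kallsyms` is 1 and `bpf_jit_harden` is 0) follows the kernel's own `bpf_jit_kallsyms_enabled()` check; the page-rounding and the `MAX_JIT_REGION` cap on a region whose next symbol is far away are assumptions of this example.

```python
"""Locate kernel BPF JIT images via /proc/kallsyms so a kcore-style dumper
can include them. Added example, not DynamoRIO code."""
import re

PAGE_SIZE = 4096
# Assumption: /proc/kallsyms has no sizes, so a region is bounded by the next
# symbol; cap it so an unrelated far-away symbol does not yield a huge range.
MAX_JIT_REGION = 1 << 20

# "<addr> <type> <name>[\t[module]]" as printed by /proc/kallsyms.
KALLSYMS_RE = re.compile(r"^([0-9a-f]+)\s+([A-Za-z?])\s+(\S+)(?:\s+\[(\S+)\])?$", re.I)

# Constructed sample in /proc/kallsyms format; addresses and tags are made up.
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81000100 t do_one_initcall
ffffffffc0a1b000 t bpf_prog_6deef7357e7b4530_sys_enter\t[bpf]
ffffffffc0a1b0c8 t bpf_prog_8ab3f4d2c1e0a9b7_raw_tp\t[bpf]
ffffffffc0a1c000 t bpf_dispatcher_xdp\t[bpf]
ffffffffc0d00000 t xfs_file_open\t[xfs]
ffffffff82000000 T _etext
"""


def jit_kallsyms_exported(sysctls):
    """sysctls maps /proc/sys/net/core/* names to their integer values.
    The kernel exports JIT-image symbols only when the JIT is on, the
    kallsyms export is enabled and constant blinding (harden) is off."""
    return (sysctls.get("bpf_jit_enable", 0) != 0
            and sysctls.get("bpf_jit_kallsyms", 0) == 1
            and sysctls.get("bpf_jit_harden", 0) == 0)


def parse_kallsyms(text):
    """Return (addr, type, name, module) tuples sorted by address."""
    syms = []
    for line in text.splitlines():
        m = KALLSYMS_RE.match(line.strip())
        if m:
            addr, typ, name, module = m.groups()
            syms.append((int(addr, 16), typ, name, module))
    syms.sort(key=lambda s: s[0])
    return syms


def is_bpf_jit_symbol(name, module):
    # The kernel tags every JIT-image symbol with the pseudo-module [bpf];
    # the bpf_prog_ name prefix is kept as a fallback.
    return module == "bpf" or name.startswith("bpf_prog_")


def page_up(x):
    return (x + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)


def page_down(x):
    return x & ~(PAGE_SIZE - 1)


def bpf_jit_regions(syms):
    """Page-aligned, merged [start, end) ranges covering every BPF JIT symbol.
    Each symbol extends to the next symbol's address (capped), since kallsyms
    carries no sizes; adjacent or overlapping ranges are merged."""
    regions = []
    for i, (addr, _typ, name, module) in enumerate(syms):
        if not is_bpf_jit_symbol(name, module):
            continue
        nxt = syms[i + 1][0] if i + 1 < len(syms) else addr + PAGE_SIZE
        end = page_up(min(nxt, addr + MAX_JIT_REGION))
        start = page_down(addr)
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], max(regions[-1][1], end))
        else:
            regions.append((start, end))
    return regions


if __name__ == "__main__":
    for start, end in bpf_jit_regions(parse_kallsyms(SAMPLE_KALLSYMS)):
        print(f"copy from /proc/kcore: {start:#x}-{end:#x} ({end - start} bytes)")
```

On a live machine the same functions take the text of `/proc/kallsyms` (read as root, since `kptr_restrict` zeroes addresses otherwise) and the integer contents of the three sysctl files; if `jit_kallsyms_exported` is false, `bpf_jit_regions` will simply find nothing, which is the silent failure the PR describes.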
From [email protected] on March 11, 2011 16:35:49
xref issue #140 on win7 I see:
```
ChildEBP RetAddr
00 0030f06c 66bcc98c ntdll!NtRaiseHardError+0x12
01 0030f0bc 66b9d024 dynamorio!nt_messagebox+0xec [c:\src\dr\git\src\core\win32\ntdll.c @ 3251]
02 0030f0d0 66a60c72 dynamorio!debugbox+0x54 [c:\src\dr\git\src\core\win32\os.c @ 3421]
03 0030f3e8 66a6101b dynamorio!notify+0x1a2 [c:\src\dr\git\src\core\utils.c @ 1854]
04 0030f45c 66a5cbe6 dynamorio!report_dynamorio_problem+0x34b [c:\src\dr\git\src\core\utils.c @ 2073]
05 0030f594 66bcd049 dynamorio!internal_error+0x116 [c:\src\dr\git\src\core\utils.c @ 191]
06 0030f5b4 66b9bed6 dynamorio!nt_create_profile+0x49 [c:\src\dr\git\src\core\win32\ntdll.c @ 3629]
07 0030f5e4 66b927d1 dynamorio!create_profile+0x1c6 [c:\src\dr\git\src\core\win32\os.c @ 2995]
08 0030f718 66b92489 dynamorio!init_global_profiles+0x2d1 [c:\src\dr\git\src\core\win32\os.c @ 417]
09 0030f750 669d7f6b dynamorio!os_init+0x669 [c:\src\dr\git\src\core\win32\os.c @ 836]
0a 0030f9b8 66b6f247 dynamorio!dynamorio_app_init+0x1bb [c:\src\dr\git\src\core\dynamo.c @ 498]
0b 0030fa04 66981008 dynamorio!auto_setup+0x27 [c:\src\dr\git\src\core\x86\x86_code.c @ 139]
0c 00000000 00000000 dynamorio!dynamo_auto_start+0x8
0:000> .frame 6
06 0030f5b4 66b9bed6 dynamorio!nt_create_profile+0x49 [c:\src\dr\git\src\core\win32\ntdll.c @ 3629]
0:000> dv
 process_handle = 0xffffffff
          start = 0x00000000
           size = 0xffffffff
         buffer = 0x1b9b1024
    buffer_size = 0x10
          shift = 0x1e
    prof_handle = 0x00000000
            res = -1073741811
0:000> !error @@(res)
Error code: (NTSTATUS) 0xc000000d (3221225485) - An invalid parameter was passed to a service or function.
```
Original issue: http://code.google.com/p/dynamorio/issues/detail?id=413