Re: ptrace in 2.6.5
From: OGAWA Hirofumi
Date: Mon May 10 2004 - 16:51:35 EST
Fabiano Ramos <ramos_fabiano@xxxxxxxxxxxx> writes:
> > > Is ptrace(), in singlestep mode, required to stop after a int 0x80?
> > > When tracing a sequence like
> > >
> > > mov ...
> > > int 0x80
> > > mov ....
> > >
> > > ptrace would notify the tracer after the two movs, but not after the
> > > int 0x80. I want to know if it is a bug or the expected behaviour.
> > What happens is that after the int 0x80 the CPU is in ring 0 (you
> > don't get a trace event in that mode unless you use a kernel debugger).
> > Then, when the kernel returns, the last instruction executed before it is an
> > IRET. But the IRET is also executed still in ring 0 and you should not get
> > an event for it (you can not even access its code from user space).
> I got it. But I need it to stop after the instruction. I am a newbie,
> so is it trivial to patch the kernel so that it STOPS after the int
> 0x80? Can you give me some light on it?
This is the behavior of the CPU, not the kernel. The "iret" after "int 0x80"
restores the eip to "mov ...".
<---- exception here (eip = "next insn")
So the single-step exception happens *after* the "mov ..." has executed.
Probably you need to use the breakpoint instead of single-step.
OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
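The breakpoint approach from the reply above, as an added example that is not part of this thread and not code from any of its participants. It assumes Linux on x86_64, where "int 0x80" still selects the 32-bit syscall ABI (i386 __NR_getpid is 20), and it uses two assembler labels of its own naming, step_after_int80 and step_after_mov, so the tracer knows the exact addresses of the instruction after the int 0x80 and the one after the following mov. The tracer plants an int3 on the instruction after the syscall, continues the child, gets a SIGTRAP exactly there regardless of how the kernel reports single steps across a syscall (later kernels added their own single-step report at syscall exit, so the observation in this thread is specific to kernels of its era), then takes one PTRACE_SINGLESTEP to show it lands after the mov.

```c
/* Added example, not from the thread: stop a traced child right after "int 0x80"
 * with a breakpoint (int3) instead of a single step, as the reply suggests.
 * Linux x86_64 only; elsewhere run_trace() returns failed_step == -1. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
struct trace_result {
    int ok;                 /* 1 when every numbered step in run_trace() succeeded */
    int failed_step;        /* 0 on success, else the step that failed */
    unsigned long bp_rip;   /* rip at the int3 hit, rewound onto the breakpointed insn */
    unsigned long step_rip; /* rip after one PTRACE_SINGLESTEP from that point */
    int child_exit;         /* child exit code; 0 means int 0x80 getpid() matched */
};
#if defined(__linux__) && defined(__x86_64__)
extern char step_after_int80[], step_after_mov[];   /* labels defined in the asm below */
/* The thread's sequence (mov / int 0x80 / mov) run in the child. int 0x80 uses the 32-bit
 * syscall ABI even from 64-bit code: i386 __NR_getpid is 20 and the result is in eax. */
__attribute__((noinline)) static void traced_sequence(void)
{
    long ret;
    __asm__ volatile(
        "movl $20, %%eax\n\t"
        "int $0x80\n\t"
        ".globl step_after_int80\n" "step_after_int80:\n\t"
        "movq %%rax, %0\n\t"
        ".globl step_after_mov\n" "step_after_mov:\n\t"
        : "=r"(ret) : : "rax", "memory");
    _exit(ret == (long)getpid() ? 0 : 3);
}
unsigned long expected_bp_rip(void)   { return (unsigned long)step_after_int80; }
unsigned long expected_step_rip(void) { return (unsigned long)step_after_mov; }

/* Reap one wait status and require a ptrace stop with signal sig. */
static int wait_stop(pid_t pid, int sig)
{
    int status;
    if (waitpid(pid, &status, 0) != pid) return 0;
    return WIFSTOPPED(status) && WSTOPSIG(status) == sig;
}

struct trace_result run_trace(void)
{
    struct trace_result r;
    struct user_regs_struct regs;
    unsigned long bp = (unsigned long)step_after_int80;  /* same address in the forked child */
    long orig, patched;
    int status;
    pid_t pid;
    memset(&r, 0, sizeof r); pid = fork();
    if (pid < 0) { r.failed_step = 1; return r; }
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(99);
        raise(SIGSTOP);       /* hand control to the tracer before the sequence runs */
        traced_sequence();    /* never returns */
    }
    /* 2: initial SIGSTOP; fails here when ptrace is not permitted in this environment. */
    if (!wait_stop(pid, SIGSTOP)) { r.failed_step = 2; goto fail; }
    /* 3-4: plant int3 (0xCC) on the instruction after int 0x80, keeping the original word. */
    errno = 0;
    orig = ptrace(PTRACE_PEEKTEXT, pid, (void *)bp, NULL);
    if (errno) { r.failed_step = 3; goto fail; }
    patched = (orig & ~0xffL) | 0xcc;
    if (ptrace(PTRACE_POKETEXT, pid, (void *)bp, (void *)patched) < 0) { r.failed_step = 4; goto fail; }
    /* 5: run through the syscall; iret lands on the int3, which traps in user mode. */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0 || !wait_stop(pid, SIGTRAP)) { r.failed_step = 5; goto fail; }
    /* 6-7: int3 has executed, so rewind rip by one byte and restore the original text. */
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) { r.failed_step = 6; goto fail; }
    regs.rip -= 1; r.bp_rip = regs.rip;
    if (ptrace(PTRACE_POKETEXT, pid, (void *)bp, (void *)orig) < 0 ||
        ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0) { r.failed_step = 7; goto fail; }
    if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) < 0 || !wait_stop(pid, SIGTRAP)) { r.failed_step = 8; goto fail; }
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) { r.failed_step = 9; goto fail; }
    r.step_rip = regs.rip;   /* 8-9: one single step from here executed only the trailing mov */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0 || waitpid(pid, &status, 0) != pid ||
        !WIFEXITED(status)) { r.failed_step = 10; goto fail; }
    r.child_exit = WEXITSTATUS(status);   /* 10: child ran to completion */
    r.ok = 1;
    return r;
fail:
    kill(pid, SIGKILL); waitpid(pid, NULL, 0);
    return r;
}
#else /* not x86_64 Linux: nothing to demonstrate */
unsigned long expected_bp_rip(void)   { return 0; }
unsigned long expected_step_rip(void) { return 0; }
struct trace_result run_trace(void) { struct trace_result r = {0, -1, 0, 0, 0}; return r; }
#endif

int main(void)
{
    struct trace_result r = run_trace();
    printf("ok=%d step=%d bp_rip=%#lx step_rip=%#lx exit=%d\n", r.ok, r.failed_step, r.bp_rip, r.step_rip, r.child_exit);
    return r.ok ? r.child_exit : 1;
}
```

Build with gcc and run it as an ordinary user; the child uses PTRACE_TRACEME on its own parent, so a Yama ptrace_scope of 1 is enough. When it completes, bp_rip equals the address of step_after_int80 and step_rip equals step_after_mov, which is the deterministic stop the thread was after. Where ptrace is blocked, the machine is not x86_64, or the kernel has no 32-bit syscall entry for int 0x80, failed_step tells you which step broke instead of leaving a stopped child behind.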