Early versions of kASLR that we've been using do not have the offset
explicitly in the VMCOREINO section, although I completely agree it
should be in the version that lands upstream. We have some other
tooling in our development environment that makes it easy for us to
get offset data without the vmcore file, which is why the --kaslr
option to crash would work for us. I understand your point that this
wouldn't necessarily be helpful in other deployment scenarios.
/proc/kallsyms does reflect the relocated symbol values for the most
part. There may be a few special symbols which are not correct. I
haven't tried running crash on a live system with aslr enabled, but I
will try that.
On Wed, Oct 16, 2013 at 8:16 AM, Dave Anderson <anderson(a)redhat.com> wrote:
----- Original Message -----
> On Tue, Oct 15, 2013 at 11:36 AM, Dave Anderson <anderson(a)redhat.com> wrote:
> >
> >
> > ----- Original Message -----
> >> I'm trying to add crash support for kdumps from kASLR'd kernels.
I've
> >> got it working with a few small changes and I wanted to solicit
> >> comments before sending a patch.
> >
> > Excellent!
> >
> >> 1) The --reloc flag appears to specify an offset to be subtracted from
> >> the loaded address, when the aslr offset is added. It's annoying to
> >> try to specify negative numbers on the command line, so I'd like to
> >> add another argument --aslr which is the same as --reloc but negates
> >> the value.
> >
> > Not a problem. In fact, since they really are different concepts, I'd
> > prefer it. But can you make it --kalsr?
> >
> > A couple questions -- how would the user know what the offset is?
> >
>
> The offset is output in the dmesg buffer. I don't really know how
> crashes are analyzed elsewhere, but this fits in well with our
> debugging workflow. Is this a problem for the usual workflow?
OK, so for dumpfiles, it would be displayed somewhere in the panic message
stream at the end of the kernel log buffer. But to access that information,
the kalsr offset would be required to read the buffer contents from the dumpfile.
Given just a vmlinux and vmcore, how would a user know what the offset
would be?
If it's in the VMCOREINFO notes section, then it can be read by simply
parsing the ELF header contents in an uncompressed ELF vmcore (/proc/vmcore copy),
or parsing the VMCOREINFO data that makedumpfile copies from /proc/vmcore to the
compressed kdump's header.
Also -- for running crash on the live system, does /proc/kallsyms reflect the
relocated symbol values?
Dave
--
Crash-utility mailing list
Crash-utility(a)redhat.com
https://www.redhat.com/mailman/listinfo/crash-utility