Reputation: 33
Alter kernel execution path using kprobes
Is it possible to alter the execution path with kprobe and terminate kernel function execution? While searching, I came across this post Replace system call in linux kernel 3 AFAIK, one can change the return value using kretprobe, but what i'm looking for is conditionally terminating kernel function execution from within kprobe handler. Has this been tried before? Thanks!
Upvotes: 1
Views: 808
Answers (1)
Reputation: 126165
I found this in the kernel docs, so it seems doable:
Changing Execution Path
Since kprobes can probe into a running kernel code, it can change the register set, including instruction pointer. This operation requires maximum care, such as keeping the stack frame, recovering the execution path etc. Since it operates on a running kernel and needs deep knowledge of computer architecture and concurrent computing, you can easily shoot your foot.
If you change the instruction pointer (and set up other related registers) in pre_handler, you must return !0 so that kprobes stops single stepping and just returns to the given address. This also means post_handler should not be called anymore.
Note that this operation may be harder on some architectures which use TOC (Table of Contents) for function call, since you have to setup a new TOC for your function in your module, and recover the old one after returning from it.
Upvotes: 0
Related Questions
- Change linux kernel installation directory
- Adding compile-time definitions in Kconfig in Linux kernel
- How can I attached a BPF program to a kernel function via a kprobe?
- Editing Kernel command-line arguments inside Kernel
- How to invoke any kernel function?
- How to add kernel args when compiling linux kernel?
- Can i force linux kernel to use particular memory pages for new executable
- Opening/Writing to a file from a Kprobe handler
- How to reconfigure Kconfig settings?
- Changing kernel variables/parameters from a kernel module