login
Search
All code is on a Ubuntu 2.6.24-19-generic kernel
Here's the setup:
I'm currently working on a project that requires a bit of system call foo. We're using qemu and hooking system calls as they come across the cpu. Everything works great on the front end, I'm catching int 0x80s and sysenters just fine. The problem comes on the back end when I try to match up system calls with their return values. What I'm doing now is setting up a per-process table and when I get a system call I store the EIP after the call instruction and the syscall number in the table. Then when I get to an IRET or SysExit, I check the PID in the table and see if the stored EIP matches the EIP that we're returning to. If it matches I grab EAX and match it up with the previous call.
Here's the problem:
There are some instances when a process makes a system call, then at the end of the syscall when switching from ring 0->3 it checks to see if another process needs to be scheduled, and switches that that process. When it returns to the original process (somehow?) it never seems to return back to the EIP after the call, at least not via an IRET or SysExit, so I never see the return, and another system call gets called violating our one pending system call per process assumption.
My question is:
What is the mechanism that the kernel uses to return to the original process, and is there a good reason why it wouldn't return to the instruction after the syscall?
Thanks a ton!
interrupts can do it
A device interrupt handler can cause the kernel to switch to a different process. You may have to hook more than just int 0x80.
preemption
unix is a preemptive multitasking system and doesn't only switch processes in syscalls but schedules to another process if the time slice has run out. one of the device interrupts to watch is the timer interrupt. there are multiple time sources.
good reason