Accessing only specific words in guest memory

Hi,

I’m trying to use lldb 6.0 on Linux to debug a process that has an SGX enclave inside it. One of the data structures there (the “TCS”) only permits access to certain fields. The problem is that when I try to access those fields in LLDB, it tries to read an entire page of memory from the guest, even if I only wanted to read one word. It then fails the operation when access to later parts of the page fails.

e.g., this LLDB command:

(lldb) x/1g 0x200005000
error: memory read failed for 0x200005000

Triggered this series of failures in the lldb-server process:

read(7, "$x200005000,200#ed", 8192) = 18
gettid() = 18169
process_vm_readv(18174, [{iov_base=0x556a00151cf0, iov_len=512}], 1, [{iov_base=0x200005000, iov_len=512}], 1, 0) = -1 EFAULT (Bad address)
ptrace(PTRACE_PEEKDATA, 18174, 0x200005000, [NULL]) = 0
ptrace(PTRACE_PEEKDATA, 18174, 0x200005008, [NULL]) = 0
ptrace(PTRACE_PEEKDATA, 18174, 0x200005010, [0xd000]) = 0
ptrace(PTRACE_PEEKDATA, 18174, 0x200005018, [0x300000001]) = 0
ptrace(PTRACE_PEEKDATA, 18174, 0x200005020, [0x1d950]) = 0
ptrace(PTRACE_PEEKDATA, 18174, 0x200005028, [0x3fffc00be750]) = 0
ptrace(PTRACE_PEEKDATA, 18174, 0x200005030, [0xa000]) = 0
ptrace(PTRACE_PEEKDATA, 18174, 0x200005038, [0xb000]) = 0
ptrace(PTRACE_PEEKDATA, 18174, 0x200005040, [0xffffffffffffffff]) = 0
ptrace(PTRACE_PEEKDATA, 18174, 0x200005048, 0x7ffc96125858) = -1 EIO (Input/output error)
write(7, "$E08#ad", 7) = 7

How can I convince lldb to access just the words I asked it for?

Thanks,

Andrew

By default, lldb uses a memory cache to avoid making lots of tiny memory requests, which tends to be inefficient especially when talking to a remote device. You can turn this off with the "target.process.disable-memory-cache" setting.

You can also adjust the cache page size with "target.process.memory-cache-line-size".

We don't yet have a memory map command to tell us what regions to read and not to read. So if you try to actually print the structure (with "frame var" or "expr") we will grab the whole thing. But turning off the cache should allow you to avoid the disallowed regions manually.

Jim
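The mechanism Jim describes can be seen directly in Andrew's strace: the one-word `x/1g` became a `$x200005000,200#ed` request for 0x200 (512) bytes, one full cache line, and the single unreadable word at 0x200005048 turned the whole request into `$E08#ad`. The following is an added illustration, not code from this thread or from lldb: it models lldb's cache-line rounding and the GDB-remote `x` packet exchange against a constructed stub in which only the nine words that the PEEKDATA calls returned are readable. `PartialPageStub`, `read_word` and the 512-byte `CACHE_LINE_DEFAULT` are assumptions of this example; the packet framing and the word values are taken from the trace above.

```python
"""Added example (not lldb's code): how a one-word read is widened to a whole
cache line on the GDB-remote wire, and why that fails on a partly readable page."""
from __future__ import annotations

CACHE_LINE_DEFAULT = 512  # lldb's default target.process.memory-cache-line-size, in bytes
WORD = 8                  # size of one x/1g word


def gdb_checksum(payload: bytes) -> int:
    """GDB remote checksum: sum of the payload bytes modulo 256."""
    return sum(payload) % 256


def make_packet(payload: bytes) -> bytes:
    """Frame a payload as $<payload>#<two hex checksum digits>."""
    return b"$" + payload + b"#" + b"%02x" % gdb_checksum(payload)


def memory_read_packet(addr: int, length: int) -> bytes:
    """lldb's binary memory-read request: x<addr-hex>,<len-hex>."""
    return make_packet(b"x%x,%x" % (addr, length))


def cache_line_span(addr: int, length: int, line_size: int) -> tuple[int, int]:
    """Round [addr, addr+length) out to whole cache lines: (start, span) that the
    cache fetches instead of the bytes actually asked for."""
    start = addr - addr % line_size
    end = -(-(addr + length) // line_size) * line_size
    return start, end - start


def escape_binary(data: bytes) -> bytes:
    """Escape the bytes that are special inside a binary 'x' reply."""
    out = bytearray()
    for b in data:
        if b in (0x23, 0x24, 0x7D, 0x2A):  # '#', '$', '}', '*'
            out += bytes((0x7D, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def unescape_binary(data: bytes) -> bytes:
    """Inverse of escape_binary."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0x7D:
            out.append(data[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


class PartialPageStub:
    """Constructed stand-in for lldb-server plus debuggee: only the 8-byte-aligned
    words in `words` are readable; touching any other address fails the whole
    request, as the PEEKDATA EIO did in the trace."""

    def __init__(self, words: dict[int, int]):
        self.words = words

    def handle(self, packet: bytes) -> bytes:
        body, chk = packet[1:].split(b"#")
        if int(chk, 16) != gdb_checksum(body):
            return b"-"  # NAK: corrupted packet
        if body[:1] != b"x":
            return make_packet(b"")  # unsupported packet: empty reply
        addr_hex, len_hex = body[1:].split(b",")
        addr, length = int(addr_hex, 16), int(len_hex, 16)
        data = bytearray()
        for off in range(0, length, WORD):
            word = self.words.get(addr + off)
            if word is None:
                # E08 is the error code lldb-server sent in the trace above.
                return make_packet(b"E08")
            data += word.to_bytes(WORD, "little")
        return make_packet(escape_binary(bytes(data[:length])))


# Constructed page contents, taken from the PEEKDATA values in the strace above:
# nine readable words at 0x200005000..0x200005040, then a fault at 0x200005048.
TCS_PAGE = {
    0x200005000 + i * WORD: v
    for i, v in enumerate([0x0, 0x0, 0xD000, 0x300000001, 0x1D950,
                           0x3FFFC00BE750, 0xA000, 0xB000, 0xFFFFFFFFFFFFFFFF])
}


def read_word(stub: PartialPageStub, addr: int, *, disable_cache: bool = False,
              line_size: int = CACHE_LINE_DEFAULT) -> int | None:
    """Read one word the way lldb would under the given settings.
    Returns the value, or None when the remote answers with an error packet."""
    if disable_cache:
        req_addr, req_len = addr, WORD  # exactly what the user asked for
    else:
        req_addr, req_len = cache_line_span(addr, WORD, line_size)
    reply = stub.handle(memory_read_packet(req_addr, req_len))
    body = reply[1:reply.rindex(b"#")]
    if len(body) == 3 and body[:1] == b"E":  # 'E' plus two hex digits
        return None
    data = unescape_binary(body)
    off = addr - req_addr
    return int.from_bytes(data[off:off + WORD], "little")
```

With the cache on, `read_word(stub, 0x200005000)` fails even though that word is readable, because the 512-byte line it lives in is not; with `disable_cache=True`, or with `line_size=8`, the same read succeeds. In lldb itself the corresponding knobs are `settings set target.process.disable-memory-cache true` and `target.process.memory-cache-line-size`.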

Thanks! Disabling the cache worked.

Curiously, setting the line size seems to have no effect – it defaults to 512 (words, bytes, …?), and still tries to read a page of guest memory regardless of how small I set it.

Andrew

A quick scan of the code looks like this should be hooked up, but you are right, it doesn't seem to actually limit the cache page size. There's only one test for this and that one just checks that the setting has some particular value for android. Can you file a bug for this with bugs.llvm.org?

Jim

Ah, I see. It looks like you have to set this before you create the process. If I put this setting in my .lldbinit, or on the command line before I do "run" it does limit the read size. But apparently once we've created the memory cache we don't replace it when this value changes.

That's still worth a bug either to fix it or to make the help string for this setting tell you how to use it.

Jim