前言
比如 我们之前调试的 glibc 相关的库函数
glibc 相关是属于用户程序, 调用 操作系统的系统调用的时候, 会是 怎么样的一个情况呢?
系统调用 会有对应的系统栈帧来处理 系统调用的相关函数调用的堆栈支持
测试用例
我们这里主要是以 printf 中会分配缓冲区调用 malloc 库函数
malloc 库函数 会调用 brk 系统调用, 我们主要是 大致看一下 这个情况
#include "stdio.h"
int main(int argc, char** argv) {
int x = 4;
int y = 3;
int z = x + y;
printf(" x + y = %d\n ", z);
}elf 的信息如下
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x400430
Start of program headers: 64 (bytes into file)
Start of section headers: 7480 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 36
Section header string table index: 33
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000400238 00000238
000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.ABI-tag NOTE 0000000000400254 00000254
0000000000000020 0000000000000000 A 0 0 4
[ 3] .note.gnu.build-i NOTE 0000000000400274 00000274
0000000000000024 0000000000000000 A 0 0 4
[ 4] .gnu.hash GNU_HASH 0000000000400298 00000298
000000000000001c 0000000000000000 A 5 0 8
[ 5] .dynsym DYNSYM 00000000004002b8 000002b8
0000000000000060 0000000000000018 A 6 1 8
[ 6] .dynstr STRTAB 0000000000400318 00000318
000000000000003f 0000000000000000 A 0 0 1
[ 7] .gnu.version VERSYM 0000000000400358 00000358
0000000000000008 0000000000000002 A 5 0 2
[ 8] .gnu.version_r VERNEED 0000000000400360 00000360
0000000000000020 0000000000000000 A 6 1 8
[ 9] .rela.dyn RELA 0000000000400380 00000380
0000000000000018 0000000000000018 A 5 0 8
[10] .rela.plt RELA 0000000000400398 00000398
0000000000000030 0000000000000018 AI 5 24 8
[11] .init PROGBITS 00000000004003c8 000003c8
000000000000001a 0000000000000000 AX 0 0 4
[12] .plt PROGBITS 00000000004003f0 000003f0
0000000000000030 0000000000000010 AX 0 0 16
[13] .plt.got PROGBITS 0000000000400420 00000420
0000000000000008 0000000000000000 AX 0 0 8
[14] .text PROGBITS 0000000000400430 00000430
00000000000001b2 0000000000000000 AX 0 0 16
[15] .fini PROGBITS 00000000004005e4 000005e4
0000000000000009 0000000000000000 AX 0 0 4
[16] .rodata PROGBITS 00000000004005f0 000005f0
0000000000000012 0000000000000000 A 0 0 4
[17] .eh_frame_hdr PROGBITS 0000000000400604 00000604
0000000000000034 0000000000000000 A 0 0 4
[18] .eh_frame PROGBITS 0000000000400638 00000638
00000000000000f4 0000000000000000 A 0 0 8
[19] .init_array INIT_ARRAY 0000000000600e10 00000e10
0000000000000008 0000000000000000 WA 0 0 8
[20] .fini_array FINI_ARRAY 0000000000600e18 00000e18
0000000000000008 0000000000000000 WA 0 0 8
[21] .jcr PROGBITS 0000000000600e20 00000e20
0000000000000008 0000000000000000 WA 0 0 8
[22] .dynamic DYNAMIC 0000000000600e28 00000e28
00000000000001d0 0000000000000010 WA 6 0 8
[23] .got PROGBITS 0000000000600ff8 00000ff8
0000000000000008 0000000000000008 WA 0 0 8
[24] .got.plt PROGBITS 0000000000601000 00001000
0000000000000028 0000000000000008 WA 0 0 8
[25] .data PROGBITS 0000000000601028 00001028
0000000000000010 0000000000000000 WA 0 0 8
[26] .bss NOBITS 0000000000601038 00001038
0000000000000008 0000000000000000 WA 0 0 1
[27] .comment PROGBITS 0000000000000000 00001038
0000000000000035 0000000000000001 MS 0 0 1
[28] .debug_aranges PROGBITS 0000000000000000 0000106d
0000000000000030 0000000000000000 0 0 1
[29] .debug_info PROGBITS 0000000000000000 0000109d
00000000000000e2 0000000000000000 0 0 1
[30] .debug_abbrev PROGBITS 0000000000000000 0000117f
000000000000006d 0000000000000000 0 0 1
[31] .debug_line PROGBITS 0000000000000000 000011ec
0000000000000043 0000000000000000 0 0 1
[32] .debug_str PROGBITS 0000000000000000 0000122f
00000000000000e0 0000000000000001 MS 0 0 1
[33] .shstrtab STRTAB 0000000000000000 00001bea
000000000000014c 0000000000000000 0 0 1
[34] .symtab SYMTAB 0000000000000000 00001310
00000000000006c0 0000000000000018 35 52 8
[35] .strtab STRTAB 0000000000000000 000019d0
000000000000021a 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), l (large)
I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000400040 0x0000000000400040
0x00000000000001f8 0x00000000000001f8 R E 8
INTERP 0x0000000000000238 0x0000000000400238 0x0000000000400238
0x000000000000001c 0x000000000000001c R 1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000400000 0x0000000000400000
0x000000000000072c 0x000000000000072c R E 200000
LOAD 0x0000000000000e10 0x0000000000600e10 0x0000000000600e10
0x0000000000000228 0x0000000000000230 RW 200000
DYNAMIC 0x0000000000000e28 0x0000000000600e28 0x0000000000600e28
0x00000000000001d0 0x00000000000001d0 RW 8
NOTE 0x0000000000000254 0x0000000000400254 0x0000000000400254
0x0000000000000044 0x0000000000000044 R 4
GNU_EH_FRAME 0x0000000000000604 0x0000000000400604 0x0000000000400604
0x0000000000000034 0x0000000000000034 R 4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 10
GNU_RELRO 0x0000000000000e10 0x0000000000600e10 0x0000000000600e10
0x00000000000001f0 0x00000000000001f0 R 1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .jcr .dynamic .got .got.plt .data .bss
04 .dynamic
05 .note.ABI-tag .note.gnu.build-id
06 .eh_frame_hdr
07
08 .init_array .fini_array .jcr .dynamic .got
Dynamic section at offset 0xe28 contains 24 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0x4003c8
0x000000000000000d (FINI) 0x4005e4
0x0000000000000019 (INIT_ARRAY) 0x600e10
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x600e18
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x400298
0x0000000000000005 (STRTAB) 0x400318
0x0000000000000006 (SYMTAB) 0x4002b8
0x000000000000000a (STRSZ) 63 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x601000
0x0000000000000002 (PLTRELSZ) 48 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x400398
0x0000000000000007 (RELA) 0x400380
0x0000000000000008 (RELASZ) 24 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffffe (VERNEED) 0x400360
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x400358
0x0000000000000000 (NULL) 0x0
Relocation section '.rela.dyn' at offset 0x380 contains 1 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000600ff8 000300000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0
Relocation section '.rela.plt' at offset 0x398 contains 2 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000601018 000100000007 R_X86_64_JUMP_SLO 0000000000000000 printf@GLIBC_2.2.5 + 0
000000601020 000200000007 R_X86_64_JUMP_SLO 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0
The decoding of unwind sections for machine type Advanced Micro Devices X86-64 is not currently supported.
Symbol table '.dynsym' contains 4 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 FUNC GLOBAL DEFAULT UND printf@GLIBC_2.2.5 (2)
2: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.2.5 (2)
3: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
Symbol table '.symtab' contains 72 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000400238 0 SECTION LOCAL DEFAULT 1
2: 0000000000400254 0 SECTION LOCAL DEFAULT 2
3: 0000000000400274 0 SECTION LOCAL DEFAULT 3
4: 0000000000400298 0 SECTION LOCAL DEFAULT 4
5: 00000000004002b8 0 SECTION LOCAL DEFAULT 5
6: 0000000000400318 0 SECTION LOCAL DEFAULT 6
7: 0000000000400358 0 SECTION LOCAL DEFAULT 7
8: 0000000000400360 0 SECTION LOCAL DEFAULT 8
9: 0000000000400380 0 SECTION LOCAL DEFAULT 9
10: 0000000000400398 0 SECTION LOCAL DEFAULT 10
11: 00000000004003c8 0 SECTION LOCAL DEFAULT 11
12: 00000000004003f0 0 SECTION LOCAL DEFAULT 12
13: 0000000000400420 0 SECTION LOCAL DEFAULT 13
14: 0000000000400430 0 SECTION LOCAL DEFAULT 14
15: 00000000004005e4 0 SECTION LOCAL DEFAULT 15
16: 00000000004005f0 0 SECTION LOCAL DEFAULT 16
17: 0000000000400604 0 SECTION LOCAL DEFAULT 17
18: 0000000000400638 0 SECTION LOCAL DEFAULT 18
19: 0000000000600e10 0 SECTION LOCAL DEFAULT 19
20: 0000000000600e18 0 SECTION LOCAL DEFAULT 20
21: 0000000000600e20 0 SECTION LOCAL DEFAULT 21
22: 0000000000600e28 0 SECTION LOCAL DEFAULT 22
23: 0000000000600ff8 0 SECTION LOCAL DEFAULT 23
24: 0000000000601000 0 SECTION LOCAL DEFAULT 24
25: 0000000000601028 0 SECTION LOCAL DEFAULT 25
26: 0000000000601038 0 SECTION LOCAL DEFAULT 26
27: 0000000000000000 0 SECTION LOCAL DEFAULT 27
28: 0000000000000000 0 SECTION LOCAL DEFAULT 28
29: 0000000000000000 0 SECTION LOCAL DEFAULT 29
30: 0000000000000000 0 SECTION LOCAL DEFAULT 30
31: 0000000000000000 0 SECTION LOCAL DEFAULT 31
32: 0000000000000000 0 SECTION LOCAL DEFAULT 32
33: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
34: 0000000000600e20 0 OBJECT LOCAL DEFAULT 21 __JCR_LIST__
35: 0000000000400460 0 FUNC LOCAL DEFAULT 14 deregister_tm_clones
36: 00000000004004a0 0 FUNC LOCAL DEFAULT 14 register_tm_clones
37: 00000000004004e0 0 FUNC LOCAL DEFAULT 14 __do_global_dtors_aux
38: 0000000000601038 1 OBJECT LOCAL DEFAULT 26 completed.7594
39: 0000000000600e18 0 OBJECT LOCAL DEFAULT 20 __do_global_dtors_aux_fin
40: 0000000000400500 0 FUNC LOCAL DEFAULT 14 frame_dummy
41: 0000000000600e10 0 OBJECT LOCAL DEFAULT 19 __frame_dummy_init_array_
42: 0000000000000000 0 FILE LOCAL DEFAULT ABS Test01Sum.c
43: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
44: 0000000000400728 0 OBJECT LOCAL DEFAULT 18 __FRAME_END__
45: 0000000000600e20 0 OBJECT LOCAL DEFAULT 21 __JCR_END__
46: 0000000000000000 0 FILE LOCAL DEFAULT ABS
47: 0000000000600e18 0 NOTYPE LOCAL DEFAULT 19 __init_array_end
48: 0000000000600e28 0 OBJECT LOCAL DEFAULT 22 _DYNAMIC
49: 0000000000600e10 0 NOTYPE LOCAL DEFAULT 19 __init_array_start
50: 0000000000400604 0 NOTYPE LOCAL DEFAULT 17 __GNU_EH_FRAME_HDR
51: 0000000000601000 0 OBJECT LOCAL DEFAULT 24 _GLOBAL_OFFSET_TABLE_
52: 00000000004005e0 2 FUNC GLOBAL DEFAULT 14 __libc_csu_fini
53: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
54: 0000000000601028 0 NOTYPE WEAK DEFAULT 25 data_start
55: 0000000000601038 0 NOTYPE GLOBAL DEFAULT 25 _edata
56: 00000000004005e4 0 FUNC GLOBAL DEFAULT 15 _fini
57: 0000000000000000 0 FUNC GLOBAL DEFAULT UND printf@@GLIBC_2.2.5
58: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@@GLIBC_
59: 0000000000601028 0 NOTYPE GLOBAL DEFAULT 25 __data_start
60: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
61: 0000000000601030 0 OBJECT GLOBAL HIDDEN 25 __dso_handle
62: 00000000004005f0 4 OBJECT GLOBAL DEFAULT 16 _IO_stdin_used
63: 0000000000400570 101 FUNC GLOBAL DEFAULT 14 __libc_csu_init
64: 0000000000601040 0 NOTYPE GLOBAL DEFAULT 26 _end
65: 0000000000400430 42 FUNC GLOBAL DEFAULT 14 _start
66: 0000000000601038 0 NOTYPE GLOBAL DEFAULT 26 __bss_start
67: 0000000000400526 67 FUNC GLOBAL DEFAULT 14 main
68: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses
69: 0000000000601038 0 OBJECT GLOBAL HIDDEN 25 __TMC_END__
70: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
71: 00000000004003c8 0 FUNC GLOBAL DEFAULT 11 _init
Version symbols section '.gnu.version' contains 4 entries:
Addr: 0000000000400358 Offset: 0x000358 Link: 5 (.dynsym)
000: 0 (*local*) 2 (GLIBC_2.2.5) 2 (GLIBC_2.2.5) 0 (*local*)
Version needs section '.gnu.version_r' contains 1 entries:
Addr: 0x0000000000400360 Offset: 0x000360 Link: 6 (.dynstr)
000000: Version: 1 File: libc.so.6 Cnt: 1
0x0010: Name: GLIBC_2.2.5 Flags: none Version: 2
Displaying notes found at file offset 0x00000254 with length 0x00000020:
Owner Data size Description
GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
OS: Linux, ABI: 2.6.32
Displaying notes found at file offset 0x00000274 with length 0x00000024:
Owner Data size Description
GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)我们这里主要是以 如下流程 来看一下 这个过程
我们这里 核心关注 内核栈帧相关
系统调用堆栈信息如下
内核栈帧 高地址有一个值为 0x00007ffeb8fe14a8
这个对应的就是 用户栈帧 中的相关需要保存的寄存器, 存储在了 内核栈帧
以下 内核栈帧数据分析来自于函数 entry_SYSCALL_64, SYSC_brk, do_brk
然后 系统调用完成之后, 根据 存储的 用户栈帧 信息, 恢复用户栈帧 相关寄存器信息
另外可以看到的一个问题就是 clion 中对于函数调用栈的分析描述, 上面实际上是有问题的, caller 应该是 glibc 中的 brk.c 中的 brk 系统调用的地方, 不是这里的 0x4005fd, 这个 0x4005fd 仅仅是 entry_SYSCALL_64 中的一个局部变量
-- main
(gdb) info registers
rax 0x0 0
rbx 0x615000 6377472
rcx 0xffff88007f5b4f80 -131939258642560
rdx 0xffff88007f5b4f80 -131939258642560
rsi 0x22000 139264
rdi 0x615000 6377472
rbp 0x22000 0x22000
rsp 0xffffc900005dbf60 0xffffc900005dbf60
rip 0x4005fd 0x4005fd
-- SYSCALL, push 0x00000000004005fd
(gdb) info registers
rax 0x0 0
rbx 0x615000 6377472
rcx 0xffff88007f5b4f80 -131939258642560
rdx 0xffff88007f5b4f80 -131939258642560
rsi 0x22000 139264
rdi 0x615000 6377472
rbp 0x22000 0x22000
rsp 0xffffc900005dbf58 0xffffc900005dbf58
rip 0xffffffff8185c7bb 0xffffffff8185c7bb <entry_SYSCALL_64+107>
- SYS_brk
(gdb) info registers
rax 0x0 0
rbx 0x637000 6516736
rcx 0xffff88007f5b4f80 -131939258642560
rdx 0xffff88007f5b4f80 -131939258642560
rsi 0x22000 139264
rdi 0x615000 6377472
rbp 0xffffc900005dbf48 0xffffc900005dbf48
rsp 0xffffc900005dbf18 0xffffc900005dbf18
rip 0xffffffff811dd3b0 0xffffffff811dd3b0 <SyS_brk+351>
-- SYSC_brk
(gdb) info registers
rax 0x0 0
rbx 0x1a21000 27398144
rcx 0xffff88007f5b4f80 -131939258642560
rdx 0xffff88007f5b4f80 -131939258642560
rsi 0x22000 139264
rdi 0x19ff000 27258880
rbp 0xffffc900005dbf48 0xffffc900005dbf48
rsp 0xffffc900005dbf18 0xffffc900005dbf18
rip 0xffffffff811dd3b0 0xffffffff811dd3b0 <SyS_brk+351>
-- do_brk
(gdb) info registers
rax 0x0 0
rbx 0x22000 139264
rcx 0xffff88007f5b4f80 -131939258642560
rdx 0xffff88007f5b4f80 -131939258642560
rsi 0x22000 139264
rdi 0x19ff000 27258880
rbp 0xffffc900005dbf08 0xffffc900005dbf08
rsp 0xffffc900005dbe88 0xffffc900005dbe88
rip 0xffffffff811dceea 0xffffffff811dceea <do_brk+60>
-- 内核栈帧
(gdb) x /100gx 0xffffc900005dbe88
0xffffc900005dbe88: 0xffffc900005dbec8 0xffffffff8150aaa9 do_brk_locals
0xffffc900005dbe98: 0x00000000b8fe1680 0x0000000000000000 do_brk_locals
0xffffc900005dbea8: 0x00007ffeb8fe15f0 0xffff88007fb0e700 do_brk_locals
0xffffc900005dbeb8: 0x0000000000000001 0xffffc900005dbee0 do_brk_locals
0xffffc900005dbec8: 0xffffffff811cc774 0x00000000019ff000 do_brk_locals
0xffffc900005dbed8: 0x00000000f42e5e76 0x0000000001a21000 do_brk_locals, rbx
0xffffc900005dbee8: 0xffff88007f7d4800 0xffff88007f7d4868 r12, r13
0xffffc900005dbef8: 0x0000000001a21000 0x00000000019ff000 r14, r15
0xffffc900005dbf08: 0xffffc900005dbf48 0xffffffff811dd3b0 rbp, SYSC_brk's returnAddress
0xffffc900005dbf18: 0x0000000001a22000 0x00000000019ff000 SYSC_brk_locals, rbx
0xffffc900005dbf28: 0x00007f0d0e0c4f58 0x00007f0d0e0c2b78 r12, r13
0xffffc900005dbf38: 0x0000000000022000 0x0000000000022000 r14, r15
0xffffc900005dbf48: 0x0000000000022000 0xffffffff8185c7bb rbp, entry_SYSCALL_64_locals's returnAddress
0xffffc900005dbf58: 0x00000000004005fd 0x0000000000000000 entry_SYSCALL_64_locals
0xffffc900005dbf68: 0x00000000004005f4 0x0000000000000009 entry_SYSCALL_64_locals
0xffffc900005dbf78: 0x00007f0d0e0c3620 0x00007f0d0e0c3620 entry_SYSCALL_64_locals
0xffffc900005dbf88: 0x0000000000000246 0x00007f0d0e0c2b78 r11, r10
0xffffc900005dbf98: 0x000000000000000d 0x00007f0d0ddaa9b0 r9, r8
0xffffc900005dbfa8: 0xffffffffffffffda 0x00007f0d0ddfaf19 ax, cx
0xffffc900005dbfb8: 0x00000000019ff000 0x00007f0d0e0c2b20 dx, si
0xffffc900005dbfc8: 0x0000000001a21000 0x000000000000000c di, orig_ax
0xffffc900005dbfd8: 0x00007f0d0ddfaf19 0x0000000000000033 ip, cs
0xffffc900005dbfe8: 0x0000000000000246 0x00007ffeb8fe14a8 flags, sp
0xffffc900005dbff8: 0x000000000000002b Cannot access memory at address 0xffffc900005dc000 ss
-- 用户栈帧
(gdb) x /400gx 0x00007ffeb8fe14a8
0x7ffeb8fe14a8: 0x00007f0d0ddfaff9 0x00007f0d0e0c2b20
0x7ffeb8fe14b8: 0x0000000000001010 0x0000000000000000
0x7ffeb8fe14c8: 0x00007f0d0dd85949 0x0000000000000000
0x7ffeb8fe14d8: 0x00007f0d0dd7f645 0x0000000000000000
0x7ffeb8fe14e8: 0x0000000000001030 0x0000000000000fff
0x7ffeb8fe14f8: 0xfffffffffffff000 0x00007f0d0e0c2b78
0x7ffeb8fe1508: 0x0000000000002000 0x0000000000000000
0x7ffeb8fe1518: 0x0000000000000000 0x00007ffeb8fe1340
0x7ffeb8fe1528: 0x00007f0d0dd148af 0x0000000000000000
0x7ffeb8fe1538: 0x00007f0d0e0d0a9d 0x00000001b8fe16e0
0x7ffeb8fe1548: 0x00007f0d0e0c2b20 0x0000000000001010
0x7ffeb8fe1558: 0x0000000000002710 0x00007f0d0e0c2b78
0x7ffeb8fe1568: 0x00007f0d0e0c2b78 0x00000000004005fd
0x7ffeb8fe1578: 0x00007f0d0dd80763 0x00007f0d00000063
0x7ffeb8fe1588: 0x0000000000001000 0x00007ffeb8fe1600
0x7ffeb8fe1598: 0x00007f0d0de4148b 0x0000000000000000
0x7ffeb8fe15a8: 0x00007ffeb8fe1608 0xffff80014701ea01
0x7ffeb8fe15b8: 0x00007ffeb8fe15ff 0x0000000000000040
0x7ffeb8fe15c8: 0x0000007000000101 0x0000000000000008
0x7ffeb8fe15d8: 0x0000000000000001 0x0000006f00000063
0x7ffeb8fe15e8: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe15f8: 0x0000007c00000077 0x010004157f1c0300
0x7ffeb8fe1608: 0x00007f0d0e2eb000 0x00007f0d0e2efd60
0x7ffeb8fe1618: 0x00007f0d0dcfe000 0x0000000000000000
0x7ffeb8fe1628: 0x00007f0d0e0c2b20 0x0000000000001000
0x7ffeb8fe1638: 0x0000000000000000 0x00000000004005f4
0x7ffeb8fe1648: 0x0000000000000000 0x00000000004005fd
0x7ffeb8fe1658: 0x00007f0d0dd83908 0x0000000db8fe1600
0x7ffeb8fe1668: 0x0000000000001000 0x00007f0d0e0c3620
0x7ffeb8fe1678: 0x00007f0d0dd6b1e5 0x0000000000000006
0x7ffeb8fe1688: 0x0000000000001cef 0x0000000000000001
0x7ffeb8fe1698: 0x0000000000002180 0x0000000000000000
0x7ffeb8fe16a8: 0x0000000000000501 0x0000000000000000
0x7ffeb8fe16b8: 0x0000000000001000 0x0000000000000000
0x7ffeb8fe16c8: 0x00000000638af0e8 0x0000000011d151ee
0x7ffeb8fe16d8: 0x00000000638af0e8 0x0000000011d151ee
0x7ffeb8fe16e8: 0x00000000638af073 0x0000000011d151ee
0x7ffeb8fe16f8: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1708: 0x0000000000000000 0x00007f0d0e0c3620
0x7ffeb8fe1718: 0x00000000ffffffff 0x0000000000000009
0x7ffeb8fe1728: 0x00007f0d0dd795a4 0x00007f0d0e0c3620
0x7ffeb8fe1738: 0x00000000ffffffff 0x0000000000000009
0x7ffeb8fe1748: 0x00007f0d0dd78908 0x00007f0d0e0c3620
0x7ffeb8fe1758: 0x0000000000000009 0x0000000000000009
0x7ffeb8fe1768: 0x00007f0d0dd7729d 0x0000000000196760
0x7ffeb8fe1778: 0x00007f0d0e0c3620 0x00007ffeb8fe1d20
0x7ffeb8fe1788: 0x00000000004005f4 0x00007ffeb8fe1d38
0x7ffeb8fe1798: 0x0000000000000000 0x00000000004005fd
0x7ffeb8fe17a8: 0x00007f0d0dd4b251 0x0000000000000000
0x7ffeb8fe17b8: 0x00000000001bfbe8 0x00000000001bfbe8
0x7ffeb8fe17c8: 0x0000000000200000 0x0000000600000001
0x7ffeb8fe17d8: 0x00000000001c07c0 0x00000000003c07c0
0x7ffeb8fe17e8: 0x00000000003c07c0 0x0000000000004f60
0x7ffeb8fe17f8: 0x00000000000091e0 0x0000000000200000
0x7ffeb8fe1808: 0x0000000600000002 0x00000000001c3ba0
0x7ffeb8fe1818: 0x00000000003c3ba0 0x00000000003c3ba0
0x7ffeb8fe1828: 0x00000000000001e0 0x00000000000001e0
0x7ffeb8fe1838: 0x0000000000000008 0x0000000400000004
0x7ffeb8fe1848: 0x0000000000000270 0x0000000000000270
0x7ffeb8fe1858: 0x0000000000000270 0x0000000000000044
0x7ffeb8fe1868: 0x0000000000000044 0x0000000000000009
0x7ffeb8fe1878: 0x0000000000000007 0x00000000001c07c0
0x7ffeb8fe1888: 0x00000000004005fd 0x00000000003c07c0
0x7ffeb8fe1898: 0x0000000000000010 0x0000000000000078
0x7ffeb8fe18a8: 0x0000000000000008 0x000000046474e550
0x7ffeb8fe18b8: 0x000000000019677c 0x000000000019677c
0x7ffeb8fe18c8: 0x0000003000000008 0x00007ffeb8fe1e10
0x7ffeb8fe18d8: 0x00007ffeb8fe1d50 0x00007f0d0dd69490
0x7ffeb8fe18e8: 0x00007f0d0e0c3620 0x0000000000000000
0x7ffeb8fe18f8: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1908: 0x00007ffeb8fe1cc0 0x00007ffeb8fe1d20
0x7ffeb8fe1918: 0x00007f0d0e0d1e44 0x00007f0d0e2eb000
0x7ffeb8fe1928: 0x000000000000025b 0x00007f0d0e2eb000
0x7ffeb8fe1938: 0x00007f0d0dd01d80 0x00007f0d0dd0eff8
0x7ffeb8fe1948: 0x00007f0d0e0d267b 0x000000000000025b
0x7ffeb8fe1958: 0x00007f0d0dd0eff8 0x00007f0d0e2eb000
0x7ffeb8fe1968: 0x00007ffeb8fe1a08 0x00007ffeb8fe1a04
0x7ffeb8fe1978: 0x00007f0d0e0d2011 0x00007f0d0e0d5bb0
0x7ffeb8fe1988: 0x0000000000400323 0x00000000004002d0
0x7ffeb8fe1998: 0x00007ffeb8fe1a08 0x00000000156b2bb8
0x7ffeb8fe19a8: 0x000000000055acae 0x00007f0d00000038
0x7ffeb8fe19b8: 0x00007ffeb8fe1ae0 0x00007f0d0dd0eff8
0x7ffeb8fe19c8: 0x00007f0d0dd01d80 0x00007ffeb8fe1a04
0x7ffeb8fe19d8: 0x00007ffeb8fe1ad0 0x00007f0d0e2eb508
0x7ffeb8fe19e8: 0x00007f0d00000000 0x0000000000000003
0x7ffeb8fe19f8: 0x00007f0d0e0c8758 0x000000000e0c8450
0x7ffeb8fe1a08: 0x0000000000000000 0x000000003de00ec7
0x7ffeb8fe1a18: 0x00007f0d0e2ef4c0 0x00007ffeb8fe1b70
0x7ffeb8fe1a28: 0x00007f0d0e2eb550 0x0000000000000000
0x7ffeb8fe1a38: 0x00007f0d0e2ef168 0x00007ffeb8fe1b98
0x7ffeb8fe1a48: 0x00007f0d0e0d2b4f 0x0000000000000001
0x7ffeb8fe1a58: 0x00007f0d0e2eb550 0x0000000000000001
0x7ffeb8fe1a68: 0x0000000000000000 0x0000000000000001
0x7ffeb8fe1a78: 0x00007f0d0e2ef168 0x00000000004002e8
0x7ffeb8fe1a88: 0x00007ffeb8fe1af8 0x00000000f63d4e2e
0x7ffeb8fe1a98: 0x0000000000000000 0x00007f0d0e2ef4c0
0x7ffeb8fe1aa8: 0x00007ffeb8fe1ae0 0x000000010dd0eff8
0x7ffeb8fe1ab8: 0x00007ffeb8fe1ad0 0x00000000156b2bb8
0x7ffeb8fe1ac8: 0x0000000000400323 0x00000000ffffffff
0x7ffeb8fe1ad8: 0x0000000000000000 0x00007f0d0dd05608
0x7ffeb8fe1ae8: 0x00007f0d0e2eb000 0x0000000000000000
0x7ffeb8fe1af8: 0x0000000000000000 0x0000000000600e28
0x7ffeb8fe1b08: 0x00007f0d0e2ef4c0 0x00007ffeb8fe1c60
0x7ffeb8fe1b18: 0x00007f0d0e2eb550 0x0000000000000000
0x7ffeb8fe1b28: 0x00007f0d0e2ef168 0x00007ffeb8fe1c88
0x7ffeb8fe1b38: 0x00007f0d0e0d2b4f 0x0000000000000001
0x7ffeb8fe1b48: 0x0000000000601018 0x0000000000400430
0x7ffeb8fe1b58: 0x00007ffeb8fe1f10 0x0000000000000000
0x7ffeb8fe1b68: 0x0000000000000000 0x00007ffeb8fe1e30
0x7ffeb8fe1b78: 0x00007f0d0e0d7b06 0x0000000000000001
0x7ffeb8fe1b88: 0x0000000000000000 0x00007f0d0e2ef4c0
0x7ffeb8fe1b98: 0x00007f0d0dd05608 0x00007ffeb8fe1df0
0x7ffeb8fe1ba8: 0x00007f0d0e0dfe03 0x0000000000000000
0x7ffeb8fe1bb8: 0x0000000000000000 0x0000000000000002
0x7ffeb8fe1bc8: 0x0000000000000005 0x00000000004005f4
0x7ffeb8fe1bd8: 0x00000000004005e0 0x00007f0d0e0d8af0
0x7ffeb8fe1be8: 0x00007ffeb8fe1c88 0x000000000000037f
0x7ffeb8fe1bf8: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1c08: 0x0000ffff00001f80 0x0000000000000000
0x7ffeb8fe1c18: 0x00007ffeb8fe0000 0x0000000000000000
0x7ffeb8fe1c28: 0x0000000001950000 0x0000000000000000
0x7ffeb8fe1c38: 0x0000000000600000 0x0000000000000000
0x7ffeb8fe1c48: 0x00007ffeb8fe0000 0x0000000000000000
0x7ffeb8fe1c58: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1c68: 0x00007f0d0e0d0000 0x0000000000000000
0x7ffeb8fe1c78: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1c88: 0x00007f0d0dd00000 0x000000000000ff00
0x7ffeb8fe1c98: 0x0000000000000000 0x2f2f2f2f2f2f2f2f
0x7ffeb8fe1ca8: 0x2f2f2f2f2f2f2f2f 0x0000000000000000
0x7ffeb8fe1cb8: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1cc8: 0x00000000ff000000 0x5f5f00656d697474
0x7ffeb8fe1cd8: 0x7465675f6f736476 0x0000000000000000
0x7ffeb8fe1ce8: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1cf8: 0x0000000000000000 0x0000000000400430
0x7ffeb8fe1d08: 0x00007ffeb8fe1f10 0x0000000000000000
0x7ffeb8fe1d18: 0x0000000000000000 0x00007ffeb8fe1e30
0x7ffeb8fe1d28: 0x00007f0d0dd538a9 0x0000000000000000
0x7ffeb8fe1d38: 0x0000003000000008 0x00007ffeb8fe1e10
0x7ffeb8fe1d48: 0x00007ffeb8fe1d50 0x0000000000000000
0x7ffeb8fe1d58: 0x0000000000000005 0x0000000000000002
0x7ffeb8fe1d68: 0x0000000000000000 0x00000000004005e0
0x7ffeb8fe1d78: 0x00007f0d0e0d8af0 0x0000000000000000
0x7ffeb8fe1d88: 0x0000000000000000 0x2f2f2f2f2f2f2f2f
0x7ffeb8fe1d98: 0x2f2f2f2f2f2f2f2f 0x0000000000000000
0x7ffeb8fe1da8: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1db8: 0x00000000ff000000 0x5f5f00656d697474
0x7ffeb8fe1dc8: 0x7465675f6f736476 0x0000000000000000
0x7ffeb8fe1dd8: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1de8: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1df8: 0x00007f0d0e2ef168 0x0000000000000000
0x7ffeb8fe1e08: 0x0000000000400562 0x00007ffeb8fe1f18
0x7ffeb8fe1e18: 0x0000000100400430 0x00000002b8fe1f10
0x7ffeb8fe1e28: 0x0000000500000003 0x0000000000400570
0x7ffeb8fe1e38: 0x00007f0d0dd1e840 0x0000000000000000
0x7ffeb8fe1e48: 0x00007ffeb8fe1f18 0x0000000100000000
0x7ffeb8fe1e58: 0x0000000000400526 0x0000000000000000
0x7ffeb8fe1e68: 0xe3660fab9d01d4e3 0x0000000000400430
0x7ffeb8fe1e78: 0x00007ffeb8fe1f10 0x0000000000000000
0x7ffeb8fe1e88: 0x0000000000000000 0x1c9b7ed7ab61d4e3
0x7ffeb8fe1e98: 0x1d7c14885811d4e3 0x0000000000000000
0x7ffeb8fe1ea8: 0x0000000000000000 0x0000000000000000
0x7ffeb8fe1eb8: 0x00007ffeb8fe1f28 0x00007f0d0e2ef168
0x7ffeb8fe1ec8: 0x00007f0d0e0d880b 0x0000000000000000
0x7ffeb8fe1ed8: 0x0000000000000000 0x0000000000400430
0x7ffeb8fe1ee8: 0x00007ffeb8fe1f10 0x0000000000000000
0x7ffeb8fe1ef8: 0x0000000000400459 0x00007ffeb8fe1f08
0x7ffeb8fe1f08: 0x000000000000001c 0x0000000000000001
0x7ffeb8fe1f18: 0x00007ffeb8fe2e07 0x0000000000000000关于上面内核栈帧 我们需要关注的主要有 orig_ax, 为该系统调用的系统调用号
比如我们这里 的 brk 系统调用, 系统调用号为 12, 0x000c
-- 内核栈帧
(gdb) x /100gx 0xffffc900005dbe88
0xffffc900005dbe88: 0xffffc900005dbec8 0xffffffff8150aaa9 do_brk_locals
0xffffc900005dbe98: 0x00000000b8fe1680 0x0000000000000000 do_brk_locals
0xffffc900005dbea8: 0x00007ffeb8fe15f0 0xffff88007fb0e700 do_brk_locals
0xffffc900005dbeb8: 0x0000000000000001 0xffffc900005dbee0 do_brk_locals
0xffffc900005dbec8: 0xffffffff811cc774 0x00000000019ff000 do_brk_locals
0xffffc900005dbed8: 0x00000000f42e5e76 0x0000000001a21000 do_brk_locals, rbx
0xffffc900005dbee8: 0xffff88007f7d4800 0xffff88007f7d4868 r12, r13
0xffffc900005dbef8: 0x0000000001a21000 0x00000000019ff000 r14, r15
0xffffc900005dbf08: 0xffffc900005dbf48 0xffffffff811dd3b0 rbp, SYSC_brk's returnAddress
0xffffc900005dbf18: 0x0000000001a22000 0x00000000019ff000 SYSC_brk_locals, rbx
0xffffc900005dbf28: 0x00007f0d0e0c4f58 0x00007f0d0e0c2b78 r12, r13
0xffffc900005dbf38: 0x0000000000022000 0x0000000000022000 r14, r15
0xffffc900005dbf48: 0x0000000000022000 0xffffffff8185c7bb rbp, entry_SYSCALL_64_locals's returnAddress
0xffffc900005dbf58: 0x00000000004005fd 0x0000000000000000 entry_SYSCALL_64_locals
0xffffc900005dbf68: 0x00000000004005f4 0x0000000000000009 entry_SYSCALL_64_locals
0xffffc900005dbf78: 0x00007f0d0e0c3620 0x00007f0d0e0c3620 entry_SYSCALL_64_locals
0xffffc900005dbf88: 0x0000000000000246 0x00007f0d0e0c2b78 r11, r10
0xffffc900005dbf98: 0x000000000000000d 0x00007f0d0ddaa9b0 r9, r8
0xffffc900005dbfa8: 0xffffffffffffffda 0x00007f0d0ddfaf19 ax, cx
0xffffc900005dbfb8: 0x00000000019ff000 0x00007f0d0e0c2b20 dx, si
0xffffc900005dbfc8: 0x0000000001a21000 0x000000000000000c di, orig_ax
0xffffc900005dbfd8: 0x00007f0d0ddfaf19 0x0000000000000033 ip, cs
0xffffc900005dbfe8: 0x0000000000000246 0x00007ffeb8fe14a8 flags, sp
0xffffc900005dbff8: 0x000000000000002b Cannot access memory at address 0xffffc900005dc000 ss假设是 socket 系统调用, 调用号为 41, 0x29
(gdb) x /100gx 0xffffc90000713f28
0xffffc90000713f28: 0xffffc90000713f48 0x00000000ed729985
0xffffc90000713f38: 0x0000000000000000 0x0000000000400790
0xffffc90000713f48: 0x00007fff66f1dfc0 0xffffffff8185c7bb
0xffffc90000713f58: 0x00007fff66f1db86 0x00007fff66f1dae0
0xffffc90000713f68: 0x00007fff66f1dae2 0x00007fff66f1dae8
0xffffc90000713f78: 0x00000000ffffffff 0x00007fff66f1dae3
0xffffc90000713f88: 0x0000000000000206 0x000000000000002d
0xffffc90000713f98: 0x0000000000000000 0x1fffffffffffffff
0xffffc90000713fa8: 0xffffffffffffffda 0x00007f490b5346a7
0xffffc90000713fb8: 0x0000000000000000 0x0000000000000001
0xffffc90000713fc8: 0x0000000000000002 0x0000000000000029 di, orig_ax
0xffffc90000713fd8: 0x00007f490b5346a7 0x0000000000000033
0xffffc90000713fe8: 0x0000000000000206 0x00007fff66f1db28
0xffffc90000713ff8: 0x000000000000002b Cannot access memory at address 0xffffc90000714000
完
