-38 in eax on syscall entry is apparently ENOSYS (Function not implemented), and is placed there by syscall_trace_entry in arch/x86/kernel/entry_32.S. I believe it is safe to assume that it will always be present on syscall entry, but it could also be present on syscall exit if the syscall returns ENOSYS.
Personally, I have always just kept track of whether I am at syscall entry or syscall exit when using ptrace, although I have seen some code that is based on ENOSYS. (I am assuming you are using ptrace.) I believe this will not work if the process happens to be inside a syscall when you attach to it, but I have been lucky enough not to run into that problem.
I took a quick look at strace's sources, and I think it tracks the state, as there is a comment saying: "We are attaching to an already running process. Try to figure out the state of the process in syscalls to handle the first event well." and a little after that it says: "The process is asleep in the middle of a syscall. Fake the syscall entry event."
In short, a value cannot be safely used to distinguish syscall entry from syscall exit. I'm not sure whether tracking it manually is the best way, though, as I actually don't have a source that would definitely tell you to use this technique, sorry. :)
Aleksi Torhamo
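The state-tracking approach the answer describes, as an added example that is not part of the original answer and not strace's code: a minimal Linux ptrace tracer that keeps a per-tracee entry/exit flag instead of testing the return register for -ENOSYS. It assumes Linux with PTRACE_O_TRACESYSGOOD available, and the register reads assume x86-64 (where the kernel likewise stores -ENOSYS in rax at syscall entry, so the entry lines print that value); the names `tracee_state`, `classify_stop` and `trace_child` are this example's own.

```c
/*
 * Added example (not from the original answer or from strace): a tiny
 * ptrace tracer that tells syscall entry from syscall exit by keeping a
 * per-tracee flag rather than testing the return register for -ENOSYS
 * (-38). Linux only; the register reads assume x86-64. The names
 * tracee_state, classify_stop and trace_child are this example's own.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

enum stop_kind { STOP_SYSCALL_ENTRY, STOP_SYSCALL_EXIT, STOP_SIGNAL, STOP_GONE };

/* All the bookkeeping needed: is the tracee currently between a
 * syscall-entry stop and the matching syscall-exit stop? */
struct tracee_state { int in_syscall; };

/*
 * Classify one waitpid(2) status for a tracee. With PTRACE_O_TRACESYSGOOD
 * the kernel reports syscall stops as SIGTRAP | 0x80, so they cannot be
 * mistaken for a real SIGTRAP. As long as the tracee is always resumed
 * with PTRACE_SYSCALL, its syscall stops strictly alternate entry/exit,
 * so a single toggle suffices; signal stops in between do not touch it.
 */
enum stop_kind classify_stop(int status, struct tracee_state *st)
{
    if (WIFEXITED(status) || WIFSIGNALED(status))
        return STOP_GONE;
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
        return STOP_SIGNAL;
    st->in_syscall = !st->in_syscall;
    return st->in_syscall ? STOP_SYSCALL_ENTRY : STOP_SYSCALL_EXIT;
}

/*
 * Run argv under PTRACE_SYSCALL and print every syscall stop. The first
 * stop after exec is the kernel's post-execve SIGTRAP, not a syscall
 * stop, so starting the flag at "not in a syscall" is right here. Had we
 * PTRACE_ATTACHed to a process already blocked inside a syscall, the
 * first syscall stop would be an exit and the toggle would start out of
 * phase: that is the attach problem the answer mentions.
 */
int trace_child(char **argv)
{
    struct tracee_state st = { 0 };
    int status, sig = 0;
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) { perror("PTRACE_TRACEME"); _exit(127); }
        execvp(argv[0], argv);
        perror("execvp");
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) {
        fprintf(stderr, "tracee did not stop after exec\n");
        return 1;
    }
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        /* sig is the signal to deliver on resume: 0 after a syscall stop */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) { perror("PTRACE_SYSCALL"); return 1; }
        sig = 0;
        if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); return 1; }
        enum stop_kind k = classify_stop(status, &st);
        if (k == STOP_GONE)
            break;
        if (k == STOP_SIGNAL) {          /* pass the signal through untouched */
            sig = WSTOPSIG(status);
            continue;
        }
#if defined(__x86_64__)
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0) {
            long long nr = (long long)regs.orig_rax, ax = (long long)regs.rax;
            if (k == STOP_SYSCALL_ENTRY)
                printf("entry nr=%lld rax=%lld%s\n", nr, ax, ax == -ENOSYS ? " (-ENOSYS)" : "");
            else
                printf("exit  nr=%lld ret=%lld\n", nr, ax);
            continue;
        }
#endif
        puts(k == STOP_SYSCALL_ENTRY ? "syscall entry" : "syscall exit");
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}

int main(int argc, char **argv)
{
    char *dflt[] = { "/bin/true", NULL };
    return trace_child(argc > 1 ? argv + 1 : dflt);
}
```

Build with `gcc -o tracer tracer.c` and run `./tracer /bin/ls` (or no argument for `/bin/true`); every entry line should show rax=-38 regardless of the syscall, while the exit line shows the real return value, which is exactly why the entry-side -ENOSYS is not usable as an exit marker when a syscall genuinely fails with ENOSYS.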