The previous code did not work with syscalls that do not return a value -- e.g.,
sysreturn(). In such cases, the kernel reports the exit from the syscall with
orig_eax == -1, which cannot be easily distinguished from a breakpoint.
I have rewritten the syscall checker to use the PTRACE_O_TRACESYSGOOD switch,
which causes the kernel to report syscalls in a slightly different way. Also,
the code now tests whether the syscall number on exit matched the one recorded
on entry (purely as a guard against possible silly bugs in synchronization
of syscall enter/exit reports with the kernel) and it also avoids suppresses
the meaningless return value of the sysreturn-like syscalls.
projects / moe.git / commit