
kGraft — live kernel patching from SUSE


Posted Feb 3, 2014 20:16 UTC (Mon) by oshepherd (guest, #90163)
In reply to: kGraft — live kernel patching from SUSE by SEJeff
Parent article: kGraft — live kernel patching from SUSE

It is little known, but Windows Server 2003 contains hotpatching support. Functions in the kernel and core system DLLs are compiled with a special prologue, so as to avoid the need to determine whether the existing code is in use. Space for a "long" jump is placed immediately before the function header (5 bytes on i386, JMP + 4 byte immediate), and the first instruction of the function is a "mov edi, edi" 2 byte NOP in order to permit a 2 byte short jump backwards to be atomically inserted (jumping backwards to the start of that aforementioned long jump).

Safe hot patching is done by first setting up the long jump, then doing an atomic replacement of the 2 byte NOP with the backwards jump. No need to detect if the code is in use; anybody already executing the old code will successfully continue to do so.

This would require compiling the kernel with such prologues. The need to insert a 2 byte NOP can be obviated in cases where the first instruction is already >=2 bytes long.

On the one hand, this would permit working around the Oracle patents. On the other hand, there is a need to watch out for Microsoft patents.
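The prologue layout and two-step patch order described in this comment, simulated over a flat byte image as an added example (not code from the comment, from Windows or from kGraft). The addresses, the image class and the requirement that the entry be 2-byte aligned are constructed assumptions; the x86 encodings (EB rel8, E9 rel32, 8B FF for mov edi, edi) are real.

```python
import struct

MOV_EDI_EDI = b"\x8b\xff"  # the 2-byte NOP placed at the function entry
JMP_REL8, JMP_REL32, SLOT = 0xEB, 0xE9, 5  # SLOT: bytes reserved before entry

def encode_short_jump(src, dst):
    """EB rel8; rel8 counts from the end of the 2-byte instruction."""
    rel = dst - (src + 2)
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range")
    return bytes([JMP_REL8]) + struct.pack("<b", rel)


def encode_long_jump(src, dst):
    """E9 rel32; rel32 counts from the end of the 5-byte instruction."""
    return bytes([JMP_REL32]) + struct.pack("<i", dst - (src + 5))


class Image:
    """Flat little-endian memory image at `base` (constructed stand-in)."""
    def __init__(self, base, size):
        self.base, self.mem = base, bytearray(size)
    def write(self, addr, data):
        self.mem[addr - self.base:addr - self.base + len(data)] = data
    def read(self, addr, n):
        return bytes(self.mem[addr - self.base:addr - self.base + n])


def install_hotpatch(img, entry, target):
    """Redirect `entry` to `target` in the order the comment gives: long jump
    into the slot first, then the NOP swapped for a short jump in one store."""
    assert entry % 2 == 0, "2-byte store assumed atomic only when aligned"
    slot = entry - SLOT
    img.write(slot, encode_long_jump(slot, target))   # step 1: unreachable yet
    img.write(entry, encode_short_jump(entry, slot))  # step 2: the atomic switch
    return slot


def trace(img, pc, limit=8):
    """Follow EB/E9 jumps from pc; return where real code starts executing."""
    for _ in range(limit):
        op = img.read(pc, 1)[0]
        if op == JMP_REL8:
            pc += 2 + struct.unpack("<b", img.read(pc + 1, 1))[0]
        elif op == JMP_REL32:
            pc += 5 + struct.unpack("<i", img.read(pc + 1, 4))[0]
        else:
            return pc
    raise RuntimeError("jump chain too long")
```

Before step 2 a thread entering the function still sees mov edi, edi and falls through into the old body; after the single 2-byte store, `trace` from the entry lands on the replacement.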



kGraft — live kernel patching from SUSE

Posted Feb 3, 2014 20:34 UTC (Mon) by amacater (subscriber, #790)

Both SUSE and Oracle are part of the OIN patent pool. SUSE may also remain covered by the Novell-Microsoft patent agreements - unlikely that a full-on spat with Oracle will ensue.

kGraft — live kernel patching from SUSE

Posted Feb 3, 2014 22:16 UTC (Mon) by SEJeff (guest, #51588)

I was indeed ignorant of this functionality. That is outstanding. Any idea what uses this functionality?

kGraft — live kernel patching from SUSE

Posted Feb 4, 2014 1:02 UTC (Tue) by stressinduktion (subscriber, #46452)

The Linux kernel has also been compiled with -pg for some time when CONFIG_DYNAMIC_FTRACE is enabled, which leaves some bytes (actually a call to mcount) free in the function prologue. ftrace hooks up there and can redirect the function. I guess all that patching could also be achieved by just writing a rather small script in systemtap with embedded C.

