
While debugging a process with lldb I get to this assembly instruction:

->  0x7ffff79c5187 <+7>:   movq   %fs:(%r14), %r14

Or in intel syntax:

->  0x7ffff79c5187 <+7>:   mov    r14, qword ptr fs:[r14]

Contents of the registers:

(lldb) register read fs
      fs = 0x0000000000000000
(lldb) register read r14
     r14 = 0xffffffffffffff08

I don't know how to calculate what address is being accessed here (just reading 0xffffffffffffff08 fails), so I would like to use the same addressing mode in order to get the address that is accessed here (then set a watchpoint).

I tried many address expressions, but they are all apparently invalid. Here are some of the ways I tried to read that memory:

x "$fs:($r14)"
x "%fs:(%r14)"
x "fs:(r14)"
x $rs
x $fs
memory read %fs:(%r14)
memory read 'qword ptr $fs:[$r14]'
memory read '%fs:(%r14)'
memory read '$fs:($r14)'
memory read '*(int **)$fs:($r14)'
memory read '*(int **)$fs:($r14)'
memory read '*(int *)$fs:($r14)'

But I always get

error: invalid start address expression.
error: address expression <my address expression> evaluation failed
  • Can you ask `lldb` for the FS base address? That's what you want, not the value of FS itself (which is probably going to be `0`, not even a selector index into the GDT, as the kernel will have set the FS base via `wrmsr` or `wrfsbase` in 64-bit mode.) – Peter Cordes Nov 02 '22 at 10:12
  • Thanks for your comment! Sure, any tips on how to do that? I'm googling it but haven't found a way yet. – talz Nov 02 '22 at 10:19
  • I don't know if there's an LLDB command for it; I haven't used it. I seem to recall a recent Q&A about GDB getting segment bases. But the keyword to search for is "fs base". – Peter Cordes Nov 02 '22 at 10:44
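As the comments point out, the address the instruction touches is the FS *base* plus r14 (mod 2^64); the selector value lldb prints is irrelevant. The following is an added example, not code from the question or from lldb: a Linux x86-64 C program that fetches its own FS base with arch_prctl(ARCH_GET_FS), computes the effective address for the r14 value in the question, and cross-checks the arithmetic by reading fs:0 both through the segment override and through a flat pointer. Offset 0 is used for the check only because it is always mapped (the thread control block); that -0xf8 is a TLS slot in the debuggee is an assumption.

```c
#define _GNU_SOURCE                  /* for syscall() */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#ifndef ARCH_GET_FS
#define ARCH_GET_FS 0x1003           /* value from <asm/prctl.h>, see arch_prctl(2) */
#endif
/* The FS *base* the kernel programmed, which is what the addressing mode uses
 * (the FS selector itself, which lldb prints as 0, plays no part). */
static uint64_t get_fs_base(void) {
    uint64_t base = 0;
    if (syscall(SYS_arch_prctl, ARCH_GET_FS, &base) != 0)
        perror("arch_prctl(ARCH_GET_FS)");
    return base;
}

/* Effective address of fs:(reg) = FS base + reg, wrapping modulo 2^64, so a
 * "negative" value such as 0xffffffffffffff08 (-0xf8) lands just below the
 * FS base, where TLS variables live on x86-64 Linux. */
static uint64_t seg_effective_addr(uint64_t fs_base, uint64_t reg) {
    return fs_base + reg;            /* unsigned wraparound is well defined */
}

/* Read 8 bytes exactly the way the instruction in the question does. */
static uint64_t read_via_fs(uint64_t off) {
    uint64_t v;
    __asm__ volatile("movq %%fs:(%1), %0" : "=r"(v) : "r"(off));
    return v;
}

/* Read the same 8 bytes through a flat pointer built from the computed address. */
static uint64_t read_via_flat(uint64_t fs_base, uint64_t off) {
    return *(volatile uint64_t *)(uintptr_t)seg_effective_addr(fs_base, off);
}

int main(void) {
    uint64_t base = get_fs_base();
    uint64_t r14 = 0xffffffffffffff08ULL;   /* register value from the question */
    printf("fs base = 0x%llx, fs:(r14) = 0x%llx (fs base - 0x%llx)\n",
           (unsigned long long)base,
           (unsigned long long)seg_effective_addr(base, r14),
           (unsigned long long)(0 - r14));
    /* Offset 0 (the thread control block) is always mapped, so both reads agree. */
    printf("fs:0 via asm = 0x%llx, via flat pointer = 0x%llx\n",
           (unsigned long long)read_via_fs(0),
           (unsigned long long)read_via_flat(base, 0));
    return 0;
}
```

With the base in hand, `watchpoint set expression -- <base - 0xf8>` sets the watchpoint the question is after; recent lldb builds for Linux may also expose the base directly as an `fs_base` register.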
