Reload pwndbg after switching page table.

[TornaxO7]

Hello! I'm currently using pwndbg as my debugger for my kernel development.
I'm implementing the kernel for the x86 architecture, so if I move the starting address of my page cable to the CR3 register, then I'm getting the following error message and the beatiful context output is gone :(

Exception occurred: context: monitor info mem output didn't pass a sanity check (<class 'AssertionError'>)
For more info invoke `set exception-verbose on` and rerun the command
or debug it by yourself with `set exception-debugger on`

do you have an idea how I can fix this?

[gsingh93]

Can you try running monitor info mem directly in GDB? It sounds like this assertion is meant to catch some type of page table misconfiguration, so it may be possible that there's a mistake when you're setting up your page tables.

assert end - start == size, "monitor info mem output didn't pass a sanity check"

It seems to be checking that the page start/end match the page size.

[TornaxO7]

Dayum, that was a fast response! Thanks!

Can you tryr running monitor info mem directly in GDB?

So this is the output, if I exculde the script of pwndbg:

(gdb) monitor info mem
                                                                                                                                        
                                                                                                                                        
                                                                                                                                        
                                                                                                                                        
                                                                                                                                        
(gdb)

And this is the output of monitor info mem if I run it in pwndbg:

pwndbg> monitor info mem
0000000000001000-0000000000002000 0000000000001000 -rw
00007fffffff0000-ffff800000000000 0000000000010000 -rw
ffff800000045000-ffff800000082000 000000000003d000 -rw
ffffffff80000000-ffffffff80041000 0000000000041000 -r-
ffffffff80041000-ffffffff80045000 0000000000004000 -rw
pwndbg>

[TornaxO7]

This looks as expected as far as I can tell.

0000000000001000-0000000000002000 0000000000001000 -rw      // here's my heap
00007fffffff0000-ffff800000000000 0000000000010000 -rw      // here's my stack
ffff800000045000-ffff800000082000 000000000003d000 -rw      // my page frame allocator
ffffffff80000000-ffffffff80041000 0000000000041000 -r-      // the read-only stuff of my kernel code (.read_only, .debug(*))
ffffffff80041000-ffffffff80045000 0000000000004000 -rw      // the writeable data sections like .data and so on.

Hm... could it be that the .debug* sections need to be in the writable sections?

[disconnect3d]

Pwndbg should not influence the output of monitor info mem command since this command comes from native GDB and really boils down to getting the data from the gdbstub I think?

[gsingh93]

This line is probably the issue:

00007fffffff0000-ffff800000000000 0000000000010000 -rw

You can see that the size (0000000000010000) is not correct given the end and start addresses (ffff800000000000 - 00007fffffff0000).

Also, I don't think you're allowed to have a mapping that crosses from 0x0000... to 0xffff...., but I may be wrong.

The behavior of pwndbg here is to bail out of showing the page tables because historically we haven't trusted monitor info mem that much. But I do think a better behavior here is to show the page tables but warn that something is wrong.

[gsingh93]

The start and end addresses are, but you're marking everything in between as read/write. That space should remain unmapped.

[TornaxO7]

But the space between is 00007ff..ff0001, 00007ff..ff0002, 00007ff..ff0003 etc. those are still canonical, no?

[gsingh93]

Correct, but you need to create one mapping for 00007ff..ff0000 to 00007ff..ffffff, and then ffff800000000000 and higher would be a separate mapping. You can't combine both into one.

Feel free to join our Discord if you want to chat about it in more detail.

[TornaxO7]

Correct, but you need to create one mapping for 00007ff..ff0000 to 00007ff..ffffff, and then ffff800000000000 and higher would be a separate mapping. You can't combine both into one.

Oh, that sounds reasonable.

Feel free to join our Discord if you want to chat about it in more detail.

I'll look for the discord link :)

[TornaxO7]

Correct, but you need to create one mapping for 00007ff..ff0000 to 00007ff..ffffff, and then ffff800000000000 and higher would be a separate mapping. You can't combine both into one.

Yay! Finally after some stupid issues, I've finally got the following mapping:

pwndbg> monitor info mem
0000000000001000-0000000000002000 0000000000001000 -rw
00007ffffffef000-00007ffffffff000 0000000000010000 -rw
ffff800000045000-ffff800000082000 000000000003d000 -rw
ffffffff80000000-ffffffff80041000 0000000000041000 -r-
ffffffff80041000-ffffffff80045000 0000000000004000 -rw
pwndbg>

and now pwndbg can display the context even after switching the table! Thank you :)