CRASH private loader loading FC16 32-bit libc #796

Closed
derekbruening opened this issue Nov 28, 2014 · 2 comments


From bruen...@google.com on June 07, 2012 15:29:18

Running just about any client-interface test on FC16 (Fedora 16, 32-bit) crashes inside the private loader while it relocates libc:

Program received signal SIGSEGV, Segmentation fault.
0x42835540 in ?? ()
(gdb) bt
#0 0x42835540 in ?? ()
#1 0xf7625ac1 in module_relocate_symbol (modbase=0xf6fd5000 "\177ELF\001\001\001\003", rel=0xf6febdd4, pd=0x4fdd9238, is_rela=false)
at /work/dr/build_suite/src/core/linux/module.c:1584
#2 0xf7625c81 in module_relocate_rel (modbase=0xf6fd5000 "\177ELF\001\001\001\003", pd=0x4fdd9238, start=0xf6febdb4, end=0xf6febdf4)
at /work/dr/build_suite/src/core/linux/module.c:1632
#3 0xf7629206 in privload_relocate_mod (mod=0x4fdd9038) at /work/dr/build_suite/src/core/linux/loader.c:843
#4 0xf7628743 in privload_process_imports (mod=0x4fdd9038) at /work/dr/build_suite/src/core/linux/loader.c:556
#5 0xf7569f2e in privload_load_finalize (privmod=0x4fdd9038) at /work/dr/build_suite/src/core/loader_shared.c:516
#6 0xf756990a in privload_load (filename=0xffb20c5c "/lib/libc.so.6", dependent=0x4fdd7038)
at /work/dr/build_suite/src/core/loader_shared.c:420
#7 0xf76288fb in privload_locate_and_load (impname=0xf739156f "libc.so.6", dependent=0x4fdd7038)
at /work/dr/build_suite/src/core/linux/loader.c:628
#8 0xf762870f in privload_process_imports (mod=0x4fdd7038) at /work/dr/build_suite/src/core/linux/loader.c:548
#9 0xf7569f2e in privload_load_finalize (privmod=0x4fdd7038) at /work/dr/build_suite/src/core/loader_shared.c:516
#10 0xf7568e0e in loader_init () at /work/dr/build_suite/src/core/loader_shared.c:125
#11 0xf740ce0a in dynamorio_app_init () at /work/dr/build_suite/src/core/dynamo.c:497

case ELF_R_IRELATIVE:
    res = modbase + (is_rela ? addend : *r_addr);

82ccaa6: 80 7d d4 00 cmpb $0x0,-0x2c(%ebp)
82ccaaa: 74 05 je 82ccab1 <dr_syscall_invoke_another+0x22c34>
82ccaac: 8b 45 f4 mov -0xc(%ebp),%eax
82ccaaf: eb 05 jmp 82ccab6 <dr_syscall_invoke_another+0x22c39>
82ccab1: 8b 45 e8 mov -0x18(%ebp),%eax
82ccab4: 8b 00 mov (%eax),%eax
82ccab6: 03 45 08 add 0x8(%ebp),%eax
82ccab9: 89 45 ec mov %eax,-0x14(%ebp)
r_addr = ((ELF_ADDR () (void)) res) ();
82ccabc: 8b 45 ec mov -0x14(%ebp),%eax
82ccabf: ff d0 call *%eax
82ccac1: 8b 55 e8 mov -0x18(%ebp),%edx
82ccac4: 89 02 mov %eax,(%edx)
break;

(gdb) info reg
eax 0x42835540 1115903296
ecx 0x0 0
edx 0xf7625aa6 -144549210
ebx 0xf76e024c -143785396
esp 0xffb20a9c 0xffb20a9c
ebp 0xffb20af8 0xffb20af8
esi 0xf6febe90 -151077232
edi 0xf7709aec -143615252
eip 0x42835540 0x42835540
eflags 0x10203 CF IF RF
(gdb) info local
r_addr = 0xf717f010
r_type = 42
r_sym = 0
sym = 0xf6fd8e38
res = 0x42835540 <Address 0x42835540 out of bounds>
addend = 0
name = 0xf6fe2158 ""
resolved = true
(gdb) info args
modbase = 0xf6fd5000 "\177ELF\001\001\001\003"
rel = 0xf6febdd4
pd = 0x4fdd9238
is_rela = false

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=796


From bruen...@google.com on June 07, 2012 14:03:53

(gdb) x/4wx 0xf717f010
0xf717f010: 0x4b860540 0x4b8564e0 0x4b7c7f20 0x4b855900
(gdb) p /x 0xf6fd5000 + 0x4b860540
$1 = 0x42835540
(gdb) x/14i 0x4b860540
0x4b860540 : push %ebx
0x4b860541 <memrchr+1>: call 0x4b90ed63 <__i686.get_pc_thunk.bx>
0x4b860546 <memrchr+6>: add $0x123aae,%ebx
0x4b86054c <memrchr+12>: cmpl $0x0,0x362c(%ebx)
0x4b860553 <memrchr+19>: jne 0x4b86055a <memrchr+26>
0x4b860555 <memrchr+21>: call 0x4b7f39b0 <__init_cpu_features>
0x4b86055a <memrchr+26>: testl $0x4000000,0x3640(%ebx)
0x4b860564 <memrchr+36>: je 0x4b86057a <memrchr+58>
0x4b860566 <memrchr+38>: testl $0x4,0x364c(%ebx)
0x4b860570 <memrchr+48>: je 0x4b860582 <memrchr+66>
0x4b860572 <memrchr+50>: lea -0x5be14(%ebx),%eax
0x4b860578 <memrchr+56>: pop %ebx
0x4b860579 <memrchr+57>: ret

xref r923: fixes issue #478 (handle IRELATIVE relocations)
xref r948: fixes issue #534 (stl_test failure on Linux)

#define R_386_IRELATIVE 42 /* Adjust indirectly by program base */
=>
The ELF nomenclature here is misleading: "program base" really means the delta between the loaded base and the preferred (link-time) base, not the loaded address itself. This libc appears to be prelinked: the value already in the relocation slot (0x4b860540) is memrchr's absolute address, as the disassembly above shows, so adding the loaded base 0xf6fd5000 to it double-relocates, wraps in 32 bits to 0x42835540, and the loader then calls that garbage pointer. The fix is to add the delta (loaded base minus preferred base) rather than the loaded base. Independently of that, checking that the resolver address lies within the module's mapping before the indirect call would turn a bad relocation into a diagnosable assertion instead of a wild jump.


From bruen...@google.com on June 08, 2012 13:18:33

This issue was closed by revision r1389.

Status: Fixed
