[FS#251] sending SIGSEGV to dnsmasq for invalid read access from 00000000
LEDE Bugs
lede-bugs at lists.infradead.org
Mon Nov 21 06:23:21 PST 2016
The following task has a new comment added:
FS#251 - sending SIGSEGV to dnsmasq for invalid read access from 00000000
User who did this - Matthias Schiffer (NeoRaider)
----------
Further increasing severity, as this doesn't only affect init scripts, but all shell scripts using shell expansion ($() or backticks). While testing, I've experienced several crashes of sysupgrade.
Further results of my investigation:
* errno_location is not returning NULL after all; in fact, errno_location() is not called at all. This seems correct; the branch calling errno_location() is only called when safe_read() fails, and it doesn't look like safe_read() fails before the crash. The value of the ra register still holds the return address from safe_read().
* The whole thing is very fragile; adding a single "nop" instruction before the "jal __errno_location" makes the crash go away.
* The Program Counter somehow ends up at 0x00439ff1; it is unclear how it gets there. The preceding instructions have not been executed. While a random jump after memory corruption could be a possible cause, the backtrace up to nonblock_immune_read() looks sane.
I'm currently looking into possible kernel-side causes for this issue.
----------
More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=251#comment908