[FS#822] busybox (ash) segfaults running shell scripts on ar71xx
LEDE Bugs
lede-bugs at lists.infradead.org
Thu Jun 1 14:38:44 PDT 2017
For full information about what has changed in this task, visit the URL below and click the History tab.
FS#822 - busybox (ash) segfaults running shell scripts on ar71xx
User who did this: Matthias Schiffer (NeoRaider)
Summary: busybox (ash) segfaults running shell scripts -> busybox (ash) segfaults running shell scripts on ar71xx
Task details edited:
-------
I'm often seeing this message in my logs:
[ 2183.499756] do_page_fault(): sending SIGSEGV to dhcpv6.script for invalid read access from 00000000
[ 2183.509195] epc = 0041efe9 in busybox[400000+4b000]
[ 2183.514285] ra = 0041efb1 in busybox[400000+4b000]
The issue might be a new variant of FS#251, which disappeared after a busybox upgrade.
I'm on a recent lede-17.01 version (dfecce60e6e75abf3ea817fe7bf29fd432693f13), with the following adjustments to busybox:
CONFIG_BUSYBOX_CUSTOM=y
# CONFIG_BUSYBOX_CONFIG_FEATURE_PREFER_IPV4_ADDRESS is not set
Hardware: TP-Link TL-WR841ND v9 (QCA9533)
My analysis so far:
Registers:
          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 7fcfd4c8 00000000 0090b7c0 00910df4 00910df9 2f2f2f2f bcd0a2f0
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   fefefeff 80808080 80083c3c 002f3634 7fcf9698 00000000 00000000 77a6e2c0
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  0090ccc0 7fcf9900 00000004 0040788d 77a64000 77a64000 77a67518 77a68d8c
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  0045b0e8 77a36d44 00000000 00000000 77a6e2c0 7fcf97d0 00000000 0041efb1
            sr       lo       hi      bad    cause       pc
      0000f413 00000048 00000013 00000000 00800008 0041efe9
           fsr      fir
      00000000 00000000
Disassembly:
Dump of assembler code for function find_command:
0x0041ef45 : save a0-a3,232,ra,s0-s1
0x0041ef49 : move s1,a1
0x0041ef4b : jal 0x449c61
0x0041ef4f : li a1,47
0x0041ef51 : beqz v0,0x41ef79
0x0041ef53 : li v0,1
0x0041ef55 : neg v0
0x0041ef57 : lw v1,240(sp)
0x0041ef59 : sw v0,4(s1)
0x0041ef5b : li v0,2
0x0041ef5d : and v0,v1
0x0041ef5f : bnez v0,0x41ef65
0x0041ef61 : li v0,0
0x0041ef63 : b 0x41ef75
0x0041ef65 : lw a0,232(sp)
0x0041ef67 : jal 0x44a441
0x0041ef6b : addiu a1,sp,56
0x0041ef6d : slti v0,0
0x0041ef6f : bteqz 0x41ef61
0x0041ef71 : li v0,1
0x0041ef73 : neg v0
0x0041ef75 : sb v0,0(s1)
0x0041ef77 : b 0x41f1af
0x0041ef79 : lw v0,0x41f1b4
0x0041ef7b : lw a0,244(sp)
0x0041ef7d : lw v0,0(v0)
0x0041ef7f : addiu v0,124
0x0041ef81 : lw v0,88(v0)
0x0041ef83 : addiu v0,5
0x0041ef85 : xor v0,a0
0x0041ef87 : sltiu v0,1
0x0041ef89 : move v1,t8
0x0041ef8b : sw v1,40(sp)
0x0041ef8d : beqz v0,0x41efa9
0x0041ef8f : lw v0,240(sp)
0x0041ef91 : li s0,8
0x0041ef93 : lw a1,0x41f1b8
0x0041ef95 : jal 0x449ba1
0x0041ef99 : or s0,v0
0x0041ef9b : beqz v0,0x41efa7
0x0041ef9d : lw v1,240(sp)
0x0041ef9f : li v0,40
0x0041efa1 : or v1,v0
0x0041efa3 : sw v1,240(sp)
0x0041efa5 : b 0x41efa9
0x0041efa7 : sw s0,240(sp)
0x0041efa9 : lw a0,232(sp)
0x0041efab : jal 0x41a75d
0x0041efaf : li a1,0
0x0041efb1 : move s0,v0
0x0041efb3 : beqz v0,0x41efdd
0x0041efb5 : lb v0,8(v0)
0x0041efb7 : cmpi v0,1
0x0041efb9 : bteqz 0x41efc3
0x0041efbb : cmpi v0,2
0x0041efbd : btnez 0x41efc7
0x0041efbf : li v0,32
0x0041efc1 : b 0x41efc9
0x0041efc3 : li v0,4
0x0041efc5 : b 0x41efc9
0x0041efc7 : li v0,8
0x0041efc9 : lw v1,240(sp)
0x0041efcb : and v0,v1
0x0041efcd : bnez v0,0x41efd7
0x0041efcf : lbu v0,9(s0)
0x0041efd1 : beqz v0,0x41f1a3
0x0041efd5 : b 0x41efdd
0x0041efd7 : li v0,0
0x0041efd9 : li s0,0
0x0041efdb : sw v0,40(sp)
0x0041efdd : jal 0x41b025
0x0041efe1 : lw a0,232(sp)
0x0041efe3 : sw v0,44(sp)
0x0041efe5 : beqz v0,0x41f00f
0x0041efe7 : lw v0,0(v0)
=> 0x0041efe9 : lbu v1,0(v0)
0x0041efeb : li v0,2
0x0041efed : and v0,v1
0x0041efef : bnez v0,0x41f177
0x0041eff3 : lw v1,240(sp)
0x0041eff5 : li v0,8
0x0041eff7 : and v0,v1
0x0041eff9 : beqz v0,0x41f005
0x0041effb : li v0,32
0x0041effd : and v0,v1
0x0041efff : beqz v0,0x41f177
0x0041f003 : b 0x41f00f
0x0041f005 : lw v0,0x41f1bc
0x0041f007 : lw v0,0(v0)
...
As in FS#251, the contents of the registers don't really make sense. Unless I'm overlooking something, it should not be possible for $pc to reach 0x0041efe9 with $ra on 0x0041efb1 (return from cmdlookup); rather, $ra should have the value 0x0041efe3 (return from find_builtin). There are no code paths reaching 0x0041efe9 that don't call find_builtin.
-------
More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=822
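The closing claim of the report, that every path to 0x41efe9 runs through the find_builtin call at 0x41efdd, can be checked mechanically rather than by eye. The script below is an added example, not part of the report or of busybox: it parses the quoted dump fragment into a successor map and asks whether the faulting $pc is reachable from the $ra return site without executing that jal. It assumes only the fragment from 0x41efb1 to 0x41efe9 is available, so a branch back into that range from the truncated tail of the function would not be seen.

```python
import re

# Constructed input: the report's find_command dump from the return address in $ra
# (0x41efb1) to the faulting $pc (0x41efe9). MIPS16 code, hence the odd addresses.
DISASM = """\
0x0041efb1 : move s0,v0
0x0041efb3 : beqz v0,0x41efdd
0x0041efb5 : lb v0,8(v0)
0x0041efb7 : cmpi v0,1
0x0041efb9 : bteqz 0x41efc3
0x0041efbb : cmpi v0,2
0x0041efbd : btnez 0x41efc7
0x0041efbf : li v0,32
0x0041efc1 : b 0x41efc9
0x0041efc3 : li v0,4
0x0041efc5 : b 0x41efc9
0x0041efc7 : li v0,8
0x0041efc9 : lw v1,240(sp)
0x0041efcb : and v0,v1
0x0041efcd : bnez v0,0x41efd7
0x0041efcf : lbu v0,9(s0)
0x0041efd1 : beqz v0,0x41f1a3
0x0041efd5 : b 0x41efdd
0x0041efd7 : li v0,0
0x0041efd9 : li s0,0
0x0041efdb : sw v0,40(sp)
0x0041efdd : jal 0x41b025
0x0041efe1 : lw a0,232(sp)
0x0041efe3 : sw v0,44(sp)
0x0041efe5 : beqz v0,0x41f00f
0x0041efe7 : lw v0,0(v0)
=> 0x0041efe9 : lbu v1,0(v0)
"""
BRANCHES = {"b", "beqz", "bnez", "bteqz", "btnez"}  # MIPS16 branch mnemonics in the dump

def can_reach(text, start, goal, avoid=None):
    """True if goal is reachable from start without executing the instruction at avoid.
    'b' only jumps, other branches jump or fall through, all else (jal too) falls through."""
    insns = re.findall(r"0x([0-9a-f]+)\s*:\s*(\S+)[ \t]*(.*)", text)
    succ = {}
    for i, (a, op, ops) in enumerate(insns):
        nxt = [int(insns[i + 1][0], 16)] if op != "b" and i + 1 < len(insns) else []
        succ[int(a, 16)] = nxt + ([int(ops.rsplit(",", 1)[-1], 16)] if op in BRANCHES else [])
    seen, todo = {avoid}, [start]  # depth-first walk over the successor map
    while todo:
        a = todo.pop()
        if a not in seen:
            seen.add(a)
            todo.extend(succ.get(a, ()))
    return goal in seen - {avoid}
```

With the jal allowed the faulting instruction is reachable from the return site; with it excluded it is not, which is the inconsistency the reporter describes between $ra and $pc.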