[FS#822] busybox (ash) segfaults running shell scripts on ar71xx

LEDE Bugs lede-bugs at lists.infradead.org
Thu Jun 1 14:38:44 PDT 2017


For full information about what has changed in this task, visit the URL below and click the History tab.

FS#822 - busybox (ash) segfaults running shell scripts on ar71xx
User who did this: Matthias Schiffer (NeoRaider)
Summary: busybox (ash) segfaults running shell scripts -> busybox (ash) segfaults running shell scripts on ar71xx
Task details edited:
-------
I'm often seeing this message in my logs:


[ 2183.499756] do_page_fault(): sending SIGSEGV to dhcpv6.script for invalid read access from 00000000    
[ 2183.509195] epc = 0041efe9 in busybox[400000+4b000]                                                    
[ 2183.514285] ra  = 0041efb1 in busybox[400000+4b000]                                                    


The issue might be a new variant of FS#251, which disappeared after a busybox upgrade.

I'm on a recent lede-17.01 version (dfecce60e6e75abf3ea817fe7bf29fd432693f13), with the following adjustments to busybox:

CONFIG_BUSYBOX_CUSTOM=y
# CONFIG_BUSYBOX_CONFIG_FEATURE_PREFER_IPV4_ADDRESS is not set


Hardware: TP-Link TL-WR841ND v9 (QCA9533)

My analysis so far:

Registers:

          zero       at       v0       v1       a0       a1       a2       a3
 R0   00000000 7fcfd4c8 00000000 0090b7c0 00910df4 00910df9 2f2f2f2f bcd0a2f0 
            t0       t1       t2       t3       t4       t5       t6       t7
 R8   fefefeff 80808080 80083c3c 002f3634 7fcf9698 00000000 00000000 77a6e2c0 
            s0       s1       s2       s3       s4       s5       s6       s7
 R16  0090ccc0 7fcf9900 00000004 0040788d 77a64000 77a64000 77a67518 77a68d8c 
            t8       t9       k0       k1       gp       sp       s8       ra
 R24  0045b0e8 77a36d44 00000000 00000000 77a6e2c0 7fcf97d0 00000000 0041efb1 
            sr       lo       hi      bad    cause       pc
      0000f413 00000048 00000013 00000000 00800008 0041efe9 
           fsr      fir
      00000000 00000000 


Disassembly:

Dump of assembler code for function find_command:                                                         
   0x0041ef45 :     save    a0-a3,232,ra,s0-s1                                                        
   0x0041ef49 :     move    s1,a1                                                                     
   0x0041ef4b :     jal     0x449c61                                                
   0x0041ef4f :    li      a1,47
   0x0041ef51 :    beqz    v0,0x41ef79 
   0x0041ef53 :    li      v0,1
   0x0041ef55 :    neg     v0
   0x0041ef57 :    lw      v1,240(sp)
   0x0041ef59 :    sw      v0,4(s1)
   0x0041ef5b :    li      v0,2
   0x0041ef5d :    and     v0,v1
   0x0041ef5f :    bnez    v0,0x41ef65 
   0x0041ef61 :    li      v0,0
   0x0041ef63 :    b       0x41ef75 
   0x0041ef65 :    lw      a0,232(sp)
   0x0041ef67 :    jal     0x44a441 
   0x0041ef6b :    addiu   a1,sp,56
   0x0041ef6d :    slti    v0,0
   0x0041ef6f :    bteqz   0x41ef61 
   0x0041ef71 :    li      v0,1
   0x0041ef73 :    neg     v0
   0x0041ef75 :    sb      v0,0(s1)
   0x0041ef77 :    b       0x41f1af 
   0x0041ef79 :    lw      v0,0x41f1b4 
   0x0041ef7b :    lw      a0,244(sp)
   0x0041ef7d :    lw      v0,0(v0)
   0x0041ef7f :    addiu   v0,124
   0x0041ef81 :    lw      v0,88(v0)
   0x0041ef83 :    addiu   v0,5
   0x0041ef85 :    xor     v0,a0
   0x0041ef87 :    sltiu   v0,1
   0x0041ef89 :    move    v1,t8
   0x0041ef8b :    sw      v1,40(sp)
   0x0041ef8d :    beqz    v0,0x41efa9 
   0x0041ef8f :    lw      v0,240(sp)
   0x0041ef91 :    li      s0,8
   0x0041ef93 :    lw      a1,0x41f1b8 
   0x0041ef95 :    jal     0x449ba1 
   0x0041ef99 :    or      s0,v0
   0x0041ef9b :    beqz    v0,0x41efa7 
   0x0041ef9d :    lw      v1,240(sp)
   0x0041ef9f :    li      v0,40
   0x0041efa1 :    or      v1,v0
   0x0041efa3 :    sw      v1,240(sp)
   0x0041efa5 :    b       0x41efa9 
   0x0041efa7 :    sw      s0,240(sp)
   0x0041efa9 :   lw      a0,232(sp)
   0x0041efab :   jal     0x41a75d 
   0x0041efaf :   li      a1,0
   0x0041efb1 :   move    s0,v0
   0x0041efb3 :   beqz    v0,0x41efdd 
   0x0041efb5 :   lb      v0,8(v0)
   0x0041efb7 :   cmpi    v0,1
   0x0041efb9 :   bteqz   0x41efc3 
   0x0041efbb :   cmpi    v0,2
   0x0041efbd :   btnez   0x41efc7 
   0x0041efbf :   li      v0,32
   0x0041efc1 :   b       0x41efc9 
   0x0041efc3 :   li      v0,4
   0x0041efc5 :   b       0x41efc9 
   0x0041efc7 :   li      v0,8
   0x0041efc9 :   lw      v1,240(sp)
   0x0041efcb :   and     v0,v1
   0x0041efcd :   bnez    v0,0x41efd7 
   0x0041efcf :   lbu     v0,9(s0)
   0x0041efd1 :   beqz    v0,0x41f1a3 
   0x0041efd5 :   b       0x41efdd 
   0x0041efd7 :   li      v0,0
   0x0041efd9 :   li      s0,0
   0x0041efdb :   sw      v0,40(sp)
   0x0041efdd :   jal     0x41b025 
   0x0041efe1 :   lw      a0,232(sp)
   0x0041efe3 :   sw      v0,44(sp)
   0x0041efe5 :   beqz    v0,0x41f00f 
   0x0041efe7 :   lw      v0,0(v0)
=> 0x0041efe9 :   lbu     v1,0(v0)
   0x0041efeb :   li      v0,2
   0x0041efed :   and     v0,v1
   0x0041efef :   bnez    v0,0x41f177 
   0x0041eff3 :   lw      v1,240(sp)
   0x0041eff5 :   li      v0,8
   0x0041eff7 :   and     v0,v1
   0x0041eff9 :   beqz    v0,0x41f005 
   0x0041effb :   li      v0,32
   0x0041effd :   and     v0,v1
   0x0041efff :   beqz    v0,0x41f177 
   0x0041f003 :   b       0x41f00f 
   0x0041f005 :   lw      v0,0x41f1bc 
   0x0041f007 :   lw      v0,0(v0)
...


As in FS#251, the contents of the registers don't really make sense. Unless I'm overlooking something, it should not be possible for $pc to reach 0x0041efe9 with $ra on 0x0041efb1 (return from cmdlookup); rather, $ra should have the value 0x0041efe3 (return from find_builtin). There are no code paths reaching 0x0041efe9 that don't call find_builtin.
-------

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=822
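As an added example (not part of the report or of busybox), a small Python helper that applies the same consistency check the reporter does by hand: it parses a GDB listing for `jal` call sites, takes each call's return address as the instruction following the delay slot, and compares the reported `$ra` against the return address of the last call before the faulting `$pc`. The listing excerpt is constructed from the addresses quoted above and keeps only the instructions around the two calls and the fault.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the find_command listing from the report; instructions
# that are not on the path between the two jal call sites and the fault are omitted.
LISTING = """
   0x0041efa9 :   lw      a0,232(sp)
   0x0041efab :   jal     0x41a75d
   0x0041efaf :   li      a1,0
   0x0041efb1 :   move    s0,v0
   0x0041efb3 :   beqz    v0,0x41efdd
   0x0041efdd :   jal     0x41b025
   0x0041efe1 :   lw      a0,232(sp)
   0x0041efe3 :   sw      v0,44(sp)
   0x0041efe5 :   beqz    v0,0x41f00f
   0x0041efe7 :   lw      v0,0(v0)
=> 0x0041efe9 :   lbu     v1,0(v0)
"""

LINE_RE = re.compile(r"^(?:=>)?\s*0x([0-9a-f]+)\s*:\s*(\S+)\s*(\S*)", re.M)


def parse_listing(text: str) -> List[Tuple[int, str, str]]:
    """Return (address, mnemonic, operands) tuples in listing order."""
    return [(int(a, 16), m, o) for a, m, o in LINE_RE.findall(text)]


def return_sites(insns) -> Dict[int, Tuple[int, int]]:
    """Map each jal's return address -> (jal address, call target).
    On MIPS16e the entry after a jal is its delay slot, so the callee returns
    to the entry two positions later (the listing must be contiguous there)."""
    sites = {}
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem == "jal" and i + 2 < len(insns):
            sites[insns[i + 2][0]] = (addr, int(ops, 16))
    return sites


def check_frame(insns, pc: int, ra: int) -> dict:
    """Compare $ra with the return address of the last call site before $pc.
    This is the argument the report makes by hand; it is only valid when no
    branch in the listing skips that call on the way to pc."""
    sites = return_sites(insns)
    before_pc = [r for r in sites if r <= pc]
    expected = max(before_pc) if before_pc else None
    return {
        "ra_call": sites.get(ra),      # call that ra would be returning from
        "expected_ra": expected,       # return address of the last jal before pc
        "consistent": ra == expected,
    }
```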