libnl segmentation fault
Borja Ruiz-Castro
bruiz at alienvault.com
Sat Apr 21 10:57:44 EDT 2012
Hi!
I think I just found a bug using lorcon + libnl (segmentation fault)
The problem is genl_unregister():
(gdb) disass 0x00007ffff77afb8d
Dump of assembler code for function genl_unregister:
=> 0x00007ffff77afb80 <+0>: push %rbx
0x00007ffff77afb81 <+1>: mov %rdi,%rbx
0x00007ffff77afb84 <+4>: callq 0x7ffff778dbf0 <nl_cache_mngt_unregister@plt>
0x00007ffff77afb89 <+9>: mov 0x40(%rbx),%rax
0x00007ffff77afb8d <+13>: mov 0x28(%rax),%rdx
0x00007ffff77afb91 <+17>: mov 0x30(%rax),%rcx
0x00007ffff77afb95 <+21>: mov %rcx,0x8(%rdx)
0x00007ffff77afb99 <+25>: mov 0x30(%rax),%rax
0x00007ffff77afb9d <+29>: mov %rdx,(%rax)
0x00007ffff77afba0 <+32>: pop %rbx
0x00007ffff77afba1 <+33>: retq
End of assembler dump.
A segmentation fault occurs when trying to copy %rdx into (%rax)+0x28,
because the contents of %eax are 0x00!
I attach the debug log file!
Regards!
Borja Ruiz.
--
Borja Ruiz-Castro
Senior Security Consultant
QA testing engineer
AlienVault Europe, C/Cronos 63, Planta 2a, Oficina 6
CP: 28037 Madrid, Spain Tlf +34 91 515-1344
Fax +34 91 413-5968
-------------- next part --------------
borja@arch:~/lorcon $ ldd uno
linux-vdso.so.1 => (0x00007fffd0dff000)
/usr/lib/libswmhack.so.0.0 (0x00007f242af5d000)
liborcon-2.0.0.so => /usr/local/lib/liborcon-2.0.0.so (0x00007f242ad4f000)
libnl.so.1 => /usr/lib/libnl.so.1 (0x00007f242aafd000)
libpcap.so.1 => /usr/lib/libpcap.so.1 (0x00007f242a8bf000)
libc.so.6 => /lib/libc.so.6 (0x00007f242a51e000)
libX11.so.6 => /usr/lib/libX11.so.6 (0x00007f242a1e4000)
libXrandr.so.2 => /usr/lib/libXrandr.so.2 (0x00007f2429fdb000)
libXtst.so.6 => /usr/lib/libXtst.so.6 (0x00007f2429dd4000)
libm.so.6 => /lib/libm.so.6 (0x00007f2429adf000)
libnl-genl-3.so.200 => /usr/lib/libnl-genl-3.so.200 (0x00007f24298da000)
libnl-3.so.200 => /usr/lib/libnl-3.so.200 (0x00007f24296c1000)
/lib/ld-linux-x86-64.so.2 (0x00007f242b15f000)
libxcb.so.1 => /usr/lib/libxcb.so.1 (0x00007f24294a3000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f242929f000)
libXext.so.6 => /usr/lib/libXext.so.6 (0x00007f242908c000)
libXrender.so.1 => /usr/lib/libXrender.so.1 (0x00007f2428e81000)
libXi.so.6 => /usr/lib/libXi.so.6 (0x00007f2428c73000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007f2428a57000)
libXau.so.6 => /usr/lib/libXau.so.6 (0x00007f2428853000)
libXdmcp.so.6 => /usr/lib/libXdmcp.so.6 (0x00007f242864d000)
borja@arch:~/lorcon $ gdb ./uno
GNU gdb (GDB) 7.4
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/borja/lorcon/uno...done.
(gdb) r
Starting program: /home/borja/lorcon/uno
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
argc: 1
Uso: /home/borja/lorcon/uno <opcion>
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff77afb8d in genl_unregister () from /usr/lib/libnl.so.1
(gdb) bt
#0 0x00007ffff77afb8d in genl_unregister () from /usr/lib/libnl.so.1
#1 0x00007ffff7de9f3f in _dl_fini () from /lib/ld-linux-x86-64.so.2
#2 0x00007ffff71d17c1 in __run_exit_handlers () from /lib/libc.so.6
#3 0x00007ffff71d1845 in exit () from /lib/libc.so.6
#4 0x0000000000400d7e in main (argc=1, argv=0x7fffffffe8f8) at uno.c:40
(gdb) backtrace
#0 0x00007ffff77afb8d in genl_unregister () from /usr/lib/libnl.so.1
#1 0x00007ffff7de9f3f in _dl_fini () from /lib/ld-linux-x86-64.so.2
#2 0x00007ffff71d17c1 in __run_exit_handlers () from /lib/libc.so.6
#3 0x00007ffff71d1845 in exit () from /lib/libc.so.6
#4 0x0000000000400d7e in main (argc=1, argv=0x7fffffffe8f8) at uno.c:40
(gdb)
#0 0x00007ffff77afb8d in genl_unregister () from /usr/lib/libnl.so.1
#1 0x00007ffff7de9f3f in _dl_fini () from /lib/ld-linux-x86-64.so.2
#2 0x00007ffff71d17c1 in __run_exit_handlers () from /lib/libc.so.6
#3 0x00007ffff71d1845 in exit () from /lib/libc.so.6
#4 0x0000000000400d7e in main (argc=1, argv=0x7fffffffe8f8) at uno.c:40
(gdb) q
A debugging session is active.
Inferior 1 [process 25370] will be killed.
Quit anyway? (y or n) y
borja@arch:~/lorcon $ cat Makefile
#
#
#
INCLUDE_DIR = /usr/local/src/lorcon/
FLAGS = -ggdb
nodebug:
	gcc -I$(INCLUDE_DIR) -o uno.o -c uno.c
	gcc -o uno uno.o -lorcon -lnl -lpcap
debug:
	gcc -I$(INCLUDE_DIR) -o uno.o -c uno.c -ggdb
	gcc -o uno uno.o -lorcon -lnl -lpcap
clean:
	rm uno.o uno
borja@arch:~/lorcon $ gdb ./uno
GNU gdb (GDB) 7.4
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/borja/lorcon/uno...done.
(gdb) break _dl_fini
Function "_dl_fini" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (_dl_fini) pending.
(gdb) r
Starting program: /home/borja/lorcon/uno
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
argc: 1
Uso: /home/borja/lorcon/uno <opcion>
Breakpoint 1, 0x00007ffff7de9d64 in _dl_fini () from /lib/ld-linux-x86-64.so.2
(gdb) step
Single stepping until exit from function _dl_fini,
which has no line number information.
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff77afb8d in genl_unregister () from /usr/lib/libnl.so.1
(gdb) bt
#0 0x00007ffff77afb8d in genl_unregister () from /usr/lib/libnl.so.1
#1 0x00007ffff7de9f3f in _dl_fini () from /lib/ld-linux-x86-64.so.2
#2 0x00007ffff71d17c1 in __run_exit_handlers () from /lib/libc.so.6
#3 0x00007ffff71d1845 in exit () from /lib/libc.so.6
#4 0x0000000000400d7e in main (argc=1, argv=0x7fffffffe8f8) at uno.c:40
(gdb) i r
rax 0x0 0
rbx 0x7ffff675a260 140737328292448
rcx 0x0 0
rdx 0x7ffff7535630 140737342821936
rsi 0xffffffff 4294967295
rdi 0x7ffff7535620 140737342821920
rbp 0x7fffffffe770 0x7fffffffe770
rsp 0x7fffffffe640 0x7fffffffe640
r8 0x1 1
r9 0x7ffff77b56f8 140737345443576
r10 0x7ffff77b56f7 140737345443575
r11 0x0 0
r12 0x7ffff6759d30 140737328291120
r13 0x7fffffffe690 140737488348816
r14 0x7fffffffe700 140737488348928
r15 0x1 1
rip 0x7ffff77afb8d 0x7ffff77afb8d <genl_unregister+13>
eflags 0x10293 [ CF AF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) break genl_unregister
Breakpoint 2 at 0x7ffff77afb80 (2 locations)
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/borja/lorcon/uno
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
argc: 1
Uso: /home/borja/lorcon/uno <opcion>
Breakpoint 1, 0x00007ffff7de9d64 in _dl_fini () from /lib/ld-linux-x86-64.so.2
(gdb) n
Single stepping until exit from function _dl_fini,
which has no line number information.
Breakpoint 2, 0x00007ffff77afb80 in genl_unregister () from /usr/lib/libnl.so.1
(gdb) i r
rax 0x0 0
rbx 0x7ffff7fd2000 140737353949184
rcx 0x0 0
rdx 0x16 22
rsi 0x0 0
rdi 0x7ffff79ca460 140737347626080
rbp 0x7fffffffe770 0x7fffffffe770
rsp 0x7fffffffe648 0x7fffffffe648
r8 0x7fffffffe650 140737488348752
r9 0x7ffff7bd8600 140737349780992
r10 0x7fffffffe3f0 140737488348144
r11 0x7ffff77afb80 140737345420160
r12 0x7ffff79c6100 140737347608832
r13 0x7fffffffe670 140737488348784
r14 0x7fffffffe700 140737488348928
r15 0x16 22
rip 0x7ffff77afb80 0x7ffff77afb80 <genl_unregister>
eflags 0x206 [ PF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/x 0x00007ffff77afb8d
0x7ffff77afb8d <genl_unregister+13>: 0x28508b48
(gdb) x/s 0x00007ffff77afb8d
0x7ffff77afb8d <genl_unregister+13>: "H\213P(H\213H0H\211J\bH\213@0H\211\020[\303fffff.\017\037\204"
(gdb) dissas 0x00007ffff77afb8d
Undefined command: "dissas". Try "help".
(gdb) disass 0x00007ffff77afb8d
Dump of assembler code for function genl_unregister:
=> 0x00007ffff77afb80 <+0>: push %rbx
0x00007ffff77afb81 <+1>: mov %rdi,%rbx
0x00007ffff77afb84 <+4>: callq 0x7ffff778dbf0 <nl_cache_mngt_unregister@plt>
0x00007ffff77afb89 <+9>: mov 0x40(%rbx),%rax
0x00007ffff77afb8d <+13>: mov 0x28(%rax),%rdx
0x00007ffff77afb91 <+17>: mov 0x30(%rax),%rcx
0x00007ffff77afb95 <+21>: mov %rcx,0x8(%rdx)
0x00007ffff77afb99 <+25>: mov 0x30(%rax),%rax
0x00007ffff77afb9d <+29>: mov %rdx,(%rax)
0x00007ffff77afba0 <+32>: pop %rbx
0x00007ffff77afba1 <+33>: retq
End of assembler dump.
(gdb) step
Single stepping until exit from function genl_unregister,
which has no line number information.
0x00007ffff77b3ca8 in _fini () from /usr/lib/libnl.so.1
(gdb) disass 0x00007ffff77afb8d
Dump of assembler code for function genl_unregister:
0x00007ffff77afb80 <+0>: push %rbx
0x00007ffff77afb81 <+1>: mov %rdi,%rbx
0x00007ffff77afb84 <+4>: callq 0x7ffff778dbf0 <nl_cache_mngt_unregister@plt>
0x00007ffff77afb89 <+9>: mov 0x40(%rbx),%rax
0x00007ffff77afb8d <+13>: mov 0x28(%rax),%rdx
0x00007ffff77afb91 <+17>: mov 0x30(%rax),%rcx
0x00007ffff77afb95 <+21>: mov %rcx,0x8(%rdx)
0x00007ffff77afb99 <+25>: mov 0x30(%rax),%rax
0x00007ffff77afb9d <+29>: mov %rdx,(%rax)
0x00007ffff77afba0 <+32>: pop %rbx
0x00007ffff77afba1 <+33>: retq
End of assembler dump.
(gdb) c
Continuing.
Breakpoint 2, 0x00007ffff77afb80 in genl_unregister () from /usr/lib/libnl.so.1
(gdb) disass 0x00007ffff77afb80
Dump of assembler code for function genl_unregister:
=> 0x00007ffff77afb80 <+0>: push %rbx
0x00007ffff77afb81 <+1>: mov %rdi,%rbx
0x00007ffff77afb84 <+4>: callq 0x7ffff778dbf0 <nl_cache_mngt_unregister@plt>
0x00007ffff77afb89 <+9>: mov 0x40(%rbx),%rax
0x00007ffff77afb8d <+13>: mov 0x28(%rax),%rdx
0x00007ffff77afb91 <+17>: mov 0x30(%rax),%rcx
0x00007ffff77afb95 <+21>: mov %rcx,0x8(%rdx)
0x00007ffff77afb99 <+25>: mov 0x30(%rax),%rax
0x00007ffff77afb9d <+29>: mov %rdx,(%rax)
0x00007ffff77afba0 <+32>: pop %rbx
0x00007ffff77afba1 <+33>: retq
End of assembler dump.
(gdb) disass 0x00007ffff77afb8d
Dump of assembler code for function genl_unregister:
=> 0x00007ffff77afb80 <+0>: push %rbx
0x00007ffff77afb81 <+1>: mov %rdi,%rbx
0x00007ffff77afb84 <+4>: callq 0x7ffff778dbf0 <nl_cache_mngt_unregister@plt>
0x00007ffff77afb89 <+9>: mov 0x40(%rbx),%rax
0x00007ffff77afb8d <+13>: mov 0x28(%rax),%rdx
0x00007ffff77afb91 <+17>: mov 0x30(%rax),%rcx
0x00007ffff77afb95 <+21>: mov %rcx,0x8(%rdx)
0x00007ffff77afb99 <+25>: mov 0x30(%rax),%rax
0x00007ffff77afb9d <+29>: mov %rdx,(%rax)
0x00007ffff77afba0 <+32>: pop %rbx
0x00007ffff77afba1 <+33>: retq
End of assembler dump.
(gdb) break 0x00007ffff77afb8d
Function "0x00007ffff77afb8d" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 3 (0x00007ffff77afb8d) pending.
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff77afb8d in genl_unregister () from /usr/lib/libnl.so.1
(gdb) i r
rax 0x0 0
rbx 0x7ffff675a260 140737328292448
rcx 0x0 0
rdx 0x7ffff7535630 140737342821936
rsi 0xffffffff 4294967295
rdi 0x7ffff7535620 140737342821920
rbp 0x7fffffffe770 0x7fffffffe770
rsp 0x7fffffffe640 0x7fffffffe640
r8 0x1 1
r9 0x7ffff77b56f8 140737345443576
r10 0x7ffff77b56f7 140737345443575
r11 0x0 0
r12 0x7ffff6759d30 140737328291120
r13 0x7fffffffe690 140737488348816
r14 0x7fffffffe700 140737488348928
r15 0x1 1
rip 0x7ffff77afb8d 0x7ffff77afb8d <genl_unregister+13>
eflags 0x10293 [ CF AF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/x 0x7ffff675a260+40
0x7ffff675a288: 0x00
(gdb) x/x $rax+28
0x1c: Cannot access memory at address 0x1c
(gdb) q
A debugging session is active.
Inferior 1 [process 25388] will be killed.
Quit anyway? (y or n) y
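Reading the faulting instruction sequence back as C, as an added example that is not part of the original post and is not libnl's source: the struct layouts below (nl_list_head, linked_obj, ops_obj and their field names) are assumptions reconstructed only from the offsets visible in the disassembly (0x40 off the pointer in %rbx, then 0x28 and 0x30 off the pointer loaded into %rax), and the demo_* functions are constructed scenarios. Instructions <+13> to <+29> are the unlink of a doubly linked list node: load next and prev, then write next->prev = prev and prev->next = next. With %rax == 0 the first of those loads is the SIGSEGV at genl_unregister+13 in the log. The unguarded transcription reproduces that fault; the guarded variant returns an error code instead, and also refuses a second unregister of the same object.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layouts, reconstructed from the offsets in the disassembly only. */
struct nl_list_head {
    struct nl_list_head *next;   /* +0x00 */
    struct nl_list_head *prev;   /* +0x08 */
};

struct linked_obj {              /* what 0x40(%rbx) points at */
    uint8_t pad[0x28];           /* unknown fields; only the offset matters here */
    struct nl_list_head list;    /* next at +0x28, prev at +0x30 */
};

struct ops_obj {                 /* what %rdi (saved in %rbx) points at */
    uint8_t pad[0x40];
    struct linked_obj *linked;   /* +0x40, loaded into %rax at <+9> */
};

static void list_init(struct nl_list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct nl_list_head *h, struct nl_list_head *n)
{
    n->next = h;
    n->prev = h->prev;
    h->prev->next = n;
    h->prev = n;
}

static int list_len(const struct nl_list_head *h)
{
    int n = 0;
    for (const struct nl_list_head *p = h->next; p != h; p = p->next)
        n++;
    return n;
}

/* Instructions <+9>..<+29> transcribed literally. When ops->linked is NULL
 * the load of o->list.next is 0x28(%rax) with %rax == 0: the crash in the log. */
void unlink_unguarded(struct ops_obj *ops)
{
    struct linked_obj *o = ops->linked;          /* mov 0x40(%rbx),%rax */
    struct nl_list_head *next = o->list.next;    /* mov 0x28(%rax),%rdx  <- faults */
    struct nl_list_head *prev = o->list.prev;    /* mov 0x30(%rax),%rcx */
    next->prev = prev;                           /* mov %rcx,0x8(%rdx)  */
    prev->next = next;                           /* mov 0x30(%rax),%rax; mov %rdx,(%rax) */
}

/* The same unlink, refusing the two states that would otherwise fault. */
int unlink_guarded(struct ops_obj *ops)
{
    if (ops == NULL || ops->linked == NULL)
        return -1;                               /* the state seen in the crash */
    struct nl_list_head *l = &ops->linked->list;
    if (l->next == NULL || l->prev == NULL)
        return -2;                               /* never linked, or already unlinked */
    l->next->prev = l->prev;
    l->prev->next = l->next;
    l->next = l->prev = NULL;                    /* poison so a repeat unregister is caught */
    return 0;
}

/* Scenario 1: two registered objects, unregister one; returns the list length after. */
int demo_unlink_ok(void)
{
    struct nl_list_head head;
    struct linked_obj a = {{0}}, b = {{0}};
    struct ops_obj ops_a = {{0}}, ops_b = {{0}};
    list_init(&head);
    list_add_tail(&head, &a.list);
    list_add_tail(&head, &b.list);
    ops_a.linked = &a;
    ops_b.linked = &b;
    if (unlink_guarded(&ops_a) != 0)
        return -100;
    return list_len(&head);                      /* 1: only b remains */
}

/* Scenario 2: the crash state, ops->linked == NULL; returns -1 instead of faulting. */
int demo_null_linked(void)
{
    struct ops_obj ops = {{0}};
    return unlink_guarded(&ops);
}

/* Scenario 3: unregistering twice; the poisoned pointers make the second call fail cleanly. */
int demo_double_unregister(void)
{
    struct nl_list_head head;
    struct linked_obj a = {{0}};
    struct ops_obj ops = {{0}};
    list_init(&head);
    list_add_tail(&head, &a.list);
    ops.linked = &a;
    if (unlink_guarded(&ops) != 0)
        return -100;
    return unlink_guarded(&ops);                 /* -2 */
}
```

Calling unlink_unguarded() with a zeroed ops_obj under gdb stops at the equivalent of the dump's <+13>, with the loaded pointer register zero, which is the quickest way to confirm that the register dump in the log (rax 0x0, rbx pointing at the ops object) matches a NULL field rather than a corrupted one.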