NetBSD-Bugs archive
Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
The following reply was made to PR toolchain/55043; it has been noted by GNATS.
From: Jason Thorpe <thorpej%me.com@localhost>
To: Rin Okuyama <rokuyama.rk%gmail.com@localhost>
Cc: gnats-bugs%netbsd.org@localhost
Subject: Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
Date: Mon, 2 Mar 2020 22:45:00 -0800
(Re-sending to wider audience.)
> On Mar 2, 2020, at 10:00 PM, Rin Okuyama <rokuyama.rk%gmail.com@localhost> wrote:
>
> Seems like the GNU_RELRO vs. 8KB-page problem observed on mips64:
>
> https://mail-index.netbsd.org/port-evbmips/2016/09/11/msg000291.html
>
> sudo still crashes also on mips64.
Maybe not? This is mipsel o32.
cobalt:thorpej 6$ cc -o hello hello.c
cobalt:thorpej 7$ ./hello
Hello, World!
cobalt:thorpej 8$ cc -Wl,-z,relro -o hello-relro hello.c
cobalt:thorpej 9$ ./hello-relro
Hello, World!
cobalt:thorpej 10$ sysctl hw.pagesize
hw.pagesize = 8192
cobalt:thorpej 11$
In my case, 0x7dea4db0 is reported as the faulting PC (in libsudo_util.so), and:
(gdb) disas __do_global_ctors_aux
Dump of assembler code for function __do_global_ctors_aux:
   0x7dea4d78 <+0>:     lui gp,0x2
   0x7dea4d7c <+4>:     addiu gp,gp,-15336
   0x7dea4d80 <+8>:     addu gp,gp,t9
   0x7dea4d84 <+12>:    lw v0,-32740(gp)
   0x7dea4d88 <+16>:    addiu sp,sp,-40
   0x7dea4d8c <+20>:    lbu v1,-27615(v0)
   0x7dea4d90 <+24>:    sw gp,16(sp)
   0x7dea4d94 <+28>:    sw ra,36(sp)
   0x7dea4d98 <+32>:    sw s1,32(sp)
   0x7dea4d9c <+36>:    sw s0,28(sp)
   0x7dea4da0 <+40>:    bnez v1,0x7dea4e1c <__do_global_ctors_aux+164>
   0x7dea4da4 <+44>:    li a0,1
   0x7dea4da8 <+48>:    lw v1,-32460(gp)
   0x7dea4dac <+52>:    nop
=> 0x7dea4db0 <+56>:    beqz v1,0x7dea4dd4 <__do_global_ctors_aux+92>
   0x7dea4db4 <+60>:    sb a0,-27615(v0)
   0x7dea4db8 <+64>:    lw a1,-32740(gp)
   0x7dea4dbc <+68>:    lw t9,-32460(gp)
   0x7dea4dc0 <+72>:    lw a0,-32736(gp)
   0x7dea4dc4 <+76>:    jalr t9
As far as I can tell, this is:
	if (register_frame_info)
		register_frame_info(__EH_FRAME_LIST__, &dwarf_eh_object);
...in crtbegin (note the "sb" in the delay slot of the "beqz" is the "__initialized = 1;" just above in the function...)
(gdb) print/x $v1
$3 = 0x7de6d5ec
(gdb)
...which the debugger, at least, does believe is the __register_frame_info() function (register_frame_info is a weak ref to it):
(gdb) disas 0x7de6d5ec
Dump of assembler code for function __register_frame_info:
0x7de6d5ec <+0>: lui gp,0x2
0x7de6d5f0 <+4>: addiu gp,gp,-20972
0x7de6d5f4 <+8>: addu gp,gp,t9
0x7de6d5f8 <+12>: lw t9,-32596(gp)
0x7de6d5fc <+16>: move a3,zero
0x7de6d600 <+20>: jr t9
0x7de6d604 <+24>: move a2,zero
End of assembler dump.
-- thorpej
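The reasoning in the message above (a fault reported at a "beqz", with the interesting "sb" sitting in its delay slot) is a general MIPS crash-triage rule: when an exception is taken in a branch delay slot, EPC points at the branch and Cause.BD is set, so the instruction that actually touched memory is at PC+4. The following helper is an added example, not part of thorpej's message or of the NetBSD toolchain. It parses a gdb "disas" dump, and given the reported faulting PC, names the suspect instruction and its memory operand. The embedded dump is the __do_global_ctors_aux listing from the report; the register value used for the effective-address calculation is constructed, since the report only prints $v1.

```python
import re
from dataclasses import dataclass

# Constructed sample: the __do_global_ctors_aux dump quoted in the report, with
# the quoted-printable soft line breaks rejoined. "=>" is gdb's current-PC marker.
GDB_DUMP = """\
Dump of assembler code for function __do_global_ctors_aux:
   0x7dea4d78 <+0>:     lui gp,0x2
   0x7dea4d7c <+4>:     addiu gp,gp,-15336
   0x7dea4d80 <+8>:     addu gp,gp,t9
   0x7dea4d84 <+12>:    lw v0,-32740(gp)
   0x7dea4d88 <+16>:    addiu sp,sp,-40
   0x7dea4d8c <+20>:    lbu v1,-27615(v0)
   0x7dea4d90 <+24>:    sw gp,16(sp)
   0x7dea4d94 <+28>:    sw ra,36(sp)
   0x7dea4d98 <+32>:    sw s1,32(sp)
   0x7dea4d9c <+36>:    sw s0,28(sp)
   0x7dea4da0 <+40>:    bnez v1,0x7dea4e1c <__do_global_ctors_aux+164>
   0x7dea4da4 <+44>:    li a0,1
   0x7dea4da8 <+48>:    lw v1,-32460(gp)
   0x7dea4dac <+52>:    nop
=> 0x7dea4db0 <+56>:    beqz v1,0x7dea4dd4 <__do_global_ctors_aux+92>
   0x7dea4db4 <+60>:    sb a0,-27615(v0)
   0x7dea4db8 <+64>:    lw a1,-32740(gp)
   0x7dea4dbc <+68>:    lw t9,-32460(gp)
   0x7dea4dc0 <+72>:    lw a0,-32736(gp)
   0x7dea4dc4 <+76>:    jalr t9
"""

LINE_RE = re.compile(r"^\s*(?:=>)?\s*0x([0-9a-fA-F]+)\s+<\+\d+>:\s+(\S+)(?:\s+(.*?))?\s*$")
SYM_RE = re.compile(r"\s*<[^>]*>$")          # trailing "<sym+off>" gdb adds to targets
MEM_RE = re.compile(r"^(-?\d+)\((\w+)\)$")   # MIPS "offset(base)" memory operand

# MIPS32 control transfers whose following instruction executes in a delay slot.
DELAY_SLOT = {"b", "bal", "beq", "bne", "beqz", "bnez", "blez", "bgtz", "bltz",
              "bgez", "bltzal", "bgezal", "j", "jal", "jr", "jalr"}
STORES = {"sb", "sh", "sw", "swl", "swr", "sc", "sd", "swc1", "sdc1"}
LOADS = {"lb", "lbu", "lh", "lhu", "lw", "lwl", "lwr", "ll", "ld", "lwu", "lwc1", "ldc1"}


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: list

    def memory_operand(self):
        """Return (kind, base_register, offset) for a load/store, else None."""
        if self.mnemonic in STORES:
            kind = "store"
        elif self.mnemonic in LOADS:
            kind = "load"
        else:
            return None
        m = MEM_RE.match(self.operands[-1])
        return (kind, m.group(2), int(m.group(1))) if m else None


def parse_gdb_disas(text):
    """Map address -> Insn for every instruction line of a gdb 'disas' dump."""
    insns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = SYM_RE.sub("", m.group(3) or "")
        ops = [o.strip() for o in raw.split(",")] if raw else []
        addr = int(m.group(1), 16)
        insns[addr] = Insn(addr, m.group(2), ops)
    return insns


def analyze_fault(dump, pc):
    """For a data fault reported at `pc`, pick the instruction that did the access.
    A branch cannot fault on a data access itself; if `pc` holds a branch/jump,
    the exception came from its delay slot and the suspect is the insn at pc+4."""
    insns = parse_gdb_disas(dump)
    at_pc = insns.get(pc)
    if at_pc is None:
        raise ValueError("pc 0x%x not in dump" % pc)
    in_delay_slot = at_pc.mnemonic in DELAY_SLOT and (pc + 4) in insns
    suspect = insns[pc + 4] if in_delay_slot else at_pc
    return {"pc_insn": at_pc, "in_delay_slot": in_delay_slot,
            "suspect": suspect, "access": suspect.memory_operand()}


def effective_address(access, regs, bits=32):
    """Faulting address from (kind, base, offset) plus a register snapshot."""
    _, base, offset = access
    return (regs[base] + offset) & ((1 << bits) - 1)


if __name__ == "__main__":
    r = analyze_fault(GDB_DUMP, 0x7dea4db0)
    print("at PC:   %s %s" % (r["pc_insn"].mnemonic, ",".join(r["pc_insn"].operands)))
    print("suspect: %s %s (delay slot: %s)" % (r["suspect"].mnemonic,
          ",".join(r["suspect"].operands), r["in_delay_slot"]))
    print("access:  %r" % (r["access"],))
    # Constructed $v0 value; the report does not print it.
    print("addr:    0x%x" % effective_address(r["access"], {"v0": 0x7dec0000}))
```

Run against the dump and PC 0x7dea4db0, the script reports the "beqz" at the PC, flags the "sb a0,-27615(v0)" in the delay slot as the suspect store, and, once $v0 is read from gdb, yields the byte address being written; comparing that address against the RELRO range in the process map is the next check when a write to a static flag such as __initialized is suspected.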