Re: perf_fuzzer compiled for x32 causes reboot

From: Vince Weaver
Date: Sun Feb 23 2014 - 09:03:27 EST

Next message: Gene Heskett: "Re: It BOOTS! 3.13.5 that is."
Previous message: Olof Johansson: "Re: [PATCH v2] MAINTAINERS: add additional ARM BCM281xx/BCM11xxx maintainer"
In reply to: H. Peter Anvin: "Re: perf_fuzzer compiled for x32 causes reboot"
Next in thread: Vince Weaver: "Re: perf_fuzzer compiled for x32 causes reboot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 22 Feb 2014, H. Peter Anvin wrote:

> I'd be interested in how rbp gets set, too. It might just be a
> coincidence and the value in rbp has some other meaning here.

The code in question does this:

i=find_random_active_event();
if (i<0) return;
if ((event_data[i].mmap)) {
value=0xdeadbeef;
memset(event_data[i].mmap,value,getpagesize());

[New LWP 10526]
Core was generated by `./perf_fuzzer -t OCIRMQWPpAi -r 1392938876'.
Program terminated with signal 11, Segmentation fault.
#0 0x0041efab in __memset_sse2 ()
(gdb) bt
#0 0x0041efab in __memset_sse2 ()
#1 0x004017ec in trash_random_mmap () at perf_fuzzer.c:808
#2 main (argc=<optimized out>, argv=<optimized out>) at perf_fuzzer.c:1604

So rbp is set by the imul below, it is the offset into the
event_data[i] array where the elements have size of 0x120

0x004017bd <+3085>: callq 0x402ee0 <find_random_active_event>
0x004017c2 <+3090>: test %eax,%eax
0x004017c4 <+3092>: js 0x4011e8 <main+1592>
0x004017ca <+3098>: imul $0x120,%eax,%ebp
0x004017d0 <+3104>: mov 0x756b2c(%ebp),%eax

0x004017d7 <+3111>: test %eax,%eax
0x004017d9 <+3113>: je 0x40183b <main+3211>

0x004017db <+3115>: mov 0xc(%esp),%edx
0x004017e0 <+3120>: mov %eax,%edi
0x004017e2 <+3122>: mov $0xdeadbeef,%esi
0x004017e7 <+3127>: callq 0x400260
0x004017ec <+3132>: testb $0x20,0x353e76(%rip) # 0x755669 <logging+$

400260: ff 25 ce 0e 2d 00 jmpq *0x2d0ece(%rip) # 6d1134 $

0x6d1134: 0x0041e710

Dump of assembler code for function __memset_sse2:

0x0041e710 <+0>: cmp $0x1,%rdx
0x0041e714 <+4>: mov %rdi,%rax
0x0041e717 <+7>: jne 0x41e71d <__memset_sse2+13>
0x0041e719 <+9>: mov %sil,(%rdi)

and as far as I can tell nothing touches rbp again until the segfault.
Nothing in _memset_sse2 does as far as I can tell.

Vince
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Gene Heskett: "Re: It BOOTS! 3.13.5 that is."
Previous message: Olof Johansson: "Re: [PATCH v2] MAINTAINERS: add additional ARM BCM281xx/BCM11xxx maintainer"
In reply to: H. Peter Anvin: "Re: perf_fuzzer compiled for x32 causes reboot"
Next in thread: Vince Weaver: "Re: perf_fuzzer compiled for x32 causes reboot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]