Hello Thorsten,
getting the source of such an address is possible, even with ASLR,
if the library versions are known and dbgsyms are available,
like in attached file.
It looks like a null pointer is given to strncasecmp_l.
But you are right, this information might still not be very useful,
because the location is in libc - if it would be in cups-browsed it
would be more useful.
Kind regards,
Bernhard
# From submitter:
cups-browsed[20400]: segfault at 0 ip 00000000f79ffb5b sp 00000000fffd3828
error 4 in libc-2.29.so[f78d2000+145000]
Code: 66 0f 6f 25 37 7c 03 00 66 0f 6f 2d 3f 7c 03 00 66 0f 6f 35 47 7c 03 00
83 f9 30 0f 87 8e 00 00 00 83 f8 30 0f 87 85 00 00 00 <f3> 0f 6f 0f f3 0f 6f 16
66 0f 6f f9 66 44 0f 6f c5 66 44 0f 6f ca
/*
* Page fault error code bits:
*
* bit 0 == 0: no page found 1: protection fault
* bit 1 == 0: read access 1: write access
* bit 2 == 0: kernel-mode access 1: user-mode access
* bit 3 == 1: use of reserved bit detected
* bit 4 == 1: fault was an instruction fetch
* bit 5 == 1: protection keys block access
*/
enum x86_pf_error_code {
PF_PROT = 1 << 0,
PF_WRITE = 1 << 1,
PF_USER = 1 << 2,
PF_RSVD = 1 << 3,
PF_INSTR = 1 << 4,
PF_PK = 1 << 5,
};
arch/x86/mm/fault.c:
printk("%s%s[%d]: segfault at %lx ip %px sp %px error %lx",
"error 4" == 0x4 == 0b100
bit 0 == 0: no page found
bit 1 == 0: read access
bit 2 == 1: user-mode access
bit 3 == 0:
bit 4 == 0:
bit 5 == 0:
##############
# Unstable amd64 qemu VM with x32 userland 2020-02-06
apt update
apt dist-upgrade
apt install systemd-coredump gdb cups-browsed cups-browsed-dbgsym
dpkg -l | grep -i libc6
dpkg -l | grep 2.29-10
wget
https://snapshot.debian.org/archive/debian-ports/20200111T150052Z/pool-x32/main/g/glibc/libc6_2.29-9_x32.deb
wget
https://snapshot.debian.org/archive/debian-ports/20200111T150052Z/pool-x32/main/g/glibc/libc6-dbg_2.29-9_x32.deb
wget
https://snapshot.debian.org/archive/debian-ports/20200111T150052Z/pool-x32/main/g/glibc/libc-bin_2.29-9_x32.deb
wget
https://snapshot.debian.org/archive/debian/20200111T032041Z/pool/main/g/glibc/libc-l10n_2.29-9_all.deb
wget
https://snapshot.debian.org/archive/debian/20200111T032041Z/pool/main/g/glibc/locales_2.29-9_all.deb
dpkg -i "*_2.29-9_*"
gdb -q
file /sbin/cups-browsed
b main
run
generate-core /tmp/core
kill
y
q
gdb -q | grep "libc\."
file /sbin/cups-browsed
core /tmp/core
set width 0
set pagination off
info share
q
# 0xf7920320 0xf7a634db Yes /lib/x86_64-linux-gnux32/libc.so.6
echo -n "find /b ..., ..., 0x" && \
{
echo "66 0f 6f 25 37 7c 03 00 66 0f 6f 2d 3f 7c 03 00 66 0f 6f 35 47 7c 03
00 83 f9 30 0f 87 8e 00 00 00 83 f8 30 0f 87 85 00 00 00 <f3> 0f 6f 0f f3 0f 6f
16 66 0f 6f f9 66 44 0f 6f c5 66 44 0f 6f ca"
} | sed 's/[<>]//g' | sed 's/ /, 0x/g'
# find /b ..., ..., 0x66, 0x0f, 0x6f, 0x25, 0x37, 0x7c, 0x03, 0x00, 0x66,
0x0f, 0x6f, 0x2d, 0x3f, 0x7c, 0x03, 0x00, 0x66, 0x0f, 0x6f, 0x35, 0x47, 0x7c,
0x03, 0x00, 0x83, 0xf9, 0x30, 0x0f, 0x87, 0x8e, 0x00, 0x00, 0x00, 0x83, 0xf8,
0x30, 0x0f, 0x87, 0x85, 0x00, 0x00, 0x00, 0xf3, 0x0f, 0x6f, 0x0f, 0xf3, 0x0f,
0x6f, 0x16, 0x66, 0x0f, 0x6f, 0xf9, 0x66, 0x44, 0x0f, 0x6f, 0xc5, 0x66, 0x44,
0x0f, 0x6f, 0xca
gdb -q
file /sbin/cups-browsed
core /tmp/core
set width 0
set pagination off
find /b 0xf7920320, 0xf7a634db, 0x66, 0x0f, 0x6f, 0x25, 0x37, 0x7c, 0x03, 0x00,
0x66, 0x0f, 0x6f, 0x2d, 0x3f, 0x7c, 0x03, 0x00, 0x66, 0x0f, 0x6f, 0x35, 0x47,
0x7c, 0x03, 0x00, 0x83, 0xf9, 0x30, 0x0f, 0x87, 0x8e, 0x00, 0x00, 0x00, 0x83,
0xf8, 0x30, 0x0f, 0x87, 0x85, 0x00, 0x00, 0x00, 0xf3, 0x0f, 0x6f, 0x0f, 0xf3,
0x0f, 0x6f, 0x16, 0x66, 0x0f, 0x6f, 0xf9, 0x66, 0x44, 0x0f, 0x6f, 0xc5, 0x66,
0x44, 0x0f, 0x6f, 0xca
disassemble /r 0xf7a4db31, 0xf7a4db31 + 62
b * (0xf7a4db31 + 42)
info b
benutzer@debian:~$ gdb -q
(gdb) file /sbin/cups-browsed
Reading symbols from /sbin/cups-browsed...
Reading symbols from
/usr/lib/debug/.build-id/30/1088ae63113870879be52401bc26cac176081b.debug...
(gdb) core /tmp/core
[New LWP 4218]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnux32/libthread_db.so.1".
Program terminated with signal SIGTRAP, Trace/breakpoint trap.
...
(gdb) set width 0
(gdb) set pagination off
(gdb) find /b 0xf7920320, 0xf7a634db, 0x66, 0x0f, 0x6f, 0x25, 0x37, 0x7c, 0x03,
0x00, 0x66, 0x0f, 0x6f, 0x2d, 0x3f, 0x7c, 0x03, 0x00, 0x66, 0x0f, 0x6f, 0x35,
0x47, 0x7c, 0x03, 0x00, 0x83, 0xf9, 0x30, 0x0f, 0x87, 0x8e, 0x00, 0x00, 0x00,
0x83, 0xf8, 0x30, 0x0f, 0x87, 0x85, 0x00, 0x00, 0x00, 0xf3, 0x0f, 0x6f, 0x0f,
0xf3, 0x0f, 0x6f, 0x16, 0x66, 0x0f, 0x6f, 0xf9, 0x66, 0x44, 0x0f, 0x6f, 0xc5,
0x66, 0x44, 0x0f, 0x6f, 0xca
0xf7a4db31 <__strncasecmp_l_sse42+50>
warning: Unable to access 8427 bytes of target memory at 0xf7a613f1, halting
search.
1 pattern found.
(gdb) disassemble /r 0xf7a4db31, 0xf7a4db31 + 62
Dump of assembler code from 0xf7a4db31 to 0xf7a4db6f:
0xf7a4db31 <__strncasecmp_l_sse42+50>: 66 0f 6f 25 37 7c 03 00
movdqa 0x37c37(%rip),%xmm4 # 0xf7a85770
0xf7a4db39 <__strncasecmp_l_sse42+58>: 66 0f 6f 2d 3f 7c 03 00
movdqa 0x37c3f(%rip),%xmm5 # 0xf7a85780
0xf7a4db41 <__strncasecmp_l_sse42+66>: 66 0f 6f 35 47 7c 03 00
movdqa 0x37c47(%rip),%xmm6 # 0xf7a85790
0xf7a4db49 <__strncasecmp_l_sse42+74>: 83 f9 30 cmp
$0x30,%ecx
0xf7a4db4c <__strncasecmp_l_sse42+77>: 0f 87 8e 00 00 00 ja
0xf7a4dbe0 <__strncasecmp_l_sse42+225>
0xf7a4db52 <__strncasecmp_l_sse42+83>: 83 f8 30 cmp
$0x30,%eax
0xf7a4db55 <__strncasecmp_l_sse42+86>: 0f 87 85 00 00 00 ja
0xf7a4dbe0 <__strncasecmp_l_sse42+225>
0xf7a4db5b <__strncasecmp_l_sse42+92>: f3 0f 6f 0f
movdqu (%rdi),%xmm1 <<<<
0xf7a4db5f <__strncasecmp_l_sse42+96>: f3 0f 6f 16
movdqu (%rsi),%xmm2
0xf7a4db63 <__strncasecmp_l_sse42+100>: 66 0f 6f f9
movdqa %xmm1,%xmm7
0xf7a4db67 <__strncasecmp_l_sse42+104>: 66 44 0f 6f c5
movdqa %xmm5,%xmm8
0xf7a4db6c <__strncasecmp_l_sse42+109>: 66 44 0f 6f ca
movdqa %xmm2,%xmm9
End of assembler dump.
(gdb) b * (0xf7a4db31 + 42)
Breakpoint 1 at 0xf7a4db5b: file ../sysdeps/x86_64/multiarch/strcmp-sse42.S,
line 199.
(gdb) info b
Num Type Disp Enb Address What
1 breakpoint keep y 0xf7a4db5b
../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
