[syslinux] Crash with core32 (syslinux-3.81-pre12-68-g4a211f6)
Sebastian Herbszt
herbszt at gmx.de
Mon May 25 14:46:30 PDT 2009
H. Peter Anvin wrote:
> Sebastian Herbszt wrote:
>> I got a qemu crash and errors reported in bochs while trying to get
>> latest core32
>> branch working (pxelinux):
>>
>> bochsout.txt:
>>
>> 00540593725e[CPU0 ] write_virtual_checks(): no write access to seg
>> 00540593814e[CPU0 ] fetch_raw_descriptor: GDT: index (3a27)744 > limit (2f)
>> 00540593903e[CPU0 ] fetch_raw_descriptor: LDTR.valid=0
>> ...
>> 00540644544e[CPU0 ] fetch_raw_descriptor: LDTR.valid=0
>> 00540644633e[CPU0 ] fetch_raw_descriptor: GDT: index (3137)626 > limit (2f)
>> 00540644666e[CPU0 ] prefetch: EIP [00010000] > CS.limit [0000ffff]
>>
>
> It Works For Me[TM] in KVM...
>
> In Bochs, one can often set a simulation time breakpoint with the "sba"
> command (the number at the front is the simulation time) and execute
> until a little bit before the failure ... it makes it easier to see.
It seems to fail while running "hello" (pm_call hello).
0x0010016c <myputs+0>: push %ebx
0x0010016d <myputs+1>: sub $0x8,%esp
0x00100170 <myputs+4>: mov %eax,%ebx
0x00100172 <myputs+6>: jmp 0x10017d <myputs+17>
0x00100174 <myputs+8>: inc %ebx
0x00100175 <myputs+9>: movsbl %al,%eax
0x00100178 <myputs+12>: call 0x100130 <myputchar> <- boom
0x0010017d <myputs+17>: mov (%ebx),%al
0x0010017f <myputs+19>: test %al,%al
0x00100181 <myputs+21>: jne 0x100174 <myputs+8>
0x00100183 <myputs+23>: pop %eax
0x00100184 <myputs+24>: pop %edx
0x00100185 <myputs+25>: pop %ebx
0x00100186 <myputs+26>: ret
0x00100130 <myputchar+0>: push %ebx
0x00100131 <myputchar+1>: sub $0xc,%esp
0x00100134 <myputchar+4>: mov %eax,%ebx
0x00100136 <myputchar+6>: movb $0x2,0x1003a5
0x0010013d <myputchar+13>: mov %al,0x10039c
0x00100142 <myputchar+18>: push $0x0
0x00100144 <myputchar+20>: push $0x100380
0x00100149 <myputchar+25>: push $0x21
0x0010014b <myputchar+27>: call 0x10003b <core_intcall> <- boom
0x00100150 <myputchar+32>: mov 0x10030c,%eax
0x00100155 <myputchar+37>: lea 0x1f00(%ebx),%edx
0x0010015b <myputchar+43>: mov %dx,(%eax)
0x0010015e <myputchar+46>: add $0x2,%eax
0x00100161 <myputchar+49>: mov %eax,0x10030c
0x00100166 <myputchar+54>: add $0x18,%esp
0x00100169 <myputchar+57>: pop %ebx
0x0010016a <myputchar+58>: ret
Then it goes through core_intcall, core_syscall, comboot_int21,
core_syscall.rm_return, enter_pm and jumps to 0x000034b4
(0020:00000000000034b4) in enter_pm.in_pm by doing "jmp ebx":
8783 0000AD0B 8B25[4C040000] <2> mov esp,[PMESP] ; Load protmode %esp
8784 0000AD11 89E8 <2> mov eax,ebp ; EAX -> top of real-mode stack
8785 0000AD13 FFE3 <2> jmp ebx ; Go to where we need to go
> In both cases it looks like it's jumping through an invalid pointer.
Guess ebx is not what it's supposed to be since there are just a bunch of 0-bytes
at 0x000034b4.
> -hpa
>
> P.S. Make sure you have the latest core32 branch... it was seriously
> broken until my changes this morning.
syslinux-3.81-pre12-68-g4a211f6 includes commit
"com32r: allow absolute and relative symbols based on regex" from
"Mon May 25 10:33:12 2009 -0700" so it seems to be latest.
- Sebastian
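Added example, not part of this thread nor of the Syslinux or Bochs code: a small Python helper that parses Bochs log lines of the kind quoted above, decodes the descriptor-fetch failures, and computes a simulation-time breakpoint for the "sba" command hpa mentions. The reading of the "GDT: index (3a27)744 > limit (2f)" format as index*8+7 (byte offset of the descriptor's last byte), then the descriptor index, then the GDT limit is an assumption; the code checks it against the numbers, and the two quoted lines satisfy it (0x744*8+7 = 0x3a27, 0x626*8+7 = 0x3137). The sample log is the quoted text, pasted in as constructed input.

```python
import re

# Constructed input for this example: the Bochs error lines quoted in the
# thread, pasted verbatim (the "..." separator is dropped).
BOCHS_LOG = """\
00540593725e[CPU0 ] write_virtual_checks(): no write access to seg
00540593814e[CPU0 ] fetch_raw_descriptor: GDT: index (3a27)744 > limit (2f)
00540593903e[CPU0 ] fetch_raw_descriptor: LDTR.valid=0
00540644544e[CPU0 ] fetch_raw_descriptor: LDTR.valid=0
00540644633e[CPU0 ] fetch_raw_descriptor: GDT: index (3137)626 > limit (2f)
00540644666e[CPU0 ] prefetch: EIP [00010000] > CS.limit [0000ffff]
"""

# <simulation tick><level letter>[<cpu> ] <message>; "e" is the error level.
LINE_RE = re.compile(r"^(?P<tick>\d+)(?P<level>[a-z])\[(?P<cpu>[^\]]*)\]\s*(?P<msg>.*)$")
# Assumed format (checked below): first hex = index*8+7, the byte offset of the
# descriptor's last byte; second hex = descriptor index; third = GDT limit.
GDT_RE = re.compile(
    r"GDT: index \((?P<end>[0-9a-f]+)\)(?P<idx>[0-9a-f]+) > limit \((?P<limit>[0-9a-f]+)\)")
PREFETCH_RE = re.compile(
    r"prefetch: EIP \[(?P<eip>[0-9a-f]+)\] > CS\.limit \[(?P<lim>[0-9a-f]+)\]")


def parse_line(line):
    """Split one Bochs log line into tick, level, cpu and message; None if not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"tick": int(m["tick"]), "level": m["level"],
            "cpu": m["cpu"].strip(), "msg": m["msg"]}


def decode_gdt_fault(msg):
    """Decode a 'GDT: index (...)... > limit (...)' message into checkable fields."""
    g = GDT_RE.search(msg)
    if not g:
        return None
    end, idx, limit = (int(g[k], 16) for k in ("end", "idx", "limit"))
    return {
        "descriptor_end": end,
        "index": idx,
        "limit": limit,
        # A GDT limit is the last valid byte offset; descriptors are 8 bytes each.
        "gdt_entries": (limit + 1) // 8,
        # True when the first number really is index*8+7, i.e. our reading holds.
        "format_consistent": end == idx * 8 + 7,
        # The check that failed: the descriptor's last byte lies past the table.
        "out_of_range": end > limit,
    }


def decode_prefetch_fault(msg):
    """Decode 'prefetch: EIP [...] > CS.limit [...]' (code fetch past the segment limit)."""
    g = PREFETCH_RE.search(msg)
    if not g:
        return None
    eip, lim = int(g["eip"], 16), int(g["lim"], 16)
    return {"eip": eip, "cs_limit": lim, "past_limit": eip > lim}


def analyze(log):
    """Parse every log line and attach decoded fault details where recognised."""
    events = []
    for raw in log.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        gdt = decode_gdt_fault(ev["msg"])
        if gdt:
            ev["gdt"] = gdt
        pf = decode_prefetch_fault(ev["msg"])
        if pf:
            ev["prefetch"] = pf
        events.append(ev)
    return events


def first_error_tick(events):
    ticks = [e["tick"] for e in events if e["level"] == "e"]
    return min(ticks) if ticks else None


def suggest_sba(events, margin=1000):
    """Simulation-time breakpoint a little before the first error, for 'sba <time>'."""
    t = first_error_tick(events)
    return None if t is None else max(t - margin, 0)


def summarize(events):
    """One human-readable line per event, with the decoded numbers spelled out."""
    out = []
    for e in events:
        if "gdt" in e:
            g = e["gdt"]
            out.append(f"{e['tick']}: descriptor index {g['index']:#x} requested, "
                       f"GDT has only {g['gdt_entries']} entries (limit {g['limit']:#x})")
        elif "prefetch" in e:
            p = e["prefetch"]
            out.append(f"{e['tick']}: EIP {p['eip']:#x} past CS.limit {p['cs_limit']:#x}")
        else:
            out.append(f"{e['tick']}: {e['msg']}")
    return out


if __name__ == "__main__":
    evs = analyze(BOCHS_LOG)
    print("\n".join(summarize(evs)))
    print("suggested: sba", suggest_sba(evs))
```

With the quoted log, the decoded GDT faults ask for descriptor 0x744 and 0x626 from a table whose limit 0x2f holds only six descriptors, which fits the "jumping through an invalid pointer" diagnosis; the final line shows EIP 0x10000 past a 64 KiB CS.limit, i.e. execution has left a 16-bit segment. The suggested "sba" value lands a little before the first error so the failing instruction stream can be stepped.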