[syslinux] Crash with core32 (syslinux-3.81-pre12-68-g4a211f6)

Sebastian Herbszt herbszt at gmx.de
Mon May 25 14:46:30 PDT 2009


H. Peter Anvin wrote:
> Sebastian Herbszt wrote:
>> I got a qemu crash and errors reported in bochs while trying to get
>> latest core32 branch working (pxelinux):
>> 
>> bochsout.txt:
>> 
>> 00540593725e[CPU0 ] write_virtual_checks(): no write access to seg
>> 00540593814e[CPU0 ] fetch_raw_descriptor: GDT: index (3a27)744 > limit (2f)
>> 00540593903e[CPU0 ] fetch_raw_descriptor: LDTR.valid=0
>> ...
>> 00540644544e[CPU0 ] fetch_raw_descriptor: LDTR.valid=0
>> 00540644633e[CPU0 ] fetch_raw_descriptor: GDT: index (3137)626 > limit (2f)
>> 00540644666e[CPU0 ] prefetch: EIP [00010000] > CS.limit [0000ffff]
>> 
> 
> It Works For Me[TM] in KVM...
> 
> In Bochs, one can often set a simulation time breakpoint with the "sba"
> command (the number at the front is the simulation time) and execute
> until a little bit before the failure ... it makes it easier to see.

It seems to fail while running "hello" (pm_call hello).

0x0010016c <myputs+0>:  push   %ebx
0x0010016d <myputs+1>:  sub    $0x8,%esp
0x00100170 <myputs+4>:  mov    %eax,%ebx
0x00100172 <myputs+6>:  jmp    0x10017d <myputs+17>
0x00100174 <myputs+8>:  inc    %ebx
0x00100175 <myputs+9>:  movsbl %al,%eax
0x00100178 <myputs+12>: call   0x100130 <myputchar>        <- boom
0x0010017d <myputs+17>: mov    (%ebx),%al
0x0010017f <myputs+19>: test   %al,%al
0x00100181 <myputs+21>: jne    0x100174 <myputs+8>
0x00100183 <myputs+23>: pop    %eax
0x00100184 <myputs+24>: pop    %edx
0x00100185 <myputs+25>: pop    %ebx
0x00100186 <myputs+26>: ret

0x00100130 <myputchar+0>:       push   %ebx
0x00100131 <myputchar+1>:       sub    $0xc,%esp
0x00100134 <myputchar+4>:       mov    %eax,%ebx
0x00100136 <myputchar+6>:       movb   $0x2,0x1003a5
0x0010013d <myputchar+13>:      mov    %al,0x10039c
0x00100142 <myputchar+18>:      push   $0x0
0x00100144 <myputchar+20>:      push   $0x100380
0x00100149 <myputchar+25>:      push   $0x21
0x0010014b <myputchar+27>:      call   0x10003b <core_intcall>        <- boom
0x00100150 <myputchar+32>:      mov    0x10030c,%eax
0x00100155 <myputchar+37>:      lea    0x1f00(%ebx),%edx
0x0010015b <myputchar+43>:      mov    %dx,(%eax)
0x0010015e <myputchar+46>:      add    $0x2,%eax
0x00100161 <myputchar+49>:      mov    %eax,0x10030c
0x00100166 <myputchar+54>:      add    $0x18,%esp
0x00100169 <myputchar+57>:      pop    %ebx
0x0010016a <myputchar+58>:      ret

Then it goes through core_intcall, core_syscall, comboot_int21,
core_syscall.rm_return, enter_pm and jumps to 0x000034b4
(0020:00000000000034b4) in enter_pm.in_pm by doing "jmp ebx":

  8783 0000AD0B 8B25[4C040000]      <2>                 mov esp,[PMESP]         ; Load protmode %esp
  8784 0000AD11 89E8                <2>                 mov eax,ebp             ; EAX -> top of real-mode stack
  8785 0000AD13 FFE3                <2>                 jmp ebx                 ; Go to where we need to go
 
> In both cases it looks like it's jumping through an invalid pointer.

Guess ebx is not what it's supposed to be since there are just a bunch of 0-bytes
at 0x000034b4.
 
> -hpa
> 
> P.S. Make sure you have the latest core32 branch... it was seriously
> broken until my changes this morning.

syslinux-3.81-pre12-68-g4a211f6 includes commit
"com32r: allow absolute and relative symbols based on regex" from
"Mon May 25 10:33:12 2009 -0700" so it seems to be latest.

- Sebastian
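Added example, not code from this thread or from the Syslinux project: a small C parser for the Bochs log format quoted above. It pulls the simulation-time prefix and level letter off each line, finds the first error- or panic-level record, and prints the "sba" command hpa suggests, backed off by a margin so execution stops a little before the failure. The three sample lines are constructed from the quoted log, and the 1000-tick margin is an assumed value; Bochs' level letters (i, d, e, p) are the real ones.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed sample: three lines in the shape of the Bochs log quoted in the thread. */
static const char *sample_log[] = {
    "00540593725e[CPU0 ] write_virtual_checks(): no write access to seg",
    "00540593814e[CPU0 ] fetch_raw_descriptor: GDT: index (3a27)744 > limit (2f)",
    "00540644666e[CPU0 ] prefetch: EIP [00010000] > CS.limit [0000ffff]",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

/*
 * Parse one Bochs log line: "<simulation time><level>[<module>] <message>".
 * Level letters used by Bochs: i (info), d (debug), e (error), p (panic).
 * Returns 1 and fills the out-parameters on success, 0 if the line is not in that shape.
 */
int parse_bochs_line(const char *line, uint64_t *time, char *level, const char **msg)
{
    char *end;
    unsigned long long t = strtoull(line, &end, 10);
    if (end == line)
        return 0;                           /* no leading decimal timestamp */
    if (*end == '\0' || !strchr("idep", *end))
        return 0;                           /* not followed by a level letter */
    if (end[1] != '[')
        return 0;                           /* module tag missing */
    const char *close = strchr(end + 1, ']');
    if (!close)
        return 0;
    *time = (uint64_t)t;
    *level = *end;
    const char *m = close + 1;
    while (*m == ' ')
        m++;                                /* message starts after the tag */
    *msg = m;
    return 1;
}

/*
 * Scan lines in order; store the simulation time of the first error- or
 * panic-level record in *first_err. Returns 1 if one was found, else 0.
 */
int first_error_time(const char *const *lines, size_t n, uint64_t *first_err)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t t;
        char lvl;
        const char *msg;
        if (!parse_bochs_line(lines[i], &t, &lvl, &msg))
            continue;                       /* skip text that is not a Bochs record */
        if (lvl == 'e' || lvl == 'p') {
            *first_err = t;
            return 1;
        }
    }
    return 0;
}

/* Breakpoint time: a bit before the failure, clamped so it never underflows. */
uint64_t sba_time(uint64_t first_err, uint64_t margin)
{
    return first_err > margin ? first_err - margin : 0;
}

/* Format the Bochs debugger command into buf; returns buf. */
const char *sba_command(uint64_t first_err, uint64_t margin, char *buf, size_t bufsz)
{
    snprintf(buf, bufsz, "sba %llu", (unsigned long long)sba_time(first_err, margin));
    return buf;
}

int main(void)
{
    uint64_t t;
    char cmd[64];
    if (!first_error_time(sample_log, SAMPLE_LOG_LEN, &t)) {
        puts("no error-level lines found");
        return 1;
    }
    printf("first error at simulation time %llu\n", (unsigned long long)t);
    /* 1000 ticks of margin is an assumed value; tune it to how much context you want. */
    printf("bochs> %s\n", sba_command(t, 1000, cmd, sizeof cmd));
    return 0;
}
```

Feed it a real bochsout.txt by reading lines into an array instead of `sample_log`; the first "e" record is usually the earliest symptom, so breaking shortly before it and single-stepping is quicker than walking forward from boot.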
