[syslinux] Crash with core32 (syslinux-3.81-pre12-68-g4a211f6)

Sebastian Herbszt herbszt at gmx.de
Mon May 25 14:54:43 PDT 2009


Sebastian Herbszt wrote:
> H. Peter Anvin wrote:
>> Sebastian Herbszt wrote:
>>> I got a qemu crash and errors reported in bochs while trying to get
>>> latest core32
>>> branch working (pxelinux):
>>> 
>>> bochsout.txt:
>>> 
>>> 00540593725e[CPU0 ] write_virtual_checks(): no write access to seg
>>> 00540593814e[CPU0 ] fetch_raw_descriptor: GDT: index (3a27)744 > limit (2f)
>>> 00540593903e[CPU0 ] fetch_raw_descriptor: LDTR.valid=0
>>> ...
>>> 00540644544e[CPU0 ] fetch_raw_descriptor: LDTR.valid=0
>>> 00540644633e[CPU0 ] fetch_raw_descriptor: GDT: index (3137)626 > limit (2f)
>>> 00540644666e[CPU0 ] prefetch: EIP [00010000] > CS.limit [0000ffff]
>>> 
>> 
>> It Works For Me[TM] in KVM...
>> 
>> In Bochs, one can often set a simulation time breakpoint with the "sba"
>> command (the number at the front is the simulation time) and execute
>> until a little bit before the failure ... it makes it easier to see.
> 
> It seems to fail while running "hello" (pm_call hello).
> 
> 0x0010016c <myputs+0>:  push   %ebx
> 0x0010016d <myputs+1>:  sub    $0x8,%esp
> 0x00100170 <myputs+4>:  mov    %eax,%ebx
> 0x00100172 <myputs+6>:  jmp    0x10017d <myputs+17>
> 0x00100174 <myputs+8>:  inc    %ebx
> 0x00100175 <myputs+9>:  movsbl %al,%eax
> 0x00100178 <myputs+12>: call   0x100130 <myputchar>        <- boom
> 0x0010017d <myputs+17>: mov    (%ebx),%al
> 0x0010017f <myputs+19>: test   %al,%al
> 0x00100181 <myputs+21>: jne    0x100174 <myputs+8>
> 0x00100183 <myputs+23>: pop    %eax
> 0x00100184 <myputs+24>: pop    %edx
> 0x00100185 <myputs+25>: pop    %ebx
> 0x00100186 <myputs+26>: ret
> 
> 0x00100130 <myputchar+0>:       push   %ebx
> 0x00100131 <myputchar+1>:       sub    $0xc,%esp
> 0x00100134 <myputchar+4>:       mov    %eax,%ebx
> 0x00100136 <myputchar+6>:       movb   $0x2,0x1003a5
> 0x0010013d <myputchar+13>:      mov    %al,0x10039c
> 0x00100142 <myputchar+18>:      push   $0x0
> 0x00100144 <myputchar+20>:      push   $0x100380
> 0x00100149 <myputchar+25>:      push   $0x21
> 0x0010014b <myputchar+27>:      call   0x10003b <core_intcall>        <- boom
> 0x00100150 <myputchar+32>:      mov    0x10030c,%eax
> 0x00100155 <myputchar+37>:      lea    0x1f00(%ebx),%edx
> 0x0010015b <myputchar+43>:      mov    %dx,(%eax)
> 0x0010015e <myputchar+46>:      add    $0x2,%eax
> 0x00100161 <myputchar+49>:      mov    %eax,0x10030c
> 0x00100166 <myputchar+54>:      add    $0x18,%esp
> 0x00100169 <myputchar+57>:      pop    %ebx
> 0x0010016a <myputchar+58>:      ret
> 
> Then it goes through core_intcall, core_syscall, comboot_int21,
> core_syscall.rm_return, enter_pm and jumps to 0x000034b4
> (0020:00000000000034b4) in enter_pm.in_pm by doing "jmp ebx":
> 
>  8783 0000AD0B 8B25[4C040000]      <2>                 mov esp,[PMESP]         ; Load protmode %esp
>  8784 0000AD11 89E8                <2>                 mov eax,ebp             ; EAX -> top of real-mode stack
>  8785 0000AD13 FFE3                <2>                 jmp ebx                 ; Go to where we need to go
> 
>> In both cases it looks like it's jumping through an invalid pointer.

This is how the stack looks:

<bochs:135> print-stack
Stack address size 4
 | STACK 0x001023b4 [0x00000000]
 | STACK 0x001023b8 [0x3feabe00]
 | STACK 0x001023bc [0x0000bc09]
 | STACK 0x001023c0 [0x00007ba2]
 | STACK 0x001023c4 [0x00000048]
 | STACK 0x001023c8 [0x00000212]
 | STACK 0x001023cc [0x00100150]
 | STACK 0x001023d0 [0x00000021]
 | STACK 0x001023d4 [0x00100380]
 | STACK 0x001023d8 [0x00000000]
 | STACK 0x001023dc [0x00003418]
 | STACK 0x001023e0 [0x00000871]
 | STACK 0x001023e4 [0x3fea4e98]
 | STACK 0x001023e8 [0x001002f1]
 | STACK 0x001023ec [0x0010017d]
 | STACK 0x001023f0 [0x0000d004]

and myputchar() got

0x00100149 <myputchar+25>:      push   $0x21
0x0010014b <myputchar+27>:      call   0x10003b <core_intcall>
0x00100150 <myputchar+32>:      mov    0x10030c,%eax

so the return address is at STACK 0x001023cc [0x00100150].

- Sebastian
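As an added illustration (not part of the thread, and not Syslinux code): a small Python script that parses a Bochs `print-stack` dump together with an objdump-style disassembly excerpt, marks every stack slot whose value is a return address (the instruction following a `call` in the same function), and reads the arguments pushed above the innermost one. The sample input below is copied from the mail; the function names (`parse_stack`, `call_return_sites`, `find_return_addresses`, `frame_args`) are my own and assume the exact text formats shown above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the Bochs "print-stack" output from the mail.
STACK_DUMP = """\
Stack address size 4
 | STACK 0x001023b4 [0x00000000]
 | STACK 0x001023b8 [0x3feabe00]
 | STACK 0x001023bc [0x0000bc09]
 | STACK 0x001023c0 [0x00007ba2]
 | STACK 0x001023c4 [0x00000048]
 | STACK 0x001023c8 [0x00000212]
 | STACK 0x001023cc [0x00100150]
 | STACK 0x001023d0 [0x00000021]
 | STACK 0x001023d4 [0x00100380]
 | STACK 0x001023d8 [0x00000000]
 | STACK 0x001023dc [0x00003418]
 | STACK 0x001023e0 [0x00000871]
 | STACK 0x001023e4 [0x3fea4e98]
 | STACK 0x001023e8 [0x001002f1]
 | STACK 0x001023ec [0x0010017d]
 | STACK 0x001023f0 [0x0000d004]
"""

# Constructed sample input: the disassembly lines from the mail that matter
# for the two call sites (an excerpt, not the whole listing).
DISASM = """\
0x00100178 <myputs+12>: call   0x100130 <myputchar>
0x0010017d <myputs+17>: mov    (%ebx),%al
0x00100142 <myputchar+18>:      push   $0x0
0x00100144 <myputchar+20>:      push   $0x100380
0x00100149 <myputchar+25>:      push   $0x21
0x0010014b <myputchar+27>:      call   0x10003b <core_intcall>
0x00100150 <myputchar+32>:      mov    0x10030c,%eax
"""

STACK_RE = re.compile(r"STACK 0x([0-9a-fA-F]+) \[0x([0-9a-fA-F]+)\]")
INSN_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+<(\w+)\+(\d+)>:\s+(\S+)\s*(.*)$")


def parse_stack(text: str) -> List[Tuple[int, int]]:
    """(slot address, slot value) pairs, lowest address (current ESP) first."""
    return [(int(a, 16), int(v, 16)) for a, v in STACK_RE.findall(text)]


def parse_disasm(text: str) -> List[dict]:
    """One dict per instruction line: address, function, offset, mnemonic, operands."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line.strip())
        if m:
            addr, func, off, mnem, ops = m.groups()
            insns.append({"addr": int(addr, 16), "func": func, "off": int(off),
                          "mnem": mnem, "ops": ops})
    return insns


def call_return_sites(insns: List[dict]) -> Dict[int, Tuple[str, str]]:
    """Map each return address (the line after a call, same function) to (caller, callee)."""
    sites: Dict[int, Tuple[str, str]] = {}
    for cur, nxt in zip(insns, insns[1:]):
        if cur["mnem"] == "call" and cur["func"] == nxt["func"]:
            m = re.search(r"<(\w+)>", cur["ops"])
            callee = m.group(1) if m else cur["ops"]
            sites[nxt["addr"]] = (cur["func"], callee)
    return sites


def find_return_addresses(stack, sites) -> List[Tuple[int, int, str, str]]:
    """Every slot holding a known return address, innermost frame first."""
    return [(addr, val) + sites[val] for addr, val in stack if val in sites]


def frame_args(stack, ret_slot: int, count: int) -> List[int]:
    """The `count` dwords pushed just above a return-address slot (cdecl argument order)."""
    values = dict(stack)
    return [values[ret_slot + 4 * (i + 1)] for i in range(count)]


def reconstruct_call_chain(stack, sites) -> List[str]:
    return [f"{caller} -> {callee}" for _, _, caller, callee in find_return_addresses(stack, sites)]


if __name__ == "__main__":
    stack = parse_stack(STACK_DUMP)
    sites = call_return_sites(parse_disasm(DISASM))
    for slot, val, caller, callee in find_return_addresses(stack, sites):
        print(f"0x{slot:08x}: 0x{val:08x}  return into {caller} after call to {callee}")
    print("args above innermost frame:", [hex(v) for v in frame_args(stack, 0x001023cc, 3)])
```

Run as-is it confirms the reasoning in the mail: slot 0x001023cc holds 0x00100150, the return into myputchar after `call core_intcall`, and the three slots above it hold 0x21, 0x100380 and 0 in the order the `push` instructions left them; further up, 0x001023ec holds 0x0010017d, the return into myputs. Only slots that match a known call site are reported, so stray values that merely look like code addresses are not mistaken for frames.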