[syslinux] Crash with core32 (syslinux-3.81-pre12-68-g4a211f6)
Sebastian Herbszt
herbszt at gmx.de
Mon May 25 14:54:43 PDT 2009
Sebastian Herbszt wrote:
> H. Peter Anvin wrote:
>> Sebastian Herbszt wrote:
>>> I got a qemu crash and errors reported in bochs while trying to get
>>> latest core32
>>> branch working (pxelinux):
>>>
>>> bochsout.txt:
>>>
>>> 00540593725e[CPU0 ] write_virtual_checks(): no write access to seg
>>> 00540593814e[CPU0 ] fetch_raw_descriptor: GDT: index (3a27)744 > limit (2f)
>>> 00540593903e[CPU0 ] fetch_raw_descriptor: LDTR.valid=0
>>> ...
>>> 00540644544e[CPU0 ] fetch_raw_descriptor: LDTR.valid=0
>>> 00540644633e[CPU0 ] fetch_raw_descriptor: GDT: index (3137)626 > limit (2f)
>>> 00540644666e[CPU0 ] prefetch: EIP [00010000] > CS.limit [0000ffff]
>>>
>>
>> It Works For Me[TM] in KVM...
>>
>> In Bochs, one can often set a simulation time breakpoint with the "sba"
>> command (the number at the front is the simulation time) and execute
>> until a little bit before the failure ... it makes it easier to see.
>
> It seems to fail while running "hello" (pm_call hello).
>
> 0x0010016c <myputs+0>: push %ebx
> 0x0010016d <myputs+1>: sub $0x8,%esp
> 0x00100170 <myputs+4>: mov %eax,%ebx
> 0x00100172 <myputs+6>: jmp 0x10017d <myputs+17>
> 0x00100174 <myputs+8>: inc %ebx
> 0x00100175 <myputs+9>: movsbl %al,%eax
> 0x00100178 <myputs+12>: call 0x100130 <myputchar> <- boom
> 0x0010017d <myputs+17>: mov (%ebx),%al
> 0x0010017f <myputs+19>: test %al,%al
> 0x00100181 <myputs+21>: jne 0x100174 <myputs+8>
> 0x00100183 <myputs+23>: pop %eax
> 0x00100184 <myputs+24>: pop %edx
> 0x00100185 <myputs+25>: pop %ebx
> 0x00100186 <myputs+26>: ret
>
> 0x00100130 <myputchar+0>: push %ebx
> 0x00100131 <myputchar+1>: sub $0xc,%esp
> 0x00100134 <myputchar+4>: mov %eax,%ebx
> 0x00100136 <myputchar+6>: movb $0x2,0x1003a5
> 0x0010013d <myputchar+13>: mov %al,0x10039c
> 0x00100142 <myputchar+18>: push $0x0
> 0x00100144 <myputchar+20>: push $0x100380
> 0x00100149 <myputchar+25>: push $0x21
> 0x0010014b <myputchar+27>: call 0x10003b <core_intcall> <- boom
> 0x00100150 <myputchar+32>: mov 0x10030c,%eax
> 0x00100155 <myputchar+37>: lea 0x1f00(%ebx),%edx
> 0x0010015b <myputchar+43>: mov %dx,(%eax)
> 0x0010015e <myputchar+46>: add $0x2,%eax
> 0x00100161 <myputchar+49>: mov %eax,0x10030c
> 0x00100166 <myputchar+54>: add $0x18,%esp
> 0x00100169 <myputchar+57>: pop %ebx
> 0x0010016a <myputchar+58>: ret
>
> Then it goes thru core_intcall, core_syscall, comboot_int21,
> core_syscall.rm_return, enter_pm and jumps to 0x000034b4
> (0020:00000000000034b4) in enter_pm.in_pm by doing "jmp ebx":
>
> 8783 0000AD0B 8B25[4C040000] <2> mov esp,[PMESP] ; Load protmode %esp
> 8784 0000AD11 89E8 <2> mov eax,ebp ; EAX -> top of real-mode stack
> 8785 0000AD13 FFE3 <2> jmp ebx ; Go to where we need to go
>
>> In both cases it looks like it's jumping through an invalid pointer.
This is how the stack looks like:
<bochs:135> print-stack
Stack address size 4
| STACK 0x001023b4 [0x00000000]
| STACK 0x001023b8 [0x3feabe00]
| STACK 0x001023bc [0x0000bc09]
| STACK 0x001023c0 [0x00007ba2]
| STACK 0x001023c4 [0x00000048]
| STACK 0x001023c8 [0x00000212]
| STACK 0x001023cc [0x00100150]
| STACK 0x001023d0 [0x00000021]
| STACK 0x001023d4 [0x00100380]
| STACK 0x001023d8 [0x00000000]
| STACK 0x001023dc [0x00003418]
| STACK 0x001023e0 [0x00000871]
| STACK 0x001023e4 [0x3fea4e98]
| STACK 0x001023e8 [0x001002f1]
| STACK 0x001023ec [0x0010017d]
| STACK 0x001023f0 [0x0000d004]
and myputchar() got
0x00100149 <myputchar+25>: push $0x21
0x0010014b <myputchar+27>: call 0x10003b <core_intcall>
0x00100150 <myputchar+32>: mov 0x10030c,%eax
so the return address is at STACK 0x001023cc [0x00100150]
- Sebastian
More information about the Syslinux
mailing list