[Crash-utility] arm64: bug report: segfault
Andrew Jones
drjones at redhat.com
Fri Dec 18 23:22:36 UTC 2015
On Fri, Dec 18, 2015 at 05:19:37PM -0600, Andrew Jones wrote:
> Hi Dave,
Sorry for the repeated send. Both messages are identical. VPN issues...
>
> When crash gets a prstatus for an AArch32 (compat) user mode stack frame,
> but assumes it can look at prstatus->sp for the stack pointer, and
> prstatus->sp has a stale AArch64 kernel address in it, then crash
> segfaults.
>
> This is because the stack pointer isn't a user stack address, and thus
> crash expects the stack to include at least two frames, which would mean
> fp is non-zero, but in this case it's not[1], and that leads to the
> calculation of a bad stack pointer (see arm64.c:1209), which then gets
> used as an offset into the stack buffer (see arm64.c:1001), overflowing
> it.
>
> The patch[2] I just sent resolves this issue for me, but only because
> it no longer tries to use prstatus->sp. We should probably still look
> into fixing this in another way, such as making sure fp is non-zero, as
> dumps can have all sorts of corruption breaking our assumptions.
>
> Thanks,
> drew
>
> [1] The dump was captured with QEMU, which doesn't require a real crash,
> i.e. panic() being called in the guest kernel, thus cpus can actually
> be in user mode, rather than in the 64-bit cpu-stop IPI handler, or
> other crashing kernel code.
> [2] https://www.redhat.com/archives/crash-utility/2015-December/msg00024.html
More information about the Crash-utility
mailing list