[Crash-utility] arm64: bug report: segfault

Andrew Jones drjones at redhat.com
Mon Dec 21 20:28:51 UTC 2015 

On Mon, Dec 21, 2015 at 08:37:25AM -0500, Dave Anderson wrote:
> 
> 
> Hi Drew,
> 
> I am out of the office until Jan 4th, so I may not get around to checking
> this out fully until then.  But in the meantime, can you save this dumpfile
> and send me a pointer to it offline?  I want to keep it around for future
> testing.

OK, I've got a 90MB kdump-zlib core I can put somewhere. I don't know
where though, other than just telling you where in RH's network you can
grab it from. Also the vmlinux associated with it is one of my own
builds, basically a RHELSA kernel, but with 4K pages (4K pages needed in
order to use 32-bit user binaries).

Thanks,
drew

> 
> Thanks,
>   Dave
> 
> 
> ----- Original Message -----
> > Hi Dave,
> > 
> > When crash gets a prstatus for an AArch32 (compat) user mode stack frame,
> > but assumes it can look at prstatus->sp for the stack pointer, and
> > prstatus->sp has a stale AArch64 kernel address in it, then crash
> > segfaults.
> > 
> > This is because the stack pointer isn't a user stack address, and thus
> > crash expects the stack to include at least two frames, which would mean
> > fp is non-zero, but in this case it's not[1], and that leads to the
> > calculation of a bad stack pointer (see arm64.c:1209), which then gets
> > used as an offset into the stack buffer (see arm64.c:1001), overflowing
> > it.
> > 
> > The patch[2] I just sent resolves this issue for me, but only because
> > it no longer tries to use prstatus->sp. We should probably still look
> > into fixing this in another way, such as making sure fp is non-zero, as
> > dumps can have all sorts of corruption breaking our assumptions.
> > 
> > Thanks,
> > drew
> > 
> > [1] The dump was captured with QEMU, which doesn't require a real crash,
> >     i.e. panic() being called in the guest kernel, thus cpus can actually
> >     be in user mode, rather than in the 64-bit cpu-stop IPI handler, or
> >     other crashing kernel code.
> > [2] https://www.redhat.com/archives/crash-utility/2015-December/msg00024.html
> >

More information about the Crash-utility mailing list