[grsec] fsck.reiserfs and vgchange SIGSEGV with 2.0.3-2.6.9

Milan Holzäpfel lists at mjh.name
Wed Dec 22 09:56:46 EST 2004



On Tue, 21 Dec 2004 23:21:44 +0100
pageexec at freemail.hu wrote:

> > I just tried to use the just released 2.0.3-2.6.9, but first I got a
> > SEGV from reiserfsck, which was run like that:
> 
> can you enable coredumps (ulimit -c unlimited in bash) and look at
> the core in gdb ('bt', 'info reg', 'x/16x $esp', 'x/16i $eip', etc).

(note: I'm not sure what "etc" may tell me, since I'm not so familiar
with gdb ;-) ) 


| # gdb -c fsck.reiserfs-coredump
| GNU gdb 6.0
| Copyright 2003 Free Software Foundation, Inc.
| GDB is free software, covered by the GNU General Public License, and you are
| welcome to change it and/or distribute copies of it under certain conditions.
| Type "show copying" to see the conditions.
| There is absolutely no warranty for GDB.  Type "show warranty" for details.
| This GDB was configured as "i686-pc-linux-gnu".
| Core was generated by `reiserfsck -a /dev/sda9'.
| Program terminated with signal 11, Segmentation fault.
| #0  0x2523c4f7 in ?? ()
| (gdb) bt
| #0  0x2523c4f7 in ?? ()
| Cannot access memory at address 0x5d2566e8
| (gdb) info reg
| eax            0x25314640       623986240
| ecx            0x1067c5b8       275236280
| edx            0x5d25b4a8       1562752168
| ebx            0x25314e68       623988328
| esp            0x5d2566e8       0x5d2566e8
| ebp            0x5d258d94       0x5d258d94
| esi            0x1067ac90       275229840
| edi            0x5d258f8c       1562742668
| eip            0x2523c4f7       0x2523c4f7
| eflags         0x10206  66054
| cs             0x73     115
| ss             0x7b     123
| ds             0x7b     123
| es             0x7b     123
| fs             0x0      0
| gs             0x0      0
| (gdb) x/16x $esp
| 0x5d2566e8:     Cannot access memory at address 0x5d2566e8
| (gdb) x/16i $eip
| 0x2523c4f7:     movl   $0x0,0xffffda98(%ebp)
| 0x2523c501:     call   0x25216610
| 0x2523c506:     mov    (%eax),%eax
| 0x2523c508:     mov    %eax,0xffffda78(%ebp)
| 0x2523c50e:     mov    0x8(%ebp),%eax
| 0x2523c511:     cmpb   $0x0,0x46(%eax)
| 0x2523c515:     jne    0x2523c546
| 0x2523c517:     mov    0x220(%ebx),%ecx
| 0x2523c51d:     test   %ecx,%ecx
| 0x2523c51f:     je     0x2523c8dd
| 0x2523c525:     mov    %eax,%edx
| 0x2523c527:     mov    0x5c(%eax),%eax
| 0x2523c52a:     test   %eax,%eax
| 0x2523c52c:     jne    0x2523c53a
| 0x2523c52e:     movl   $0xffffffff,0x5c(%edx)
| 0x2523c535:     mov    $0xffffffff,%eax
| (gdb)


| # gdb -c vgchange-coredump
| GNU gdb 6.0
| Copyright 2003 Free Software Foundation, Inc.
| GDB is free software, covered by the GNU General Public License, and you are
| welcome to change it and/or distribute copies of it under certain conditions.
| Type "show copying" to see the conditions.
| There is absolutely no warranty for GDB.  Type "show warranty" for details.
| This GDB was configured as "i686-pc-linux-gnu".
| Core was generated by `vgchange -a y'.
| Program terminated with signal 11, Segmentation fault.
| #0  0x16e1c280 in ?? ()
| (gdb) bt
| #0  0x16e1c280 in ?? ()
| Cannot access memory at address 0x5dc3c0a0
| (gdb) info reg
| eax            0x5dc3c0b0       1573109936
| ecx            0xc8eb081d       -924121059
| edx            0x40000  262144
| ebx            0x16e43ff0       384057328
| esp            0x5dc3c0a0       0x5dc3c0a0
| ebp            0x5dc7c0e8       0x5dc7c0e8
| esi            0x16e3fbc0       384039872
| edi            0x206f71a4       544174500
| eip            0x16e1c280       0x16e1c280
| eflags         0x10202  66050
| cs             0x73     115
| ss             0x7b     123
| ds             0x7b     123
| es             0x7b     123
| fs             0x0      0
| gs             0x0      0
| (gdb) x/16x $esp
| 0x5dc3c0a0:     Cannot access memory at address 0x5dc3c0a0
| (gdb) x/16i $eip
| 0x16e1c280:     call   0x16e1c160
| 0x16e1c285:     jmp    0x16e1c20c
| 0x16e1c287:     mov    %esi,%esi
| 0x16e1c289:     lea    0x0(%edi,1),%edi
| 0x16e1c290:     push   %ebp
| 0x16e1c291:     mov    %esp,%ebp
| 0x16e1c293:     sub    $0x48,%esp
| 0x16e1c296:     mov    %ebx,0xfffffff4(%ebp)
| 0x16e1c299:     call   0x16de43a4
| 0x16e1c29e:     add    $0x27d52,%ebx
| 0x16e1c2a4:     mov    %esi,0xfffffff8(%ebp)
| 0x16e1c2a7:     mov    0xffffffd4(%ebx),%eax
| 0x16e1c2ad:     lea    0xffffbbd0(%ebx),%esi
| 0x16e1c2b3:     mov    %edi,0xfffffffc(%ebp)
| 0x16e1c2b6:     mov    (%eax),%eax
| 0x16e1c2b8:     mov    %eax,0xffffffd8(%ebp)
| (gdb)


> another quick experiment could be to simply make mlockall() do nothing
> and see if that helps (LD_PRELOAD or patch the kernel).

Everything works fine when mlockall() is caught by a preloaded lib.

Please ask for any other info which might come handy...

Regards,
Milan

-- 

Milan Holzäpfel alias jagdfalke alias jag

Answers directly to me go to an address one can find here, please:
Contact infos as well as GnuPG public key: <URL:http://con.mjh.name/>
GnuPG fingerprint: 4C8A 5FAF 5D32 6125 89D1 0CE5 DB0C AF4F 6583 7966

http://www.deppenleerzeichen.de/


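As an added example (not code from this mail, from pageexec or from grsecurity), here is the LD_PRELOAD shim behind the "make mlockall() do nothing" experiment that Milan reports as making both programs run; the nomlock_* helper names and the stderr log line are my own additions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Number of mlockall() calls this shim has swallowed (hypothetical helper,
 * exposed so the behaviour can be checked from a test harness). */
static int suppressed_calls = 0;

int nomlock_suppressed_calls(void)
{
    return suppressed_calls;
}

/* Render the MCL_* flag bits as text for the log line.  Uses a static
 * buffer, which is acceptable for a one-shot debugging shim but not
 * reentrant. */
const char *nomlock_flags_str(int flags)
{
    static char buf[64];

    buf[0] = '\0';
    if (flags & MCL_CURRENT)
        strncat(buf, "MCL_CURRENT", sizeof buf - strlen(buf) - 1);
    if (flags & MCL_FUTURE) {
        if (buf[0])
            strncat(buf, "|", sizeof buf - strlen(buf) - 1);
        strncat(buf, "MCL_FUTURE", sizeof buf - strlen(buf) - 1);
    }
    if (!buf[0])
        snprintf(buf, sizeof buf, "0x%x", flags);   /* unknown/zero flags */
    return buf;
}

/* Replacement for libc's mlockall(): when the shared object is loaded via
 * LD_PRELOAD, symbol lookup finds this definition before libc's.  It logs
 * the call so the interception is visible, then reports success without
 * locking any pages, which is exactly the experiment suggested above. */
int mlockall(int flags)
{
    suppressed_calls++;
    fprintf(stderr, "nomlock: pid %ld: ignoring mlockall(%s)\n",
            (long)getpid(), nomlock_flags_str(flags));
    return 0;
}
```

Build it with: gcc -shared -fPIC -o nomlock.so nomlock.c, then run the failing command as: LD_PRELOAD=./nomlock.so reiserfsck -a /dev/sda9 (likewise for vgchange -a y); the "nomlock:" line on stderr confirms the call was actually intercepted rather than the program simply not calling mlockall().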

