
Re: user/3639: ftp dumps core after login



Wouter,

After taking a quick look at the material you privately sent me, it
looks like you're linking against the new version of libedit rather than
the old one - which you should be using, if you're running OpenBSD
3.4-stable. However, that's just a guess.

Looking at the core file you sent me:

(gdb) r
Starting program: /usr/home/pedro/mail/ftp 
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x94ebe55 in history ()
(gdb) bt
#0  0x94ebe55 in history ()
Error accessing memory address 0x1: Invalid argument.
(gdb) disassemble history
Dump of assembler code for function history:
0x94ebe34 <history>:    push   %ebp
0x94ebe35 <history+1>:  mov    %esp,%ebp
0x94ebe37 <history+3>:  sub    $0x3c,%esp
0x94ebe3a <history+6>:  push   %edi
0x94ebe3b <history+7>:  push   %esi
0x94ebe3c <history+8>:  push   %ebx
0x94ebe3d <history+9>:  call   0x94ebe42 <history+14>
0x94ebe42 <history+14>: pop    %ebx
0x94ebe43 <history+15>: add    $0x1fff1c7e,%ebx
0x94ebe49 <history+21>: mov    0x8(%ebp),%esi
0x94ebe4c <history+24>: mov    0xc(%ebp),%edi
0x94ebe4f <history+27>: mov    0x10(%ebp),%ecx
0x94ebe52 <history+30>: lea    0x14(%ebp),%edx
0x94ebe55 <history+33>: movl   $0x0,(%edi)
(gdb) display/i $pc
1: x/i $eip  0x94ebe55 <history+33>:    movl   $0x0,(%edi)
(gdb)

It's getting 4 bytes passed on the stack as the second argument
(ebp + 12) to history() and putting them in the edi register. So far, so
good. But then it considers these four bytes to be a valid memory
address and tries to write in such location. As the second argument is
not a pointer to a valid memory address, it crashes.

(gdb) display/x $edi
2: /x $edi = 0x1
(gdb) x/x $ebp + 12
0xcfbfb798:     0x00000001
(gdb) 

Now if you look at the ftp sources in the -stable tree, you'll see the
following call to history():

        history(hist, H_EVENT, 100);    /* remember 100 events */

Once H_EVENT is defined as being '1', it gets easy now to guess what's
happening... Possible solutions are: either downgrade your libedit and
link against the correct version, or update the sources of ftp/cdio and
other programs that use libedit. I'll be around in case you need further
assistance.

-p.

On Mon, Jan 19, 2004 at 06:45:02AM -0700, Pedro Martelletto wrote:
> The following reply was made to PR user/3639; it has been noted by GNATS.
> 
> From: Pedro Martelletto <pbastos@rdc.puc-rio.br>
> To: Wouter Clarie <wouter.clarie@pandora.be>
> Cc: gnats@openbsd.org
> Subject: Re: user/3639: ftp dumps core after login
> Date: Mon, 19 Jan 2004 11:30:33 -0200
> 
>  Wouter,
>  
>  I couldn't reproduce this on an OpenBSD 3.4-stable macppc box. Would you
>  mind re-compiling ftp with -g -ggdb, so that we can take more info from
>  the core file? That can be easily done using the following syntax:
>  
>  env CFLAGS="-g -ggdb" make
>  
>  I'd also appreciate it if you could provide the output of display/i $pc as
>  well as the backtrace. Or even the core file itself...
>  
>  -p.
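The libedit signature mismatch described above (H_EVENT from the old-style call landing in the new history()'s HistEvent pointer slot), as an added example that is not part of the original thread or of libedit. The HistEvent/History stand-ins, history_new() and the recording globals are constructed for illustration; the old prototype, the new argument order and the value H_EVENT = 1 are as the report states, and the call-through-wrong-prototype relies on i386/x86_64 passing integers and pointers in the same argument slots.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for libedit's types (constructed for this example). */
typedef struct { int num; const char *str; } HistEvent;
typedef struct { int unused; } History;

#define H_EVENT 1   /* the op value ftp passes, per the report */

static uintptr_t seen_ev;   /* what the callee received in its HistEvent * slot */
static int seen_op;         /* what it received in its op slot */

/* Newer libedit-style history(): the HistEvent * now sits in front of op. */
int history_new(History *h, HistEvent *ev, int op, ...)
{
    (void)h;
    seen_ev = (uintptr_t)ev;
    seen_op = op;
    /* Real libedit stores into *ev here (the faulting movl $0x0,(%edi)
       when ev is 0x1).  Refuse an implausible pointer instead of writing. */
    if (seen_ev < 4096)
        return -1;
    ev->num = 0;
    return 0;
}

/* Prototype the old libedit exposed, which 3.4-stable ftp was built against. */
typedef const HistEvent *(*old_history_fn)(History *, int, ...);

/* Reproduce the mismatch: call the new implementation through the old
   prototype, exactly as ftp's source does: history(hist, H_EVENT, 100).
   H_EVENT (ebp+12 on i386) is read by the callee as its HistEvent *. */
static void call_like_old_ftp(void)
{
    History h = {0};
    old_history_fn history = (old_history_fn)history_new;
    (void)history(&h, H_EVENT, 100);   /* return value is garbage; ignored */
}

uintptr_t mismatched_ev(void) { call_like_old_ftp(); return seen_ev; }  /* 0x1 */
int       mismatched_op(void) { call_like_old_ftp(); return seen_op; }  /* 100 */

/* Rebuilt against matching headers, the same request is well-formed
   (op value here is illustrative only). */
int correct_call(void)
{
    History h = {0};
    HistEvent ev = {0};
    return history_new(&h, &ev, 1, 100);
}

int main(void)
{
    printf("ev slot=0x%lx op slot=%d correct=%d\n",
           (unsigned long)mismatched_ev(), mismatched_op(), correct_call());
    return 0;
}
```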