Your message dated Fri, 03 Jan 2014 13:03:40 +0000 with message-id <[email protected]> and subject line Bug#649569: fixed in ltrace 0.7.3-4 has caused the Debian Bug report #649569, regarding SIGSEGV due to int3 right after a call instruction to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 649569: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649569 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: ltrace Version: 0.5.3-2.1 Severity: important Tags: patch Info: All the following code reference refers to the latest ltrace version (git tag 0.6.0) but we also tested it on various ltrace debian versions (x86/amd64). Abstract: The execution of an int3 instruction immediately following a call instruction will crash ltrace with a SIGSEGV. Detail: ltrace initially scans the list of imported library symbols of the monitored process (function breakpoints.c:breakpoints_init). Then it adds all of them to the dictionary of Breakpoint struct (function breakpoints.c:insert_breakpoint). struct Breakpoint { void * addr; unsigned char orig_value[BREAKPOINT_LENGTH]; int enabled; struct library_symbol * libsym; } ltrace set a first breakpoint on the call instruction and another one immediately after it, in order to interrupt the execution both when executing the call instruction and just after returning from the called function so that it can get the function return value. The former breakpoint address is added to the dictionary when a library call symbol is found, whereas the latter breakpoint address is added to the dictionary just before the call instruction is executed. The latter is, as the former, a Breakpoint structure. Differently from the former, the Breakpoint structure is not fully initialized: addr is initialized with the address immediately following the call instruction whereas libsym is set to NULL because it has no symbol value. ltrace then continues these steps till the end of the process. The real problem arises when a int3 is placed into the original code adjacent to the end of a call instruction. Specifically, ltrace sets a first breakpoint on the address of the call instruction and another one on the instruction following the call. Both these breakpoints are added to the dictionary, but ltrace never deletes the Breakpoint structure identifying the second one. Therefore, when an int3 placed into the code just after a call, for example: ... foobar(foo, bar); __asm__ __volatile__ ( "int3" ); ... is executed, ltrace intercepts the breakpoint and tries to handle it (static void handle_breakpoint(Event *event)). To do that, ltrace checks if the breakpoint has already been added to the dictionary. In this situation, an entry corresponding to that address will be found and eventually used, leading to an error condition described in the following. ... if ((sbp = address2bpstruct(event->proc, event->e_un.brk_addr))) { if (strcmp(sbp->libsym->name, "") == 0) { debug(2, "Hit _dl_debug_state breakpoint!\n"); ... Nevertheless, this entry doesn't correspond to a breakpoint previously added by ltrace for intercepting the end of a call instruction. Instead, it is a breakpoint intentionally inserted by the program developer. ltrace fails to properly check this situations and it dereferences a NULL pointer (sbp->libsym->name) as the breakpoint doesn't represent an address of an imported symbol. --- ltrace-patch/handle_event.c 2011-11-22 08:40:40.000000000 +0100 +++ ltrace/handle_event.c 2011-11-22 08:48:53.000000000 +0100 @@ -617,6 +617,12 @@ } if ((sbp = address2bpstruct(event->proc, event->e_un.brk_addr))) { + if (sbp->libsym == NULL) { + output_line(event->proc, "unexpected breakpoint at %p", + (void *)event->e_un.brk_addr); + continue_process(event->proc->pid); + return; + } if (strcmp(sbp->libsym->name, "") == 0) { debug(2, "Hit _dl_debug_state breakpoint!\n"); arch_check_dbg(event->proc); -- Alessandro Reina <adrenaline.soars{at}security.dico.unimi.it> Aristide Fattori <joystick{at}security.dico.unimi.it>
--- End Message ---
--- Begin Message ---Source: ltrace Source-Version: 0.7.3-4 We believe that the bug you reported is fixed in the latest version of ltrace, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Juan Cespedes <[email protected]> (supplier of updated ltrace package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Fri, 03 Jan 2014 13:56:53 +0100 Source: ltrace Binary: ltrace Architecture: source amd64 Version: 0.7.3-4 Distribution: unstable Urgency: low Maintainer: Juan Cespedes <[email protected]> Changed-By: Juan Cespedes <[email protected]> Description: ltrace - Tracks runtime library calls in dynamically linked programs Closes: 649569 Changes: ltrace (0.7.3-4) unstable; urgency=low . * Get rid of dh_autoreconf (not needed) * Added "mips" and "mipsel" architectures * Continue after unexpected breakpoint (closes: #649569) Checksums-Sha1: 368ec4a927653b18b5675e513483576de1f84aa6 1172 ltrace_0.7.3-4.dsc 62b8bc965f43aeec6f9645c479336fdafdb93a75 11373 ltrace_0.7.3-4.debian.tar.gz 599f5f843522e3d9710156ebe2f5bb7ef8185540 147138 ltrace_0.7.3-4_amd64.deb Checksums-Sha256: 26e26b031937e4fe2f8d270a6e857c9e48ce2549f48dba38f4c4a35612ca0ac2 1172 ltrace_0.7.3-4.dsc 44dab94f96f1427ecdff1a08148e81b11eafacb542400fc7067c750590c7e5b9 11373 ltrace_0.7.3-4.debian.tar.gz 461b1450fe4f572d394dd414f4e532f2c9107ba54d71c4da181f7fafe4480060 147138 ltrace_0.7.3-4_amd64.deb Files: 35e4fc7257d6011923740eb9d6b2f2df 1172 utils optional ltrace_0.7.3-4.dsc ad5dde61fa4eabf4d774cf519cd743a7 11373 utils optional ltrace_0.7.3-4.debian.tar.gz 5e39e52a0d4de83129322853eae38769 147138 utils optional ltrace_0.7.3-4_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlLGs78ACgkQepWluYh4RwO30QCgoCU1rEPGRbLW73lmQ0VrqpSs YOQAoIwGAMIBZ/ApfuFC1kAX1G7ZaSDm =4QUe -----END PGP SIGNATURE-----
--- End Message ---
