Hello,
tried to reproduce this issue in a Debian Jessie VM.

The stack-smashing detector bytes (the canary checked at function return) are overwritten here:


(gdb) bt
#0  __strncat_sse2 (s1=0x7fffffffd198 
"s\201\215I\267\344Cݠ\022\271\367\377\177", s2=0x7ffff7ba5046 
"s_expression>\n", n=0) at ../string/strncat.c:55
#1  0x00007ffff7b9da83 in strncat (__len=18446744073709551593, 
__src=0x7ffff7ba503c "\t\t</address_expression>\n", __dest=0x7fffffffd090 
"\t\t<address_expression>\n\t\t\t<base>\n\t\t\t\t<register name=\"edx\" 
type=\"reg_gen\" size=4/>\n\t\t\t</base>\n\t\t\t<index>\n\t\t\t\t<register 
name=\"eax\" type=\"reg_gen reg_ret\" 
size=4/>\n\t\t\t</index>\n\t\t\t<scale>\n\t\t\t\t<immediate v"...) at 
/usr/include/x86_64-linux-gnu/bits/string3.h:150
#2  format_operand_xml (op=<optimized out>, buf=0x7fffffffd090 
"\t\t<address_expression>\n\t\t\t<base>\n\t\t\t\t<register name=\"edx\" 
type=\"reg_gen\" size=4/>\n\t\t\t</base>\n\t\t\t<index>\n\t\t\t\t<register 
name=\"eax\" type=\"reg_gen reg_ret\" 
size=4/>\n\t\t\t</index>\n\t\t\t<scale>\n\t\t\t\t<immediate v"..., len=-22, 
insn=<optimized out>, insn=<optimized out>) at x86_format.c:860
#3  0x00007ffff7ba394a in format_xml_insn (len=3779, buf=0x7fffffffd1e0 
"<x86_insn>\n\t<address rva=\"0x00000167\" offset=\"0x00000167\" size=4 
bytes=\"00 54 02 40 \"/>\n\t<prefix type=\"\" string=\"\"/>\n\t<mnemonic 
group=\"arithmetic\" type=\"add\" string=\"add\"/>\n\t<flags 
type=set>\n\t\t<flag n"..., insn=0x7fffffffe240) at x86_format.c:1200
#4  x86_format_insn (insn=insn@entry=0x7fffffffe240, 
buf=buf@entry=0x7fffffffd1e0 "<x86_insn>\n\t<address rva=\"0x00000167\" 
offset=\"0x00000167\" size=4 bytes=\"00 54 02 40 \"/>\n\t<prefix type=\"\" 
string=\"\"/>\n\t<mnemonic group=\"arithmetic\" type=\"add\" 
string=\"add\"/>\n\t<flags type=set>\n\t\t<flag n"..., len=len@entry=4096, 
format=<optimized out>) at x86_format.c:1387
#5  0x0000000000401972 in x86dis_manual_print (insn=0x7fffffffe240, 
arg=<optimized out>) at x86dis.c:93
#6  0x00007ffff7b9bd20 in x86_disasm_forward (buf=0x7fffffffd090 
"\t\t<address_expression>\n\t\t\t<base>\n\t\t\t\t<register name=\"edx\" 
type=\"reg_gen\" size=4/>\n\t\t\t</base>\n\t\t\t<index>\n\t\t\t\t<register 
name=\"eax\" type=\"reg_gen reg_ret\" 
size=4/>\n\t\t\t</index>\n\t\t\t<scale>\n\t\t\t\t<immediate v"..., 
buf_len=17012328, buf_rva=0, offset=0, func=0x7fffffffd196, 
arg=0x3ffffffffffffff8, resolver=0x401a30 <x86dis_resolver>, r_arg=0x0) at 
x86_disasm.c:144
#7  0x000000000040221f in do_request (type=4294955152, buf=0x0, 
buf_len=4294955152, buf_rva=140737349570628, offset=140737349481568, 
len=4294967288) at x86dis.c:275
#8  0x00000000004022b8 in act_on_mmap (list=<optimized out>, 
image=0x7ffff67b1000 "\177ELF\002\001\001\003", len=17012328, 
base=base@entry=0) at x86dis.c:294
#9  0x000000000040154a in act_on_mmap_file () at x86dis.c:316
#10 main (argc=7, argv=0x7fffffffe698) at x86dis.c:835


As far as I can see, the assumption that 256 bytes is enough for every XML
operand does not hold: in frame #2 the remaining length has already gone
negative (len=-22), and that value reaches strncat as a huge unsigned size
(__len=18446744073709551593 in frame #1), so the write runs past str.


libdis.h
101 #define MAX_OP_XML_STRING 256   /* max possible operand size in xml form */

x86_format.c
1164 static int format_xml_insn( x86_insn_t *insn, char *buf, int len ) {
1165        char str[MAX_OP_XML_STRING];


The issue is still reproducible on a current amd64 Debian Testing.

Kind regards,
Bernhard


Tried to reproduce in a jessie VM:




root@debian:/home/benutzer# gdb -q --args x86dis -s xml -e 0 -f 
/usr/lib/gcc/x86_64-linux-gnu/4.9.2/cc1plus
Reading symbols from x86dis...(no debugging symbols found)...done.
(gdb) run
...
*** stack smashing detected ***: /usr/bin/x86dis terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x731af)[0x7ffff785e1af]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff78e3aa7]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7ffff78e3a70]
/usr/lib/x86_64-linux-gnu/libdisasm.so.0(x86_format_insn+0x295a)[0x7ffff7ba399a]
/usr/bin/x86dis[0x401922]
/usr/lib/x86_64-linux-gnu/libdisasm.so.0(x86_disasm_forward+0x90)[0x7ffff7b9bad0]
/usr/bin/x86dis[0x402191]
/usr/bin/x86dis[0x402228]
/usr/bin/x86dis[0x40150b]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff780cb45]
/usr/bin/x86dis[0x4017fc]
======= Memory map: ========
00400000-00404000 r-xp 00000000 08:01 278484                             
/usr/bin/x86dis
00603000-00604000 r--p 00003000 08:01 278484                             
/usr/bin/x86dis
00604000-00605000 rw-p 00004000 08:01 278484                             
/usr/bin/x86dis
00605000-00626000 rw-p 00000000 00:00 0                                  [heap]
7ffff659b000-7ffff65b1000 r-xp 00000000 08:01 397745                     
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff65b1000-7ffff67b0000 ---p 00016000 08:01 397745                     
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff67b0000-7ffff67b1000 rw-p 00015000 08:01 397745                     
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff67b1000-7ffff77eb000 r--s 00000000 08:01 275953                     
/usr/lib/gcc/x86_64-linux-gnu/4.9/cc1plus
7ffff77eb000-7ffff798c000 r-xp 00000000 08:01 397752                     
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff798c000-7ffff7b8c000 ---p 001a1000 08:01 397752                     
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b8c000-7ffff7b90000 r--p 001a1000 08:01 397752                     
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b90000-7ffff7b92000 rw-p 001a5000 08:01 397752                     
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b92000-7ffff7b96000 rw-p 00000000 00:00 0 
7ffff7b96000-7ffff7ba7000 r-xp 00000000 08:01 278532                     
/usr/lib/x86_64-linux-gnu/libdisasm.so.0.0.0
7ffff7ba7000-7ffff7da7000 ---p 00011000 08:01 278532                     
/usr/lib/x86_64-linux-gnu/libdisasm.so.0.0.0
7ffff7da7000-7ffff7da8000 r--p 00011000 08:01 278532                     
/usr/lib/x86_64-linux-gnu/libdisasm.so.0.0.0
7ffff7da8000-7ffff7ddc000 rw-p 00012000 08:01 278532                     
/usr/lib/x86_64-linux-gnu/libdisasm.so.0.0.0
7ffff7ddc000-7ffff7dfd000 r-xp 00000000 08:01 392999                     
/lib/x86_64-linux-gnu/ld-2.19.so
7ffff7feb000-7ffff7fee000 rw-p 00000000 00:00 0 
7ffff7ff3000-7ffff7ff7000 rw-p 00000000 00:00 0 
7ffff7ff7000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00020000 08:01 392999                     
/lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00021000 08:01 392999                     
/lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  
[vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7820067 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht 
gefunden.
(gdb) set height 0
(gdb) set width 0
(gdb) bt
#0  0x00007ffff7820067 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7821448 in __GI_abort () at abort.c:89
#2  0x00007ffff785e1b4 in __libc_message (do_abort=do_abort@entry=2, 
fmt=fmt@entry=0x7ffff7950cb3 "*** %s ***: %s terminated\n") at 
../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff78e3aa7 in __GI___fortify_fail (msg=msg@entry=0x7ffff7950c9b 
"stack smashing detected") at fortify_fail.c:31
#4  0x00007ffff78e3a70 in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x00007ffff7ba399a in x86_format_insn () from 
/usr/lib/x86_64-linux-gnu/libdisasm.so.0
#6  0x0000000000401922 in ?? ()
#7  0x00007ffff7b9bad0 in x86_disasm_forward () from 
/usr/lib/x86_64-linux-gnu/libdisasm.so.0
#8  0x0000000000402191 in ?? ()
#9  0x0000000000402228 in ?? ()
#10 0x000000000040150b in ?? ()
#11 0x00007ffff780cb45 in __libc_start_main (main=0x400f60, argc=7, 
argv=0x7fffffffe698, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7fffffffe688) at libc-start.c:287
#12 0x00000000004017fc in ?? ()




No debug information available; rebuilding the package with it:

mkdir x86dis; cd x86dis
apt-get source x86dis
cd libdisasm-0.23
DEB_BUILD_OPTIONS='nostrip' dpkg-buildpackage -b -uc -us
cd ..
dpkg -i x86dis_0.23-6_amd64.deb libdisasm0_0.23-6_amd64.deb





Again with debug information:

root@debian:/home/benutzer# gdb -q --args x86dis -s xml -e 0 -f 
/usr/lib/gcc/x86_64-linux-gnu/4.9.2/cc1plus
Reading symbols from x86dis...done.
(gdb) run
*** stack smashing detected ***: /usr/bin/x86dis terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x731af)[0x7ffff785e1af]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff78e3aa7]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7ffff78e3a70]
/usr/lib/x86_64-linux-gnu/libdisasm.so.0(x86_format_insn+0x2c57)[0x7ffff7ba4407]
/usr/bin/x86dis[0x401972]
/usr/lib/x86_64-linux-gnu/libdisasm.so.0(x86_disasm_forward+0x90)[0x7ffff7b9bd20]
/usr/bin/x86dis[0x40221f]
/usr/bin/x86dis[0x4022b8]
/usr/bin/x86dis[0x40154a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff780cb45]
/usr/bin/x86dis[0x40183d]
======= Memory map: ========
00400000-00404000 r-xp 00000000 08:01 262472                             
/usr/bin/x86dis
00603000-00604000 r--p 00003000 08:01 262472                             
/usr/bin/x86dis
00604000-00605000 rw-p 00004000 08:01 262472                             
/usr/bin/x86dis
00605000-00626000 rw-p 00000000 00:00 0                                  [heap]
7ffff659b000-7ffff65b1000 r-xp 00000000 08:01 397745                     
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff65b1000-7ffff67b0000 ---p 00016000 08:01 397745                     
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff67b0000-7ffff67b1000 rw-p 00015000 08:01 397745                     
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff67b1000-7ffff77eb000 r--s 00000000 08:01 275953                     
/usr/lib/gcc/x86_64-linux-gnu/4.9/cc1plus
7ffff77eb000-7ffff798c000 r-xp 00000000 08:01 397752                     
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff798c000-7ffff7b8c000 ---p 001a1000 08:01 397752                     
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b8c000-7ffff7b90000 r--p 001a1000 08:01 397752                     
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b90000-7ffff7b92000 rw-p 001a5000 08:01 397752                     
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b92000-7ffff7b96000 rw-p 00000000 00:00 0 
7ffff7b96000-7ffff7ba8000 r-xp 00000000 08:01 278487                     
/usr/lib/x86_64-linux-gnu/libdisasm.so.0.0.0
7ffff7ba8000-7ffff7da7000 ---p 00012000 08:01 278487                     
/usr/lib/x86_64-linux-gnu/libdisasm.so.0.0.0
7ffff7da7000-7ffff7da8000 r--p 00011000 08:01 278487                     
/usr/lib/x86_64-linux-gnu/libdisasm.so.0.0.0
7ffff7da8000-7ffff7ddc000 rw-p 00012000 08:01 278487                     
/usr/lib/x86_64-linux-gnu/libdisasm.so.0.0.0
7ffff7ddc000-7ffff7dfd000 r-xp 00000000 08:01 392999                     
/lib/x86_64-linux-gnu/ld-2.19.so
7ffff7feb000-7ffff7fee000 rw-p 00000000 00:00 0 
7ffff7ff3000-7ffff7ff7000 rw-p 00000000 00:00 0 
7ffff7ff7000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00020000 08:01 392999                     
/lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00021000 08:01 392999                     
/lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  
[vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7820067 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht 
gefunden.
(gdb) set height 0
(gdb) set width 0
(gdb) bt
#0  0x00007ffff7820067 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff7821448 in __GI_abort () at abort.c:89
#2  0x00007ffff785e1b4 in __libc_message (do_abort=do_abort@entry=2, 
fmt=fmt@entry=0x7ffff7950cb3 "*** %s ***: %s terminated\n") at 
../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff78e3aa7 in __GI___fortify_fail (msg=msg@entry=0x7ffff7950c9b 
"stack smashing detected") at fortify_fail.c:31
#4  0x00007ffff78e3a70 in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x00007ffff7ba4407 in x86_format_insn (insn=insn@entry=0x7fffffffe240, 
buf=<optimized out>, buf@entry=0x7fffffffd1e0 "<x86_insn>\n\t<address 
rva=\"0x00000167\" offset=\"0x00000167\" size=4 bytes=\"00 54 02 40 
\"/>\n\t<prefix type=\"\" string=\"\"/>\n\t<mnemonic group=\"arithmetic\" 
type=\"add\" string=\"add\"/>\n\t<flags type=set>\n\t\t<flag n"..., 
len=<optimized out>, len@entry=4096, format=<optimized out>) at 
x86_format.c:1429
#6  0x0000000000401972 in x86dis_manual_print (insn=0x7fffffffe240, 
arg=<optimized out>) at x86dis.c:93
#7  0x00007ffff7b9bd20 in x86_disasm_forward (buf=0x420e <error: Cannot access 
memory at address 0x420e>, buf_len=17012328, buf_rva=0, offset=0, 
func=0x7ffff79484a0 <_itoa_lower_digits>, arg=0x4023e4 <_fini>, 
resolver=0x401a30 <x86dis_resolver>, r_arg=0x0) at x86_disasm.c:144
#8  0x000000000040221f in do_request (type=16910, buf=0x246 <error: Cannot 
access memory at address 0x246>, buf_len=0, buf_rva=16910, offset=8, 
len=4203492) at x86dis.c:275
#9  0x00000000004022b8 in act_on_mmap (list=<optimized out>, 
image=0x7ffff67b1000 "\177ELF\002\001\001\003", len=17012328, 
base=base@entry=0) at x86dis.c:294
#10 0x000000000040154a in act_on_mmap_file () at x86dis.c:316
#11 main (argc=7, argv=0x7fffffffe698) at x86dis.c:835







How often is x86_format_insn executed before the abort?

(gdb) b x86_format_insn
Breakpoint 1 at 0x7ffff7ba17b0: file x86_format.c, line 1303.
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) ignore 1 10000
Will ignore next 10000 crossings of breakpoint 1.
(gdb) run
...
*** stack smashing detected ***: /usr/bin/x86dis terminated
...
(gdb) info b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x00007ffff7ba17b0 in x86_format_insn at 
x86_format.c:1303
        breakpoint already hit 168 times
        ignore next 9832 hits








Stop at the 168th execution, start recording, and continue until
__stack_chk_fail:

(gdb) ignore 1 167
Will ignore next 167 crossings of breakpoint 1.
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) run
...
Breakpoint 1, x86_format_insn (insn=insn@entry=0x7fffffffe240, 
buf=buf@entry=0x7fffffffd1e0 "<x86_insn>\n\t<address rva=\"0x00000165\" 
offset=\"0x00000165\" size=2 bytes=\"00 00 \"/>\n\t<prefix type=\"\" 
string=\"\"/>\n\t<mnemonic group=\"arithmetic\" type=\"add\" 
string=\"add\"/>\n\t<flags type=set>\n\t\t<flag name=\"c"..., 
len=len@entry=4096, format=xml_syntax) at x86_format.c:1303
1303                         enum x86_asm_format format ){
(gdb) record
(gdb) b __stack_chk_fail
Breakpoint 2 at 0x7ffff78e3a60: file stack_chk_fail.c, line 28.
(gdb) cont
Continuing.

Breakpoint 2, __stack_chk_fail () at stack_chk_fail.c:28
28      stack_chk_fail.c: Datei oder Verzeichnis nicht gefunden.






Show the disassembly and step backwards at instruction level:

(gdb) display/i $pc
1: x/i $pc
=> 0x7ffff78e3a60 <__stack_chk_fail>:   lea    0x6d234(%rip),%rdi        # 
0x7ffff7950c9b
(gdb) reverse-nexti
x86_format_insn (insn=insn@entry=0x7fffffffe240, buf=<optimized out>, 
buf@entry=0x7fffffffd1e0 "<x86_insn>\n\t<address rva=\"0x00000167\" 
offset=\"0x00000167\" size=4 bytes=\"00 54 02 40 \"/>\n\t<prefix type=\"\" 
string=\"\"/>\n\t<mnemonic group=\"arithmetic\" type=\"add\" 
string=\"add\"/>\n\t<flags type=set>\n\t\t<flag n"..., len=<optimized out>, 
len@entry=4096, format=<optimized out>) at x86_format.c:1429
1429    }
1: x/i $pc
=> 0x7ffff7ba4402 <x86_format_insn+11346>:      callq  0x7ffff7b99130 
<__stack_chk_fail@plt>
(gdb) reverse-nexti
0x00007ffff7ba1ceb      1429    }
1: x/i $pc
=> 0x7ffff7ba1ceb <x86_format_insn+1339>:       jne    0x7ffff7ba4402 
<x86_format_insn+11346>
(gdb) reverse-nexti
0x00007ffff7ba1ce2      1429    }
1: x/i $pc
=> 0x7ffff7ba1ce2 <x86_format_insn+1330>:       xor    %fs:0x28,%rcx
(gdb) reverse-nexti
1429    }
1: x/i $pc
=> 0x7ffff7ba1cda <x86_format_insn+1322>:       mov    0x168(%rsp),%rcx







0x168(%rsp) is the memory location that is compared to detect the stack smashing:

(gdb) print/x $rsp
$1 = 0x7fffffffd030
(gdb) print/x 0x7fffffffd030+0x168
$2 = 0x7fffffffd198







Step back to the beginning of the recorded history:

(gdb) reverse-cont
Continuing.

No more reverse-execution history.
x86_format_insn (insn=insn@entry=0x7fffffffe240, buf=buf@entry=0x7fffffffd1e0 
"<x86_insn>\n\t<address rva=\"0x00000165\" offset=\"0x00000165\" size=2 
bytes=\"00 00 \"/>\n\t<prefix type=\"\" string=\"\"/>\n\t<mnemonic 
group=\"arithmetic\" type=\"add\" string=\"add\"/>\n\t<flags 
type=set>\n\t\t<flag name=\"c"..., len=len@entry=4096, format=xml_syntax) at 
x86_format.c:1303
1303                         enum x86_asm_format format ){
1: x/i $pc
=> 0x7ffff7ba17b0 <x86_format_insn>:    push   %r15







Break on accesses to 0x7fffffffd198; hardware watchpoints cannot be used during
recorded execution, so a software watchpoint is set instead:

(gdb) set can-use-hw-watchpoints 0
(gdb) watch *0x7fffffffd198
Watchpoint 3: *0x7fffffffd198






Continue forward; the first hit is where the memory is initially set to a specific value:

(gdb) cont
Continuing.
Watchpoint 3: *0x7fffffffd198

Old value = -142211677
New value = 1234010368
0x00007ffff7ba17e8 in x86_format_insn (insn=0x0, insn@entry=0x7fffffffe240, 
buf=0x1 <error: Cannot access memory at address 0x1>, buf@entry=0x7fffffffd1e0 
"<x86_insn>\n\t<address rva=\"0x00000165\" offset=\"0x00000165\" size=2 
bytes=\"00 00 \"/>\n\t<prefix type=\"\" string=\"\"/>\n\t<mnemonic 
group=\"arithmetic\" type=\"add\" string=\"add\"/>\n\t<flags 
type=set>\n\t\t<flag name=\"c"..., len=len@entry=4096, format=xml_syntax) at 
x86_format.c:1303
1303                         enum x86_asm_format format ){
1: x/i $pc
=> 0x7ffff7ba17e8 <x86_format_insn+56>: xor    %eax,%eax






Continue forward; the next hit is the problem:

(gdb) cont
Continuing.
Watchpoint 3: *0x7fffffffd198

Old value = 1234010368
New value = 1234010483
__strncat_sse2 (s1=0x7fffffffd198 "s\201\215I\267\344Cݠ\022\271\367\377\177", 
s2=0x7ffff7ba5046 "s_expression>\n", n=0) at ../string/strncat.c:55
55      ../string/strncat.c: Datei oder Verzeichnis nicht gefunden.
1: x/i $pc
=> 0x7ffff787cad2 <__strncat_sse2+66>:  je     0x7ffff787cb08 
<__strncat_sse2+120>

(gdb) bt
#0  __strncat_sse2 (s1=0x7fffffffd198 
"s\201\215I\267\344Cݠ\022\271\367\377\177", s2=0x7ffff7ba5046 
"s_expression>\n", n=0) at ../string/strncat.c:55
#1  0x00007ffff7b9da83 in strncat (__len=18446744073709551593, 
__src=0x7ffff7ba503c "\t\t</address_expression>\n", __dest=0x7fffffffd090 
"\t\t<address_expression>\n\t\t\t<base>\n\t\t\t\t<register name=\"edx\" 
type=\"reg_gen\" size=4/>\n\t\t\t</base>\n\t\t\t<index>\n\t\t\t\t<register 
name=\"eax\" type=\"reg_gen reg_ret\" 
size=4/>\n\t\t\t</index>\n\t\t\t<scale>\n\t\t\t\t<immediate v"...) at 
/usr/include/x86_64-linux-gnu/bits/string3.h:150
#2  format_operand_xml (op=<optimized out>, buf=0x7fffffffd090 
"\t\t<address_expression>\n\t\t\t<base>\n\t\t\t\t<register name=\"edx\" 
type=\"reg_gen\" size=4/>\n\t\t\t</base>\n\t\t\t<index>\n\t\t\t\t<register 
name=\"eax\" type=\"reg_gen reg_ret\" 
size=4/>\n\t\t\t</index>\n\t\t\t<scale>\n\t\t\t\t<immediate v"..., len=-22, 
insn=<optimized out>, insn=<optimized out>) at x86_format.c:860
#3  0x00007ffff7ba394a in format_xml_insn (len=3779, buf=0x7fffffffd1e0 
"<x86_insn>\n\t<address rva=\"0x00000167\" offset=\"0x00000167\" size=4 
bytes=\"00 54 02 40 \"/>\n\t<prefix type=\"\" string=\"\"/>\n\t<mnemonic 
group=\"arithmetic\" type=\"add\" string=\"add\"/>\n\t<flags 
type=set>\n\t\t<flag n"..., insn=0x7fffffffe240) at x86_format.c:1200
#4  x86_format_insn (insn=insn@entry=0x7fffffffe240, 
buf=buf@entry=0x7fffffffd1e0 "<x86_insn>\n\t<address rva=\"0x00000167\" 
offset=\"0x00000167\" size=4 bytes=\"00 54 02 40 \"/>\n\t<prefix type=\"\" 
string=\"\"/>\n\t<mnemonic group=\"arithmetic\" type=\"add\" 
string=\"add\"/>\n\t<flags type=set>\n\t\t<flag n"..., len=len@entry=4096, 
format=<optimized out>) at x86_format.c:1387
#5  0x0000000000401972 in x86dis_manual_print (insn=0x7fffffffe240, 
arg=<optimized out>) at x86dis.c:93
#6  0x00007ffff7b9bd20 in x86_disasm_forward (buf=0x7fffffffd090 
"\t\t<address_expression>\n\t\t\t<base>\n\t\t\t\t<register name=\"edx\" 
type=\"reg_gen\" size=4/>\n\t\t\t</base>\n\t\t\t<index>\n\t\t\t\t<register 
name=\"eax\" type=\"reg_gen reg_ret\" 
size=4/>\n\t\t\t</index>\n\t\t\t<scale>\n\t\t\t\t<immediate v"..., 
buf_len=17012328, buf_rva=0, offset=0, func=0x7fffffffd196, 
arg=0x3ffffffffffffff8, resolver=0x401a30 <x86dis_resolver>, r_arg=0x0) at 
x86_disasm.c:144
#7  0x000000000040221f in do_request (type=4294955152, buf=0x0, 
buf_len=4294955152, buf_rva=140737349570628, offset=140737349481568, 
len=4294967288) at x86dis.c:275
#8  0x00000000004022b8 in act_on_mmap (list=<optimized out>, 
image=0x7ffff67b1000 "\177ELF\002\001\001\003", len=17012328, 
base=base@entry=0) at x86dis.c:294
#9  0x000000000040154a in act_on_mmap_file () at x86dis.c:316
#10 main (argc=7, argv=0x7fffffffe698) at x86dis.c:835







(gdb) up
#1  0x00007ffff7b9da83 in strncat (__len=18446744073709551593, 
__src=0x7ffff7ba503c "\t\t</address_expression>\n", __dest=0x7fffffffd090 
"\t\t<address_expression>\n\t\t\t<base>\n\t\t\t\t<register name=\"edx\" 
type=\"reg_gen\" size=4/>\n\t\t\t</base>\n\t\t\t<index>\n\t\t\t\t<register 
name=\"eax\" type=\"reg_gen reg_ret\" 
size=4/>\n\t\t\t</index>\n\t\t\t<scale>\n\t\t\t\t<immediate v"...) at 
/usr/include/x86_64-linux-gnu/bits/string3.h:150
150       return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
(gdb) up
#2  format_operand_xml (op=<optimized out>, buf=0x7fffffffd090 
"\t\t<address_expression>\n\t\t\t<base>\n\t\t\t\t<register name=\"edx\" 
type=\"reg_gen\" size=4/>\n\t\t\t</base>\n\t\t\t<index>\n\t\t\t\t<register 
name=\"eax\" type=\"reg_gen reg_ret\" 
size=4/>\n\t\t\t</index>\n\t\t\t<scale>\n\t\t\t\t<immediate v"..., len=-22, 
insn=<optimized out>, insn=<optimized out>) at x86_format.c:860
860                             STRNCAT( buf, "\t\t</address_expression>\n", 
len );
(gdb) print len
$3 = -22

(gdb) up
#3  0x00007ffff7ba394a in format_xml_insn (len=3779, buf=0x7fffffffd1e0 
"<x86_insn>\n\t<address rva=\"0x00000167\" offset=\"0x00000167\" size=4 
bytes=\"00 54 02 40 \"/>\n\t<prefix type=\"\" string=\"\"/>\n\t<mnemonic 
group=\"arithmetic\" type=\"add\" string=\"add\"/>\n\t<flags 
type=set>\n\t\t<flag n"..., insn=0x7fffffffe240) at x86_format.c:1200
1200                    x86_format_operand( x86_operand_1st(insn), str,
(gdb) print sizeof(str)
$4 = 256

(gdb) print str
$5 = "\t\t<address_expression>\n\t\t\t<base>\n\t\t\t\t<register name=\"edx\" 
type=\"reg_gen\" size=4/>\n\t\t\t</base>\n\t\t\t<index>\n\t\t\t\t<register 
name=\"eax\" type=\"reg_gen reg_ret\" 
size=4/>\n\t\t\t</index>\n\t\t\t<scale>\n\t\t\t\t<immediate v"...
(gdb) x/257xb str
0x7fffffffd090: 0x09    0x09    0x3c    0x61    0x64    0x64    0x72    0x65
0x7fffffffd098: 0x73    0x73    0x5f    0x65    0x78    0x70    0x72    0x65
0x7fffffffd0a0: 0x73    0x73    0x69    0x6f    0x6e    0x3e    0x0a    0x09
0x7fffffffd0a8: 0x09    0x09    0x3c    0x62    0x61    0x73    0x65    0x3e
0x7fffffffd0b0: 0x0a    0x09    0x09    0x09    0x09    0x3c    0x72    0x65
0x7fffffffd0b8: 0x67    0x69    0x73    0x74    0x65    0x72    0x20    0x6e
0x7fffffffd0c0: 0x61    0x6d    0x65    0x3d    0x22    0x65    0x64    0x78
0x7fffffffd0c8: 0x22    0x20    0x74    0x79    0x70    0x65    0x3d    0x22
0x7fffffffd0d0: 0x72    0x65    0x67    0x5f    0x67    0x65    0x6e    0x22
0x7fffffffd0d8: 0x20    0x73    0x69    0x7a    0x65    0x3d    0x34    0x2f
0x7fffffffd0e0: 0x3e    0x0a    0x09    0x09    0x09    0x3c    0x2f    0x62
0x7fffffffd0e8: 0x61    0x73    0x65    0x3e    0x0a    0x09    0x09    0x09
0x7fffffffd0f0: 0x3c    0x69    0x6e    0x64    0x65    0x78    0x3e    0x0a
0x7fffffffd0f8: 0x09    0x09    0x09    0x09    0x3c    0x72    0x65    0x67
0x7fffffffd100: 0x69    0x73    0x74    0x65    0x72    0x20    0x6e    0x61
0x7fffffffd108: 0x6d    0x65    0x3d    0x22    0x65    0x61    0x78    0x22
0x7fffffffd110: 0x20    0x74    0x79    0x70    0x65    0x3d    0x22    0x72
0x7fffffffd118: 0x65    0x67    0x5f    0x67    0x65    0x6e    0x20    0x72
0x7fffffffd120: 0x65    0x67    0x5f    0x72    0x65    0x74    0x22    0x20
0x7fffffffd128: 0x73    0x69    0x7a    0x65    0x3d    0x34    0x2f    0x3e
0x7fffffffd130: 0x0a    0x09    0x09    0x09    0x3c    0x2f    0x69    0x6e
0x7fffffffd138: 0x64    0x65    0x78    0x3e    0x0a    0x09    0x09    0x09
0x7fffffffd140: 0x3c    0x73    0x63    0x61    0x6c    0x65    0x3e    0x0a
0x7fffffffd148: 0x09    0x09    0x09    0x09    0x3c    0x69    0x6d    0x6d
0x7fffffffd150: 0x65    0x64    0x69    0x61    0x74    0x65    0x20    0x76
0x7fffffffd158: 0x61    0x6c    0x75    0x65    0x3d    0x22    0x31    0x22
0x7fffffffd160: 0x2f    0x3e    0x0a    0x09    0x09    0x09    0x3c    0x2f
0x7fffffffd168: 0x73    0x63    0x61    0x6c    0x65    0x3e    0x0a    0x09
0x7fffffffd170: 0x09    0x09    0x3c    0x64    0x69    0x73    0x70    0x6c
0x7fffffffd178: 0x61    0x63    0x65    0x6d    0x65    0x6e    0x74    0x3e
0x7fffffffd180: 0x0a    0x09    0x09    0x09    0x09    0x3c    0x69    0x6d
0x7fffffffd188: 0x6d    0x65    0x64    0x69    0x61    0x74    0x65    0x09
0x7fffffffd190: 0x09
(gdb) x/257cb str
0x7fffffffd090: 9 '\t'  9 '\t'  60 '<'  97 'a'  100 'd' 100 'd' 114 'r' 101 'e'
0x7fffffffd098: 115 's' 115 's' 95 '_'  101 'e' 120 'x' 112 'p' 114 'r' 101 'e'
0x7fffffffd0a0: 115 's' 115 's' 105 'i' 111 'o' 110 'n' 62 '>'  10 '\n' 9 '\t'
0x7fffffffd0a8: 9 '\t'  9 '\t'  60 '<'  98 'b'  97 'a'  115 's' 101 'e' 62 '>'
0x7fffffffd0b0: 10 '\n' 9 '\t'  9 '\t'  9 '\t'  9 '\t'  60 '<'  114 'r' 101 'e'
0x7fffffffd0b8: 103 'g' 105 'i' 115 's' 116 't' 101 'e' 114 'r' 32 ' '  110 'n'
0x7fffffffd0c0: 97 'a'  109 'm' 101 'e' 61 '='  34 '"'  101 'e' 100 'd' 120 'x'
0x7fffffffd0c8: 34 '"'  32 ' '  116 't' 121 'y' 112 'p' 101 'e' 61 '='  34 '"'
0x7fffffffd0d0: 114 'r' 101 'e' 103 'g' 95 '_'  103 'g' 101 'e' 110 'n' 34 '"'
0x7fffffffd0d8: 32 ' '  115 's' 105 'i' 122 'z' 101 'e' 61 '='  52 '4'  47 '/'
0x7fffffffd0e0: 62 '>'  10 '\n' 9 '\t'  9 '\t'  9 '\t'  60 '<'  47 '/'  98 'b'
0x7fffffffd0e8: 97 'a'  115 's' 101 'e' 62 '>'  10 '\n' 9 '\t'  9 '\t'  9 '\t'
0x7fffffffd0f0: 60 '<'  105 'i' 110 'n' 100 'd' 101 'e' 120 'x' 62 '>'  10 '\n'
0x7fffffffd0f8: 9 '\t'  9 '\t'  9 '\t'  9 '\t'  60 '<'  114 'r' 101 'e' 103 'g'
0x7fffffffd100: 105 'i' 115 's' 116 't' 101 'e' 114 'r' 32 ' '  110 'n' 97 'a'
0x7fffffffd108: 109 'm' 101 'e' 61 '='  34 '"'  101 'e' 97 'a'  120 'x' 34 '"'
0x7fffffffd110: 32 ' '  116 't' 121 'y' 112 'p' 101 'e' 61 '='  34 '"'  114 'r'
0x7fffffffd118: 101 'e' 103 'g' 95 '_'  103 'g' 101 'e' 110 'n' 32 ' '  114 'r'
0x7fffffffd120: 101 'e' 103 'g' 95 '_'  114 'r' 101 'e' 116 't' 34 '"'  32 ' '
0x7fffffffd128: 115 's' 105 'i' 122 'z' 101 'e' 61 '='  52 '4'  47 '/'  62 '>'
0x7fffffffd130: 10 '\n' 9 '\t'  9 '\t'  9 '\t'  60 '<'  47 '/'  105 'i' 110 'n'
0x7fffffffd138: 100 'd' 101 'e' 120 'x' 62 '>'  10 '\n' 9 '\t'  9 '\t'  9 '\t'
0x7fffffffd140: 60 '<'  115 's' 99 'c'  97 'a'  108 'l' 101 'e' 62 '>'  10 '\n'
0x7fffffffd148: 9 '\t'  9 '\t'  9 '\t'  9 '\t'  60 '<'  105 'i' 109 'm' 109 'm'
0x7fffffffd150: 101 'e' 100 'd' 105 'i' 97 'a'  116 't' 101 'e' 32 ' '  118 'v'
0x7fffffffd158: 97 'a'  108 'l' 117 'u' 101 'e' 61 '='  34 '"'  49 '1'  34 '"'
0x7fffffffd160: 47 '/'  62 '>'  10 '\n' 9 '\t'  9 '\t'  9 '\t'  60 '<'  47 '/'
0x7fffffffd168: 115 's' 99 'c'  97 'a'  108 'l' 101 'e' 62 '>'  10 '\n' 9 '\t'
0x7fffffffd170: 9 '\t'  9 '\t'  60 '<'  100 'd' 105 'i' 115 's' 112 'p' 108 'l'
0x7fffffffd178: 97 'a'  99 'c'  101 'e' 109 'm' 101 'e' 110 'n' 116 't' 62 '>'
0x7fffffffd180: 10 '\n' 9 '\t'  9 '\t'  9 '\t'  9 '\t'  60 '<'  105 'i' 109 'm'
0x7fffffffd188: 109 'm' 101 'e' 100 'd' 105 'i' 97 'a'  116 't' 101 'e' 9 '\t'
0x7fffffffd190: 9 '\t'




libdis.h
101 #define MAX_OP_XML_STRING 256   /* max possible operand size in xml form */


x86_format.c
1164 static int format_xml_insn( x86_insn_t *insn, char *buf, int len ) {
1165        char str[MAX_OP_XML_STRING];
