Quoting Andy Polyakov <[email protected]>:
What OS/platform is this, and what version of OpenSSL? Also, run 'disass ssl3_get_message' at debugger prompt, advance to vicinity of address provided in back-trace, 0x00007fe5a839334f in provided example, and send that page. I mean it's lesser point to send whole disass output, limit it to ~20 lines.

0x00007fe5a839331d <+1069>: callq *%r10
0x00007fe5a8393320 <+1072>: jmpq 0x7fe5a8392f4c <ssl3_get_message+92>
0x00007fe5a8393325 <+1077>: movslq 0x60(%rbx),%r8
0x00007fe5a8393329 <+1081>: mov 0xa0(%rbx),%rdx
0x00007fe5a8393330 <+1088>: mov %rbx,%r9
0x00007fe5a8393333 <+1091>: mov 0x50(%rbx),%rbp
0x00007fe5a8393337 <+1095>: mov (%rbx),%esi
0x00007fe5a8393339 <+1097>: xor %edi,%edi
0x00007fe5a839333b <+1099>: mov 0x8(%rbp),%rcx
0x00007fe5a839333f <+1103>: add $0x4,%r8
0x00007fe5a8393343 <+1107>: mov %rdx,(%rsp)
0x00007fe5a8393347 <+1111>: mov $0x16,%edx
0x00007fe5a839334c <+1116>: callq *%r10
0x00007fe5a839334f <+1119>: jmpq 0x7fe5a83930e4 <ssl3_get_message+500>

The challenge here is to map this to source code. I was hoping that call would be direct, i.e. not *%r10, which would make the task easier. Could you 'disass 0x7fe5a83930e4' and see if there are direct calls nearby that location. You see a direct call below.
I don't know if it is nearby, but the closest one is

0x00007fe5a83930e4 <+500>: movl $0x1,(%r14)
0x00007fe5a83930eb <+507>: movslq 0x60(%rbx),%rax
0x00007fe5a83930ef <+511>: jmpq 0x7fe5a8392f88 <ssl3_get_message+152>
0x00007fe5a83930f4 <+516>: nopl 0x0(%rax)
0x00007fe5a83930f8 <+520>: movzbl %al,%r10d
0x00007fe5a83930fc <+524>: cmp %ebp,%r10d
0x00007fe5a83930ff <+527>: jne 0x7fe5a839324f <ssl3_get_message+863>
0x00007fe5a8393105 <+533>: movzbl (%r12),%r11d
0x00007fe5a839310a <+538>: mov 0x80(%rbx),%r10
0x00007fe5a8393111 <+545>: lea 0x1(%r12),%r8
0x00007fe5a8393116 <+550>: mov %r11d,0x3b8(%r10)
0x00007fe5a839311d <+557>: movzbl 0x1(%r12),%r9d
0x00007fe5a8393123 <+563>: movzbl 0x2(%r8),%ebp
0x00007fe5a8393128 <+568>: movzbl 0x1(%r8),%eax
0x00007fe5a839312d <+573>: shl $0x10,%r9
0x00007fe5a8393131 <+577>: or %r9,%rbp
0x00007fe5a8393134 <+580>: shl $0x8,%rax
0x00007fe5a8393138 <+584>: or %rax,%rbp
0x00007fe5a839313b <+587>: cmp 0x10(%rsp),%rbp
0x00007fe5a8393140 <+592>: ja 0x7fe5a8393295 <ssl3_get_message+933>
0x00007fe5a8393146 <+598>: test %rbp,%rbp
0x00007fe5a8393149 <+601>: je 0x7fe5a839315f <ssl3_get_message+623>
0x00007fe5a839314b <+603>: mov 0x50(%rbx),%rdi
0x00007fe5a839314f <+607>: lea 0x4(%rbp),%esi
0x00007fe5a8393152 <+610>: callq 0x7fe5a8372308 <BUF_MEM_grow_clean@plt>
Another option is to make your libssl.so binary for download somewhere. It's probably better. Could you? [Feel free to post link to me personally].
I will send you the link

--------------------------------------------------------------------------------
M.Menge                          Tel.: (49) 7071/29-70316
Universität Tübingen             Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung    mail: [email protected]
Wächterstraße 76
72074 Tübingen
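The step Andy asks for above, locating direct calls near a crash address so the disassembly can be tied back to source, can be automated over saved gdb output. The following is an added example, not code from the thread or from OpenSSL; the sample input is constructed from the disassembly lines quoted in the thread, and the line format assumed is gdb's "disass" output.

```python
import re

# Constructed sample in gdb "disass" line format, taken from the
# ssl3_get_message disassembly quoted earlier in this thread.
SAMPLE_DISASM = """\
0x00007fe5a839331d <+1069>: callq *%r10
0x00007fe5a8393320 <+1072>: jmpq 0x7fe5a8392f4c <ssl3_get_message+92>
0x00007fe5a839334c <+1116>: callq *%r10
0x00007fe5a839334f <+1119>: jmpq 0x7fe5a83930e4 <ssl3_get_message+500>
0x00007fe5a83930e4 <+500>: movl $0x1,(%r14)
0x00007fe5a8393152 <+610>: callq 0x7fe5a8372308 <BUF_MEM_grow_clean@plt>
"""

# One gdb disassembly line: optional "=>" marker, address, <+offset>, mnemonic, operands.
LINE_RE = re.compile(
    r"^\s*(?:=>\s*)?(0x[0-9a-fA-F]+)\s+<\+(\d+)>:\s+(\S+)\s*(.*)$")


def parse_disasm(text):
    """Return a list of (address, offset, mnemonic, operands) tuples; skips non-matching lines."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), int(m.group(2)),
                          m.group(3), m.group(4).strip()))
    return insns


def calls(insns):
    """Split call instructions into direct (symbolic target) and indirect (*register or *memory)."""
    direct, indirect = [], []
    for addr, _off, mnem, ops in insns:
        if not mnem.startswith("call"):
            continue
        if ops.startswith("*"):
            indirect.append((addr, ops))      # e.g. "callq *%r10": target only known at run time
        else:
            sym = re.search(r"<([^>]+)>", ops)  # e.g. "<BUF_MEM_grow_clean@plt>"
            direct.append((addr, sym.group(1) if sym else ops))
    return direct, indirect


def nearest_direct_call(insns, addr):
    """The direct call closest in address to addr, or None when the listing has no direct calls."""
    direct, _ = calls(insns)
    if not direct:
        return None
    return min(direct, key=lambda c: abs(c[0] - addr))
```

Pipe the output of `disass ssl3_get_message` into a file and feed it to parse_disasm; the indirect list shows why the two `callq *%r10` sites cannot be resolved statically, while nearest_direct_call gives the symbol to anchor on in the source.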