
Crash in ld

Open ashu-mehra opened this issue 2 years ago • 5 comments

I am trying to use this library to override the cpuid instruction, but my patched sample program keeps crashing, and the SIGSEGV seems to be coming from ld.

I am doing the test on a virtual machine running Fedora 26 with glibc 2.25.

Patched the sample program as:

# ./patchelf/src/patchelf --set-interpreter /root/work/libcpuidoverride/libcpuidoverride.so patched_memtest

Running it as:

# ./patched_memtest 
Segmentation fault (core dumped)

Running it in gdb, the crash location appears to be in ld-2.25.so:

# gdb -q ./patched_memtest
Reading symbols from ./patched_memtest...done.
(gdb) r
Starting program: /root/work/patched_memtest 
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.

Program received signal SIGSEGV, Segmentation fault.
0x000059006b2a1f3e in ?? ()
(gdb) bt
#0  0x000059006b2a1f3e in ?? ()
#1  0x0000000000000000 in ?? ()
(gdb) info proc map
process 5214
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x3ff000           0x400000     0x1000        0x0 /root/work/patched_memtest
            0x400000           0x402000     0x2000        0x0 /root/work/libcpuidoverride/libcpuidoverride.so
            0x602000           0x603000     0x1000     0x2000 /root/work/libcpuidoverride/libcpuidoverride.so
      0x59006b2a0000     0x59006b2c6000    0x26000        0x0 /usr/lib64/ld-2.25.so
      0x59006b4c5000     0x59006b4c7000     0x2000    0x25000 /usr/lib64/ld-2.25.so
      0x59006b4c8000     0x59006b4c9000     0x1000        0x0 
      0x7ffff7ffa000     0x7ffff7ffd000     0x3000        0x0 [vvar]
      0x7ffff7ffd000     0x7ffff7fff000     0x2000        0x0 [vdso]
      0x7ffffffde000     0x7ffffffff000    0x21000        0x0 [stack]
  0xffffffffff600000 0xffffffffff601000     0x1000        0x0 [vsyscall]

Any idea what could be wrong here?

ashu-mehra, Jan 11 '22 15:01

Some more info: I tried the cpuid example mentioned in the README of this repo and it failed as well on the Fedora 26 VM. It worked fine on the Fedora 30 VM (glibc 2.29); however, my test C program didn't work and crashed with a seg fault. No core is generated, but I do see the following in /var/log/messages:

Jan 11 17:25:46 localhost audit[16315]: ANOM_ABEND auid=0 uid=0 gid=0 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=16315 comm="patched_memtest" exe="/root/work/patched_memtest" sig=11 res=1
Jan 11 17:25:46 localhost kernel: 16315 (patched_memtest): Uhuuh, elf segment at 0000000000400000 requested but the memory is mapped already

ashu-mehra, Jan 11 '22 21:01
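The kernel line quoted in that comment (an ELF segment at a fixed address requested while that memory is already mapped) names a condition worth checking before digging into the custom loader: load_elf_binary maps the executable's PT_LOAD segments first and only afterwards maps the program interpreter, so an interpreter that is itself a fixed-address (ET_EXEC) image whose PT_LOAD ranges overlap the executable's cannot be placed without colliding with it. Kernels that map with plain MAP_FIXED silently overwrite the earlier mapping; kernels that use MAP_FIXED_NOREPLACE refuse and log the message above. The script below is an added example, not code from libcpuidoverride or from the reporter; it parses the ELF64 headers of an executable and its interpreter and reports page ranges that overlap. The sample images, their addresses and the helper names are constructed for the demo.

```python
"""Check whether an ELF program interpreter set with `patchelf --set-interpreter`
can collide with the executable it is supposed to load.

Added example, not part of libcpuidoverride. Handles little-endian ELF64 only.
"""
import struct
import sys
from typing import Dict, List, Tuple

ET_EXEC, ET_DYN = 2, 3
PT_LOAD = 1
PAGE = 0x1000

Range = Tuple[int, int]  # [start, end) virtual address range


def elf64_load_segments(data: bytes) -> Tuple[int, List[Range]]:
    """Return (e_type, [(p_vaddr, p_vaddr + p_memsz), ...]) for every PT_LOAD."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)      # e_type
    (e_phoff,) = struct.unpack_from("<Q", data, 32)     # e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    segs: List[Range] = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, off)
        if p_type != PT_LOAD:
            continue
        (p_vaddr,) = struct.unpack_from("<Q", data, off + 16)
        (p_memsz,) = struct.unpack_from("<Q", data, off + 40)
        segs.append((p_vaddr, p_vaddr + p_memsz))
    return e_type, segs


def page_align(r: Range) -> Range:
    """The kernel maps whole pages, so compare page-rounded ranges."""
    start, end = r
    return start & ~(PAGE - 1), (end + PAGE - 1) & ~(PAGE - 1)


def check_interp_conflicts(exe: bytes, interp: bytes) -> Dict[str, object]:
    """Report fixed-address PT_LOAD ranges of `interp` that overlap those of `exe`.

    Only an ET_EXEC interpreter asks for fixed addresses; an ET_DYN one is
    relocated to a free base by the kernel, so no overlap is computed for it.
    """
    exe_type, exe_segs = elf64_load_segments(exe)
    interp_type, interp_segs = elf64_load_segments(interp)
    conflicts: List[Tuple[Range, Range]] = []
    if interp_type == ET_EXEC and exe_type == ET_EXEC:
        for a in map(page_align, exe_segs):
            for b in map(page_align, interp_segs):
                if a[0] < b[1] and b[0] < a[1]:  # half-open intervals intersect
                    conflicts.append((a, b))
    return {"exe_type": exe_type, "interp_type": interp_type,
            "interp_fixed": interp_type == ET_EXEC, "conflicts": conflicts}


def build_elf64(e_type: int, loads: List[Tuple[int, int]]) -> bytes:
    """Construct a header-only ELF64 image (not runnable) for the demo below."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    # e_type, e_machine(x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(loads), 64, 0, 0)
    # p_type, p_flags(rx), p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, va, va, sz, sz, PAGE)
                     for va, sz in loads)
    return ehdr + phdrs


# Constructed samples, loosely modelled on the addresses in the map above;
# these are not the reporter's real files.
SAMPLE_EXE = build_elf64(ET_EXEC, [(0x400000, 0x800), (0x600E00, 0x300)])
SAMPLE_FIXED_INTERP = build_elf64(ET_EXEC, [(0x400000, 0x2000), (0x602000, 0x1000)])
SAMPLE_PIE_INTERP = build_elf64(ET_DYN, [(0x0, 0x2000), (0x202000, 0x1000)])


def report(exe: bytes, interp: bytes) -> str:
    res = check_interp_conflicts(exe, interp)
    kind = "ET_EXEC (fixed addresses)" if res["interp_fixed"] else "ET_DYN (relocatable)"
    lines = [f"interpreter is {kind}"]
    for a, b in res["conflicts"]:  # type: ignore[union-attr]
        lines.append(f"CONFLICT: exe {a[0]:#x}-{a[1]:#x} overlaps interp {b[0]:#x}-{b[1]:#x}")
    if not res["conflicts"]:
        lines.append("no fixed-address overlap found")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            print(report(f1.read(), f2.read()))
    else:
        print(report(SAMPLE_EXE, SAMPLE_FIXED_INTERP))
        print(report(SAMPLE_EXE, SAMPLE_PIE_INTERP))
```

Run it as `python3 check_interp.py patched_memtest libcpuidoverride.so`; with no arguments it runs against the constructed samples. A non-empty conflict list means the two files cannot both be mapped at the addresses they ask for, whatever the distro or glibc version, and that is the kind of layout to look for when the process map shows the interpreter sitting directly against a one-page remnant of the executable.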

I'm not familiar with Fedora and haven't done any testing with it. You could try installing debugging symbols for binutils to get a more useful stack trace and see where it's crashing. This library uses a custom ELF loader that I haven't tested with very many input programs, so that could be where the issue is.

ddcc, Jan 12 '22 07:01

@ddcc which distros is this library known to work on? Ubuntu? I can try using that and do some comparison which may help debugging this issue.

ashu-mehra, Jan 12 '22 21:01

I originally developed this on Ubuntu, probably the 20.04 LTS version but I don't recall exactly. However, I haven't tested it recently, so it's possible that changes in newer glibc are the reason it's crashing.

ddcc, Jan 13 '22 04:01

It is crashing both on Fedora 36 x86_64 (glibc-2.35-22.fc36.x86_64) and Debian 12 x86_64 (libc6 2.36-8).

jankratochvil, Mar 07 '23 13:03