Skip to content
GitLab
Closed
Issue created by Derek Bruening@derekbrueningContributor

APP CRASH on sysenter after vsyscall hook fails in 32-bit apps on Ubuntu20

Running any Dr. Memory test app, including tests/hello, and presumably any 32-bit app at all (but then why doesn't every single test fail in the DR and DrM suites??), we have an app crash:

bruening@ubuntu:~/drmemory/git/build_x86_dbg_tests$ dynamorio/bin32/drrun -- tests/hello
<Starting application /home/bruening/drmemory/git/build_x86_dbg_tests/tests/hello (35741)>
<Initial options = -no_dynamic_options -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/home/bruening/drmemory/git/build_x86_dbg_tests/dynamorio/lib32/debug/libdynamorio.so' 0xf7b9f000
>
<spurious rep/repne prefix @0xf7b48dd0 (f3 0f 1e fb): >
<(1+x) Handling our fault in a TRY at 0xf7db56fd>
<Application tried to execute from unreadable memory 0x00000000.
This may be a result of an unsuccessful attack or a potential application vulnerability.>
<Application /home/bruening/drmemory/git/build_x86_dbg_tests/tests/hello (35741).  Application exception at PC 0xf7b7e549.  
Signal 11 delivered to application as default action.
Callstack:
	0xf7b7e549   <[vdso]+0x549>
>
<Stopping application /home/bruening/drmemory/git/build_x86_dbg_tests/tests/hello (35741)>
Segmentation fault (core dumped)
interp: start_pc = 0xf7a251dd
check_thread_vm_area: pc = 0xf7a251dd
prepend_entry_to_fraglist: putting fragment @0xf7a251dd (shared) on vmarea 0xf794e000-0xf7aa6000
check_thread_vm_area: check_stop = 0xf7aa6000
  0xf7a251dd  8b 4c 24 20          mov    0x20(%esp)[4byte] -> %ecx
  0xf7a251e1  b8 27 01 00 00       mov    $0x00000127 -> %eax
  0xf7a251e6  bb 9c ff ff ff       mov    $0xffffff9c -> %ebx
  0xf7a251eb  65 ff 15 10 00 00 00 call   %gs:0x10[4byte] %esp -> %esp 0xfffffffc(%esp)[4byte]
mbr exit target = 0x4bfa1640
end_pc = 0xf7a251f2

interp: start_pc = 0xf7b65540
check_thread_vm_area: pc = 0xf7b65540
new shared vm area: 0xf7b65000-0xf7b67000 ---- VDSO linux-gate.so.1
checking thread vmareas against executable_areas
prepend_entry_to_fraglist: putting fragment @0xf7b65540 (shared) on vmarea 0xf7b65000-0xf7b67000
check_thread_vm_area: check_stop = 0xf7b67000
  0xf7b65540  51                   push   %ecx %esp -> %esp 0xfffffffc(%esp)[4byte]
  0xf7b65541  52                   push   %edx %esp -> %esp 0xfffffffc(%esp)[4byte]
  0xf7b65542  55                   push   %ebp %esp -> %esp 0xfffffffc(%esp)[4byte]
  0xf7b65543  89 e5                mov    %esp -> %ebp
  0xf7b65545  0f 34                sysenter  -> %esp
interp: syscall @ 0xf7b65545
find_syscall_num: never found write of syscall number
syscall # is -1
found non-ignorable system call 0xffffffff
ending bb at syscall & removing the interrupt itself
end_pc = 0xf7b65547

fcache_enter = 0x4bfa0e80, target = 0x4bfb45dc
Exit from F1856(0xf7b65540).0x4bfb45e1 (shared) 
 (block ends with syscall)
Entry into do_syscall to execute a non-ignorable system call
system call 295
fcache_enter = 0x4c017e80, target = 0x4c018240
Exit from system call
post syscall: sysnum=0x00000127, result=0x00000003 (3)
adjust_syscall_continuation: asynch_target => 0xf7b65549
finished handling system call

d_r_dispatch: target = 0xf7b65549

interp: start_pc = 0x00000000
check_thread_vm_area: pc = 0x00000000
application tried to execute from unreadable 0x00000000 is_allocated_mem=0 prot=0x0
Thread 35406 call stack:
SYSLOG_WARNING: Application tried to execute from unreadable memory 0x00000000.

Presumably it's related to this but it's not immediately clear why it went to 0:

Found vsyscall @ 0xf7b65545 => page 0xf7b65000, post 0xf7b65547
Unable to hook vsyscall page; falling back on int

The layout is not what our hook code expects:

(gdb) x/25i 0xf7fcf540
   0xf7fcf540 <__kernel_vsyscall>:	push   %ecx
   0xf7fcf541 <__kernel_vsyscall+1>:	push   %edx
   0xf7fcf542 <__kernel_vsyscall+2>:	push   %ebp
   0xf7fcf543 <__kernel_vsyscall+3>:	mov    %esp,%ebp
   0xf7fcf545 <__kernel_vsyscall+5>:	sysenter 
   0xf7fcf547 <__kernel_vsyscall+7>:	int    $0x80
   0xf7fcf549 <__kernel_vsyscall+9>:	pop    %ebp
   0xf7fcf54a <__kernel_vsyscall+10>:	pop    %edx
   0xf7fcf54b <__kernel_vsyscall+11>:	pop    %ecx
   0xf7fcf54c <__kernel_vsyscall+12>:	ret    
   0xf7fcf54d:	nop
   0xf7fcf54e:	nop
   0xf7fcf54f:	nop
   0xf7fcf550:	nop
   0xf7fcf551:	lea    0x0(%esi,%eiz,1),%esi
   0xf7fcf558:	lea    0x0(%esi,%eiz,1),%esi
   0xf7fcf55f:	nop
   0xf7fcf560 <__kernel_sigreturn>:	pop    %eax
   0xf7fcf561 <__kernel_sigreturn+1>:	mov    $0x77,%eax
   0xf7fcf566 <__kernel_sigreturn+6>:	int    $0x80
   0xf7fcf568 <__kernel_sigreturn+8>:	nop
   0xf7fcf569:	lea    0x0(%esi,%eiz,1),%esi
   0xf7fcf570 <__kernel_rt_sigreturn>:	mov    $0xad,%eax
   0xf7fcf575 <__kernel_rt_sigreturn+5>:	int    $0x80
   0xf7fcf577 <__kernel_rt_sigreturn+7>:	nop