<div dir="ltr"><div dir="ltr">On Fri, Nov 6, 2020 at 4:25 AM Michael Ellerman <<a href="mailto:mpe@ellerman.id.au">mpe@ellerman.id.au</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">So something seems to have gone wrong linking this, I see eg:<br>
<br>
0000000010004a8c <syscall_random>:<br>
10004a8c: 2b 10 40 3c lis r2,4139<br>
10004a90: 88 f7 42 38 addi r2,r2,-2168<br>
10004a94: a6 02 08 7c mflr r0<br>
10004a98: 10 00 01 f8 std r0,16(r1)<br>
10004a9c: f8 ff e1 fb std r31,-8(r1)<br>
10004aa0: 81 ff 21 f8 stdu r1,-128(r1)<br>
10004aa4: 78 0b 3f 7c mr r31,r1<br>
10004aa8: 60 00 7f f8 std r3,96(r31)<br>
10004aac: 68 00 9f f8 std r4,104(r31)<br>
10004ab0: 00 00 00 60 nop<br>
10004ab4: 30 80 22 e9 ld r9,-32720(r2)<br>
10004ab8: 00 00 a9 2f cmpdi cr7,r9,0<br>
10004abc: 30 00 9e 41 beq cr7,10004aec <syscall_random+0x60><br>
10004ac0: 60 00 7f e8 ld r3,96(r31)<br>
10004ac4: 68 00 9f e8 ld r4,104(r31)<br>
10004ac8: 39 b5 ff 4b bl 10000000 <_init-0x1f00><br>
<br>
Notice that last bl (branch and link) to 0x10000000. But there's no text<br>
at 0x10000000, that's the start of the page which happens to be the ELF<br>
magic.<br>
<br>
I've seen something like this before, but I can't remember when/where so<br>
I haven't been able to track down what the problem was.<br>
<br>
Anyway hopefully someone on the list will know.<br>
<br>
That still doesn't explain the kernel crash though.<br></blockquote><div><br></div>Interesting. Sounds highly unlikely that the linker would have picked<br>that address at random, but it makes no sense. And, agreed, jumping<br>into junk should crash the program, not the kernel.<br><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On my machine it doesn't crash the kernel, so I can catch it later. For<br>
me it's here:<br>....</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
ie. in the syscall_random() that I mentioned above.<br>
<br>
You should be able to catch it there too if you do:<br>
<br>
(gdb) b *0x10000000<br>
(gdb) r<br>
<br>
Hopefully it will stop without crashing the kernel, and then a `bt` will<br>
show that you're in the same place as me.<br>
<br>
If you can get that to work, when you're stopped there, can you do an<br>
`info registers` and send us the output.<br></blockquote></div><div><br></div><div>Indeed, setting the breakpoint you suggested works, and the stack looks almost the same - only differences are a few bits off in main's argv pointer, rand_drbg_get_entropy's pout pointer, and the final address - you get 0x0000000010000004, I get 0x0000000010000000. Output, including "info registers", below. Hoping they provide some useful clues. Thanks again for looking into this.<br><br># gdb --args /tmp/ossl/rand_test<br>...<br>(gdb) b *0x10000000<br>Breakpoint 1 at 0x10000000<br>(gdb) r<br>Starting program: /tmp/ossl/rand_test <br><br>Breakpoint 1, 0x0000000010000000 in ?? ()<br>(gdb) bt<br>#0 0x0000000010000000 in ?? ()<br>#1 0x0000000010004acc in syscall_random (buf=0x102b0730, buflen=32) at crypto/rand/rand_unix.c:371<br>#2 0x00000000100053fc in rand_pool_acquire_entropy (pool=0x102b06e0) at crypto/rand/rand_unix.c:636<br>#3 0x0000000010002b58 in rand_drbg_get_entropy (drbg=0x102b02e0, pout=0x7fffffffecf0, entropy=256, min_len=32, <br> max_len=2147483647, prediction_resistance=0) at crypto/rand/rand_lib.c:198<br>#4 0x000000001001ed9c in RAND_DRBG_instantiate (drbg=0x102b02e0, <br> pers=0x10248d00 <ossl_pers_string> "OpenSSL NIST SP 800-90A DRBG", perslen=28) at crypto/rand/drbg_lib.c:338<br>#5 0x0000000010020300 in drbg_setup (parent=0x0) at crypto/rand/drbg_lib.c:895<br>#6 0x0000000010020414 in do_rand_drbg_init () at crypto/rand/drbg_lib.c:924<br>#7 0x000000001002034c in do_rand_drbg_init_ossl_ () at crypto/rand/drbg_lib.c:909<br>#8 0x0000000010005d1c in CRYPTO_THREAD_run_once (once=0x102ab4d8 <rand_drbg_init>, <br> init=0x1002032c <do_rand_drbg_init_ossl_>) at crypto/threads_none.c:70<br>#9 0x00000000100209c4 in RAND_DRBG_get0_master () at crypto/rand/drbg_lib.c:1102<br>#10 0x0000000010020914 in drbg_status () at crypto/rand/drbg_lib.c:1084<br>#11 0x0000000010004a58 in RAND_status () at crypto/rand/rand_lib.c:961<br>#12 0x0000000010002890 in main (argc=1, 
argv=0x7ffffffff368) at rand_test.c:6<br>(gdb) info registers<br>r0 0x100053fc 268456956<br>r1 0x7fffffffeaf0 140737488349936<br>r2 0x102af788 271251336<br>r3 0x102b0730 271255344<br>r4 0x20 32<br>r5 0x30 48<br>r6 0x102b0760 271255392<br>r7 0x1 1<br>r8 0x0 0<br>r9 0x7fffb7dacc00 140736277957632<br>r10 0x102b0730 271255344<br>r11 0x10 16<br>r12 0x7fffb7e19280 140736278401664<br>r13 0x7fffb7ffa100 140736280371456<br>r14 0x0 0<br>r15 0x0 0<br>r16 0x0 0<br>r17 0x0 0<br>r18 0x0 0<br>r19 0x0 0<br>r20 0x0 0<br>r21 0x0 0<br>r22 0x0 0<br>r23 0x0 0<br>r24 0x0 0<br>r25 0x0 0<br>r26 0x0 0<br>r27 0x7fffb7fef4b8 140736280327352<br>r28 0x7fffb7ff0000 140736280330240<br>r29 0x0 0<br>r30 0x0 0<br>r31 0x7fffffffeaf0 140737488349936<br>pc 0x10000000 0x10000000<br>msr 0x800000010002d033 9223372041149927475<br>cr 0x44000844 1140852804<br>lr 0x10004acc 0x10004acc <syscall_random+64><br>ctr 0x0 0<br>xer 0x20000000 536870912<br>fpscr 0x0 0<br>vscr 0x0 0<br>vrsave 0xffffffff -1<br>ppr 0xc000000000000 3377699720527872<br>dscr 0x0 0<br>tar 0x0 0<br>bescr <unavailable><br>ebbhr <unavailable><br>ebbrr <unavailable><br>mmcr0 0x0 0<br>mmcr2 0x0 0<br>siar 0x0 0<br>sdar 0x0 0<br>sier 0x0 0<br>tfhar 0x0 0<br>texasr 0x0 0<br>tfiar 0x0 0<br>cr0 <unavailable><br>cr1 <unavailable><br>cr2 <unavailable><br>cr3 <unavailable><br>cr4 <unavailable><br>cr5 <unavailable><br>cr6 <unavailable><br>cr7 <unavailable><br>cr8 <unavailable><br>cr9 <unavailable><br>cr10 <unavailable><br>cr11 <unavailable><br>cr12 <unavailable><br>cr13 <unavailable><br>cr14 <unavailable><br>cr15 <unavailable><br>cr16 <unavailable><br>cr17 <unavailable><br>cr18 <unavailable><br>cr19 <unavailable><br>cr20 <unavailable><br>cr21 <unavailable><br>cr22 <unavailable><br>cr23 <unavailable><br>cr24 <unavailable><br>cr25 <unavailable><br>cr26 <unavailable><br>cr27 <unavailable><br>cr28 <unavailable><br>cr29 <unavailable><br>cr30 <unavailable><br>cr31 <unavailable><br>ccr <unavailable><br>cxer <unavailable><br>clr <unavailable><br>cctr 
<unavailable><br>cfpscr <unavailable><br>cvscr <unavailable><br>cvrsave <unavailable><br>cppr <unavailable><br>cdscr <unavailable><br>ctar <unavailable><br>orig_r3 0x10004ac8 268454600<br>trap 0x700 1792<br>(gdb) </div><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Carl Jacobsen<div>Storix, Inc.</div></div></div></div>
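As an added triage check (not from the mail, and not OpenSSL's or the toolchain's code), a small Python script that parses an objdump -d listing and flags every `bl` whose target is not the start of a known function or that lands on the image base, which is exactly where the quoted `bl 10000000` call goes. The listing is a constructed sample built from the quoted syscall_random disassembly plus a hypothetical helper_fn; the byte columns on the added lines are placeholders.

```python
"""Flag PowerPC64 `bl` targets in an objdump -d listing that land outside
any function start, e.g. on the ELF image base where the ELF magic lives."""
import re

# Constructed sample: lines from the quoted syscall_random listing plus a
# hypothetical helper_fn. Byte columns on the added lines are placeholders.
SAMPLE = """\
0000000010004a8c <syscall_random>:
10004a8c: 2b 10 40 3c lis r2,4139
10004a90: 88 f7 42 38 addi r2,r2,-2168
10004abc: 30 00 9e 41 beq cr7,10004aec <syscall_random+0x60>
10004ac8: 39 b5 ff 4b bl 10000000 <_init-0x1f00>
10004acc: 00 00 00 60 nop

0000000010005000 <helper_fn>:
10005000: 00 00 00 60 nop
10005004: 00 00 00 48 bl 10004a8c <syscall_random>
"""

# "<addr> <name>:" symbol header and "<addr>: <4 bytes> bl <target>" lines
SYM_RE = re.compile(r"^([0-9a-f]+)\s+<([^>]+)>:$")
BL_RE = re.compile(r"^([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+){4}bl\s+([0-9a-f]+)")


def parse(listing):
    """Return (symbols, calls): function start address by name, and a list
    of (caller_addr, target_addr) pairs, one per bl instruction."""
    syms, calls = {}, []
    for line in listing.splitlines():
        m = SYM_RE.match(line)
        if m:
            syms[m.group(2)] = int(m.group(1), 16)
            continue
        m = BL_RE.match(line)
        if m:
            calls.append((int(m.group(1), 16), int(m.group(2), 16)))
    return syms, calls


def suspicious_calls(listing, image_base):
    """bl targets that hit the image base (the ELF header, never valid
    code) or that do not coincide with the start of any listed function."""
    syms, calls = parse(listing)
    starts = set(syms.values())
    return [(c, t) for c, t in calls if t == image_base or t not in starts]
```

Run it over the full `objdump -d` output of the binary with the load address from `info proc mappings` (or 0x10000000 for a standard non-PIE ppc64 executable) to list every call site that needs a closer look.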