Re: fuzzing crash(8)

----- "Dave Anderson" <anderson@xxxxxxxxxx> wrote:

I did the same thing to a vmcore (i.e. handcrafting the PT_NOTE
segment's p_offset field like you did), and was able to get the
crash session up with the attached patch.

Does it work for you?

Dave


Index: netdump.c
===================================================================
RCS file: /nfs/projects/cvs/crash/netdump.c,v
retrieving revision 1.93
diff -u -r1.93 netdump.c
--- netdump.c	29 Oct 2009 15:45:34 -0000	1.93
+++ netdump.c	1 Dec 2009 15:18:12 -0000
@@ -694,6 +694,9 @@
                 else
                         note32 = (Elf32_Nhdr *)nd->nt_prstatus;
 
+		if (!note32)
+			goto panic_task_undetermined;
+
 	        len = sizeof(Elf32_Nhdr);
 	        len = roundup(len + note32->n_namesz, 4);
 	        len = roundup(len + note32->n_descsz, 4);
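Review bot: the new NULL check on `note32` correctly sits before the first dereference (`note32->n_namesz` on the following context line), but the target label `panic_task_undetermined` is not in the visible context; confirm it exists in this function and that reaching it from this point leaves any earlier-set state (such as `len`) unused downstream. The added lines are tab-indented while the adjacent context lines use spaces; match the file's existing indentation so the hunk does not introduce mixed whitespace.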
@@ -738,6 +741,9 @@
                 else
                         note64 = (Elf64_Nhdr *)nd->nt_prstatus;
 
+		if (!note64)
+			goto panic_task_undetermined;
+
 	        len = sizeof(Elf64_Nhdr);
 	        len = roundup(len + note64->n_namesz, 4);
 		user_regs = (char *)((char *)note64 + len +
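Review bot: this is the 64-bit twin of the previous hunk and the placement is right, since `note64` is dereferenced both in the `roundup` call and in the `user_regs` computation that follows; the same caveats apply (verify `panic_task_undetermined` is reachable from both paths and fix the tab-versus-space indentation of the added lines). Since the 32-bit and 64-bit blocks are now identical except for the type, a short comment at one of them saying why `nt_prstatus` can be NULL (a crafted or truncated PT_NOTE segment, per the mail) would help the next reader.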
@@ -1577,11 +1583,10 @@
         ptr = (char *)note + sizeof(Elf32_Nhdr);
 
 	if (ptr > (nd->elf_header + nd->header_size)) {
-		if (CRASHDEBUG(1))
-			error(WARNING, 
-		    	    "Elf32_Nhdr pointer: %lx ELF header end: %lx\n",
-				(char *)note, nd->elf_header + nd->header_size);
-		remaining = 0;
+		error(WARNING, 
+	    	    "Elf32_Nhdr pointer: %lx ELF header end: %lx\n",
+			(char *)note, nd->elf_header + nd->header_size);
+		return 0;
 	} else
 		remaining = (uint64_t)((nd->elf_header + nd->header_size) - ptr);
 
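Review bot: with `return 0` replacing `remaining = 0`, the `} else` on the following context line is now redundant and the `remaining = ...` assignment can simply follow the `if` block. The warning that is now printed unconditionally keeps the pre-existing format/argument mismatch: `(char *)note` and `nd->elf_header + nd->header_size` are pointers passed to `%lx`; use `%p` or cast them to `unsigned long` so the message is well-defined on every target. Also note the check only establishes that the `Elf32_Nhdr` itself lies inside the ELF header; the `n_namesz`/`n_descsz` values it contains still need to be bounded against `remaining` before they are used, which is outside this hunk but worth confirming.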
@@ -1796,11 +1801,10 @@
 	xen_core = vmcoreinfo = FALSE;
 
 	if (ptr > (nd->elf_header + nd->header_size)) {
-		if (CRASHDEBUG(1))
-			error(WARNING, 
-		    	    "Elf64_Nhdr pointer: %lx  ELF header end: %lx\n\n",
-				(char *)note, nd->elf_header + nd->header_size);
-		remaining = 0;
+		error(WARNING, 
+	    	    "Elf64_Nhdr pointer: %lx  ELF header end: %lx\n\n",
+			(char *)note, nd->elf_header + nd->header_size);
+		return 0;
 	} else
 		remaining = (uint64_t)((nd->elf_header + nd->header_size) - ptr);
 
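Review bot: same points as the 32-bit hunk (`} else` is now dead, and `%lx` is being handed pointer arguments), plus the two messages have drifted apart: this one has two spaces before "ELF header end" and ends in "\n\n", while the Elf32 variant uses a single space and a single newline. Unify the wording so log output is consistent across 32- and 64-bit dumps.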
--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/crash-utility
