> Maybe a different bug that passes a *wrong* size argument somehow > that would under-allocate tmp? mid underflow? right >= xt[af].cur? If I am interpreting this correctly, at the time of the panic (at 7c, the load of tmp[mid].offset) "right" is 0x2580249 (in ECX); it originally comes from xt[af].cur via: 59: 48 6b ff 70 imul $0x70,%rdi,%rdi 5d: 48 03 3d 00 00 00 00 add 0x0(%rip),%rdi ... 67: 8b 4f 6c mov 0x6c(%rdi),%ecx ... 6e: ff c9 dec %ecx and is possibly modified later in the loop (the "right = mid - 1" at 91). With "right" that large, mid indexes tmp far past the entries that were actually allocated, which is consistent with the fault on that load. xt[af].cur is set to 0 in xt_compat_init_offsets(). Is it also guaranteed to be 0 if xt_compat_init_offsets() is skipped? 000000000000004d <xt_compat_calc_jump>: } } EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); int xt_compat_calc_jump(u_int8_t af, unsigned int offset) { 4d: e8 00 00 00 00 callq 52 <xt_compat_calc_jump+0x5> struct compat_delta *tmp = xt[af].compat_tab; 52: 40 0f b6 ff movzbl %dil,%edi } } EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); int xt_compat_calc_jump(u_int8_t af, unsigned int offset) { 56: 55 push %rbp struct compat_delta *tmp = xt[af].compat_tab; int mid, left = 0, right = xt[af].cur - 1; 57: 31 c0 xor %eax,%eax } EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); int xt_compat_calc_jump(u_int8_t af, unsigned int offset) { struct compat_delta *tmp = xt[af].compat_tab; 59: 48 6b ff 70 imul $0x70,%rdi,%rdi 5d: 48 03 3d 00 00 00 00 add 0x0(%rip),%rdi # 64 <xt_compat_calc_jump+0x17> } } EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); int xt_compat_calc_jump(u_int8_t af, unsigned int offset) { 64: 48 89 e5 mov %rsp,%rbp struct compat_delta *tmp = xt[af].compat_tab; int mid, left = 0, right = xt[af].cur - 1; 67: 8b 4f 6c mov 0x6c(%rdi),%ecx } EXPORT_SYMBOL_GPL(xt_compat_flush_offsets); int xt_compat_calc_jump(u_int8_t af, unsigned int offset) { struct compat_delta *tmp = xt[af].compat_tab; 6a: 4c 8b 47 60 mov 0x60(%rdi),%r8 int mid, left = 0, right = xt[af].cur - 1; 6e: ff c9 dec %ecx while (left <= right) { 70: 39 c8 cmp %ecx,%eax 72: 7f 2f jg a3 <xt_compat_calc_jump+0x56> mid = (left + right) >> 1; 74: 8d 14 
08 lea (%rax,%rcx,1),%edx 77: d1 fa sar %edx if (offset > tmp[mid].offset) 79: 48 63 fa movslq %edx,%rdi 7c: 41 39 34 f8 cmp %esi,(%r8,%rdi,8) 80: 4c 8d 0c fd 00 00 00 lea 0x0(,%rdi,8),%r9 87: 00 88: 73 05 jae 8f <xt_compat_calc_jump+0x42> left = mid + 1; 8a: 8d 42 01 lea 0x1(%rdx),%eax 8d: eb e1 jmp 70 <xt_compat_calc_jump+0x23> else if (offset < tmp[mid].offset) 8f: 76 05 jbe 96 <xt_compat_calc_jump+0x49> right = mid - 1; 91: 8d 4a ff lea -0x1(%rdx),%ecx 94: eb da jmp 70 <xt_compat_calc_jump+0x23> else return mid ? tmp[mid - 1].delta : 0; 96: 31 c0 xor %eax,%eax 98: 85 d2 test %edx,%edx 9a: 74 12 je ae <xt_compat_calc_jump+0x61> 9c: 43 8b 44 08 fc mov -0x4(%r8,%r9,1),%eax a1: eb 0b jmp ae <xt_compat_calc_jump+0x61> } return left ? tmp[left - 1].delta : 0; a3: 85 c0 test %eax,%eax a5: 74 07 je ae <xt_compat_calc_jump+0x61> a7: 48 98 cltq a9: 41 8b 44 c0 fc mov -0x4(%r8,%rax,8),%eax } ae: 5d pop %rbp af: c3 retq