Bug#1018061: pads: segfault at 3a ip
Hello Tim,
I tried to have a look at those two dmesg lines and it seems
they point to the function print_arp_asset_screen, line 115 [1],
where parameter rec is dereferenced unconditionally.
However, if it would be possible to install systemd-coredump then
a backtrace of those crashes should be printed to the journal.
This would give a way better information as the two dmesg lines alone,
as it would also show the functions calling print_arp_asset_screen
and therefore leading to the crash.
The link [2] might give some more hints to collect
more information for the maintainer.
Kind regards,
Bernhard
[1] https://sources.debian.org/src/pads/1.2-13/src/output/output-screen.c/#L115
112 print_arp_asset_screen (ArpAsset *rec)
113 {
114 /* Print to Screen */
115 if(rec->mac_resolved != NULL) {
116 fprintf(stdout, "[*] Asset Found: IP Address - %s / MAC Address - %s (%s)\n",
[2] https://wiki.debian.org/HowToGetABacktrace
# 2022-09-27 Bookworm/testing qemu amd64 VM
apt install systemd-coredump mc gdb pads pads-dbgsym
apt build-dep pads
mkdir /home/benutzer/source/pads/orig -p
cd /home/benutzer/source/pads/orig
apt source pads
cd
https://wiki.debian.org/InterpretingKernelOutputAtProcessCrash
[87486.873713] pads[2092050]: segfault at 3a ip 00005569c2dadb64 sp 00007ffc6ce82ed0 error 4 in pads[5569c2da6000+9000]
[87486.873733] Code: 23 00 00 be 01 00 00 00 0f b7 c9 e8 46 85 ff ff 58 31 c0 5a 5b 5d 41 5c c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 41 54 55 53 <48> 8b 47 10 48 89 fb 48 83 c7 04 48 85 c0 74 44 4c 8b 60 08 e8 b3
error 4 == 0b00000100
* bit 0 == 0: no page found
* bit 1 == 0: read access
* bit 2 == 1: user-mode access
echo -n "find /b ..., ..., 0x" && \
echo "23 00 00 be 01 00 00 00 0f b7 c9 e8 46 85 ff ff 58 31 c0 5a 5b 5d 41 5c c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 41 54 55 53 <48> 8b 47 10 48 89 fb 48 83 c7 04 48 85 c0 74 44 4c 8b 60 08 e8 b3" \
| sed 's/[<>]//g' | sed 's/ /, 0x/g'
benutzer@debian:~$ gdb -q
(gdb) set width 0
(gdb) set pagination off
(gdb) file /usr/bin/pads
Reading symbols from /usr/bin/pads...
Reading symbols from /usr/lib/debug/.build-id/56/25dea5149cbe3b93f99e31e95d4e8920ce5a73.debug...
(gdb) b main
Breakpoint 1 at 0x2470: file ./src/pads.c, line 486.
(gdb) run
Starting program: /usr/bin/pads
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, main (argc=1, argv=0x7fffffffe5a8) at ./src/pads.c:486
486 ./src/pads.c: Datei oder Verzeichnis nicht gefunden.
(gdb) directory /home/benutzer/source/pads/orig/pads-1.2
Source directories searched: /home/benutzer/source/pads/orig/pads-1.2:$cdir:$cwd
(gdb) dele 1
(gdb) pipe info target | grep ".text"
0x0000555555556460 - 0x000055555555e8a1 is .text
0x00007ffff7fcc050 - 0x00007ffff7ff0391 is .text in /lib64/ld-linux-x86-64.so.2
0x00007ffff7fc96c0 - 0x00007ffff7fc9d1d is .text in system-supplied DSO at 0x7ffff7fc9000
0x00007ffff7f4b1e0 - 0x00007ffff7f9f322 is .text in /lib/x86_64-linux-gnu/libpcre.so.3
0x00007ffff7f038b0 - 0x00007ffff7f29c4e is .text in /lib/x86_64-linux-gnu/libpcap.so.0.8
0x00007ffff7c28380 - 0x00007ffff7d94e9d is .text in /lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7ef9040 - 0x00007ffff7ef9101 is .text in /lib/x86_64-linux-gnu/libpthread.so.0
0x00007ffff7eb0e30 - 0x00007ffff7edf098 is .text in /lib/x86_64-linux-gnu/libdbus-1.so.3
0x00007ffff7b46af0 - 0x00007ffff7bc241c is .text in /lib/x86_64-linux-gnu/libsystemd.so.0
0x00007ffff7e973d0 - 0x00007ffff7e9a4b6 is .text in /lib/x86_64-linux-gnu/libcap.so.2
0x00007ffff79f7580 - 0x00007ffff7ae0128 is .text in /lib/x86_64-linux-gnu/libgcrypt.so.20
0x00007ffff7e6f510 - 0x00007ffff7e865b2 is .text in /lib/x86_64-linux-gnu/liblzma.so.5
0x00007ffff7934740 - 0x00007ffff79d0636 is .text in /lib/x86_64-linux-gnu/libzstd.so.1
0x00007ffff7e493e0 - 0x00007ffff7e66437 is .text in /lib/x86_64-linux-gnu/liblz4.so.1
0x00007ffff7e206c0 - 0x00007ffff7e3600e is .text in /lib/x86_64-linux-gnu/libgpg-error.so.0
(gdb) find /b 0x0000555555556460, 0x000055555555e8a1, 0x23, 0x00, 0x00, 0xbe, 0x01, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0xc9, 0xe8, 0x46, 0x85, 0xff, 0xff, 0x58, 0x31, 0xc0, 0x5a, 0x5b, 0x5d, 0x41, 0x5c, 0xc3, 0x66, 0x66, 0x2e, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x90, 0x41, 0x54, 0x55, 0x53, 0x48, 0x8b, 0x47, 0x10, 0x48, 0x89, 0xfb, 0x48, 0x83, 0xc7, 0x04, 0x48, 0x85, 0xc0, 0x74, 0x44, 0x4c, 0x8b, 0x60, 0x08, 0xe8, 0xb3
0x55555555db3a <print_asset_screen+74>
1 pattern found.
(gdb) b * (0x55555555db3a + 42)
Breakpoint 2 at 0x55555555db64: file ./src/output/output-screen.c, line 115.
(gdb) info b
Num Type Disp Enb Address What
2 breakpoint keep y 0x000055555555db64 in print_arp_asset_screen at ./src/output/output-screen.c:115
(gdb) disassemble /r 0xf7a94b31, 0xf7a94b31 + 62
Dump of assembler code from 0xf7a94b31 to 0xf7a94b6f:
0x00000000f7a94b31:
Cannot access memory at address 0xf7a94b31
(gdb) disassemble /r 0x55555555db3a, 0x55555555db3a + 62
Dump of assembler code from 0x55555555db3a to 0x55555555db78:
0x000055555555db3a <print_asset_screen+74>: 23 00 and (%rax),%eax
0x000055555555db3c <print_asset_screen+76>: 00 be 01 00 00 00 add %bh,0x1(%rsi)
0x000055555555db42 <print_asset_screen+82>: 0f b7 c9 movzwl %cx,%ecx
0x000055555555db45 <print_asset_screen+85>: e8 46 85 ff ff call 0x555555556090 <__fprintf_chk@plt>
0x000055555555db4a <print_asset_screen+90>: 58 pop %rax
0x000055555555db4b <print_asset_screen+91>: 31 c0 xor %eax,%eax
0x000055555555db4d <print_asset_screen+93>: 5a pop %rdx
0x000055555555db4e <print_asset_screen+94>: 5b pop %rbx
0x000055555555db4f <print_asset_screen+95>: 5d pop %rbp
0x000055555555db50 <print_asset_screen+96>: 41 5c pop %r12
0x000055555555db52 <print_asset_screen+98>: c3 ret
0x000055555555db53: 66 66 2e 0f 1f 84 00 00 00 00 00 data16 cs nopw 0x0(%rax,%rax,1)
0x000055555555db5e: 66 90 xchg %ax,%ax
0x000055555555db60 <print_arp_asset_screen+0>: 41 54 push %r12
0x000055555555db62 <print_arp_asset_screen+2>: 55 push %rbp
0x000055555555db63 <print_arp_asset_screen+3>: 53 push %rbx
0x000055555555db64 <print_arp_asset_screen+4>: 48 8b 47 10 mov 0x10(%rdi),%rax <<<<<<<<<<<<<
0x000055555555db68 <print_arp_asset_screen+8>: 48 89 fb mov %rdi,%rbx
0x000055555555db6b <print_arp_asset_screen+11>: 48 83 c7 04 add $0x4,%rdi
0x000055555555db6f <print_arp_asset_screen+15>: 48 85 c0 test %rax,%rax
0x000055555555db72 <print_arp_asset_screen+18>: 74 44 je 0x55555555dbb8 <print_arp_asset_screen+88>
0x000055555555db74 <print_arp_asset_screen+20>: 4c 8b 60 08 mov 0x8(%rax),%r12
End of assembler dump.
(gdb) list output-screen.c:100,125
100
101
102 /* ----------------------------------------------------------
103 * FUNCTION : print_arp_asset_screen
104 * DESCRIPTION : This function will print out the ARP asset
105 * : to the screen and to the report file.
106 * INPUT : 0 - IP Address
107 * : 1 - MAC Address
108 * RETURN : 0 - Success
109 * : -1 - Error
110 * ---------------------------------------------------------- */
111 int
112 print_arp_asset_screen (ArpAsset *rec)
113 {
114 /* Print to Screen */
115 if(rec->mac_resolved != NULL) { <<<<<<<<<<<
116 fprintf(stdout, "[*] Asset Found: IP Address - %s / MAC Address - %s (%s)\n",
117 inet_ntoa(rec->ip_addr), hex2mac(rec->mac_addr), bdata(rec->mac_resolved));
118 } else {
119 fprintf(stdout, "[*] Asset Found: IP Address - %s / MAC Address - %s\n",
120 inet_ntoa(rec->ip_addr), hex2mac(rec->mac_addr));
121 }
122
123 return 0;
124 }
125
(gdb)
Reply to: