[ktap] [PATCH] symbol: fix segmentation fault at sdt_note_addr()

  • From: Azat Khuzhin <a3at.mail@xxxxxxxxx>
  • To: ktap@xxxxxxxxxxxxx
  • Date: Thu, 14 Nov 2013 00:08:08 +0400

Because dst.d_buf must be 24 bytes long (on x86-64) while there are only
8 bytes (allocated on the stack).

return address was at: 0x7fffffffdd88
dst.d_buf:             0x7fffffffdd78

And after elf64_xlatetom() executed, it called memmove() into dst.d_buf
and overwrote the return address of sdt_note_addr(), and after retq
executed it jumped to 0x0.

Signed-off-by: Azat Khuzhin <a3at.mail@xxxxxxxxx>
---
 userspace/symbol.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/userspace/symbol.c b/userspace/symbol.c
index f3d5fc6..789611e 100644
--- a/userspace/symbol.c
+++ b/userspace/symbol.c
@@ -172,11 +172,20 @@ static vaddr_t sdt_note_addr(Elf *elf, const char *data, 
size_t len, int type)
        vaddr_t vaddr;
 
        /*
+        * Three addresses need to be obtained :
+        * Marker location, address of base section and semaphore location
+        */
+       union {
+               Elf64_Addr a64[3];
+               Elf32_Addr a32[3];
+       } buf;
+
+       /*
         * dst and src are required for translation from file to memory
         * representation
         */
        Elf_Data dst = {
-               .d_buf = &vaddr, .d_type = ELF_T_ADDR, .d_version = EV_CURRENT,
+               .d_buf = &buf, .d_type = ELF_T_ADDR, .d_version = EV_CURRENT,
                .d_size = gelf_fsize(elf, ELF_T_ADDR, SDT_NOTE_COUNT, 
EV_CURRENT),
                .d_off = 0, .d_align = 0
        };
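Review bot: the union added in this hunk hard-codes three entries (a64[3], a32[3]) while d_size a few lines below is still computed from SDT_NOTE_COUNT via gelf_fsize(); if those two ever disagree, the translation writes past buf again, which is exactly the overflow this patch fixes. Tie the capacity to the same constant, `Elf64_Addr a64[SDT_NOTE_COUNT];` and `Elf32_Addr a32[SDT_NOTE_COUNT];`, and consider a cheap runtime guard before the xlatetom call, e.g. `if (dst.d_size > sizeof(buf)) return 0;`, so the size libelf is told to produce can never exceed the bytes behind d_buf.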
@@ -199,6 +208,8 @@ static vaddr_t sdt_note_addr(Elf *elf, const char *data, 
size_t len, int type)
                          elf_getident(elf, NULL)[EI_DATA]) == NULL)
                return 0; /* TODO */
 
+       memcpy(&vaddr, &buf, sizeof(vaddr));
+
        return vaddr;
 }
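Review bot: memcpy(&vaddr, &buf, sizeof(vaddr)) copies the first sizeof(vaddr) bytes of the union regardless of ELF class; for an ELFCLASS32 object the translated entries are 4-byte a32[] values, so with a 64-bit vaddr_t this returns a32[0] and a32[1] glued together instead of the marker address. Select the union member by class instead, mirroring the EI_DATA lookup already in this function, e.g. `vaddr = elf_getident(elf, NULL)[EI_CLASS] == ELFCLASS64 ? buf.a64[0] : buf.a32[0];`. Separately, the unchanged `return 0; /* TODO */` on translation failure is indistinguishable from a legitimate zero address for the caller.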
 
-- 
1.8.4.rc3
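The sizing mistake the commit message describes, as an added example that is not ktap's code and does not use libelf: the two libelf pieces involved, gelf_fsize() for ELF_T_ADDR and elfNN_xlatetom(), are replaced by small stand-ins (sdt_addr_fsize() and xlate_addrs()) that keep the property that matters here, namely that the translation writes SDT_NOTE_COUNT addresses into d_buf and trusts the caller that d_buf really is d_size bytes long. SDT_NOTE_COUNT == 3 is taken from the hunk's comment; little-endian file byte order, the vaddr_t typedef and the note payload bytes are assumptions constructed for the example.

```c
/* Added example, not ktap's code: models the overflow fixed in sdt_note_addr()
 * and the sizing rule that prevents it. libelf is replaced by stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SDT_NOTE_COUNT 3        /* marker location, base section, semaphore (from the patch) */
#define ELFCLASS32 1            /* same values as <elf.h> */
#define ELFCLASS64 2

typedef uint64_t vaddr_t;       /* assumption: 64-bit vaddr_t as on x86-64 */

/* Destination sized for SDT_NOTE_COUNT addresses of the widest class (24 bytes). */
union sdt_addrs {
	uint64_t a64[SDT_NOTE_COUNT];
	uint32_t a32[SDT_NOTE_COUNT];
};

/* Stand-in for gelf_fsize(elf, ELF_T_ADDR, SDT_NOTE_COUNT, EV_CURRENT):
 * the number of bytes the translation will write into d_buf. */
size_t sdt_addr_fsize(int elfclass)
{
	return SDT_NOTE_COUNT * (elfclass == ELFCLASS64 ? sizeof(uint64_t) : sizeof(uint32_t));
}

/* The check the original code lacked: can a destination of `cap` bytes hold the
 * translated addresses?  &vaddr gives cap == 8, which fails for ELFCLASS64. */
int sdt_dst_fits(int elfclass, size_t cap)
{
	return cap >= sdt_addr_fsize(elfclass);
}

static uint64_t read_le(const unsigned char *p, size_t width)
{
	uint64_t v = 0;
	for (size_t i = 0; i < width; i++)
		v |= (uint64_t)p[i] << (8 * i);
	return v;
}

/* Stand-in for elfNN_xlatetom() on ELF_T_ADDR data stored little-endian in the
 * file.  Real libelf checks d_size but cannot know how many bytes sit behind
 * d_buf; here the caller passes the true capacity so the bug becomes a refusal
 * instead of a smashed stack frame. */
static int xlate_addrs(union sdt_addrs *dst, size_t cap, int elfclass,
		       const unsigned char *src, size_t src_len)
{
	size_t need = sdt_addr_fsize(elfclass);
	if (src_len < need || cap < need)
		return -1;      /* would read or write out of bounds */
	for (size_t i = 0; i < SDT_NOTE_COUNT; i++) {
		if (elfclass == ELFCLASS64)
			dst->a64[i] = read_le(src + 8 * i, 8);
		else
			dst->a32[i] = (uint32_t)read_le(src + 4 * i, 4);
	}
	return 0;
}

/* Model of the fixed sdt_note_addr(): translate into a buffer large enough for
 * every entry and return the first one (the marker location), choosing the
 * union member by ELF class rather than memcpy'ing raw bytes into vaddr. */
vaddr_t sdt_note_addr_model(int elfclass, const unsigned char *data, size_t len)
{
	union sdt_addrs buf;
	if (xlate_addrs(&buf, sizeof(buf), elfclass, data, len) != 0)
		return 0;
	return elfclass == ELFCLASS64 ? buf.a64[0] : buf.a32[0];
}

/* Constructed note payloads: three little-endian addresses per class. */
static const unsigned char note64[24] = {
	0x23, 0x01, 0x40, 0, 0, 0, 0, 0,    /* marker    0x400123 */
	0x00, 0x00, 0x40, 0, 0, 0, 0, 0,    /* base      0x400000 */
	0x10, 0x20, 0x60, 0, 0, 0, 0, 0,    /* semaphore 0x602010 */
};
static const unsigned char note32[12] = {
	0x00, 0x90, 0x04, 0x08,             /* marker    0x08049000 */
	0x00, 0x80, 0x04, 0x08,             /* base      0x08048000 */
	0x40, 0xa0, 0x04, 0x08,             /* semaphore 0x0804a040 */
};

int main(void)
{
	printf("fits in &vaddr (%zu bytes)? %d\n", sizeof(vaddr_t),
	       sdt_dst_fits(ELFCLASS64, sizeof(vaddr_t)));
	printf("fits in union (%zu bytes)?  %d\n", sizeof(union sdt_addrs),
	       sdt_dst_fits(ELFCLASS64, sizeof(union sdt_addrs)));
	printf("marker64 = 0x%llx\n",
	       (unsigned long long)sdt_note_addr_model(ELFCLASS64, note64, sizeof note64));
	printf("marker32 = 0x%llx\n",
	       (unsigned long long)sdt_note_addr_model(ELFCLASS32, note32, sizeof note32));
	return 0;
}
```

The two numbers printed first are the whole bug: the 8-byte vaddr cannot hold the 24 bytes gelf_fsize() reports for three ELFCLASS64 addresses, so the destination must be sized from the same count the translation uses, and the first address is then read out by class rather than by copying sizeof(vaddr) bytes from the union.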

