[PATCH] sha3sum: New applet, v2

Baruch Siach baruch at tkos.co.il
Tue Jan 8 07:34:49 UTC 2013


Hi Lauri,

On Sun, Jan 06, 2013 at 10:04:36PM +0200, Lauri Kasanen wrote:
> > The content of the r28 register is:
> > 
> > (gdb) info registers
> > ...
> > r28            0x10173010   269955088
> > 
> > The process' /proc/[pid]/maps file shows:
> > 
> > 1014d000-10173000 rwxp 00000000 00:00 0          [heap]
> > 
> > which means that we're trying to read just beyond the process allocated
> > heap.
> > 
> > From the disassembly code I infer that the crash happens before the call
> > to bb_bswap_64 at address 0x10050b80.
> 
> Thanks.
> 
> Can you also enable CONFIG_PESSIMIZE (disable gcc's optimization) and
> post the backtrace? I wonder if somehow it gets called with wrong
> arguments (end of string, but wrong size for example), those were
> optimized out in the first backtrace.

A pessimized build gives the exact same result. Details below:

Program received signal SIGSEGV, Segmentation fault.
0x1009d288 in KeccakF (state=0xbfca1fc0, in=0x101cafd0, laneCount=8)
    at libbb/hash_md5_sha.c:977
977         state[laneCount] ^= SWAP_LE64(in[laneCount]);
(gdb) bt
#0  0x1009d288 in KeccakF (state=0xbfca1fc0, in=0x101cafd0, laneCount=8)
    at libbb/hash_md5_sha.c:977
#1  0x1009dab4 in sha3_hash (state=0xbfca1fc0, data=0x101cafd0 "", bytes=21474836485)
    at libbb/hash_md5_sha.c:1055
#2  0x1007180c in hash_file (filename=0x10169fcc "-") at coreutils/md5_sha1_sum.c:151
#3  0x10071b74 in md5_sha1_sum_main (argc=1, argv=0xbfca23e8)
    at coreutils/md5_sha1_sum.c:247
#4  0x10002980 in run_applet_no_and_exit (applet_no=122, argv=0xbfca23e8)
    at libbb/appletlib.c:755
#5  0x100029c4 in run_applet_and_exit (name=0xbfca2d14 "sha3sum", argv=0xbfca23e8)
    at libbb/appletlib.c:762
#6  0x10002818 in busybox_main (argv=0xbfca23e8) at libbb/appletlib.c:727
#7  0x100029ec in run_applet_and_exit (name=0xbfca2d0c "busybox", argv=0xbfca23e4)
    at libbb/appletlib.c:764
#8  0x10002ad4 in main (argc=2, argv=0xbfca23e4) at libbb/appletlib.c:819

(gdb) p &in[laneCount]
$1 = (const uint64_t *) 0x101cb010

(gdb) disas
Dump of assembler code for function KeccakF:
[...]
   0x1009d258 <+120>:   lwz     r9,72(r1)
   0x1009d25c <+124>:   add     r0,r9,r0
   0x1009d260 <+128>:   mr      r9,r0
   0x1009d264 <+132>:   lwz     r8,0(r9)
   0x1009d268 <+136>:   lwz     r9,4(r9)
   0x1009d26c <+140>:   stw     r8,88(r1)
   0x1009d270 <+144>:   stw     r9,92(r1)
   0x1009d274 <+148>:   lwz     r0,80(r1)
   0x1009d278 <+152>:   rlwinm  r0,r0,3,0,28
   0x1009d27c <+156>:   lwz     r9,76(r1)
   0x1009d280 <+160>:   add     r0,r9,r0
   0x1009d284 <+164>:   mr      r11,r0
=> 0x1009d288 <+168>:   lwz     r9,0(r11)
   0x1009d28c <+172>:   lwz     r10,4(r11)
   0x1009d290 <+176>:   mr      r3,r9
   0x1009d294 <+180>:   mr      r4,r10
   0x1009d298 <+184>:   bl      0x100b0898 <bb_bswap_64>
   0x1009d29c <+188>:   mr      r10,r4
   0x1009d2a0 <+192>:   mr      r9,r3
   0x1009d2a4 <+196>:   lwz     r0,88(r1)
   0x1009d2a8 <+200>:   xor     r0,r0,r9
   0x1009d2ac <+204>:   stw     r0,96(r1)
   0x1009d2b0 <+208>:   lwz     r8,92(r1)
   0x1009d2b4 <+212>:   xor     r8,r8,r10
   0x1009d2b8 <+216>:   stw     r8,100(r1)
   0x1009d2bc <+220>:   lwz     r9,96(r1)
   0x1009d2c0 <+224>:   lwz     r10,100(r1)

(gdb) info reg
[...]
r11            0x101cb010   270315536

# cat /proc/[pid]/maps
[...]
101a5000-101cb000 rwxp 00000000 00:00 0          [heap]

baruch

-- 
     http://baruch.siach.name/blog/                  ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il -
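The check done by hand in this thread (read the faulting address out of a register, then see whether it falls inside any region listed in /proc/[pid]/maps) is small enough to automate, which helps when you have many crash reports to triage. The following is an added example, not busybox code and not part of the mail above: it parses maps lines, reports whether an address is mapped, and counts how many whole 8-byte lanes fit between a base pointer and the end of its mapping. The function names (`parse_maps_line`, `find_mapping`, `elements_before_end`) are hypothetical. The only maps lines used are the two `[heap]` lines quoted in the mail; the rest of each maps file was elided there, so the sample input is deliberately incomplete.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One line of /proc/[pid]/maps, reduced to what the check needs. */
struct mapping {
    unsigned long start;   /* inclusive */
    unsigned long end;     /* exclusive */
    char perms[5];
    char name[64];
};

/* Parse a single maps line such as
 *   "101a5000-101cb000 rwxp 00000000 00:00 0          [heap]"
 * Returns 1 on success, 0 if the line does not look like a maps entry. */
int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long off, ino;
    char dev[16];
    int n;

    memset(m, 0, sizeof(*m));
    n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %63s",
               &m->start, &m->end, m->perms, &off, dev, &ino, m->name);
    /* The pathname column is optional (anonymous mappings have none). */
    return n >= 6 && m->end > m->start;
}

/* Look up addr in a multi-line maps dump.
 * Returns 1 and fills *out (if non-NULL) when a mapping contains addr,
 * 0 when the address is not covered by any listed mapping. */
int find_mapping(const char *maps, unsigned long addr, struct mapping *out)
{
    const char *p = maps;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        struct mapping m;

        if (len >= sizeof(line))
            len = sizeof(line) - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_maps_line(line, &m) && addr >= m.start && addr < m.end) {
            if (out)
                *out = m;
            return 1;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Number of whole elements of size elem that fit between base and the end
 * of the mapping containing base; 0 if base itself is unmapped.
 * For the pessimized backtrace (in=0x101cafd0, heap ending at 0x101cb000,
 * 8-byte lanes) this is 6: lanes 0..5 lie inside the heap line shown,
 * lane 6 onwards does not. */
unsigned long elements_before_end(const char *maps, unsigned long base,
                                  unsigned long elem)
{
    struct mapping m;

    if (elem == 0 || !find_mapping(maps, base, &m))
        return 0;
    return (m.end - base) / elem;
}

int main(void)
{
    /* Heap lines copied from the two maps excerpts in the mail; every other
     * line of those files was elided there, so this input is partial. */
    static const char maps_first[]  = "1014d000-10173000 rwxp 00000000 00:00 0          [heap]\n";
    static const char maps_second[] = "101a5000-101cb000 rwxp 00000000 00:00 0          [heap]\n";
    unsigned long r28 = 0x10173010UL;   /* register value from the first report */
    unsigned long r11 = 0x101cb010UL;   /* &in[laneCount] in the pessimized build */
    struct mapping m;

    printf("r28 0x%lx: %s\n", r28,
           find_mapping(maps_first, r28, &m) ? "mapped" : "not in listed mappings");
    printf("r11 0x%lx: %s\n", r11,
           find_mapping(maps_second, r11, &m) ? "mapped" : "not in listed mappings");
    printf("whole 64-bit lanes mapped from in=0x101cafd0: %lu\n",
           elements_before_end(maps_second, 0x101cafd0UL, 8));
    return 0;
}
```

Because the sample input contains only the `[heap]` lines, "not in listed mappings" means exactly that; on a full maps dump the same call answers whether the address is mapped at all. The lane count is the figure worth checking against the loop bound in the absorb function: with the base pointer from the backtrace, the heap line shown covers six whole lanes, fewer than the `laneCount=8` at which the fault was reported.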

