
Segmentation fault in _dl_lookup_symbol_x

user16899 Published in May 25, 2018, 11:12 am

I'm trying to manually load a shared library into another process (implemented in Rust, reference: https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf).

For single-threaded targets it works fine, but as soon as the target has more than one thread I get a segmentation fault in "_dl_lookup_symbol_x". The shared library does seem to be loaded (according to /proc/maps/).

The segfault happens (as far as I can tell) during the loading process, when _dl_lookup_symbol_x is used to resolve the function of my simple test library. That library has a function called "loadMsg" annotated with __attribute__((constructor)), so it runs as soon as the library is loaded.

Backtrace

[Current thread is 1 (Thread 0x7f1f94bf9700 (LWP 14244))]
(gdb) bt full
#0  _dl_lookup_symbol_x (undef_name=0x7f1f9321b39b "loadMsg", undef_map=undef_map@entry=0xf59430, ref=ref@entry=0x7ffc40553a38, symbol_scope=symbol_scope@entry=0xf59788, version=0x0, type_class=0, flags=1, skip_map=0x0)
    at dl-lookup.c:813
        old_hash = 4294967295
        current_value = {s = 0x7f1f94435906, m = 0x7f1f944a5984 <__GI___libc_malloc+84>}
        scope = <optimized out>
        __PRETTY_FUNCTION__ = "_dl_lookup_symbol_x"
        i = <optimized out>
        protected = <optimized out>
#1  0x00007f1f94a108dd in elf_machine_rela (skip_ifunc=0, reloc_addr_arg=0x7f1f9341be00, version=<optimized out>, sym=<optimized out>, reloc=0x7f1f9321b460, map=0xf59430) at ../sysdeps/x86_64/dl-machine.h:325
        _lr = <optimized out>
        _tc = <optimized out>
        v = <optimized out>
        refsym = 0x7f1f9321b278
        sym_map = <optimized out>
        value = <optimized out>
        reloc_addr = 0x7f1f9341be00
        r_type = 1
#2  elf_dynamic_do_Rela (skip_ifunc=0, lazy=<optimized out>, nrelative=<optimized out>, relsize=<optimized out>, reladdr=<optimized out>, map=0xf59430) at do-rel.h:137
        ndx = <optimized out>
        version = <optimized out>
        symtab = <optimized out>
        relative = <optimized out>
        end = <optimized out>
        l_addr = <optimized out>
        r2 = 0x0
        r = 0x7f1f9321b460
        end2 = 0x0
#3  _dl_relocate_object (scope=<optimized out>, reloc_mode=reloc_mode@entry=1, consider_profiling=<optimized out>, consider_profiling@entry=0) at dl-reloc.c:259
        ranges = {{start = 139773589173272, size = 216, nrelative = 3, lazy = 0}, {start = 139773589173488, size = 48, nrelative = 0, lazy = 1}}
        textrels = <optimized out>
        errstring = 0x0
        lazy = <optimized out>
        skip_ifunc = 0
#4  0x00007f1f94a19c41 in dl_open_worker (a=a@entry=0x7ffc40553cf8) at dl-open.c:435
        i = <optimized out>
        args = 0x7ffc40553cf8
        file = <optimized out>
        mode = 1
        call_map = <optimized out>
        dst = <optimized out>
        new = 0xf59430
        __PRETTY_FUNCTION__ = "dl_open_worker"
        r = 0x7f1f94c2b140 <_r_debug>
        reloc_mode = 1
        nmaps = <optimized out>
        l = <optimized out>
        maps = 0x7ffc40553ac8
        relocation_in_progress = 1
        any_tls = <optimized out>
        first_static_tls = <optimized out>
#5  0x00007f1f94a14874 in _dl_catch_error (objname=objname@entry=0x7ffc40553ce8, errstring=errstring@entry=0x7ffc40553cf0, mallocedp=mallocedp@entry=0x7ffc40553ce7, operate=operate@entry=0x7f1f94a19720 <dl_open_worker>, 
    args=args@entry=0x7ffc40553cf8) at dl-error.c:187
        errcode = 32764
        c = {objname = 0x7ffc40553ce8, errstring = 0x7ffc40553cf0, malloced = 0x7ffc40553ce7, errcode = 0x7ffc40553bc4, env = {{__jmpbuf = {140721387814392, 4523004415124770447, 1, 16094096, 4194370, 139773616496704, 
                4523004415057661583, 4540571143190023823}, __mask_was_saved = 4195225, __saved_mask = {__val = {4195016, 140721387814056, 359345080, 5614766, 139771120713784, 139773608132664, 140721387814272, 139773608078736, 
                  140721387814052, 140721387814256, 139773616488368, 139771120713728, 4, 140721387814064, 2491322442, 0}}}}}
        catchp = 0x7f1f94bf96f8
        old = <optimized out>
#6  0x00007f1f94a19059 in _dl_open (file=0xf59390 "/home/user/sample-library.so", mode=1, caller_dlopen=0x400042, nsid=-2, argc=<optimized out>, argv=<optimized out>, env=0x7ffc405540d8)
    at dl-open.c:660
        args = {file = 0xf59390 "/home/user/sample-library.so", mode = 1, caller_dlopen = 0x400042, caller_dl_open = 0x7f1f945651fd <do_dlopen+61>, map = 0xf59430, nsid = 0, argc = 1, 
          argv = 0x7ffc405540c8, env = 0x7ffc405540d8}
        objname = 0x7f1f94a0eb91 <_dl_lookup_symbol_x+337> "H\203\304\060\203", <incomplete sequence \370>
---Type <return> to continue, or q <return> to quit---
        errstring = 0x2 <error: Cannot access memory at address 0x2>
        malloced = false
        errcode = <optimized out>
        __PRETTY_FUNCTION__ = "_dl_open"
#7  0x00007f1f945651fd in do_dlopen (ptr=ptr@entry=0x7ffc40553f18) at dl-libc.c:87
        args = 0x7ffc40553f18
#8  0x00007f1f94a14874 in _dl_catch_error (objname=0x7ffc40553f08, errstring=0x7ffc40553f10, mallocedp=0x7ffc40553f07, operate=0x7f1f945651c0 <do_dlopen>, args=0x7ffc40553f18) at dl-error.c:187
        errcode = 0
        c = {objname = 0x7ffc40553f08, errstring = 0x7ffc40553f10, malloced = 0x7ffc40553f07, errcode = 0x7ffc40553df4, env = {{__jmpbuf = {0, 4523004415188733583, 4195664, 140721387815104, 0, 0, 4523004415118478991, 
                4540571143190023823}, __mask_was_saved = 1079328447, __saved_mask = {__val = {4195664, 140721387815104, 0, 18446603352321737025, 1, 210453397509, 0, 0, 472446402651, 0, 0, 532575944823, 0, 139773612092717, 1, 
                  13}}}}}
        catchp = 0x7f1f94bf96f8
        old = <optimized out>
#9  0x00007f1f945652b4 in dlerror_run (args=0x7ffc40553f18, operate=0x7f1f945651c0 <do_dlopen>) at dl-libc.c:46
        objname = 0x0
        last_errstring = 0x0
        malloced = false
        result = <optimized out>
#10 __GI___libc_dlopen_mode (name=<optimized out>, mode=<optimized out>) at dl-libc.c:163
        args = {name = 0xf59390 "/home/user/sample-library.so", mode = 1, caller_dlopen = 0x400042, map = 0x7ffc40553f90}
#11 0x0000000000400042 in ?? ()
No symbol table info available.
#12 0x000000000000000d in ?? ()
No symbol table info available.
#13 0x00007f1f944a5ce0 in ?? () at hooks.c:545 from /lib/x86_64-linux-gnu/libc.so.6
        check_action = 3
        mp_ = {trim_threshold = 131072, top_pad = 131072, mmap_threshold = 131072, arena_test = 8, arena_max = 0, n_mmaps = 0, n_mmaps_max = 65536, max_n_mmaps = 0, no_dyn_threshold = 0, mmapped_mem = 0, max_mmapped_mem = 0, 
          sbrk_base = 0xf59000 ""}
        list_lock = 0
        dumped_main_arena_end = 0x0
        global_max_fast = 128
        free_list = 0x0
        __elf_set___libc_thread_subfreeres_element_arena_thread_freeres__ = 0x7f1f94592280 <arena_thread_freeres>
        disallow_malloc_check = 0
        dumped_main_arena_start = 0x0
        using_malloc_checking = 0
        free_list_lock = 0
        perturb_byte = 0
        thread_arena = 0x7f1f947e0b00 <main_arena>
        main_arena = {mutex = 0, flags = 1, fastbinsY = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, top = 0xf599e0, last_remainder = 0x0, bins = {0x7f1f947e0b58 <main_arena+88>, 0x7f1f947e0b58 <main_arena+88>, 
            0x7f1f947e0b68 <main_arena+104>, 0x7f1f947e0b68 <main_arena+104>, 0x7f1f947e0b78 <main_arena+120>, 0x7f1f947e0b78 <main_arena+120>, 0x7f1f947e0b88 <main_arena+136>, 0x7f1f947e0b88 <main_arena+136>, 
            0x7f1f947e0b98 <main_arena+152>, 0x7f1f947e0b98 <main_arena+152>, 0x7f1f947e0ba8 <main_arena+168>, 0x7f1f947e0ba8 <main_arena+168>, 0x7f1f947e0bb8 <main_arena+184>, 0x7f1f947e0bb8 <main_arena+184>, 
            0x7f1f947e0bc8 <main_arena+200>, 0x7f1f947e0bc8 <main_arena+200>, 0x7f1f947e0bd8 <main_arena+216>, 0x7f1f947e0bd8 <main_arena+216>, 0x7f1f947e0be8 <main_arena+232>, 0x7f1f947e0be8 <main_arena+232>, 
            0x7f1f947e0bf8 <main_arena+248>, 0x7f1f947e0bf8 <main_arena+248>, 0x7f1f947e0c08 <main_arena+264>, 0x7f1f947e0c08 <main_arena+264>, 0x7f1f947e0c18 <main_arena+280>, 0x7f1f947e0c18 <main_arena+280>, 
            0x7f1f947e0c28 <main_arena+296>, 0x7f1f947e0c28 <main_arena+296>, 0x7f1f947e0c38 <main_arena+312>, 0x7f1f947e0c38 <main_arena+312>, 0x7f1f947e0c48 <main_arena+328>, 0x7f1f947e0c48 <main_arena+328>, 
            0x7f1f947e0c58 <main_arena+344>, 0x7f1f947e0c58 <main_arena+344>, 0x7f1f947e0c68 <main_arena+360>, 0x7f1f947e0c68 <main_arena+360>, 0x7f1f947e0c78 <main_arena+376>, 0x7f1f947e0c78 <main_arena+376>, 
            0x7f1f947e0c88 <main_arena+392>, 0x7f1f947e0c88 <main_arena+392>, 0x7f1f947e0c98 <main_arena+408>, 0x7f1f947e0c98 <main_arena+408>, 0x7f1f947e0ca8 <main_arena+424>, 0x7f1f947e0ca8 <main_arena+424>, 
            0x7f1f947e0cb8 <main_arena+440>, 0x7f1f947e0cb8 <main_arena+440>, 0x7f1f947e0cc8 <main_arena+456>, 0x7f1f947e0cc8 <main_arena+456>, 0x7f1f947e0cd8 <main_arena+472>, 0x7f1f947e0cd8 <main_arena+472>, 
            0x7f1f947e0ce8 <main_arena+488>, 0x7f1f947e0ce8 <main_arena+488>, 0x7f1f947e0cf8 <main_arena+504>, 0x7f1f947e0cf8 <main_arena+504>, 0x7f1f947e0d08 <main_arena+520>, 0x7f1f947e0d08 <main_arena+520>, 
            0x7f1f947e0d18 <main_arena+536>, 0x7f1f947e0d18 <main_arena+536>, 0x7f1f947e0d28 <main_arena+552>, 0x7f1f947e0d28 <main_arena+552>, 0x7f1f947e0d38 <main_arena+568>, 0x7f1f947e0d38 <main_arena+568>, 
            0x7f1f947e0d48 <main_arena+584>, 0x7f1f947e0d48 <main_arena+584>, 0x7f1f947e0d58 <main_arena+600>, 0x7f1f947e0d58 <main_arena+600>, 0x7f1f947e0d68 <main_arena+616>, 0x7f1f947e0d68 <main_arena+616>, 
            0x7f1f947e0d78 <main_arena+632>, 0x7f1f947e0d78 <main_arena+632>, 0x7f1f947e0d88 <main_arena+648>, 0x7f1f947e0d88 <main_arena+648>, 0x7f1f947e0d98 <main_arena+664>, 0x7f1f947e0d98 <main_arena+664>, 
            0x7f1f947e0da8 <main_arena+680>, 0x7f1f947e0da8 <main_arena+680>, 0x7f1f947e0db8 <main_arena+696>, 0x7f1f947e0db8 <main_arena+696>, 0x7f1f947e0dc8 <main_arena+712>, 0x7f1f947e0dc8 <main_arena+712>, 
            0x7f1f947e0dd8 <main_arena+728>, 0x7f1f947e0dd8 <main_arena+728>, 0x7f1f947e0de8 <main_arena+744>, 0x7f1f947e0de8 <main_arena+744>, 0x7f1f947e0df8 <main_arena+760>, 0x7f1f947e0df8 <main_arena+760>, 
            0x7f1f947e0e08 <main_arena+776>, 0x7f1f947e0e08 <main_arena+776>, 0x7f1f947e0e18 <main_arena+792>, 0x7f1f947e0e18 <main_arena+792>, 0x7f1f947e0e28 <main_arena+808>, 0x7f1f947e0e28 <main_arena+808>, 
            0x7f1f947e0e38 <main_arena+824>, 0x7f1f947e0e38 <main_arena+824>, 0x7f1f947e0e48 <main_arena+840>, 0x7f1f947e0e48 <main_arena+840>, 0x7f1f947e0e58 <main_arena+856>, 0x7f1f947e0e58 <main_arena+856>, 
            0x7f1f947e0e68 <main_arena+872>, 0x7f1f947e0e68 <main_arena+872>, 0x7f1f947e0e78 <main_arena+888>, 0x7f1f947e0e78 <main_arena+888>, 0x7f1f947e0e88 <main_arena+904>, 0x7f1f947e0e88 <main_arena+904>, 
            0x7f1f947e0e98 <main_arena+920>, 0x7f1f947e0e98 <main_arena+920>, 0x7f1f947e0ea8 <main_arena+936>, 0x7f1f947e0ea8 <main_arena+936>, 0x7f1f947e0eb8 <main_arena+952>, 0x7f1f947e0eb8 <main_arena+952>, 
            0x7f1f947e0ec8 <main_arena+968>, 0x7f1f947e0ec8 <main_arena+968>, 0x7f1f947e0ed8 <main_arena+984>, 0x7f1f947e0ed8 <main_arena+984>, 0x7f1f947e0ee8 <main_arena+1000>, 0x7f1f947e0ee8 <main_arena+1000>, 
            0x7f1f947e0ef8 <main_arena+1016>, 0x7f1f947e0ef8 <main_arena+1016>, 0x7f1f947e0f08 <main_arena+1032>, 0x7f1f947e0f08 <main_arena+1032>, 0x7f1f947e0f18 <main_arena+1048>, 0x7f1f947e0f18 <main_arena+1048>, 
            0x7f1f947e0f28 <main_arena+1064>, 0x7f1f947e0f28 <main_arena+1064>, 0x7f1f947e0f38 <main_arena+1080>, 0x7f1f947e0f38 <main_arena+1080>, 0x7f1f947e0f48 <main_arena+1096>, 0x7f1f947e0f48 <main_arena+1096>, 
            0x7f1f947e0f58 <main_arena+1112>, 0x7f1f947e0f58 <main_arena+1112>, 0x7f1f947e0f68 <main_arena+1128>, 0x7f1f947e0f68 <main_arena+1128>, 0x7f1f947e0f78 <main_arena+1144>, 0x7f1f947e0f78 <main_arena+1144>, 
            0x7f1f947e0f88 <main_arena+1160>, 0x7f1f947e0f88 <main_arena+1160>, 0x7f1f947e0f98 <main_arena+1176>, 0x7f1f947e0f98 <main_arena+1176>, 0x7f1f947e0fa8 <main_arena+1192>, 0x7f1f947e0fa8 <main_arena+1192>, 
---Type <return> to continue, or q <return> to quit---
            0x7f1f947e0fb8 <main_arena+1208>, 0x7f1f947e0fb8 <main_arena+1208>, 0x7f1f947e0fc8 <main_arena+1224>, 0x7f1f947e0fc8 <main_arena+1224>, 0x7f1f947e0fd8 <main_arena+1240>, 0x7f1f947e0fd8 <main_arena+1240>, 
            0x7f1f947e0fe8 <main_arena+1256>, 0x7f1f947e0fe8 <main_arena+1256>, 0x7f1f947e0ff8 <main_arena+1272>, 0x7f1f947e0ff8 <main_arena+1272>, 0x7f1f947e1008 <main_arena+1288>, 0x7f1f947e1008 <main_arena+1288>, 
            0x7f1f947e1018 <main_arena+1304>, 0x7f1f947e1018 <main_arena+1304>, 0x7f1f947e1028 <main_arena+1320>, 0x7f1f947e1028 <main_arena+1320>, 0x7f1f947e1038 <main_arena+1336>, 0x7f1f947e1038 <main_arena+1336>, 
            0x7f1f947e1048 <main_arena+1352>, 0x7f1f947e1048 <main_arena+1352>, 0x7f1f947e1058 <main_arena+1368>, 0x7f1f947e1058 <main_arena+1368>, 0x7f1f947e1068 <main_arena+1384>, 0x7f1f947e1068 <main_arena+1384>, 
            0x7f1f947e1078 <main_arena+1400>, 0x7f1f947e1078 <main_arena+1400>, 0x7f1f947e1088 <main_arena+1416>, 0x7f1f947e1088 <main_arena+1416>, 0x7f1f947e1098 <main_arena+1432>, 0x7f1f947e1098 <main_arena+1432>, 
            0x7f1f947e10a8 <main_arena+1448>, 0x7f1f947e10a8 <main_arena+1448>, 0x7f1f947e10b8 <main_arena+1464>, 0x7f1f947e10b8 <main_arena+1464>, 0x7f1f947e10c8 <main_arena+1480>, 0x7f1f947e10c8 <main_arena+1480>, 
            0x7f1f947e10d8 <main_arena+1496>, 0x7f1f947e10d8 <main_arena+1496>, 0x7f1f947e10e8 <main_arena+1512>, 0x7f1f947e10e8 <main_arena+1512>, 0x7f1f947e10f8 <main_arena+1528>, 0x7f1f947e10f8 <main_arena+1528>, 
            0x7f1f947e1108 <main_arena+1544>, 0x7f1f947e1108 <main_arena+1544>, 0x7f1f947e1118 <main_arena+1560>, 0x7f1f947e1118 <main_arena+1560>, 0x7f1f947e1128 <main_arena+1576>, 0x7f1f947e1128 <main_arena+1576>, 
            0x7f1f947e1138 <main_arena+1592>, 0x7f1f947e1138 <main_arena+1592>, 0x7f1f947e1148 <main_arena+1608>, 0x7f1f947e1148 <main_arena+1608>, 0x7f1f947e1158 <main_arena+1624>, 0x7f1f947e1158 <main_arena+1624>, 
            0x7f1f947e1168 <main_arena+1640>, 0x7f1f947e1168 <main_arena+1640>, 0x7f1f947e1178 <main_arena+1656>, 0x7f1f947e1178 <main_arena+1656>, 0x7f1f947e1188 <main_arena+1672>, 0x7f1f947e1188 <main_arena+1672>...}, 
          binmap = {0, 0, 0, 0}, next = 0x7f1f7c000020, next_free = 0x0, attached_threads = 1, system_mem = 135168, max_system_mem = 135168}
        narenas = 4
        aligned_heap_area = 0x7f1f80000000 <error: Cannot access memory at address 0x7f1f80000000>
        __morecore = 0x7f1f944a8c10 <__GI___default_morecore>
        __after_morecore_hook = 0x0
        __malloc_initialize_hook = 0x0
        __free_hook = 0x0
        __malloc_hook = 0x0
        __memalign_hook = 0x7f1f944a7680 <memalign_hook_ini>
        __libc_malloc_initialized = 1
        __realloc_hook = 0x7f1f944a7260 <realloc_hook_ini>
#14 0x00007ffc40553f90 in ?? ()
No symbol table info available.
#15 0x0000000000000000 in ?? ()
No symbol table info available.

If you need any more information for debugging please just ask. Thanks.

