Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751295AbaBWODC (ORCPT <rfc822;w@1wt.eu>);
	Sun, 23 Feb 2014 09:03:02 -0500
Received: from mail-qg0-f45.google.com ([209.85.192.45]:42758 "EHLO
	mail-qg0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751117AbaBWODA (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sun, 23 Feb 2014 09:03:00 -0500
Date: Sun, 23 Feb 2014 09:05:01 -0500 (EST)
From: Vince Weaver <vincent.weaver@maine.edu>
To: "H. Peter Anvin" <hpa@zytor.com>
cc: Vince Weaver <vincent.weaver@maine.edu>,
        Linux Kernel <linux-kernel@vger.kernel.org>,
        Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@redhat.com>,
        "H.J. Lu" <hjl.tools@gmail.com>
Subject: Re: perf_fuzzer compiled for x32 causes reboot
In-Reply-To: <e0bf16ca-011f-400d-b938-94e4de2fb1a6@email.android.com>
Message-ID: <alpine.DEB.2.10.1402230859560.18653@vincent-weaver-1.um.maine.edu>
References: <alpine.DEB.2.10.1402211521040.6395@vincent-weaver-1.um.maine.edu> <alpine.DEB.2.10.1402211701380.6395@vincent-weaver-1.um.maine.edu> <alpine.DEB.2.10.1402211732290.11615@vincent-weaver-1.um.maine.edu> <alpine.DEB.2.10.1402212342090.17416@vincent-weaver-1.um.maine.edu>
 <53084317.4090304@zytor.com> <alpine.DEB.2.10.1402230012260.18252@vincent-weaver-1.um.maine.edu> <e0bf16ca-011f-400d-b938-94e4de2fb1a6@email.android.com>
User-Agent: Alpine 2.10 (DEB 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 22 Feb 2014, H. Peter Anvin wrote:

> I'd be interested in how rbp gets set, too.  It might just be a 
> coincidence and the value in rbp has some other meaning here.

The code in question does this:

        i=find_random_active_event();
        if (i<0) return;
        if ((event_data[i].mmap)) {
                value=0xdeadbeef;
                memset(event_data[i].mmap,value,getpagesize());


  [New LWP 10526]
  Core was generated by `./perf_fuzzer -t OCIRMQWPpAi -r 1392938876'.
  Program terminated with signal 11, Segmentation fault.
  #0  0x0041efab in __memset_sse2 ()
  (gdb) bt
  #0  0x0041efab in __memset_sse2 ()
  #1  0x004017ec in trash_random_mmap () at perf_fuzzer.c:808
  #2  main (argc=<optimized out>, argv=<optimized out>) at perf_fuzzer.c:1604


So rbp is set by the imul below, it is the offset into the
event_data[i] array where the elements have size of 0x120

   0x004017bd <+3085>:  callq  0x402ee0 <find_random_active_event>
   0x004017c2 <+3090>:  test   %eax,%eax
   0x004017c4 <+3092>:  js     0x4011e8 <main+1592>
   0x004017ca <+3098>:  imul   $0x120,%eax,%ebp
   0x004017d0 <+3104>:  mov    0x756b2c(%ebp),%eax

   0x004017d7 <+3111>:  test   %eax,%eax
   0x004017d9 <+3113>:  je     0x40183b <main+3211>

   0x004017db <+3115>:  mov    0xc(%esp),%edx
   0x004017e0 <+3120>:  mov    %eax,%edi
   0x004017e2 <+3122>:  mov    $0xdeadbeef,%esi
   0x004017e7 <+3127>:  callq  0x400260
   0x004017ec <+3132>:  testb  $0x20,0x353e76(%rip)        # 0x755669 <logging+$

   400260:       ff 25 ce 0e 2d 00       jmpq   *0x2d0ece(%rip)        # 6d1134 $

   0x6d1134:       0x0041e710

  Dump of assembler code for function __memset_sse2:

   0x0041e710 <+0>:     cmp    $0x1,%rdx
   0x0041e714 <+4>:     mov    %rdi,%rax
   0x0041e717 <+7>:     jne    0x41e71d <__memset_sse2+13>
   0x0041e719 <+9>:     mov    %sil,(%rdi)

and as far as I can tell nothing touches rbp again until the segfault.
Nothing in _memset_sse2 does as far as I can tell.

Vince
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/