devttys0 / sasquatch

Segmentation fault

radare opened this issue · comments

Trying to unsquash a slightly modified ddwrt squashfs image:
http://lolcathost.org/b/out.fs

$ gdb --args /tmp/sasquatch out.fs
GNU gdb (GDB) 7.8
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /tmp/sasquatch...done.
(gdb) r
Starting program: /tmp/sasquatch out.fs
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
SquashFS version [3.0] / inode count [554] suggests a SquashFS image of the same endianess
[New Thread 0x7ffff6bba700 (LWP 5583)]
[New Thread 0x7ffff63b9700 (LWP 5584)]
[New Thread 0x7ffff5bb8700 (LWP 5585)]
[New Thread 0x7ffff53b7700 (LWP 5586)]
[New Thread 0x7ffff4bb6700 (LWP 5587)]
[New Thread 0x7ffff43b5700 (LWP 5588)]
[New Thread 0x7ffff3bb4700 (LWP 5589)]
[New Thread 0x7ffff33b3700 (LWP 5590)]
[New Thread 0x7ffff2bb2700 (LWP 5591)]
[New Thread 0x7ffff23b1700 (LWP 5592)]
[New Thread 0x7ffff1bb0700 (LWP 5593)]
[New Thread 0x7ffff13af700 (LWP 5594)]
[New Thread 0x7ffff0bae700 (LWP 5595)]
[New Thread 0x7ffff03ad700 (LWP 5596)]
[New Thread 0x7fffefbac700 (LWP 5597)]
[New Thread 0x7fffef3ab700 (LWP 5598)]
Parallel unsquashfs: Using 12 processors
Trying to decompress using default gzip decompressor...
Trying to decompress with lzma...
Trying to decompress with lzma-adaptive...

Program received signal SIGSEGV, Segmentation fault.
0x000000000041dfaf in NCompress::NLZMA::CDecoder::CodeReal(ISequentialInStream*, ISequentialOutStream*, unsigned long long const*, unsigned long long const*, ICompressProgressInfo*) ()
(gdb) disassemble $rip, $rip+20
Dump of assembler code from 0x41dfaf to 0x41dfc3:
=> 0x000000000041dfaf <_ZN9NCompress5NLZMA8CDecoder8CodeRealEP19ISequentialInStreamP20ISequentialOutStreamPKyS7_P21ICompressProgressInfo+367>:      callq  *0x10(%rax)
   0x000000000041dfb2 <_ZN9NCompress5NLZMA8CDecoder8CodeRealEP19ISequentialInStreamP20ISequentialOutStreamPKyS7_P21ICompressProgressInfo+370>:      movq   $0x0,0x68(%rbx)
   0x000000000041dfba <_ZN9NCompress5NLZMA8CDecoder8CodeRealEP19ISequentialInStreamP20ISequentialOutStreamPKyS7_P21ICompressProgressInfo+378>:      add    $0x10,%rsp
   0x000000000041dfbe <_ZN9NCompress5NLZMA8CDecoder8CodeRealEP19ISequentialInStreamP20ISequentialOutStreamPKyS7_P21ICompressProgressInfo+382>:      mov    %ebp,%eax
   0x000000000041dfc0 <_ZN9NCompress5NLZMA8CDecoder8CodeRealEP19ISequentialInStreamP20ISequentialOutStreamPKyS7_P21ICompressProgressInfo+384>:      pop    %rbx
   0x000000000041dfc1 <_ZN9NCompress5NLZMA8CDecoder8CodeRealEP19ISequentialInStreamP20ISequentialOutStreamPKyS7_P21ICompressProgressInfo+385>:      pop    %rbp
   0x000000000041dfc2 <_ZN9NCompress5NLZMA8CDecoder8CodeRealEP19ISequentialInStreamP20ISequentialOutStreamPKyS7_P21ICompressProgressInfo+386>:      pop    %r12
End of assembler dump.
(gdb) info registers 
rax            0xdcdcdcdcdcdcdcdc       -2531906049332683556
rbx            0x7e0b40 8260416
rcx            0x800000 8388608
rdx            0x29a    666
rsi            0x29a    666
rdi            0x7e0ac0 8260288
rbp            0x1      0x1
rsp            0x7fffffffe260   0x7fffffffe260
r8             0x7e0830 8259632
r9             0x800    2048
r10            0x7e0830 8259632
r11            0x10     16
r12            0x7e0b58 8260440
r13            0x7fffffffe2d8   140737488347864
r14            0x7e0b00 8260352
r15            0x0      0
rip            0x41dfaf 0x41dfaf <NCompress::NLZMA::CDecoder::CodeReal(ISequentialInStream*, ISequentialOutStream*, unsigned long long const*, unsigned long long const*, ICompressProgressInfo*)+367>
eflags         0x10206  [ PF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) bt
#0  0x000000000041dfaf in NCompress::NLZMA::CDecoder::CodeReal(ISequentialInStream*, ISequentialOutStream*, unsigned long long const*, unsigned long long const*, ICompressProgressInfo*) ()
#1  0x000000000041ab0a in NCompress::NLZMA::CDecoder::Code(ISequentialInStream*, ISequentialOutStream*, unsigned long long const*, unsigned long long const*, ICompressProgressInfo*) ()
#2  0x000000000041a2d9 in lzmaspec_uncompress ()
#3  0x0000000000410011 in lzma_adaptive_uncompress (dest=0x7e06e0, src=0x7fffffffe420, size=144, outsize=640, 
    error=0x7fffffffe4dc) at lzma_wrapper.c:292
#4  0x000000000040ef76 in compressor_uncompress (comp=0x6473c0 <lzma_adaptive_comp_ops>, dest=dest@entry=0x7e06e0, 
    src=src@entry=0x7fffffffe420, size=144, block_size=block_size@entry=320, error=error@entry=0x7fffffffe4dc)
    at compressor.c:193
#5  0x0000000000408144 in read_block (fd=3, start=2149509, next=next@entry=0x0, expected=expected@entry=320, 
    block=0x7e06e0) at unsquashfs.c:703
#6  0x000000000040c575 in read_fragment_table_3 (directory_table_end=0x7fffffffe5d8) at unsquash-3.c:78
#7  0x0000000000402a83 in main (argc=<optimized out>, argv=0x7fffffffe6f8) at unsquashfs.c:2953

This was caused by a type casting bug which affected 64-bit platforms. Fixed in latest HEAD, tested on Ubuntu 14.04 x86_64. Thanks!

Awesome, that was quick! It works with other squashfs I wasn't able to extract. Thanks!

On 21 Oct 2014, at 18:38, devttys0 notifications@github.com wrote:

This was caused by a type casting bug which affected 64-bit platforms. Fixed in latest HEAD, tested on Ubuntu 14.04 x86_64. Thanks!