SEGV running binary - how to debug further?

Question

SEGV running binary - how to debug further?

tmm1 opened this issue 4 years ago · comments

Aman Gupta Karmani commented 4 years ago

I'm trying to run headless chromium via proot. It works on arm64-v8a devices, but on armeabi-v7a I'm getting a segfault:

# uname -a
Linux localhost 4.9.113 #1 SMP PREEMPT Fri Apr 17 19:28:59 CST 2020 armv8l Android

# PROOT_NO_SECCOMP=1 LD_PRELOAD= proot --link2symlink -0 -r $PREFIX/share/TermuxAlpine/ -b /dev -b /sys -b /proc -w / /usr/lib/chromium/chrome --version
proot info: vpid 1: terminated with signal 11

# startalpine
[root@localhost home]# /usr/lib/chromium/chrome --version
Segmentation fault

proot info: exe = /usr/lib/chromium/chrome
proot info: argv = /usr/lib/chromium/chrome --version
proot info: initial cwd = /
proot info: verbose level = 999
proot info: pid 28492: access to "/dev/pts/3" (fd 0) won't be translated until closed
proot info: pid 28492: access to "/dev/pts/3" (fd 1) won't be translated until closed
proot info: pid 28492: access to "/dev/pts/3" (fd 2) won't be translated until closed
proot info: pid 28492: access to "/proc/28492/fd" (fd 3) won't be translated until closed
proot info: vpid 1: sysenter start: execve(0xec91d0d0, 0xff820660, 0xff82066c, 0x2f, 0xec910030, 0xff820660) = 0xec91d0d0 [0xff81e550, 0]
proot info: vpid 1: translate("/" + "/usr/lib/chromium/chrome")
proot info: vpid 1:          -> "/data/data/com.termux/files/usr/share/TermuxAlpine/usr/lib/chromium/chrome"
proot info: vpid 1: translate("/" + "/lib/ld-musl-armhf.so.1")
proot info: vpid 1:          -> "/data/data/com.termux/files/usr/share/TermuxAlpine/lib/ld-musl-armhf.so.1"
proot info: vpid 1: sysenter end: execve(0xff81e51b, 0xff820660, 0xff82066c, 0x2f, 0xec910030, 0xff820660) = 0xff81e51b [0xff81e51b, 0]
proot info: vpid 1: sysexit start: restart_syscall(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) = 0x0 [0xff8143f0, 0]
proot info: vpid 1: sysexit end: restart_syscall(0xff8142fc, 0x0, 0x0, 0x0, 0x0, 0x0) = 0xff8142fc [0xff8142fc, 0]
proot info: vpid 1: sysenter start: open(0xff8143bc, 0x0, 0x0, 0x0, 0x0, 0x0) = 0xff8143bc [0xff8142f8, 0]
proot info: vpid 1: translate("/" + "/usr/lib/chromium/chrome")
proot info: vpid 1:          -> "/data/data/com.termux/files/usr/share/TermuxAlpine/usr/lib/chromium/chrome"
proot info: vpid 1: sysenter end: open(0xff8142ad, 0x0, 0x0, 0x0, 0x0, 0x0) = 0xff8142ad [0xff8142ad, 0]
proot info: vpid 1: sysexit start: open(0x3, 0x0, 0x0, 0x0, 0x0, 0x0) = 0x3 [0xff8142ad, 0]
proot info: vpid 1: sysexit end: open(0x3, 0x0, 0x0, 0x0, 0x0, 0x0) = 0x3 [0xff8142f8, 0]
proot info: vpid 1: sysenter start: mmap2(0xf000000, 0x595e000, 0x5, 0x12, 0x3, 0x0) = 0xf000000 [0xff8142f8, 0]
proot info: vpid 1: sysenter end: mmap2(0xf000000, 0x595e000, 0x5, 0x12, 0x3, 0x0) = 0xf000000 [0xff8142f8, 0]
proot info: vpid 1: sysexit start: mmap2(0xf000000, 0x595e000, 0x5, 0x12, 0x3, 0x0) = 0xf000000 [0xff8142f8, 0]
proot info: vpid 1: sysexit end: mmap2(0xf000000, 0x595e000, 0x5, 0x12, 0x3, 0x0) = 0xf000000 [0xff8142f8, 0]
proot info: vpid 1: translate("/" + "/usr/lib/chromium/chrome")
proot info: vpid 1:          -> "/data/data/com.termux/files/usr/share/TermuxAlpine/usr/lib/chromium/chrome"
proot info: vpid 1: terminated with signal 11

michalbednarski · Answer 1 · Tue May 19 2020 00:18:10 GMT+0800 (China Standard Time)

Looks like loaded binary mapping has clashed with loader (loader address is defined in arch.h, this value is referenced from GNUMakefile).

Probably either LOADER_ADDRESS should be raised or EXEC_PIC_ADDRESS should be lowered, but I don't know what these values should actually be.

Aman Gupta Karmani · Answer 2 · Tue May 19 2020 02:38:54 GMT+0800 (China Standard Time)

Thanks! Really appreciate the pointer.

I see the EXEC_PIC_ADDRESS being mmap'd in the verbose output above, but no indication of LOADER_ADDRESS. Did you see something in there that suggested overlap, or just a hunch based on the segv that the binary was being corrupted?

Either way, you were correct and the following works for me now:

--- a/src/arch.h
+++ b/src/arch.h
@@ -101,7 +101,7 @@ typedef unsigned char byte_t;
     #define OFFSETOF_STAT_GID_32 0
     #define EM_ARM 40

-    #define LOADER_ADDRESS 0x10000000
+    #define LOADER_ADDRESS 0x20000000

     #define EXEC_PIC_ADDRESS   0x0f000000
     #define INTERP_PIC_ADDRESS 0x1f000000

Not sure if this is something that should be merged, or if there would be other unintended consequences. Now that the binary runs maybe I can look at /proc/pid/maps and see where the overlap was and how much extra space is actually needed..

Aman Gupta Karmani · Answer 3 · Fri Jul 17 2020 08:17:38 GMT+0800 (China Standard Time)

I discovered there is an old WIP branch upstream that tries to remove LOADER_ADDRESS: https://github.com/proot-me/proot/compare/position_independant

Deleted user · Answer 4 · Mon May 10 2021 11:33:51 GMT+0800 (China Standard Time)

Hi, i pointed to this issue where i needed to run Chromium on 32-bit environment, and it got segfaults, somehow running chromium works by setting LOADER_ADDRESS to 0x20000000 in proot's source, so far i didn't get any strange side effects from time to time when using armhf distro and it only fixes chromium segfaults after using armhf distro for like a month now

I guess it's time that LOADER_ADDRESS should be set to 0x20000000?

Zhymabek Roman · Answer 5 · Mon May 10 2021 12:20:03 GMT+0800 (China Standard Time)

@wmcb-tech, may be best to apply changes from the position_independant branch to the Termux proot repository?

Deleted user · Answer 6 · Mon May 10 2021 12:31:53 GMT+0800 (China Standard Time)

just to be safe then probably yes