Discussion:
Escape stack overflow in noux_bash
Gregory Disney
2016-03-02 01:21:23 UTC
Hey,
This seems to be an escape stack overflow, which crashes the kernel. All
that a user has to do is run cat tmp/bblub, which I believe is a link to
/ram/tmp/bblub, to cause the overflow.

Log:
including /home/gdl/genode/tool/run/boot_dir/nova
including /home/gdl/genode/tool/run/power_on/qemu
including /home/gdl/genode/tool/run/log/qemu
including /home/gdl/genode/tool/run/image/iso
including /home/gdl/genode/repos/ports/run/noux_bash.run
building targets: core init drivers/timer noux/minimal lib/libc_noux
drivers/framebuffer drivers/input server/terminal server/ram_fs
test/libports/ncurses drivers/rtc drivers/platform drivers/acpi
server/report_rom drivers/platform/spec/x86/device_pd
spawn make core init drivers/timer noux/minimal lib/libc_noux
drivers/framebuffer drivers/input server/terminal server/ram_fs
test/libports/ncurses drivers/rtc drivers/platform drivers/acpi
server/report_rom drivers/platform/spec/x86/device_pd
make[1]: Entering directory '/home/gdl/genode/build.nova32'
checking library dependencies...
Skip target drivers/framebuffer/spec/exynos because it requires
exynos
Skip target drivers/framebuffer/spec/imx53 because it requires
imx53
Skip target drivers/framebuffer/spec/omap4 because it requires
omap4
Skip target drivers/framebuffer/spec/pl11x/pbxa9 because it requires
pl11x pbxa9
Skip target drivers/framebuffer/spec/rpi because it requires rpi
Skip target drivers/framebuffer/spec/sdl because it requires linux
sdl
Skip target drivers/input/spec/imx53 because it requires imx53
Skip target drivers/input/spec/ps2/pl050 because it requires
pl050
Skip target drivers/platform/spec/arndale because it requires
arndale
Skip target drivers/platform/spec/imx53 because it requires
imx53
Skip target drivers/platform/spec/odroid_x2 because it requires
odroid_x2
Skip target drivers/platform/spec/rpi because it requires rpi
 Library platform
 Library cxx
 Library syscall
 Library startup
 Library base-common
 Library core
 Program core/core
COMPILE version.o
LINK core
 Library base
 Program drivers/acpi/spec/x86/acpi_drv
 Library intel_fb_include
 Library intel_fb_drv
 Library libc-setjmp
 Library server
 Library config
 Library blit
 Program drivers/framebuffer/intel/intel_fb_drv
 Library x86emu
 Program drivers/framebuffer/vesa/fb_drv
 Program drivers/input/dummy/dummy_input_drv
 Program drivers/input/spec/ps2/x86/ps2_drv
 Program drivers/platform/spec/x86/device_pd/device_pd
 Program drivers/platform/spec/x86/platform_drv
 Program drivers/rtc/spec/x86/rtc_drv
 Library alarm
 Library timer
 Program drivers/timer/timer
 Library init_pd_args
 Program init/init
 Library libc-string
 Library libc-locale
 Library libc-stdlib
 Library libc-stdio
 Library libc-gen
 Library libc-gdtoa
 Library libc-inet
 Library libc-stdtime
 Library libc-regex
 Library libc-compat
 Library timed_semaphore
 Library ldso-startup
 Library ld
 Library vfs
 Library libc
 Library libc_noux
 Program lib/libc_noux/libc_noux
 Program noux/minimal/noux
 Program server/ram_fs/ram_fs
 Program server/report_rom/report_rom
 Program server/terminal/terminal
 Library ncurses
 Program test/libports/ncurses/test-ncurses
make[1]: Leaving directory '/home/gdl/genode/build.nova32'
genode build completed
building targets: kernel
spawn make kernel
make[1]: Entering directory '/home/gdl/genode/build.nova32'
checking library dependencies...
 Program kernel/hypervisor
make[1]: Leaving directory '/home/gdl/genode/build.nova32'
genode build completed
using NOVA kernel at /home/gdl/genode/build.nova32/kernel/hypervisor
install bootloader
creating ISO image...
spawn qemu-system-x86_64 -no-kvm -cpu core2duo -serial mon:stdio -cdrom
var/run/noux_bash.iso
Bender: Hello World.
Need 0275d000 bytes to relocate modules.
Relocating to 05883000:
Copying 358824 bytes...
Copying 423916 bytes...
Copying 341432 bytes...
Copying 489700 bytes...
Copying 599440 bytes...
Copying 435020 bytes...
Copying 415620 bytes...
Copying 19947520 bytes...
Copying 9267200 bytes...
Copying 3553280 bytes...
Copying 293864 bytes...
Copying 93584 bytes...
Copying 157940 bytes...
Copying 1039868 bytes...
Copying 423236 bytes...
Copying 494852 bytes...
Copying 423300 bytes...
Copying 624504 bytes...
Copying 401468 bytes...
Copying 416192 bytes...
Copying 4299 bytes...
Copying 910712 bytes...
Copying 110084 bytes...

NOVA Microhypervisor v7-c852537 (x86_32): Feb 28 2016 22:48:23 [gcc 4.9.2]

[ 0] CORE:0:0:0 6:f:b:0 [0] Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz
Hypervisor reports 1x1 CPU - boot CPU is 0
CPU has no invariant TSC.
Hypervisor info page contains 29 memory descriptors:
detected physical memory: 0x0000000000000000 - size: 0x9fc00
use physical memory: 0x0000000000000000 - size: 0x9f000
detected physical memory: 0x0000000000100000 - size: 0x7ee0000
use physical memory: 0x0000000000100000 - size: 0x7ee0000
map multi-boot module: physical 0x0589e000+0x000de578 - core
map multi-boot module: physical 0x0597d000+0x000010cb - config
map multi-boot module: physical 0x0597f000+0x000659c0 - init
map multi-boot module: physical 0x059e5000+0x0006203c - timer
map multi-boot module: physical 0x05a48000+0x00098778 - ld.lib.so
map multi-boot module: physical 0x05ae1000+0x00067584 - noux
map multi-boot module: physical 0x05b49000+0x00078d04 - terminal
map multi-boot module: physical 0x05bc2000+0x00067544 - ram_fs
map multi-boot module: physical 0x05c2a000+0x000fddfc - libc.lib.so
map multi-boot module: physical 0x05d28000+0x000268f4 - libm.lib.so
map multi-boot module: physical 0x05d4f000+0x00016d90 - libc_noux.lib.so
map multi-boot module: physical 0x05d66000+0x00047be8 - ncurses.lib.so
map multi-boot module: physical 0x05dae000+0x00363800 - bash.tar
map multi-boot module: physical 0x06112000+0x008d6800 - coreutils.tar
map multi-boot module: physical 0x069e9000+0x01306000 - vim.tar
map multi-boot module: physical 0x07cf0000+0x00065784 - rtc_drv
map multi-boot module: physical 0x07d56000+0x0006a34c - ps2_drv
map multi-boot module: physical 0x07dc1000+0x00092590 - fb_drv
map multi-boot module: physical 0x07e54000+0x000778e4 - platform_drv
map multi-boot module: physical 0x07ecc000+0x000535b8 - acpi_drv
map multi-boot module: physical 0x07f20000+0x000677ec - report_rom
map multi-boot module: physical 0x07f88000+0x000579a8 - device_pd
:virt_alloc: Allocator 18f91c dump:
Block: [00002000,00069000) size=00067000 avail=00067000 max_avail=00067000
Block: [00069000,0006a000) size=00001000 avail=00000000 max_avail=00067000
Block: [0006a000,0007c000) size=00012000 avail=00012000 max_avail=00067000
Block: [0007c000,0007d000) size=00001000 avail=00000000 max_avail=00000000
Block: [0007d000,0007e000) size=00001000 avail=00000000 max_avail=00067000
Block: [0007e000,0007f000) size=00001000 avail=00000000 max_avail=00000000
Block: [0007f000,00080000) size=00001000 avail=00000000 max_avail=00000000
Block: [00080000,00081000) size=00001000 avail=00000000 max_avail=00000000
Block: [00081000,00082000) size=00001000 avail=00000000 max_avail=00000000
Block: [00082000,00083000) size=00001000 avail=00000000 max_avail=00000000
Block: [00083000,00084000) size=00001000 avail=00000000 max_avail=00067000
Block: [00084000,00086000) size=00002000 avail=00000000 max_avail=00000000
Block: [00086000,00087000) size=00001000 avail=00000000 max_avail=00000000
Block: [00087000,00088000) size=00001000 avail=00000000 max_avail=00000000
Block: [00088000,00089000) size=00001000 avail=00000000 max_avail=00000000
Block: [00089000,0008a000) size=00001000 avail=00000000 max_avail=00000000
Block: [0008a000,0008b000) size=00001000 avail=00000000 max_avail=00000000
Block: [0008b000,0008c000) size=00001000 avail=00000000 max_avail=00000000
Block: [0008c000,0008d000) size=00001000 avail=00000000 max_avail=00000000
Block: [0008d000,0008e000) size=00001000 avail=00000000 max_avail=00067000
Block: [0008e000,0008f000) size=00001000 avail=00000000 max_avail=00000000
Block: [0008f000,00090000) size=00001000 avail=00000000 max_avail=00000000
Block: [00090000,00091000) size=00001000 avail=00000000 max_avail=00007000
Block: [00091000,00092000) size=00001000 avail=00000000 max_avail=00000000
Block: [00092000,00093000) size=00001000 avail=00000000 max_avail=00000000
Block: [00093000,00094000) size=00001000 avail=00000000 max_avail=00007000
Block: [00094000,00095000) size=00001000 avail=00000000 max_avail=00000000
Block: [00095000,0009c000) size=00007000 avail=00007000 max_avail=00007000
Block: [0009c000,0009d000) size=00001000 avail=00000000 max_avail=00000000
Block: [0009d000,0009e000) size=00001000 avail=00000000 max_avail=00007000
Block: [0009e000,0009f000) size=00001000 avail=00000000 max_avail=00000000
Block: [0009f000,000a0000) size=00001000 avail=00000000 max_avail=00000000
Block: [000a0000,000a1000) size=00001000 avail=00000000 max_avail=00000000
Block: [000a1000,000a2000) size=00001000 avail=00000000 max_avail=00000000
Block: [000a2000,000a3000) size=00001000 avail=00000000 max_avail=9fd40000
Block: [000a3000,000bb000) size=00018000 avail=00018000 max_avail=00018000
Block: [000bb000,000bc000) size=00001000 avail=00000000 max_avail=00018000
Block: [000bc000,000bd000) size=00001000 avail=00000000 max_avail=00000000
Block: [000bd000,000cb000) size=0000e000 avail=0000e000 max_avail=0000e000
Block: [000cb000,000cc000) size=00001000 avail=00000000 max_avail=00033000
Block: [000cc000,000cd000) size=00001000 avail=00000000 max_avail=00000000
Block: [000cd000,00100000) size=00033000 avail=00033000 max_avail=00033000
Block: [001de000,001df000) size=00001000 avail=00000000 max_avail=00000000
Block: [001df000,001e0000) size=00001000 avail=00000000 max_avail=00033000
Block: [001e0000,001e1000) size=00001000 avail=00000000 max_avail=00000000
Block: [001e1000,001e2000) size=00001000 avail=00000000 max_avail=00000000
Block: [001e2000,001e3000) size=00001000 avail=00000000 max_avail=9fd40000
Block: [001e3000,001e4000) size=00001000 avail=00000000 max_avail=00000000
Block: [001e4000,00246000) size=00062000 avail=00062000 max_avail=00062000
Block: [00246000,00247000) size=00001000 avail=00000000 max_avail=00077000
Block: [00247000,002be000) size=00077000 avail=00077000 max_avail=00077000
Block: [002be000,002bf000) size=00001000 avail=00000000 max_avail=9fd40000
Block: [002bf000,002c0000) size=00001000 avail=00000000 max_avail=00000000
Block: [002c0000,a0000000) size=9fd40000 avail=9fd40000 max_avail=9fd40000
Block: [b0000000,bfeff000) size=0feff000 avail=0feff000 max_avail=0feff000
Block: [bff04000,bfffd000) size=000f9000 avail=000f9000 max_avail=000f9000
=> mem_size=2951839744 (2815 MB) / mem_avail=2951651328 (2814 MB)
:phys_alloc: Allocator 18e8b8 dump:
Block: [00001000,00002000) size=00001000 avail=00000000 max_avail=00000000
Block: [00002000,00003000) size=00001000 avail=00000000 max_avail=00000000
Block: [00003000,00004000) size=00001000 avail=00000000 max_avail=00000000
Block: [00004000,00005000) size=00001000 avail=00000000 max_avail=00000000
Block: [00005000,00006000) size=00001000 avail=00000000 max_avail=00000000
Block: [00006000,00007000) size=00001000 avail=00000000 max_avail=00000000
Block: [00007000,00008000) size=00001000 avail=00000000 max_avail=00000000
Block: [00008000,00009000) size=00001000 avail=00000000 max_avail=00000000
Block: [00009000,0000a000) size=00001000 avail=00000000 max_avail=00000000
Block: [0000a000,0000b000) size=00001000 avail=00000000 max_avail=00000000
Block: [0000b000,0000c000) size=00001000 avail=00000000 max_avail=00000000
Block: [0000c000,0000d000) size=00001000 avail=00000000 max_avail=00000000
Block: [0000d000,0000e000) size=00001000 avail=00000000 max_avail=00000000
Block: [0000e000,0000f000) size=00001000 avail=00000000 max_avail=00000000
Block: [0000f000,00010000) size=00001000 avail=00000000 max_avail=00000000
Block: [00010000,00011000) size=00001000 avail=00000000 max_avail=00000000
Block: [00011000,00012000) size=00001000 avail=00000000 max_avail=00000000
Block: [00012000,00013000) size=00001000 avail=00000000 max_avail=00000000
Block: [00013000,00014000) size=00001000 avail=00000000 max_avail=00000000
Block: [00014000,00015000) size=00001000 avail=00000000 max_avail=00000000
Block: [00015000,00016000) size=00001000 avail=00000000 max_avail=00000000
Block: [00016000,00017000) size=00001000 avail=00000000 max_avail=00000000
Block: [00017000,00018000) size=00001000 avail=00000000 max_avail=00000000
Block: [00018000,00019000) size=00001000 avail=00000000 max_avail=0309e000
Block: [00019000,0001a000) size=00001000 avail=00000000 max_avail=00000000
Block: [0001a000,0001b000) size=00001000 avail=00000000 max_avail=00000000
Block: [0001b000,0001c000) size=00001000 avail=00000000 max_avail=00000000
Block: [0001c000,0001d000) size=00001000 avail=00000000 max_avail=00000000
Block: [0001d000,0001e000) size=00001000 avail=00000000 max_avail=00000000
Block: [0001e000,0001f000) size=00001000 avail=00000000 max_avail=00000000
Block: [0001f000,00020000) size=00001000 avail=00000000 max_avail=00000000
Block: [00020000,00021000) size=00001000 avail=00000000 max_avail=00000000
Block: [00021000,00022000) size=00001000 avail=00000000 max_avail=00000000
Block: [00022000,00023000) size=00001000 avail=00000000 max_avail=00000000
Block: [00023000,00024000) size=00001000 avail=00000000 max_avail=00000000
Block: [00024000,00025000) size=00001000 avail=00000000 max_avail=0309e000
Block: [00025000,00026000) size=00001000 avail=00000000 max_avail=00000000
Block: [00026000,00027000) size=00001000 avail=00000000 max_avail=00000000
Block: [00027000,00028000) size=00001000 avail=00000000 max_avail=00000000
Block: [00028000,00029000) size=00001000 avail=00000000 max_avail=00000000
Block: [00029000,0002a000) size=00001000 avail=00000000 max_avail=00000000
Block: [0002a000,0002b000) size=00001000 avail=00000000 max_avail=0309e000
Block: [0002b000,0002c000) size=00001000 avail=00000000 max_avail=00000000
Block: [0002c000,0009f000) size=00073000 avail=00073000 max_avail=00073000
Block: [00100000,00101000) size=00001000 avail=00000000 max_avail=0309e000
Block: [00101000,00102000) size=00001000 avail=00000000 max_avail=00000000
Block: [00102000,00400000) size=002fe000 avail=002fe000 max_avail=0309e000
Block: [02800000,0589e000) size=0309e000 avail=0309e000 max_avail=0309e000
=> mem_size=54771712 (52 MB) / mem_avail=54587392 (52 MB)
:io_mem_alloc: Allocator 19098c dump:
Block: [00000000,00001000) size=00001000 avail=00001000 max_avail=00001000
Block: [0009f000,00100000) size=00061000 avail=00061000 max_avail=f801f000
Block: [07fe0000,fffff000) size=f801f000 avail=f801f000 max_avail=f801f000
=> mem_size=4161277952 (3968 MB) / mem_avail=4161277952 (3968 MB)
Genode 15.11-141-g2936cbe <local changes>
int main(): --- create local services ---
int main(): --- start init ---
int main(): transferred 51 MB to init
[init] parent provides
[init] service "ROM"
[init] service "LOG"
[init] service "CAP"
[init] service "RAM"
[init] service "RM"
[init] service "CPU"
[init] service "PD"
[init] service "IRQ"
[init] service "IO_PORT"
[init] service "IO_MEM"
[init] service "SIGNAL"
[init] child "timer"
[init] RAM quota: 876544
[init] ELF binary: timer
[init] priority: 0
[init] provides service Timer
[init] child "rtc_drv"
[init] RAM quota: 876544
[init] ELF binary: rtc_drv
[init] priority: 0
[init] provides service Rtc
[init] child "acpi_drv"
[init] RAM quota: 1925120
[init] ELF binary: acpi_drv
[init] priority: 0
Quota exceeded! amount=24576, size=4096, consumed=24576
[init] upgrading quota donation for Env::CPU (8192 bytes)
[init] child "acpi_report_rom"
[init] RAM quota: 1925120
[init] ELF binary: report_rom
[init] priority: 0
[init] provides service ROM
[init] provides service Report
[init] child "platform_drv"
[init] RAM quota: 4022272
[init] ELF binary: platform_drv
[init] priority: 0
[init] provides service Platform
Quota exceeded! amount=32768, size=4096, consumed=32768
[init] upgrading quota donation for Env::CPU (8192 bytes)
[init] child "fb_drv"
[init] RAM quota: 4022272
[init] ELF binary: fb_drv
[init] priority: 0
[init] provides service Framebuffer
[init] child "ps2_drv"
[init] RAM quota: 876544
[init] ELF binary: ps2_drv
[init] priority: 0
[init] provides service Input
Quota exceeded! amount=40960, size=4096, consumed=40960
[init] upgrading quota donation for Env::CPU (8192 bytes)
[init] child "terminal"
[init] RAM quota: 1925120
[init] ELF binary: terminal
[init] priority: 0
[init] provides service Terminal
[init] child "ram_fs"
[init] RAM quota: 10313728
[init] ELF binary: ram_fs
[init] priority: 0
[init] provides service File_system
[init] Warning: Specified quota exceeds available quota.
[init] Proceeding with a quota of 24858624.
Quota exceeded! amount=49152, size=4096, consumed=49152
[init] upgrading quota donation for Env::CPU (8192 bytes)
[init] child "noux"
[init] RAM quota: 24686592
[init] ELF binary: noux
[init] priority: 0
[init] child "timer" announces service "Timer"
[init -> terminal] int main(int, char**): --- terminal service started
---
[init] child "acpi_report_rom" announces service "Report"
[init] child "acpi_report_rom" announces service "ROM"
[init -> platform_drv] platform driver started
[init -> acpi_report_rom] parsing legacy <rom> policies
[init -> noux] --- noux started ---
[init -> acpi_drv] void Acpi_table::_parse_tables(T*, Genode::uint32_t)
[with T = unsigned int; Genode::uint32_t = unsigned int]: Found
MADT
[init -> acpi_drv] MADT IRQ 0 -> GSI 2 flags: 0
[init -> acpi_drv] MADT IRQ 5 -> GSI 5 flags: d
[init -> acpi_drv] MADT IRQ 9 -> GSI 9 flags: d
[init -> acpi_drv] MADT IRQ 10 -> GSI 10 flags: d
[init -> acpi_drv] MADT IRQ 11 -> GSI 11 flags: d
[init] child "ram_fs" announces service "File_system"
[init -> noux] tar archive 'coreutils.tar' local at 100000, size is
9269248
[init -> noux] tar archive 'vim.tar' local at b0000000, size is
19947520
[init] child "rtc_drv" announces service "Rtc"
[init] child "platform_drv" announces service "Platform"
[init -> fb_drv] int Framebuffer_drv::map_io_mem(Genode::addr_t,
Genode::size_t, bool, void**, Genode::addr_t,
Genode::Dataspace_capability*): fb mapped to 1000
[init] child "fb_drv" announces service "Framebuffer"
[init -> fb_drv] Could not open ROM session for module "config"
[init -> fb_drv] Could not obtain config file
[init -> ps2_drv] Could not open ROM session for module "config"
[init -> ps2_drv] Could not obtain config file
[init -> ps2_drv] Using keyboard with scan code set 1 (xlate).
[init -> ps2_drv] Detected ExPS/2 mouse - activating scroll-wheel and
5-button support.
[init -> platform_drv] PS2 uses IRQ, vector 0x1
[init -> noux] tar archive 'bash.tar' local at a00000, size is
3555328
[init -> platform_drv] PS2 uses IRQ, vector 0xc
[init] child "ps2_drv" announces service "Input"
[init -> noux] stdin VFS path not defined, connecting to Terminal
session
[init -> fb_drv] Found: VESA BIOS version 3.0
[init -> fb_drv] OEM: SeaBIOS VBE(C) 2011
[init -> fb_drv] Found: physical frame buffer at 0xfd000000 size: 0x01000000
[init -> fb_drv] int Framebuffer_drv::map_io_mem(Genode::addr_t,
Genode::size_t, bool, void**, Genode::addr_t,
Genode::Dataspace_capability*): fb mapped to b0000000
[init -> fb_drv] Using video mode: 2560 x 1600 x 16
[init -> terminal] cell size is 6x14
[init] child "terminal" announces service "Terminal"
[init -> terminal] create terminal session
[init -> terminal] new terminal session:
[init -> terminal] framebuffer has 2560x1600 pixels
[init -> terminal] character size is 6x14 pixels
[init -> terminal] terminal size is 426x114 characters
[init -> noux] stdout VFS path not defined, connecting to Terminal
session
[init -> noux] stderr VFS path not defined, connecting to Terminal
session
int main(): --- init created, waiting for exit condition ---
Quota exceeded! amount=24576, size=4096, consumed=24576
[init -> noux] upgrading quota donation for Env::CPU (8192 bytes)
[init -> terminal] Error: escape stack overflow
[init -> terminal] --- escape stack follows ---
[init -> terminal] CODE 141 (0x8d '')
[init -> terminal] CODE 78 (0x4e 'N')
[init -> terminal] CODE 1 (0x1 '')
[init -> terminal] CODE 141 (0x8d '')
[init -> terminal] CODE 92 (0x5c '\')
[init -> terminal] CODE 30 (0x1e '')
[init -> terminal] CODE 255 (0xff 'ÿ')
[init -> terminal] CODE 141 (0x8d '')
[init -> terminal] CODE 116 (0x74 't')
[init -> terminal] CODE 38 (0x26 '&')
[init -> terminal] CODE 0 (0x0 '
[init -> terminal] CODE 64 (0x40 '@')
[init -> terminal] NUMBER 9 (0x9 ' ')
[init -> terminal] CODE 217 (0xd9 '
Makefile:246: recipe for target 'run/noux_bash' failed
e***@vfemail.net
2016-03-02 09:03:14 UTC
Post by Gregory Disney
Hey,
This seems to be an escape stack overflow, which crashes the kernel. All
that a user has to do is run cat tmp/bblub, which I believe is a link to
/ram/tmp/bblub, to cause the overflow.
An 'escape stack overflow' isn't too serious: the terminal has a fixed-size
buffer of terminal escape sequences, and it can't keep up when it gets the
random assortment of escape characters in /tmp/bblub.

But if it is crashing the terminal or something else then that would
be bad.

Emery
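The failure mode Emery describes above, as an added illustration that is not Genode's terminal code and makes no claim about how that parser is structured: a minimal CSI-style escape-sequence parser with a fixed-size escape stack (the 16-entry capacity, the state machine and the CODE/NUMBER entry kinds are assumptions chosen for the example). Feeding it arbitrary bytes, such as a run of the 0x8d bytes visible in the posted stack dump, fills the stack; rather than aborting the terminal, the parser logs the event, drops the half-parsed sequence and resynchronises to its ground state, so the next well-formed sequence is still handled. The sample input is constructed inline.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class Entry_type { Code, Number };

struct Entry { Entry_type type; int value; };

struct Stats
{
    unsigned completed;   /* sequences parsed up to their final byte   */
    unsigned overflows;   /* sequences dropped because the stack filled */
    unsigned printable;   /* bytes handled as ordinary characters       */
};

class Escape_parser
{
    public:
        /* assumption: a small fixed capacity, like a real terminal emulator */
        static constexpr std::size_t STACK_SIZE = 16;

    private:
        enum class State { Ground, Escape, Csi };

        State       _state     = State::Ground;
        Entry       _stack[STACK_SIZE];
        std::size_t _depth     = 0;
        int         _number    = 0;
        bool        _in_number = false;
        Stats       _stats { 0, 0, 0 };

        void _reset()
        {
            _depth = 0; _number = 0; _in_number = false;
            _state = State::Ground;
        }

        /* returns false when the current sequence had to be dropped */
        bool _push(Entry_type type, int value)
        {
            if (_depth == STACK_SIZE) {
                /* graceful path: log, discard the sequence, resynchronise */
                std::fprintf(stderr, "escape stack overflow, dropping sequence\n");
                _stats.overflows++;
                _reset();
                return false;
            }
            _stack[_depth++] = Entry { type, value };
            return true;
        }

        bool _flush_number()
        {
            if (!_in_number) return true;
            _in_number = false;
            int n = _number; _number = 0;
            return _push(Entry_type::Number, n);
        }

        void _complete(std::uint8_t final_byte)
        {
            if (!_flush_number()) return;
            if (!_push(Entry_type::Code, final_byte)) return;
            /* a real terminal would dispatch _stack[0.._depth) here */
            _stats.completed++;
            _reset();
        }

    public:
        void feed(std::uint8_t b)
        {
            switch (_state) {
            case State::Ground:
                if (b == 0x1b) _state = State::Escape;
                else           _stats.printable++;
                return;
            case State::Escape:
                if (b == '[') { _state = State::Csi; return; }
                _complete(b);                         /* two-byte sequence, e.g. ESC c */
                return;
            case State::Csi:
                if (b >= '0' && b <= '9') {           /* numeric parameter, bounded */
                    _in_number = true;
                    if (_number < 100000) _number = _number * 10 + (b - '0');
                    return;
                }
                if (b >= 0x40 && b <= 0x7e) { _complete(b); return; }   /* final byte */
                if (!_flush_number()) return;
                _push(Entry_type::Code, b);           /* separators, and any junk byte */
                return;
            }
        }

        Stats stats() const { return _stats; }
};

Stats run(const std::vector<std::uint8_t> &bytes)
{
    Escape_parser p;
    for (std::uint8_t b : bytes) p.feed(b);
    return p.stats();
}

/* constructed sample: a valid clear-screen, then ESC [ followed by twenty
   0x8d bytes like those in the posted dump, then a valid cursor-home */
std::vector<std::uint8_t> constructed_input()
{
    std::vector<std::uint8_t> v = { 0x1b, '[', '2', 'J', 0x1b, '[' };
    for (int i = 0; i < 20; i++) v.push_back(0x8d);
    for (char c : std::string("\x1b[1;1H")) v.push_back(static_cast<std::uint8_t>(c));
    return v;
}

int main()
{
    Stats s = run(constructed_input());
    std::printf("completed=%u overflows=%u printable=%u\n",
                s.completed, s.overflows, s.printable);
    return 0;
}
```

With the sample above the first clear-screen completes, the seventeenth junk byte overflows the 16-entry stack and is dropped together with the sequence, the three remaining 0x8d bytes fall through as ordinary characters, and the trailing cursor-home still completes: two completed sequences, one overflow, three printable bytes. The point is the recovery path in _push: a fixed-size stack is fine, but hitting its limit on untrusted input must reset the parser, not stop the terminal.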
