Date: Wed, 29 Nov 1995 10:37:51 +0100 (MET) From: grog@lemis.de (Greg Lehey) To: sos@FreeBSD.ORG Cc: hackers@FreeBSD.ORG (FreeBSD Hackers) Subject: Re: Documentation.. Message-ID: <199511290937.KAA16680@allegro.lemis.de> In-Reply-To: <199511290900.KAA01221@ra.dkuug.dk> from "sos@FreeBSD.ORG" at Nov 29, 95 10:00:32 am
next in thread | previous in thread | raw e-mail | index | archive | help
sos@FreeBSD.ORG writes:
>
> In reply to Julian Elischer who wrote:
> > It'd be interesting to see what they were trying to achieve....
> > anyone know WHY it SEGV's?
> > what does ktrace say?
> > gdb?
>
> They are probably loading their shared libs....
No, it's definitely looking in the psp structure. After more careful
analysis, it's not psp->ps_envp, it's *psp->ps_argv. psp is
struct ps_strings
{
char **ps_argv;
int ps_argc;
char **ps_envp;
int ps_nenv;
};
Here's the code:
0x1020: movl %ebx,0x67094
0x1026: jmp 0x102c <start>
0x1028: addb %al,(%eax)
0x102a: addb %al,(%eax)
0x102c <start>: pushl %ebp
0x102d <start+1>: movl %esp,%ebp
0x102f <start+3>: pushl %esi
0x1030 <start+4>: pushl %ebx
0x1031 <start+5>: cmpl $0x0,0x67094 is __ps_strings initialized?
0x1038 <start+12>: jne 0x1044 <start+24> yes, OK
0x103a <start+14>: movl $0xefbfdff0,0x67094 no, set to BSD/386 1.1 offset
0x1044 <start+24>: movl 0x67094,%esi set %esi to __ps_strings
0x104a <start+30>: movl 0x8(%esi),%edx get offset 8 (ps_envp)
0x104d <start+33>: movl %edx,0x6a548 store in environ
0x1053 <start+39>: movl (%esi),%eax address of psp->ps_argv
0x1055 <start+41>: movl (%eax),%ebx <- bombs out here
(gdb) i reg
eax 0x0 0 <- understandable
ecx 0x0 0
edx 0x0 0
ebx 0x0 0
esp 0xefbfd578 0xefbfd578
ebp 0xefbfd580 0xefbfd580
esi 0xefbfdff0 -272637968
edi 0x0 0
eip 0x1055 0x1055
ps 0x246 582
cs 0x1f 31
ss 0x27 39
ds 0x27 39
es 0x27 39
Greg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199511290937.KAA16680>