From owner-freebsd-hackers  Wed Nov 29 01:58:02 1995
Return-Path: owner-hackers
Received: (from root@localhost)
          by freefall.freebsd.org (8.6.12/8.6.6) id BAA26296
          for hackers-outgoing; Wed, 29 Nov 1995 01:58:02 -0800
Received: from cls.net (freeside.cls.de [192.129.50.1])
          by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id BAA26288
          ; Wed, 29 Nov 1995 01:57:54 -0800
Received: by mail.cls.net (Smail3.1.29.1)
	  from allegro.lemis.de (192.109.197.134) with smtp
	  id <m0tKjH6-0011j7C@cls.net>; Wed, 29 Nov 95 09:58 GMT
From: grog@lemis.de (Greg Lehey)
Organisation: LEMIS, Schellnhausen 2, 36325 Feldatal, Germany
Phone: +49-6637-919123
Fax:   +49-6637-919122
Reply-To: grog@lemis.de (Greg Lehey)
Received: (grog@localhost) by allegro.lemis.de (8.6.9/8.6.9) 
	id KAA16680; Wed, 29 Nov 1995 10:37:52 +0100
Message-Id: <199511290937.KAA16680@allegro.lemis.de>
Subject: Re: Documentation..
To: sos@FreeBSD.ORG
Date: Wed, 29 Nov 1995 10:37:51 +0100 (MET)
Cc: hackers@FreeBSD.ORG (FreeBSD Hackers)
In-Reply-To: <199511290900.KAA01221@ra.dkuug.dk> from "sos@FreeBSD.ORG" at Nov 29, 95 10:00:32 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 1775      
Sender: owner-hackers@FreeBSD.ORG
Precedence: bulk

sos@FreeBSD.ORG writes:
> 
> In reply to Julian Elischer who wrote:
> > It'd be interesting to see what they were trying to achieve....
> > anyone know WHY it SEGV's?
> > what does ktrace say?
> > gdb?
> 
> They are probably loading their shared libs....

No, it's definitely looking in the psp structure.  After more careful
analysis, it's not psp->ps_envp, it's *psp->ps_argv.  psp is

struct ps_strings
  {
  char **ps_argv;
  int ps_argc;
  char **ps_envp;
  int ps_nenv;
  };

Here's the code:

0x1020: movl   %ebx,0x67094
0x1026: jmp    0x102c <start>
0x1028: addb   %al,(%eax)
0x102a: addb   %al,(%eax)
0x102c <start>: pushl  %ebp
0x102d <start+1>:       movl   %esp,%ebp
0x102f <start+3>:       pushl  %esi
0x1030 <start+4>:       pushl  %ebx
0x1031 <start+5>:       cmpl   $0x0,0x67094	is __ps_strings initialized?
0x1038 <start+12>:      jne    0x1044 <start+24>  yes, OK
0x103a <start+14>:      movl   $0xefbfdff0,0x67094  no, set to BSD/386 1.1 offset
0x1044 <start+24>:      movl   0x67094,%esi     set %esi to __ps_strings
0x104a <start+30>:      movl   0x8(%esi),%edx   get offset 8 (ps_envp)
0x104d <start+33>:      movl   %edx,0x6a548     store in environ
0x1053 <start+39>:      movl   (%esi),%eax      address of psp->ps_argv
0x1055 <start+41>:      movl   (%eax),%ebx  <- bombs out here

(gdb) i reg
eax            0x0      0		    <- understandable
ecx            0x0      0
edx            0x0      0
ebx            0x0      0
esp            0xefbfd578       0xefbfd578
ebp            0xefbfd580       0xefbfd580
esi            0xefbfdff0       -272637968
edi            0x0      0
eip            0x1055   0x1055
ps             0x246    582
cs             0x1f     31
ss             0x27     39
ds             0x27     39
es             0x27     39

Greg