When sbrk() returns a pointer to an address that is the beginning of the heap, are the addresses ascending or descending? For example, if I had a 10 byte heap from addresses 1 to 10, would sbrk() return a pointer to address 10 or 1?
On a similar note, heap addresses tend to grow "down"... but how can I figure out whether the addresses increase or decrease on my computer?
The man page on Mac OS X says:
The brk and sbrk functions are historical curiosities left over from earlier days before the
advent of virtual memory management.
The current value of the program break is reliably returned by sbrk(0).
The sbrk function returns a pointer to the base of the
new storage if successful; otherwise -1 with errno set to indicate why the allocation failed.
Suppose you use:
void *base = sbrk(1024);
After that, assuming no error, base will contain the starting address of a 1024 byte (minimum) block of memory; (char *)base + 1024 will be beyond what you requested, though it may still be valid since the page size may be larger than 1024.
It doesn't say directly whether a subsequent allocation will have a larger or smaller address than another. However, it is likely to be in increasing order of addresses.
The brk() function sets the break or lowest address of a
process's data segment (uninitialized data) to addr (immediately above bss). Data addressing
is restricted between addr and the lowest stack pointer to the stack segment. Memory is allocated by brk in page size pieces; if addr is not evenly divisible by the system page size, it
is increased to the next page boundary.
This implies that the extra space is after the data and bss segments, and grows up towards the stack (which grows downwards in memory). However, relying on that would probably be foolhardy. You'd do best to use sbrk(0) to establish the current end after calling sbrk(extra) to get extra space; this will tell you what you really got and the two addresses tell you where it was made available.
If you are on Linux, you can examine /proc/$PID/maps to see how the virtual address space is utilized for each process.
Sample code: mappingTest.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int foo(int depth) {
char buf[8192];
if (0 == depth)
printf("%p\n", buf);
if (1000 < depth) {
printf("%p\n", buf);
return getchar();
} else {
return 1 + foo(depth + 1);
}
}
int main() {
const size_t SIZE = 1000 * 1000 * 1000;
getchar();
char * const p = malloc(SIZE);
printf("%p\n", p);
getchar();
free(p);
getchar();
foo(0);
return 0;
}
Note: char buf[8192] and recursion of 1000 times assume that the maximum stack size is 8 MB (you can confirm with ulimit -s.)
$ gcc mappingTest.c -o mappingTest -Wall -Wextra -Wno-missing-field-initializers -std=c89 -O0 -g3 && echo OK
OK
$ ./mappingTest
At the 1st getchar(), we see the following memory mappings for the process:
$ cat /proc/`pidof mappingTest`/maps
00400000-00401000 r-xp 00000000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
00600000-00601000 r--p 00000000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
00601000-00602000 rw-p 00001000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
7f2e96e8a000-7f2e9703f000 r-xp 00000000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e9703f000-7f2e9723f000 ---p 001b5000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e9723f000-7f2e97243000 r--p 001b5000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e97243000-7f2e97245000 rw-p 001b9000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e97245000-7f2e9724a000 rw-p 00000000 00:00 0
7f2e9724a000-7f2e9726c000 r-xp 00000000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7f2e97443000-7f2e97446000 rw-p 00000000 00:00 0
7f2e97469000-7f2e9746c000 rw-p 00000000 00:00 0
7f2e9746c000-7f2e9746d000 r--p 00022000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7f2e9746d000-7f2e9746f000 rw-p 00023000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7fffa6d43000-7fffa6d64000 rw-p 00000000 00:00 0 [stack]
7fffa6dff000-7fffa6e00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
We hit Enter and proceed to the 2nd getchar().
I got 0x7f2e5b4dd010 on my terminal as the value of p and it falls within the first anonymous mapping region 7f2e5b4dd000-7f2e96e8a000 in the below listing, but it didin't exist in the above listing.
$ cat /proc/`pidof mappingTest`/maps
00400000-00401000 r-xp 00000000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
00600000-00601000 r--p 00000000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
00601000-00602000 rw-p 00001000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
7f2e5b4dd000-7f2e96e8a000 rw-p 00000000 00:00 0
7f2e96e8a000-7f2e9703f000 r-xp 00000000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e9703f000-7f2e9723f000 ---p 001b5000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e9723f000-7f2e97243000 r--p 001b5000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e97243000-7f2e97245000 rw-p 001b9000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e97245000-7f2e9724a000 rw-p 00000000 00:00 0
7f2e9724a000-7f2e9726c000 r-xp 00000000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7f2e97443000-7f2e97446000 rw-p 00000000 00:00 0
7f2e97468000-7f2e9746c000 rw-p 00000000 00:00 0
7f2e9746c000-7f2e9746d000 r--p 00022000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7f2e9746d000-7f2e9746f000 rw-p 00023000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7fffa6d43000-7fffa6d64000 rw-p 00000000 00:00 0 [stack]
7fffa6dff000-7fffa6e00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
We hit Enter and proceed to the 3rd getchar().
In the below listing, we see the anonymous mapping region disappeared due to free().
$ cat /proc/`pidof mappingTest`/maps
00400000-00401000 r-xp 00000000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
00600000-00601000 r--p 00000000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
00601000-00602000 rw-p 00001000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
7f2e96e8a000-7f2e9703f000 r-xp 00000000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e9703f000-7f2e9723f000 ---p 001b5000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e9723f000-7f2e97243000 r--p 001b5000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e97243000-7f2e97245000 rw-p 001b9000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e97245000-7f2e9724a000 rw-p 00000000 00:00 0
7f2e9724a000-7f2e9726c000 r-xp 00000000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7f2e97443000-7f2e97446000 rw-p 00000000 00:00 0
7f2e97468000-7f2e9746c000 rw-p 00000000 00:00 0
7f2e9746c000-7f2e9746d000 r--p 00022000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7f2e9746d000-7f2e9746f000 rw-p 00023000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7fffa6d43000-7fffa6d64000 rw-p 00000000 00:00 0 [stack]
7fffa6dff000-7fffa6e00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
We hit Enter and proceed to the 4th getchar() in the deeply nested calls of foo().
I got 0x7fffa6d60ba0 and 0x7fffa6582ff0 on my terminal as the addresses of buf in the 1st and 1001st recursive call of foo(). Both of them fall within the [stack] region (7fffa6582000-7fffa6d64000; 0x7e2000 == 8 MB) now. But note that it was previously 7fffa6d43000-7fffa6d64000; 0x21000 == 132 KB.
$ cat /proc/`pidof mappingTest`/maps
00400000-00401000 r-xp 00000000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
00600000-00601000 r--p 00000000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
00601000-00602000 rw-p 00001000 08:05 21687266 /home/nodakai/prog/exp/mappingTest
7f2e96e8a000-7f2e9703f000 r-xp 00000000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e9703f000-7f2e9723f000 ---p 001b5000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e9723f000-7f2e97243000 r--p 001b5000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e97243000-7f2e97245000 rw-p 001b9000 08:05 14314431 /lib/x86_64-linux-gnu/libc-2.15.so
7f2e97245000-7f2e9724a000 rw-p 00000000 00:00 0
7f2e9724a000-7f2e9726c000 r-xp 00000000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7f2e97443000-7f2e97446000 rw-p 00000000 00:00 0
7f2e97468000-7f2e9746c000 rw-p 00000000 00:00 0
7f2e9746c000-7f2e9746d000 r--p 00022000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7f2e9746d000-7f2e9746f000 rw-p 00023000 08:05 14314443 /lib/x86_64-linux-gnu/ld-2.15.so
7fffa6582000-7fffa6d64000 rw-p 00000000 00:00 0 [stack]
7fffa6dff000-7fffa6e00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
You may have more fun with inline assembly like this:
#define PEEK_ESP(reg) \
__asm__ __volatile__ ( \
"movq %%rsp, %0" \
: "=r"(reg) \
)
...
void *p;
PEEK_ESP(p);
Related
I have a program, where I am injecting a fault and I am expecting this to cause a segmentation fault. The problem I am facing is that for a fault such as:
char *str = malloc(sizeof(char)*10);
free(str+1);
I get the following printed in the shell:
*** Error in `./tests': free(): invalid pointer: 0x0000000002442574 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x80996)[0x2abd5ff5b996]
./tests[0x401558]
./tests[0x401735]
./tests[0x402211]
./tests[0x402c1b]
./tests[0x4013fd]
./tests[0x4014a2]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x2abd5fefcde5]
./tests[0x4011c9]
======= Memory map: ========
00400000-00407000 r-xp 00000000 08:05 13109176 /home/jay/Desktop/Mutate/Mutate/CMeanQueue-master/tests
00606000-00607000 r--p 00006000 08:05 13109176 /home/jay/Desktop/Mutate/Mutate/CMeanQueue-master/tests
00607000-00608000 rw-p 00007000 08:05 13109176 /home/jay/Desktop/Mutate/Mutate/CMeanQueue-master/tests
00608000-0060a000 rw-p 00000000 00:00 0
02440000-02461000 rw-p 00000000 00:00 0 [heap]
2abd5fcb7000-2abd5fcd8000 r-xp 00000000 08:05 11274438 /lib64/ld-2.17.so
2abd5fcd8000-2abd5fcdb000 rw-p 00000000 00:00 0
2abd5fcef000-2abd5fcf2000 rw-p 00000000 00:00 0
2abd5fed8000-2abd5fed9000 r--p 00021000 08:05 11274438 /lib64/ld-2.17.so
2abd5fed9000-2abd5fedb000 rw-p 00022000 08:05 11274438 /lib64/ld-2.17.so
2abd5fedb000-2abd60098000 r-xp 00000000 08:05 6164261 /lib/x86_64-linux-gnu/libc-2.17.so
2abd60098000-2abd60298000 ---p 001bd000 08:05 6164261 /lib/x86_64-linux-gnu/libc-2.17.so
2abd60298000-2abd6029c000 r--p 001bd000 08:05 6164261 /lib/x86_64-linux-gnu/libc-2.17.so
2abd6029c000-2abd6029e000 rw-p 001c1000 08:05 6164261 /lib/x86_64-linux-gnu/libc-2.17.so
2abd6029e000-2abd602a3000 rw-p 00000000 00:00 0
2abd602a3000-2abd602b8000 r-xp 00000000 08:05 6160389 /lib/x86_64-linux-gnu/libgcc_s.so.1
2abd602b8000-2abd604b7000 ---p 00015000 08:05 6160389 /lib/x86_64-linux-gnu/libgcc_s.so.1
2abd604b7000-2abd604b8000 r--p 00014000 08:05 6160389 /lib/x86_64-linux-gnu/libgcc_s.so.1
2abd604b8000-2abd604b9000 rw-p 00015000 08:05 6160389 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fffee8c6000-7fffee8e7000 rw-p 00000000 00:00 0 [stack]
7fffee993000-7fffee995000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Now, what I am looking to do is hide this from the display, since I am making a fault injection tool, I am aware of this happening and do not want such an output to ruin the GUI for the user. I have tried to redirect the stderror to file 2) change unlimit to 0 and nothing works.
NOTE:: I am injecting this problem into a code myself, hence please do not suggest to fix the error. My aim is to hide this from printing on the shell.
THanks
Solved for the above example using:
#export MALLOC_CHECK_=0
http://kb.parallels.com/en/4611
Try changing your kernel log level to limit what it prints.
something like:
bash$ echo "0 0 0 0" > /proc/sys/kernel/printk
Great write up here: Change default console loglevel during boot up
In a complex program, I am encountering a stack smashing error, pasted below. I'm having trouble to find out where it happens. I located the function using printf-debugging, and noticed that the check actually happens during function return (the printf just before the return is executed, the one just after the function call is not).
However, it's a huge function; I've read it all, but didn't notice any stack overflow opportunities in it. I therefore need a better estimate of where the bug is. How can I debug this further?
I think it would be easiest if I could add a debugger watchpoint on the stack smashing detection memory, so it interrupts execution at the time of smashing instead of at function return. If so, how can I know which memory this is?
For those who want to see source, I recommend looking at any of the stack smashing questions here on Stack Overflow. If you really want to see the code I'm using, get the freedink source (the offending function is updateFrame).
Update
On the gcc-patches list, this issue was discussed in 2009. It doesn't seem to have reached a conclusion though. At least I don't see any name come up when I say "info locals" in gdb (as is suggested somewhere in that thread). If someone can tell me how to find this __stack_guard__ (which isn't working, as it was sort-of rejected), that would answer my question.
Next update
Ok, after lots of searching, I found something completely unexpected. As you can see from the stack backtrace, the stack smashing is detected when exiting a libSDL function. Now normally SDL functions work fine, and freedink is full of bugs. So I didn't even think I could have hit a bug in SDL. However, it seems I did. It is trying to play a midi file. If I copy a different midi file to its place, the program works fine.
So my current problem is solved, but my question is still not answered. Although the stack backtrace does point to the function where the stack is smashed (so it is more useful than I thought), it doesn't provide an address for the guard, which may be useful as well (for setting a watchpoint).
*** stack smashing detected ***: freedink terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb754c3f0]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xea39a)[0xb754c39a]
/usr/lib/i386-linux-gnu/libSDL_mixer-1.2.so.0(+0x1c524)[0xb771f524]
/usr/lib/i386-linux-gnu/libSDL_mixer-1.2.so.0(+0x17443)[0xb771a443]
======= Memory map: ========
08048000-0808b000 r-xp 00000000 08:02 4333161 /usr/games/freedink
0808b000-0808c000 rw-p 00042000 08:02 4333161 /usr/games/freedink
0808c000-0841d000 rw-p 00000000 00:00 0
09fa9000-0b2de000 rw-p 00000000 00:00 0 [heap]
afda8000-b09e5000 rw-p 00000000 00:00 0
b0a00000-b0a21000 rw-p 00000000 00:00 0
b0a21000-b0b00000 ---p 00000000 00:00 0
b0ba7000-b0bc3000 r-xp 00000000 08:02 6422698 /lib/i386-linux-gnu/libgcc_s.so.1
b0bc3000-b0bc4000 rw-p 0001b000 08:02 6422698 /lib/i386-linux-gnu/libgcc_s.so.1
b0bea000-b0bec000 rw-p 00000000 00:00 0
b0bec000-b0bed000 r--p 00000000 08:02 4361451 /usr/share/locale/nl/LC_MESSAGES/freedink.mo
b0bed000-b0e69000 rw-p 00000000 00:00 0
b0ea2000-b127f000 rw-p 00000000 00:00 0
b12d7000-b12f0000 rw-p 00000000 00:00 0
b130e000-b1330000 r--p 00000000 08:02 4348594 /usr/share/locale/nl/LC_MESSAGES/libc.mo
b13a1000-b13dd000 rw-p 00000000 00:00 0
b13fa000-b13fb000 ---p 00000000 00:00 0
b13fb000-b1bfb000 rw-p 00000000 00:00 0
b1bfb000-b1c05000 r--p 00000000 08:02 4355730 /usr/share/locale/nl/LC_MESSAGES/pulseaudio.mo
b1c05000-b5c06000 rw-s 00000000 00:11 1297260 /run/shm/pulse-shm-3619928632
b5c06000-b5c9f000 rw-p 00000000 00:00 0
b5c9f000-b5dcb000 rw-s 00000000 00:04 1900555 /SYSV00000000 (deleted)
b5dcb000-b5e22000 rw-p 00000000 00:00 0
b5e35000-b5ecd000 rw-p 00000000 00:00 0
b5ecd000-b5ed2000 r-xp 00000000 08:02 4332397 /usr/lib/i386-linux-gnu/libXfixes.so.3.1.0
b5ed2000-b5ed3000 rw-p 00004000 08:02 4332397 /usr/lib/i386-linux-gnu/libXfixes.so.3.1.0
b5ed3000-b5edb000 r-xp 00000000 08:02 4342806 /usr/lib/i386-linux-gnu/libXrender.so.1.3.0
b5edb000-b5edc000 rw-p 00008000 08:02 4342806 /usr/lib/i386-linux-gnu/libXrender.so.1.3.0
b5edc000-b5ee5000 r-xp 00000000 08:02 4336027 /usr/lib/i386-linux-gnu/libXcursor.so.1.0.2
b5ee5000-b5ee6000 rw-p 00009000 08:02 4336027 /usr/lib/i386-linux-gnu/libXcursor.so.1.0.2
b5ee6000-b5ee7000 ---p 00000000 00:00 0
b5ee7000-b66e7000 rw-p 00000000 00:00 0
b66e7000-b685e000 r--p 00000000 08:02 4338396 /usr/lib/locale/locale-archive
b685e000-b6862000 rw-p 00000000 00:00 0
b6862000-b6872000 r-xp 00000000 08:02 6554164 /lib/i386-linux-gnu/i686/cmov/libresolv-2.13.so
b6872000-b6873000 r--p 00010000 08:02 6554164 /lib/i386-linux-gnu/i686/cmov/libresolv-2.13.so
b6873000-b6874000 rw-p 00011000 08:02 6554164 /lib/i386-linux-gnu/i686/cmov/libresolv-2.13.so
b6874000-b6876000 rw-p 00000000 00:00 0
b6876000-b69dc000 r-xp 00000000 08:02 4327161 /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
b69dc000-b69ed000 r--p 00165000 08:02 4327161 /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
b69ed000-b69ee000 rw-p 00176000 08:02 4327161 /usr/lib/i386-linux-gnu/libvorbisenc.so.2.0.8
b69ee000-b69ef000 rw-p 00000000 00:00 0
b69ef000-b6a02000 r-xp 00000000 08:02 6554172 /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b6a02000-b6a03000 r--p 00012000 08:02 6554172 /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b6a03000-b6a04000 rw-p 00013000 08:02 6554172 /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b6a04000-b6a06000 rw-p 00000000 00:00 0
b6a06000-b6a14000 r-xp 00000000 08:02 4334619 /usr/lib/i386-linux-gnu/libXi.so.6.1.0
b6a14000-b6a15000 rw-p 0000d000 08:02 4334619 /usr/lib/i386-linux-gnu/libXi.so.6.1.0
b6a15000-b6a19000 r-xp 00000000 08:02 6422575 /lib/i386-linux-gnu/libuuid.so.1.3.0
b6a19000-b6a1a000 r--p 00003000 08:02 6422575 /lib/i386-linux-gnu/libuuid.so.1.3.0
b6a1a000-b6a1b000 rw-p 00004000 08:02 6422575 /lib/i386-linux-gnu/libuuid.so.1.3.0
b6a1b000-b6a20000 r-xp 00000000 08:02 4331837 /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
b6a20000-b6a21000 rw-p 00004000 08:02 4331837 /usr/lib/i386-linux-gnu/libXdmcp.so.6.0.0
b6a21000-b6a23000 r-xp 00000000 08:02 4330387 /usr/lib/i386-linux-gnu/libXau.so.6.0.0
b6a23000-b6a24000 rw-p 00001000 08:02 4330387 /usr/lib/i386-linux-gnu/libXau.so.6.0.0
b6a24000-b6a25000 rw-p 00000000 00:00 0
b6a25000-b6a29000 r-xp 00000000 08:02 6423604 /lib/i386-linux-gnu/libattr.so.1.1.0
b6a29000-b6a2a000 r--p 00003000 08:02 6423604 /lib/i386-linux-gnu/libattr.so.1.1.0
b6a2a000-b6a2b000 rw-p 00004000 08:02 6423604 /lib/i386-linux-gnu/libattr.so.1.1.0
b6a2b000-b6a30000 r-xp 00000000 08:02 4331630 /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
b6a30000-b6a31000 rw-p 00004000 08:02 4331630 /usr/lib/i386-linux-gnu/libasyncns.so.0.3.1
b6a31000-b6a9e000 r-xp 00000000 08:02 4375323 /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
b6a9e000-b6aa0000 r--p 0006c000 08:02 4375323 /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
b6aa0000-b6aa1000 rw-p 0006e000 08:02 4375323 /usr/lib/i386-linux-gnu/libsndfile.so.1.0.25
b6aa1000-b6aa5000 rw-p 00000000 00:00 0
b6aa5000-b6aad000 r-xp 00000000 08:02 6422615 /lib/i386-linux-gnu/libwrap.so.0.7.6
b6aad000-b6aae000 r--p 00007000 08:02 6422615 /lib/i386-linux-gnu/libwrap.so.0.7.6
b6aae000-b6aaf000 rw-p 00008000 08:02 6422615 /lib/i386-linux-gnu/libwrap.so.0.7.6
b6aaf000-b6ab4000 r-xp 00000000 08:02 4331851 /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
b6ab4000-b6ab5000 rw-p 00004000 08:02 4331851 /usr/lib/i386-linux-gnu/libXtst.so.6.1.0
b6ab5000-b6ab6000 rw-p 00000000 00:00 0
b6ab6000-b6abd000 r-xp 00000000 08:02 4332239 /usr/lib/i386-linux-gnu/libSM.so.6.0.1
b6abd000-b6abe000 rw-p 00006000 08:02 4332239 /usr/lib/i386-linux-gnu/libSM.so.6.0.1
b6abe000-b6ad4000 r-xp 00000000 08:02 4332225 /usr/lib/i386-linux-gnu/libICE.so.6.3.0
b6ad4000-b6ad6000 rw-p 00015000 08:02 4332225 /usr/lib/i386-linux-gnu/libICE.so.6.3.0
b6ad6000-b6ad7000 rw-p 00000000 00:00 0
b6ad7000-b6ad8000 r-xp 00000000 08:02 4326690 /usr/lib/i386-linux-gnu/libX11-xcb.so.1.0.0
b6ad8000-b6ad9000 rw-p 00000000 08:02 4326690 /usr/lib/i386-linux-gnu/libX11-xcb.so.1.0.0
b6ad9000-b6af6000 r-xp 00000000 08:02 6423599 /lib/i386-linux-gnu/libtinfo.so.5.9
b6af6000-b6af8000 r--p 0001c000 08:02 6423599 /lib/i386-linux-gnu/libtinfo.so.5.9
b6af8000-b6af9000 rw-p 0001e000 08:02 6423599 /lib/i386-linux-gnu/libtinfo.so.5.9
b6af9000-b6b2a000 r-xp 00000000 08:02 6423581 /lib/i386-linux-gnu/libncursesw.so.5.9
b6b2a000-b6b2b000 r--p 00030000 08:02 6423581 /lib/i386-linux-gnu/libncursesw.so.5.9
b6b2b000-b6b2c000 rw-p 00031000 08:02 6423581 /lib/i386-linux-gnu/libncursesw.so.5.9
b6b2c000-b6b2d000 rw-p 00000000 00:00 0
b6b2d000-b6c15000 r-xp 00000000 08:02 6423605 /lib/i386-linux-gnu/libslang.so.2.2.4
b6c15000-b6c17000 r--p 000e8000 08:02 6423605 /lib/i386-linux-gnu/libslang.so.2.2.4
b6c17000-b6c26000 rw-p 000ea000 08:02 6423605 /lib/i386-linux-gnu/libslang.so.2.2.4
b6c26000-b6c60000 rw-p 00000000 00:00 0
b6c60000-b6c81000 r-xp 00000000 08:02 4331073 /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b6c81000-b6c82000 r--p 00020000 08:02 4331073 /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b6c82000-b6c83000 rw-p 00021000 08:02 4331073 /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b6c83000-b6ccc000 r-xp 00000000 08:02 6422562 /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b6ccc000-b6ccd000 ---p 00049000 08:02 6422562 /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b6ccd000-b6cce000 r--p 00049000 08:02 6422562 /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b6cce000-b6ccf000 rw-p 0004a000 08:02 6422562 /lib/i386-linux-gnu/libdbus-1.so.3.7.2
b6ccf000-b6cd7000 r-xp 00000000 08:02 4327592 /usr/lib/i386-linux-gnu/libjson.so.0.1.0
b6cd7000-b6cd8000 r--p 00007000 08:02 4327592 /usr/lib/i386-linux-gnu/libjson.so.0.1.0
b6cd8000-b6cd9000 rw-p 00008000 08:02 4327592 /usr/lib/i386-linux-gnu/libjson.so.0.1.0
b6cd9000-b6cdd000 r-xp 00000000 08:02 6423193 /lib/i386-linux-gnu/libcap.so.2.22
b6cdd000-b6cde000 rw-p 00003000 08:02 6423193 /lib/i386-linux-gnu/libcap.so.2.22
b6cde000-b6cdf000 rw-p 00000000 00:00 0
b6cdf000-b6d45000 r-xp 00000000 08:02 4339765 /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
b6d45000-b6d46000 r--p 00065000 08:02 4339765 /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
b6d46000-b6d47000 rw-p 00066000 08:02 4339765 /usr/lib/i386-linux-gnu/pulseaudio/libpulsecommon-2.0.so
b6d47000-b6d4e000 r-xp 00000000 08:02 6554189 /lib/i386-linux-gnu/i686/cmov/librt-2.13.so
b6d4e000-b6d4f000 r--p 00006000 08:02 6554189 /lib/i386-linux-gnu/i686/cmov/librt-2.13.so
b6d4f000-b6d50000 rw-p 00007000 08:02 6554189 /lib/i386-linux-gnu/i686/cmov/librt-2.13.so
b6d50000-b6d5b000 r-xp 00000000 08:02 4330586 /usr/lib/i386-linux-gnu/libjbig.so.0.0.0
b6d5b000-b6d5e000 rw-p 0000b000 08:02 4330586 /usr/lib/i386-linux-gnu/libjbig.so.0.0.0
b6d5e000-b6d64000 r-xp 00000000 08:02 4333085 /usr/lib/i386-linux-gnu/libogg.so.0.8.0
b6d64000-b6d65000 rw-p 00005000 08:02 4333085 /usr/lib/i386-linux-gnu/libogg.so.0.8.0
b6d65000-b6d66000 rw-p 00000000 00:00 0
b6d66000-b6d8c000 r-xp 00000000 08:02 6426268 /lib/i386-linux-gnu/libexpat.so.1.6.0
b6d8c000-b6d8d000 ---p 00026000 08:02 6426268 /lib/i386-linux-gnu/libexpat.so.1.6.0
b6d8d000-b6d8f000 r--p 00026000 08:02 6426268 /lib/i386-linux-gnu/libexpat.so.1.6.0
b6d8f000-b6d90000 rw-p 00028000 08:02 6426268 /lib/i386-linux-gnu/libexpat.so.1.6.0
b6d90000-b6da5000 r-xp 00000000 08:02 6553829 /lib/i386-linux-gnu/i686/cmov/libpthread-2.13.so
b6da5000-b6da6000 r--p 00014000 08:02 6553829 /lib/i386-linux-gnu/i686/cmov/libpthread-2.13.so
b6da6000-b6da7000 rw-p 00015000 08:02 6553829 /lib/i386-linux-gnu/i686/cmov/libpthread-2.13.so
b6da7000-b6da9000 rw-p 00000000 00:00 0
b6da9000-b6dab000 r-xp 00000000 08:02 4338554 /usr/lib/i386-linux-gnu/libts-0.0.so.0.1.1
b6dab000-b6dac000 rw-p 00001000 08:02 4338554 /usr/lib/i386-linux-gnu/libts-0.0.so.0.1.1
b6dac000-b6e73000 r-xp 00000000 08:02 4326574 /usr/lib/i386-linux-gnu/libcaca.so.0.99.18
b6e73000-b6e74000 rw-p 000c6000 08:02 4326574 /usr/lib/i386-linux-gnu/libcaca.so.0.99.18
b6e74000-b6e79000 rw-p 00000000 00:00 0
b6e79000-b6e8f000 r-xp 00000000 08:02 4353038 /usr/lib/i386-linux-gnu/libdirect-1.2.so.9.0.1
b6e8f000-b6e90000 rw-p 00016000 08:02 4353038 /usr/lib/i386-linux-gnu/libdirect-1.2.so.9.0.1
b6e90000-b6e91000 rw-p 00000000 00:00 0
b6e91000-b6e9a000 r-xp 00000000 08:02 4353034 /usr/lib/i386-linux-gnu/libfusion-1.2.so.9.0.1
b6e9a000-b6e9b000 rw-p 00008000 08:02 4353034 /usr/lib/i386-linux-gnu/libfusion-1.2.so.9.0.1
b6e9b000-b6f1e000 r-xp 00000000 08:02 4353040 /usr/lib/i386-linux-gnu/libdirectfb-1.2.so.9.0.1
b6f1e000-b6f21000 rw-p 00082000 08:02 4353040 /usr/lib/i386-linux-gnu/libdirectfb-1.2.so.9.0.1
b6f21000-b6f32000 r-xp 00000000 08:02 4325458 /usr/lib/i386-linux-gnu/libXext.so.6.4.0
b6f32000-b6f33000 rw-p 00010000 08:02 4325458 /usr/lib/i386-linux-gnu/libXext.so.6.4.0
b6f33000-b7067000 r-xp 00000000 08:02 4327567 /usr/lib/i386-linux-gnu/libX11.so.6.3.0
b7067000-b706b000 rw-p 00133000 08:02 4327567 /usr/lib/i386-linux-gnu/libX11.so.6.3.0
b706b000-b70b9000 r-xp 00000000 08:02 4339764 /usr/lib/i386-linux-gnu/libpulse.so.0.14.2
b70b9000-b70ba000 r--p 0004d000 08:02 4339764 /usr/lib/i386-linux-gnu/libpulse.so.0.14.2
b70ba000-b70bb000 rw-p 0004e000 08:02 4339764 /usr/lib/i386-linux-gnu/libpulse.so.0.14.2
b70bb000-b70bc000 rw-p 00000000 00:00 0
b70bc000-b70bf000 r-xp 00000000 08:02 4330214 /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
b70bf000-b70c0000 r--p 00002000 08:02 4330214 /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
b70c0000-b70c1000 rw-p 00003000 08:02 4330214 /usr/lib/i386-linux-gnu/libpulse-simple.so.0.0.3
b70c1000-b71b4000 r-xp 00000000 08:02 4328460 /usr/lib/i386-linux-gnu/libasound.so.2.0.0
b71b4000-b71b8000 r--p 000f2000 08:02 4328460 /usr/lib/i386-linux-gnu/libasound.so.2.0.0
b71b8000-b71b9000 rw-p 000f6000 08:02 4328460 /usr/lib/i386-linux-gnu/libasound.so.2.0.0
b71b9000-b7250000 r-xp 00000000 08:02 4330930 /usr/lib/i386-linux-gnu/libfreetype.so.6.8.1
b7250000-b7254000 r--p 00096000 08:02 4330930 /usr/lib/i386-linux-gnu/libfreetype.so.6.8.1
b7254000-b7255000 rw-p 0009a000 08:02 4330930 /usr/lib/i386-linux-gnu/libfreetype.so.6.8.1
b7255000-b7283000 r-xp 00000000 08:02 4327431 /usr/lib/i386-linux-gnu/libwebp.so.2.0.0
b7283000-b7284000 r--p 0002d000 08:02 4327431 /usr/lib/i386-linux-gnu/libwebp.so.2.0.0
b7284000-b7285000 rw-p 0002e000 08:02 4327431 /usr/lib/i386-linux-gnu/libwebp.so.2.0.0
b7285000-b7288000 rw-p 00000000 00:00 0
b7288000-b729f000 r-xp 00000000 08:02 6422674 /lib/i386-linux-gnu/libz.so.1.2.7
b729f000-b72a0000 r--p 00016000 08:02 6422674 /lib/i386-linux-gnu/libz.so.1.2.7
b72a0000-b72a1000 rw-p 00017000 08:02 6422674 /lib/i386-linux-gnu/libz.so.1.2.7
b72a1000-b72a2000 rw-p 00000000 00:00 0
b72a2000-b7304000 r-xp 00000000 08:02 4328894 /usr/lib/i386-linux-gnu/libtiff.so.4.3.6
b7304000-b7305000 ---p 00062000 08:02 4328894 /usr/lib/i386-linux-gnu/libtiff.so.4.3.6
b7305000-b7307000 r--p 00062000 08:02 4328894 /usr/lib/i386-linux-gnu/libtiff.so.4.3.6
b7307000-b7308000 rw-p 00064000 08:02 4328894 /usr/lib/i386-linux-gnu/libtiff.so.4.3.6
b7308000-b7340000 r-xp 00000000 08:02 4325500 /usr/lib/i386-linux-gnu/libjpeg.so.8.4.0
b7340000-b7341000 rw-p 00037000 08:02 4325500 /usr/lib/i386-linux-gnu/libjpeg.so.8.4.0
b7341000-b7369000 r-xp 00000000 08:02 6422719 /lib/i386-linux-gnu/libpng12.so.0.49.0
b7369000-b736a000 r--p 00027000 08:02 6422719 /lib/i386-linux-gnu/libpng12.so.0.49.0
b736a000-b736b000 rw-p 00028000 08:02 6422719 /lib/i386-linux-gnu/libpng12.so.0.49.0
b736b000-b7381000 r-xp 00000000 08:02 4334103 /usr/lib/libmad.so.0.2.1
b7381000-b7382000 rw-p 00015000 08:02 4334103 /usr/lib/libmad.so.0.2.1
b7382000-b73d0000 r-xp 00000000 08:02 4331056 /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
b73d0000-b73d1000 r--p 0004d000 08:02 4331056 /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
b73d1000-b73d2000 rw-p 0004e000 08:02 4331056 /usr/lib/i386-linux-gnu/libFLAC.so.8.2.0
b73d2000-b73d3000 rw-p 00000000 00:00 0
b73d3000-b73fd000 r-xp 00000000 08:02 4328031 /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
b73fd000-b73fe000 r--p 00029000 08:02 4328031 /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
b73fe000-b73ff000 rw-p 0002a000 08:02 4328031 /usr/lib/i386-linux-gnu/libvorbis.so.0.4.5
b73ff000-b7407000 r-xp 00000000 08:02 4328022 /usr/lib/i386-linux-gnu/libvorbisfile.so.3.3.4
You may want to try this easy step. Pad the stack at both ends with buffers and then examine the contents of the overwritten buffers. Often, examing the contents of the buffers gives a pretty good clue as to where the problem may be.
#include <stdio.h>
#include <string.h>
#define DEBUG 1
/*
* If stack is getting corrupted then this buf should change.
* Looking at the contents of the buf should give a hint at
* what is causing it.
*/
#if DEBUG
#define PAD_SIZE 1024
#define PAD_CHAR 0xE5
static void
check_buf(char *name, char *s)
{
int j, count = 0;
for (j = 0; j < PAD_SIZE; j++) {
if ((unsigned char)*s != PAD_CHAR) {
count++;
}
s++;
}
if (count != 0) {
printf("%s corrupted by %d bytes\n", name, count);
}
}
#endif
/*
* Stack smashing happens when attempting to return from foo.
*/
int
foo(/* some calling args go here */)
{
#if DEBUG
char pad_a[PAD_SIZE];
#endif
/*
* Rest of your ALL auto variables go here.
*/
#if DEBUG
char pad_b[PAD_SIZE];
memset(pad_a, PAD_CHAR, PAD_SIZE);
memset(pad_b, PAD_CHAR, PAD_SIZE);
#endif
/*
* foo does its work and somehow ends up corrupting the
* stack. We normally learn about the problem when the
* function attempts to return.
*/
#if DEBUG
check_buf("foo():pad_a", pad_a);
check_buf("foo():pad_b", pad_b);
#endif
return(1);
}
Let us know how it goes.
Have you used the exp-sgcheck tool for Valgrind or just the memcheck tool? It sounds like sgcheck may do what you want. From the Valgrind docs:
SGCheck and Memcheck are complementary: their capabilities do not overlap. Memcheck
performs bounds checks and use-after-free checks for heap arrays. It also finds uses of
uninitialised values created by heap or stack allocations. But it does not perform bounds
checking for stack or global arrays.
SGCheck, on the other hand, does do bounds checking for stack or global arrays, but it
doesn't do anything else.
There are some caveats about how exactly exp-sgcheck find potential errors (and it is considered experimental) so read the docs carefully before trying it out.
Edit:
Here's another idea to try. If you break on function entry can you determine an address that will be corrupted by the time the function exits? Perhaps by getting the address of a stack variable or something? If so you could set a gdb watch point on that address. gdb will stop the program whenever this memory location gets modified. This can be pretty annoying if it's an address that's modified often but can, in a pinch, function as a poor man's stack guard. Here's a link to the docs.
You don't have to have a special stack guard, you just need to watch something on the stack which you know will be corrupted. For example, given the following program:
void bar(int j) {
int *addr = (&j) - 20;
for(int i = 0; i <= 1000; i++) {
*(addr + i) = 0xDEADBEEF;
}
}
int main() {
bar(10);
return 0;
}
If you break on entry to bar and set watch j then continue you should get a break when i == 20 inside the loop. If j is supposed to be changed inside the function this is obviously pretty annoying. If you have just an address you can watch that by dereferencing it watch *(int*)0x40051f.
You may want to try Address Sanitizer : http://clang.llvm.org/docs/AddressSanitizer.html
It requires to be able to compile your code with clang, but ASAN is very good at finding stack smashing bugs.
I have a program that has to use mmf to map a ppm image to memory and then, each child, will have to invert row by row the mmf. It says :"the MMF version will first have to create a copy of the image (and rename it to the destiny filename) and then execute the inversion on that copy." The semaphores are in the correct order too and according to the assignment too.
From this, I've coded and it gives me the correct output but this happens :S. I don't understand why but it's clearly not right:
(...)
Inverting row...
Done ||
Inverting row...
Done ||
Cleaning up...
Closing file pointers.
*** glibc detected *** ./MMF_inverter: double free or corruption (!prev): 0x093a0170 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(+0x6b591)[0x28e591]
/lib/tls/i686/cmov/libc.so.6(+0x6cde8)[0x28fde8]
/lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0x292ecd]
/lib/tls/i686/cmov/libc.so.6(fclose+0x14a)[0x27eaaa]
./MMF_inverter[0x80497d5]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x239bd6]
./MMF_inverter[0x8048d01]
======= Memory map: ========
00110000-00125000 r-xp 00000000 08:05 1569987 /lib/tls/i686/cmov/libpthread-2.11.1.so
00125000-00126000 r--p 00014000 08:05 1569987 /lib/tls/i686/cmov/libpthread-2.11.1.so
00126000-00127000 rw-p 00015000 08:05 1569987 /lib/tls/i686/cmov/libpthread-2.11.1.so
00127000-00129000 rw-p 00000000 00:00 0
00129000-00146000 r-xp 00000000 08:05 1439060 /lib/libgcc_s.so.1
00146000-00147000 r--p 0001c000 08:05 1439060 /lib/libgcc_s.so.1
00147000-00148000 rw-p 0001d000 08:05 1439060 /lib/libgcc_s.so.1
00223000-00376000 r-xp 00000000 08:05 1569962 /lib/tls/i686/cmov/libc-2.11.1.so
00376000-00377000 ---p 00153000 08:05 1569962 /lib/tls/i686/cmov/libc-2.11.1.so
00377000-00379000 r--p 00153000 08:05 1569962 /lib/tls/i686/cmov/libc-2.11.1.so
00379000-0037a000 rw-p 00155000 08:05 1569962 /lib/tls/i686/cmov/libc-2.11.1.so
0037a000-0037d000 rw-p 00000000 00:00 0
00459000-0045a000 r-xp 00000000 00:00 0 [vdso]
00471000-0048c000 r-xp 00000000 08:05 1440096 /lib/ld-2.11.1.so
0048c000-0048d000 r--p 0001a000 08:05 1440096 /lib/ld-2.11.1.so
0048d000-0048e000 rw-p 0001b000 08:05 1440096 /lib/ld-2.11.1.so
00905000-0090c000 r-xp 00000000 08:05 1569989 /lib/tls/i686/cmov/librt-2.11.1.so
0090c000-0090d000 r--p 00006000 08:05 1569989 /lib/tls/i686/cmov/librt-2.11.1.so
0090d000-0090e000 rw-p 00007000 08:05 1569989 /lib/tls/i686/cmov/librt-2.11.1.so
08048000-0804b000 r-xp 00000000 08:05 1458241 /home/neverMind/Desktop/SO-TP2/MMF/MMF_inverter
0804b000-0804c000 r--p 00002000 08:05 1458241 /home/neverMind/Desktop/SO-TP2/MMF/MMF_inverter
0804c000-0804d000 rw-p 00003000 08:05 1458241 /home/neverMind/Desktop/SO-TP2/MMF/MMF_inverter
093a0000-093c1000 rw-p 00000000 00:00 0 [heap]
b7700000-b7721000 rw-p 00000000 00:00 0
b7721000-b7800000 ---p 00000000 00:00 0
b781c000-b7855000 rw-s 00000000 08:05 1458172 /home/neverMind/Desktop/SO-TP2/MMF/out.ppm
b7855000-b7857000 rw-p 00000000 00:00 0
b7862000-b7863000 rw-s 00000000 00:04 52069041 /SYSV00000000 (deleted)Aborted
Here is the code (run as ./invert input_filename.ppm output_filename.ppm) it has to be ppm:
main
functions c file
header file
makefile
You can test it with this for example: ppm image with p6 header
I'm only mapping the file in the master process, before spawn children and make each child invert a row on that mapped file. Is this correct?
Among other things, you are closing your file handles twice. Run your program under valgrind, as Drakosha suggested.
I am getting a stack overflow in one of the recursive functions i am running..
Here is the code..
void* buddyMalloc(int req_size)
{
// Do something here
return buddy_findout(original_index,req_size); // This is the recursive call
}
void *buddy_findout(int current_index,int req_size)
{
char *selected = NULL;
if(front!=NULL)
{
if(current_index==original_index)
{
// Do something here
return selected;
}
else
{
// Do Something here
return buddy_findout(current_index+1,req_size);
}
}
else
{
return buddy_findout(current_index-1,req_size);
}
}
Consider the initial value of index to be 4. and it first do index-1 till it reaches 0 index. and then it comes back to index 4 by incrementing..This is wht i want to implement.
But it gives a stack overflow with memory map in the command prompt :
Here is the output from my shell :
*** glibc detected *** ./473_mem: free(): invalid pointer: 0x00c274c0 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb50ff1]
/lib/tls/i686/cmov/libc.so.6[0xb526f2]
/lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0xb557cd]
./473_mem[0x8048b44]
./473_mem[0x8048b74]
./473_mem[0x8048b74]
./473_mem[0x8048944]
./473_mem[0x8048c87]
./473_mem[0x8048d31]
./473_mem[0x8048f79]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xafcb56]
./473_mem[0x8048671]
======= Memory map: ========
0017c000-00198000 r-xp 00000000 08:01 5224 /lib/libgcc_s.so.1
00198000-00199000 r--p 0001b000 08:01 5224 /lib/libgcc_s.so.1
00199000-0019a000 rw-p 0001c000 08:01 5224 /lib/libgcc_s.so.1
00260000-00284000 r-xp 00000000 08:01 1927 /lib/tls/i686/cmov/libm-2.10.1.so
00284000-00285000 r--p 00023000 08:01 1927 /lib/tls/i686/cmov/libm-2.10.1.so
00285000-00286000 rw-p 00024000 08:01 1927 /lib/tls/i686/cmov/libm-2.10.1.so
006cd000-006e8000 r-xp 00000000 08:01 6662 /lib/ld-2.10.1.so
006e8000-006e9000 r--p 0001a000 08:01 6662 /lib/ld-2.10.1.so
006e9000-006ea000 rw-p 0001b000 08:01 6662 /lib/ld-2.10.1.so
00aa9000-00aaa000 r-xp 00000000 00:00 0 [vdso]
00ae6000-00c24000 r-xp 00000000 08:01 1900 /lib/tls/i686/cmov/libc-2.10.1.so
00c24000-00c25000 ---p 0013e000 08:01 1900 /lib/tls/i686/cmov/libc-2.10.1.so
00c25000-00c27000 r--p 0013e000 08:01 1900 /lib/tls/i686/cmov/libc-2.10.1.so
00c27000-00c28000 rw-p 00140000 08:01 1900 /lib/tls/i686/cmov/libc-2.10.1.so
00c28000-00c2b000 rw-p 00000000 00:00 0
08048000-0804a000 r-xp 00000000 00:14 2176 /media/windows-share/OS/Project2/473_mem
0804a000-0804b000 r--p 00001000 00:14 2176 /media/windows-share/OS/Project2/473_mem
0804b000-0804c000 rw-p 00002000 00:14 2176 /media/windows-share/OS/Project2/473_mem
08483000-084a4000 rw-p 00000000 00:00 0 [heap]
b7600000-b7621000 rw-p 00000000 00:00 0
b7621000-b7700000 ---p 00000000 00:00 0
b7716000-b7819000 rw-p 00000000 00:00 0
b7827000-b782a000 rw-p 00000000 00:00 0
bfb96000-bfbab000 rw-p 00000000 00:00 0 [stack]
Aborted
Thanks in advance
adi
Look at your compiler docs to see if it has "tail recursion" optimization.
(Though now your stack overflow problem becomes an infinite loop problem!)
gcc -foptimize-sibling-calls ...
Where is front set?
In call:
else
{
return buddy_findout(current_index-1,req_size);
}
}
When front is NULL You just come back to same function with smaller current_index and keep looping and looping. There's no stop condition for current_index == 0
I'm tackling a trivial buffer overflow (yes, exploitation; but unrelated to the problem) I'm trying to figure out the fields in the memory map, when GCC's stack protector is enabled. As an illustration:
$ ./overflow
*** stack smashing detected ***: ./overflow terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f67da8]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7f67d60]
./overflow[0x804845c]
[0x41414141]
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:06 3704767 /home/hatred/w0rk/bugz
08049000-0804a000 r--p 00000000 08:06 3704767 /home/hatred/w0rk/bugz
0804a000-0804b000 rw-p 00001000 08:06 3704767 /home/hatred/w0rk/bugz
0804b000-0806c000 rw-p 0804b000 00:00 0 [heap]
b7e5a000-b7e67000 r-xp 00000000 08:06 368705 /lib/libgcc_s.so.1
b7e67000-b7e68000 r--p 0000c000 08:06 368705 /lib/libgcc_s.so.1
b7e68000-b7e69000 rw-p 0000d000 08:06 368705 /lib/libgcc_s.so.1
b7e69000-b7e6a000 rw-p b7e69000 00:00 0
b7e6a000-b7fc6000 r-xp 00000000 08:06 386037 /lib/tls/i686/cmov/libc-2.9.so
b7fc6000-b7fc7000 ---p 0015c000 08:06 386037 /lib/tls/i686/cmov/libc-2.9.so
b7fc7000-b7fc9000 r--p 0015c000 08:06 386037 /lib/tls/i686/cmov/libc-2.9.so
b7fc9000-b7fca000 rw-p 0015e000 08:06 386037 /lib/tls/i686/cmov/libc-2.9.so
b7fca000-b7fcd000 rw-p b7fca000 00:00 0
b7fdf000-b7fe1000 rw-p b7fdf000 00:00 0
b7fe1000-b7fe2000 r-xp b7fe1000 00:00 0 [vdso]
b7fe2000-b7ffe000 r-xp 00000000 08:06 368654 /lib/ld-2.9.so
b7ffe000-b7fff000 r--p 0001b000 08:06 368654 /lib/ld-2.9.so
b7fff000-b8000000 rw-p 0001c000 08:06 368654 /lib/ld-2.9.so
bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]
Aborted
So, as you can see; There's the backtrace, and then there's the memory map, with 5 fields, and then an optional sixth one which may include a .so.1 (shared libraries?) I'm asking about what these fields are, and what they mean, like the hex fields, and what rw-p means, etc.
I've gone on google and searched but nothing like this comes up.
Thanks.
Check out the man page for the /proc filesystem, it has all the info you need:
/proc/[number]/maps
A file containing the currently mapped memory regions and their access
permissions.
The format is:
address perms offset dev inode pathname
08048000-08056000 r-xp 00000000 03:0c 64593 /usr/sbin/gpm
08056000-08058000 rw-p 0000d000 03:0c 64593 /usr/sbin/gpm
08058000-0805b000 rwxp 00000000 00:00 0
40000000-40013000 r-xp 00000000 03:0c 4165 /lib/ld-2.2.4.so
40013000-40015000 rw-p 00012000 03:0c 4165 /lib/ld-2.2.4.so
4001f000-40135000 r-xp 00000000 03:0c 45494 /lib/libc-2.2.4.so
40135000-4013e000 rw-p 00115000 03:0c 45494 /lib/libc-2.2.4.so
4013e000-40142000 rw-p 00000000 00:00 0
bffff000-c0000000 rwxp 00000000 00:00 0
where address is the address space in the process that it occupies, perms
is a set of permissions:
r = read
w = write
x = execute
s = shared
p = private (copy on write)
offset is the offset into the file/whatever, dev is the device
(major:minor), and inode is the inode
on that device. 0 indicates that no
inode is associated with the memory
region, as the case would be with bss.