Related
I'm using AFL++ 4.0c to fuzz my app. It basically wraps clang compiler too instrument my code with fuzzing shenanigans. As well I provide coverage flags:
--coverage -g -fprofile-instr-generate -fcoverage-mapping
Then I try to launch my app with fuzzer
env PARAM=paramstuff \ # setup some env
afl-fuzz -x dicts/dicts -f file.txt \ # setup afl flags
-i input -o output \ # input and output for afl
-- \
./myapp --flag --flag2 --flag3 # flags for my app
It fuzzes just fine, but coverage profile is written empty.
If some of my configuration is off and fuzzer fails to properly start the profile generated by coverage is not empty as well as .gcda output. How to allow fuzzer to trigger dump coverage as well?
if I launch my app with params profile also generated
Fuzzer works until stopped via CTRL+C. App stops the same way.
In my case AFL used fork server to fuzz parts of my app:
#ifdef __AFL_HAVE_MANUAL_CONTROL
SSH_TRACE(0, ("AFL INIT"));
__AFL_INIT();
while (__AFL_LOOP(1000)) {
#endif
/*
* regular code to fuzz goes here
*/
#ifdef __AFL_HAVE_MANUAL_CONTROL
}
#endif
So proper finalization never triggered and coverage data never dumped to profile.raw. So to force it to dump data manually I called __llvm_profile_write_file(); right after closing bracket of afl loop in the last #ifndef section. For gcc instrumentation exist similar function __gcov_flush().
Couple notes for those who fuzz things:
Don't put dump function inside fuzzing loop - it will drastically slow fuzzing performance and your profile will grow very rapidly. One such loop was able to spam about 1 GiB to profile. It probably will exhaust your disc space before you receive proper fuzzing results.
Put dump function into #ifndef guards otherwise it will mess up with regular coverage dump when you just run app. Unless you close your forked processes with __exit() and know what you are doing.
I am working on Pintos OS project. I get this message:
Page fault at 0xbfffefe0: not present error writing page in user context.
The problem with Pintos OS project is that it won't simply tell the line and method that caused the exception.
I know how to use breakpoints/watchpoints etc. but is there any way to step right to it without going through the WHOLE flow and ALL OS files line by line so that I could jump into line that caused exception and put breakpoint there? I looked at GDB commands but didn't find anything.
When I debug this project I have to step through the whole program until I find that error/exception which is very time consuming. There is probably a faster way to do this.
Thanks.
Whole trace:
nestilll#vdebian:~/Class/pintos/proj-3-bhling-nestilll-nsren/src/vm/build$ pintos -v -k -T 60 --qemu --gdb --filesys-size=2 -p tests/vm/pt-grow-pusha -a pt-grow-pusha --swap-size=4 -- -q -f run pt-grow-pusha
Use of literal control characters in variable names is deprecated at /home/nestilll/Class/pintos/src/utils/pintos line 909.
Prototype mismatch: sub main::SIGVTALRM () vs none at /home/nestilll/Class/pintos/src/utils/pintos line 933.
Constant subroutine SIGVTALRM redefined at /home/nestilll/Class/pintos/src/utils/pintos line 925.
warning: disabling timeout with --gdb
Copying tests/vm/pt-grow-pusha to scratch partition...
qemu -hda /tmp/N2JbACdqyV.dsk -m 4 -net none -nographic -s -S
PiLo hda1
Loading............
Kernel command line: -q -f extract run pt-grow-pusha
Pintos booting with 4,088 kB RAM...
382 pages available in kernel pool.
382 pages available in user pool.
Calibrating timer... 419,020,800 loops/s.
hda: 13,104 sectors (6 MB), model "QM00001", serial "QEMU HARDDISK"
hda1: 205 sectors (102 kB), Pintos OS kernel (20)
hda2: 4,096 sectors (2 MB), Pintos file system (21)
hda3: 98 sectors (49 kB), Pintos scratch (22)
hda4: 8,192 sectors (4 MB), Pintos swap (23)
filesys: using hda2
scratch: using hda3
swap: using hda4
Formatting file system...done.
Boot complete.
Extracting ustar archive from scratch device into file system...
Putting 'pt-grow-pusha' into the file system...
Erasing ustar archive...
Executing 'pt-grow-pusha':
(pt-grow-pusha) begin
Page fault at 0xbfffefe0: not present error writing page in user context.
pt-grow-pusha: dying due to interrupt 0x0e (#PF Page-Fault Exception).
Interrupt 0x0e (#PF Page-Fault Exception) at eip=0x804809c
cr2=bfffefe0 error=00000006
eax=bfffff8c ebx=00000000 ecx=0000000e edx=00000027
esi=00000000 edi=00000000 esp=bffff000 ebp=bfffffa8
cs=001b ds=0023 es=0023 ss=0023
pt-grow-pusha: exit(-1)
Execution of 'pt-grow-pusha' complete.
Timer: 71 ticks
Thread: 0 idle ticks, 63 kernel ticks, 8 user ticks
hda2 (filesys): 62 reads, 200 writes
hda3 (scratch): 97 reads, 2 writes
hda4 (swap): 0 reads, 0 writes
Console: 1359 characters output
Keyboard: 0 keys pressed
Exception: 1 page faults
Powering off...
to have the GDB debugger run and stop at the desired location:
gdb filename <--start debug session
br main <--set a breakpoint at the first line of the main() function
r <--run until that breakpoint is reached
br filename.c:linenumber <--set another breakpoint at the desired line of code
c <--continue until second breakpoint is encuntered
The debugger will stop at the desired location in the file, IF it ever actually gets there,
When I debug this project I have to step through the whole program
until I find what caused error/exception which is very time consuming.
There is probably a faster way to do this.
Normally what you would do is set a breakpoint just before the error. Then your program will run at full speed, without your intervention, until it reaches that point.
There are several wrinkles here.
First, sometimes it is difficult to know where to put the breakpoint. In this case I suppose I would look for the code that is printing the message, then work backward from there. Sometimes you have to stop at the failure point, examine the stack, set a new breakpoint further up, and re-run the program.
Then there is the mechanics of setting the breakpoint. One simple way is to break by function name, like break my_function. Another is to use the file name and line number, like break my_file.c:73.
Finally, sometimes a breakpoint can be hit many times before the failure is seen. You can use ignore counts (see help ignore) or conditional breakpoints (like break my_function if variable = 27) to limit the number of stops.
My NodeMCU program has gone in to infinite reboot loop.
My code is functionally working but any action I try to do, e.g. file.remove("init.lua") or even just =node.heap(), it panics and reboots saying: PANIC: unprotected error in call to Lua API (not enough memory).
Because of this, I'm not able to change any code or delete init.lua to stop automatic code execution.
How do I recover?
I tried re-flashing another version of NodeMCU, but it started emitting garbage in serial port.
Then, I recalled that NodeMCU had two extra files: blank.bin and esp_init_data_default.bin.
I flashed them at 0x7E000 and 0x7C000 respectively.
They are also available as INTERNAL://BLANK and INTERNAL://DEFAULT in the NodeMCU flasher.
This booted the new NodeMCU firmware, all my files were gone and I'm out of infinite reboot loop.
Flash the following files:
0x00000.bin to 0x00000
0x10000.bin to 0x10000
And, the address for esp_init_data_default.bin depends on the size of your module's flash.
0x7c000 for 512 kB, modules like ESP-01, -03, -07 etc.
0xfc000 for 1 MB, modules like ESP8285, PSF-A85
0x1fc000 for 2 MB
0x3fc000 for 4 MB, modules like ESP-12E, NodeMCU devkit 1.0, WeMos D1 mini
Then, after flashing those binaries format its file system (run "file.format()" using ESPlorer) before flashing any other binaries.
Downloads Link
I've just finished working through a similar problem. In my case it was end-user error that caused a need to forcibly wipe init.lua, but I think both problems could be solved similarly. (For completeness, my problem was putting a far-too-short dsleep() call in init.lua, leaving the board resetting itself immediately upon starting init.lua.)
I tried flashing new NodeMCU firmware, writing blank.bin and esp_init_data_default.bin to 0x7E000 and 0x7C000, and also writing 0x00000.bin to 0x00000 and 0x10000.bin to 0x10000. None of these things helped in my case.
My hardware is an Adafruit Huzzah ESP8266 breakout (ESP-12), with 4MB of flash.
What worked for me was:
Download the NONOS SDK from Espressif (I used version 1.5.2 from http://bbs.espressif.com/viewtopic.php?f=46&t=1702).
Unzip it to get at boot_v1.2.bin, user1.1024.new.2.bin, blank.bin, and esp_init_data_default.bin (under bin/ and bin/at/).
Flash the following files to the specified memory locations:
boot_v1.2.bin to 0x00000
user1.1024.new.2.bin to 0x010000
esp_init_data_default.bin to 0xfc000
blank.bin to 0x7e000
Note about flashing:
I used esptool.py 1.2.1.
Because of the nature of my problem, I was only able to write changes to the flash when in programming mode (i.e. after booting with GPIO0 held down to GND).
I found that I needed to reset the board between each step (else invocations of esptool.py after the first would fail).
Erased the flash. esptool.py --port <your/port> erase_flash
Then I was able to write a new firmware. I used a stock nodeMCU 0.9.5 just to isolate variables, but I strongly suspect any firmware would work at this point.
The only think that worked for me was python flash tool esptool in ubuntu, windows flashtool never deleted init.lua and reboot loop.
Commands (ubuntu):
git clone https://github.com/themadinventor/esptool.git
cd esptool
python esptool.py -h
ls -l /dev/tty*
nodemcu_latest.bin can be downloaded from github or anywhere.
sudo python esptool.py -p /dev/ttyUSB0 --baud 460800 write_flash --flash_size=8m 0 nodemcu_latest.bin
I'm trying to attach a program with gdb but it returns:
Attaching to process 29139
Could not attach to process. If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Operation not permitted.
gdb-debugger returns "Failed to attach to process, please check privileges and try again."
strace returns "attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted"
I changed "kernel.yama.ptrace_scope" 1 to 0 and /proc/sys/kernel/yama/ptrace_scope 1 to 0 and tried set environment LD_PRELOAD=./ptrace.so with this:
#include <stdio.h>
int ptrace(int i, int j, int k, int l) {
printf(" ptrace(%i, %i, %i, %i), returning -1\n", i, j, k, l);
return 0;
}
But it still returns the same error. How can I attach it to debuggers?
If you are using Docker, you will probably need these options:
docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined
If you are using Podman, you will probably need its --cap-add option too:
podman run --cap-add=SYS_PTRACE
This is due to kernel hardening in Linux; you can disable this behavior by echo 0 > /proc/sys/kernel/yama/ptrace_scope or by modifying it in /etc/sysctl.d/10-ptrace.conf
See also this article about it in Fedora 22 (with links to the documentation) and this comment thread about Ubuntu and .
I would like to add that I needed --security-opt apparmor=unconfined along with the options that #wisbucky mentioned. This was on Ubuntu 18.04 (both Docker client and host). Therefore, the full invocation for enabling gdb debugging within a container is:
docker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --security-opt apparmor=unconfined
Just want to emphasize a related answer. Let's say that you're root and you've done:
strace -p 700
and get:
strace: attach: ptrace(PTRACE_SEIZE, 700): Operation not permitted
Check:
grep TracerPid /proc/700/status
If you see something like TracerPid: 12, i.e. not 0, that's the PID of the program that is already using the ptrace system call. Both gdb and strace use it, and there can only be one active at a time.
Not really addressing the above use-case but I had this problem:
Problem: It happened that I started my program with sudo, so when launching gdb it was giving me ptrace: Operation not permitted.
Solution: sudo gdb ...
As most of us land here for Docker issues I'll add the Kubernetes answer as it might come in handy for someone...
You must add the SYS_PTRACE capability in your pod's security context
at spec.containers.securityContext:
securityContext:
capabilities:
add: [ "SYS_PTRACE" ]
There are 2 securityContext keys at 2 different places. If it tells you that the key is not recognized than you missplaced it. Try the other one.
You probably need to have a root user too as default. So in the other security context (spec.securityContext) add :
securityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 101
FYI : 0 is root. But the fsGroup value is unknown to me. For what I'm doing I don't care but you might.
Now you can do :
strace -s 100000 -e write=1 -e trace=write -p 16
You won't get the permission denied anymore !
BEWARE : This is the Pandora box. Having this in production it NOT recommended.
I was running my code with higher privileges to deal with Ethernet Raw Sockets by setting set capability command in Debian Distribution. I tried the above solution: echo 0 > /proc/sys/kernel/yama/ptrace_scope
or by modifying it in /etc/sysctl.d/10-ptrace.conf but that did not work for me.
Additionally, I also tried with set capabilities command for gdb in installed directory (usr/bin/gdb) and it works: /sbin/setcap CAP_SYS_PTRACE=+eip /usr/bin/gdb.
Be sure to run this command with root privileges.
Jesup's answer is correct; it is due to Linux kernel hardening. In my case, I am using Docker Community for Mac, and in order to do change the flag I must enter the LinuxKit shell using justin cormack's nsenter (ref: https://www.bretfisher.com/docker-for-mac-commands-for-getting-into-local-docker-vm/ ).
docker run -it --rm --privileged --pid=host justincormack/nsenter1
/ # cat /etc/issue
Welcome to LinuxKit
## .
## ## ## ==
## ## ## ## ## ===
/"""""""""""""""""\___/ ===
{ / ===-
\______ O __/
\ \ __/
\____\_______/
/ # cat /proc/sys/kernel/yama/ptrace_scope
1
/ # echo 0 > /proc/sys/kernel/yama/ptrace_scope
/ # exit
Maybe someone has attached this process with gdb.
ps -ef | grep gdb
can't gdb attach the same process twice.
I was going to answer this old question as it is unaccepted and any other answers are not got the point. The real answer may be already written in /etc/sysctl.d/10-ptrace.conf as it is my case under Ubuntu. This file says:
For applications launching crash handlers that need PTRACE, exceptions can
be registered by the debugee by declaring in the segfault handler
specifically which process will be using PTRACE on the debugee:
prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
So just do the same thing as above: keep /proc/sys/kernel/yama/ptrace_scope as 1 and add prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0); in the debugee. Then the debugee will allow debugger to debug it. This works without sudo and without reboot.
Usually, debugee also need to call waitpid to avoid exit after crash so debugger can find the pid of debugee.
If permissions are a problem, you probably will want to use gdbserver. (I almost always use gdbserver when I gdb, docker or no, for numerous reasons.) You will need gdbserver (Deb) or gdb-gdbserver (RH) installed in the docker image. Run the program in docker with
$ sudo gdbserver :34567 myprogram arguments
(pick a port number, 1025-65535). Then, in gdb on the host, say
(gdb) target remote 172.17.0.4:34567
where 172.17.0.4 is the IP address of the docker image as reported by /sbin/ip addr list run in the docker image. This will attach at a point before main runs. You can tb main and c to stop at main, or wherever you like. Run gdb under cgdb, emacs, vim, or even in some IDE, or plain. You can run gdb in your source or build tree, so it knows where everything is. (If it can't find your sources, use the dir command.) This is usually much better than running it in the docker image.
gdbserver relies on ptrace, so you will also need to do the other things suggested above. --privileged --pid=host sufficed for me.
If you deploy to other OSes or embedded targets, you can run gdbserver or a gdb stub there, and run gdb the same way, connecting across a real network or even via a serial port (/dev/ttyS0).
I don't know what you are doing with LD_PRELOAD or your ptrace function.
Why don't you try attaching gdb to a very simple program? Make a program that simply repeatedly prints Hello or something and use gdb --pid [hello program PID] to attach to it.
If that does not work then you really do have a problem.
Another issue is the user ID. Is the program that you are tracing setting itself to another UID? If it is then you cannot ptrace it unless you are using the same user ID or are root.
I have faced the same problem and try a lot of solution but finally, I have found the solution, but really I don't know what the problem was. First I modified the ptrace_conf value and login into Ubuntu as a root but the problem still appears. But the most strange thing that happened is the gdb showed me a message that says:
Could not attach to process. If your uid matches the uid of the target process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try again as the root user.
For more details, see /etc/sysctl.d/10-ptrace.conf
warning: process 3767 is already traced by process 3755 ptrace: Operation not permitted.
With ps command terminal, the process 3755 was not listed.
I found the process 3755 in /proc/$pid but I don't understand what was it!!
Finally, I deleted the target file (foo.c) that I try to attach it vid gdb and tracer c program using PTRACE_ATTACH syscall, and in the other folder, I created another c program and compiled it.
the problem is solved and I was enabled to attach to another process either by gdb or ptrace_attach syscall.
(gdb) attach 4416
Attaching to process 4416
and I send a lot of signals to process 4416. I tested it with both gdb and ptrace, both of them run correctly.
really I don't know the problem what was, but I think it is not a bug in Ubuntu as a lot of sites have referred to it, such https://askubuntu.com/questions/143561/why-wont-strace-gdb-attach-to-a-process-even-though-im-root
Extra information
If you wanna make changes in the interfaces such as add the ovs bridge, you must use --privileged instead of --cap-add NET_ADMIN.
sudo docker run -itd --name=testliz --privileged --cap-add=SYS_PTRACE --security-opt seccomp=unconfined ubuntu
If you are using FreeBSD, edit /etc/sysctl.conf, change the line
security.bsd.unprivileged_proc_debug=0
to
security.bsd.unprivileged_proc_debug=1
Then reboot.
Hope it's OK to jot this down, even if I cannot accept answer immediately (and hope it's OK for SO - as there is a C patch below):
It seems I screwed up the hard disk on my desktop PC ({DRDY err}). So I wanted to run a bootable media to run fsck, but the CD on this desktop is broken, so I can only use USB flash. I have a couple of USB thumbdrives with Ubuntu and Suse - these start booting on the desktop; but during boot, udev tries to detect hard drives, and since the hard disk is screwed, it just loops there, and the respective OS never finishes booting.
So I tried to download SystemRescueCd; I have this USB thumbdrive, on which I tried to install SystemRescueCD:
# lsusb with sudo, to retrieve all info
$ sudo lsusb -v -d 058f:6387 | grep -i 'id\|iManufacturer\|iProduct\|iSerial\|bInterface'
Bus 001 Device 043: ID 058f:6387 Alcor Micro Corp. Transcend JetFlash Flash Drive
idVendor 0x058f Alcor Micro Corp.
idProduct 0x6387 Transcend JetFlash Flash Drive
iManufacturer 1 takeMS
iProduct 2 Mem-drive Mini
iSerial 3 C5E7F0CC
bInterfaceNumber 0
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 80 Bulk (Zip)
# search by serial:
$ find /dev/disk/by-id/ -name '*C5E7F0CC*'
/dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0:0-part1
/dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0:0
# list and get device node
$ ls -la /dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0:0
lrwxrwxrwx 1 root root 9 2013-03-25 20:37 /dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0:0 -> ../../sdc
$ ls -la /dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0\:0-part1
lrwxrwxrwx 1 root root 10 2013-03-25 20:37 /dev/disk/by-id/usb-takeMS_Mem-drive_Mini_C5E7F0CC-0:0-part1 -> ../../sdc1
# it is /dev/sdc - list disk info
$ sudo fdisk -l /dev/sdc
Disk /dev/sdc: 2108 MB, 2108686336 bytes
94 heads, 29 sectors/track, 1510 cylinders
Units = cylinders of 2726 * 512 = 1395712 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0003e405
Device Boot Start End Blocks Id System
/dev/sdc1 * 1 1511 2059263+ c W95 FAT32 (LBA)
I tried to use my Ubuntu 11.04 Natty netbook to image the thumbdrive - and I used both
the recommended usb_inst.sh installer; and
I tried to use unetbootin (via sudo apt-get install unetbootin);
in both of these cases, when I try to boot the USB thumbdrive on the desktop, the boot procedure fails with:
SYSLINUX 4.02 debian-20101016 CHS Copyright (C) 1993-2010 H. Peter Anvin et al
ERROR: No configuration file found
No DEFAULT or UI configuration directive found!
boot:
.... with prompt at boot. (In fact, unetbootin fails at "Verifying DMI Pool Data", before entering syslinux - probably because it is much older than the .iso I'm trying to image).
First I checked the md5 as mentioned in No Default or UI Configuration Found!
$ md5sum ./systemrescuecd-x86-3.5.0.iso
48552b9e905872bd5061eb112b73ea20 ./systemrescuecd-x86-3.5.0.iso
... but it seems OK, as per Sysresccd-versions.
Then I tried to reformat the drive to FAT16 (via sudo gparted /dev/sdc); and repeated both usb_inst.sh and unetbootin methods - again no dice. Funny enough, in all of these cases, if I try to run the flash USB thumbdrive in the QEMU emulator:
# sudo apt-get install qemu
sudo qemu -hda /dev/sdc
... it boots fine - showing the syslinux menu and so on; however, boot always fails on the desktop.
Here I should mention, that I could write down the following from the boot screen of the problematic desktop PC:
Award Modular BIOS v6.00PG
AMDRS740 BIOS
It has a boot menu accessed via F12, and in the boot menu, among other options, these are for USB:
...
USB-FDD
USB-ZIP
USB-CDROM
USB-HDD
...
Typically, I choose USB-HDD - but I've tried the others; either the procedure freezes before even entering syslinux - or the boot fails as described above.
There is advice to rename directories/files manually from isolinux to syslinux (Trying to boot from usb - Ask Ubuntu) - when I used usb_inst.sh, only syslinux/isolinux.bin would have to be renamed. There is also advice to copy syslinux.cfg to the root of the USB flash thumbdrive (Cannot boot Live USB, Linux - Super User). But still no improvements - syslinux is still complaining that it is missing the configuration file - which apparently is the syslinux.cfg.
Then I tried to look if it is possible to somehow "debug" syslinux; found log tracing/debugging/trouble shooting in syslinux - The Syslinux Project - reboot.pro:
> Do we have specific commands to trace or log syslinux?
Being open source, one is able to compile Syslinux and enable extra debugging output.
also [SOLVED] Stuck on boot: Syslinux Problem [Archive] - Ubuntu Forums: "_
Debugging syslinux is described at http://www.syslinux.org/wiki/index.php/Development/Debugging , but effective debugging (if I recall correctly) requires recompiling it to add the debug hooks._". However, Development/Debugging - Syslinux Wiki talks about something called bochs; and I suspect that is to debug syslinux itself - not necessarily to "debug" (or query) the environment it is in.
Anyways, at last, I could see no way out but to get syslinux from source; basically, this was needed so it builds:
sudo apt-get install nasm
sudo apt-get install uuid-dev
git clone git://git.kernel.org/pub/scm/boot/syslinux/syslinux.git syslinux-git
cd syslinux-git/
make OPTFLAGS+=-DDEBUG=1
Turns out, it isn't really clear how to enable such debugging, that will show what syslinux "sees" when plugged in a given computer; given that I do load into syslinux at boot, the problem is what does it see as a filesystem. I tried to enable the DEBUG environment variable as shown above (after adding override OPTFLAGS := to the Makefile) - but that, in itself, generated no new messages during boot failure. I have used the following command to "burn" the USB thumbdrive (after unmounting it from the Gnome applet):
sudo ./linux/syslinux --stupid --directory /syslinux --install /dev/sdc1
... and I've tried both with stupid and without (and both for the source-built version, and the one from the Ubuntu package repositories for Natty).
Grepping through the source, I realized there is something called rosh (Read-Only SHell) - however, that compiles as a rosh.c32 - and one is supposed to have it as a boot kernel option in syslinux.cfg - which, as noted, I cannot load. So rosh.c32 is unfortunately not much help for my problem.
However, given that rosh implements the ls command, I tried to copy relevant portions into the code of syslinux - and trigger a ls / listing of the root when syslinux scans for the configuration file. With those changes, recorded in syslinux-e40ba60-rosh-ls.patch; now I get the following when I boot:
SYSLINUX 4.06 CHS 5-ge40ba60* Copyright (C) 1993-2010 H. Peter Anvin et al
Listing: "/"
rosh_ls_arg_dir 0 files found
Listing: "/syslinux"
Listing: ""
CurrentDirName: "/syslinux/"
confignamebuf: /syslinux/extlinux.conf; realpath -1
confignamebuf: /syslinux/syslinux.cfg; realpath -1
confignamebuf: /boot/syslinux/extlinux.conf; realpath -1
confignamebuf: /boot/syslinux/syslinux.cfg; realpath -1
confignamebuf: /syslinux/extlinux.conf; realpath -1
confignamebuf: /syslinux/syslinux.cfg; realpath -1
confignamebuf: /extlinux.conf; realpath -1
confignamebuf: /syslinux.cfg; realpath -1
ERROR: No configuration file found
No DEFAULT or UI configuration directive found!
Interestingly; for the root /, the _ls function at least returns "0 files"; the others ("/syslinux", and the empty string "") already fail at the opendir call - and so the _ls function doesn't even get called!
I would have thought that my slapstick copying of the ls function would not work as intended; but running the thumbdrive in qemu on netbook, does in fact provide a full listing of files - and given that at least for /, the function gets called and returns on the desktop - I'd suspect that it does indeed work.
However, that still doesn't solve my problem - why does syslinux, after boot, see 0 files under the root /? What else could I do to debug this problem? I wouldn't mind patching some C code into syslinux - but I just don't know what I should be looking for, that would point me to correct preparation of the USB thumbdrive for booting on the desktop machine...
OK, I got it to boot...
First, I noted there are alternative mbr's in the built git source as per Mbr - Syslinux Wiki and HowTos - Syslinux Wiki, so I tried both mbr.bin and altmbr.bin - altmbr.bin like this:
$ printf '\1' | cat mbr/altmbr.bin - | sudo dd bs=440 count=1 conv=notrunc iflag=fullblock of=/dev/sdc
... but that didn't help much.
Finally, I noted that lsusb says "bInterfaceProtocol 80 Bulk (Zip)"; and I remembered reading something about ZIP drives somewhere, so tried to look it up - and finally found this:
syslinux/doc/usbkey.txt
The proper mode to boot a USB key drive in is "USB-HDD". That is the
ONLY mode in which the C/H/S geometry encoded on the disk itself
doesn't have to match what the BIOS thinks it is. Since geometry on
USB drives is completely arbitrary, and can vary from BIOS to BIOS,
this is the only mode which will work in general.
Some BIOSes have been reported (in particular, certain versions of the
Award BIOS) that cannot boot USB keys in "USB-HDD" mode. This is a
very serious BIOS bug, but it is unfortunately rather typical of the
kind of quality we're seeing out of major BIOS vendors these days. On
these BIOSes, you're generally stuck booting them in USB-ZIP mode.
THIS MEANS THE FILESYSTEM IMAGE ON THE DISK HAS TO HAVE A CORRECT
ZIPDRIVE-COMPATIBLE GEOMETRY.
....
The script "mkdiskimage" which is supplied with the syslinux
distribution can be used to initialize USB keys in a Zip-like fashion.
To do that, calculate the correct number of cylinders (31 in the
example above), and, if your USB key is /dev/sda (CHECK THE KERNEL
MESSAGES CAREFULLY - IF YOU ENTER THE WRONG DISK DRIVE IT CANNOT BE
RECOVERED), run:
mkdiskimage -4 /dev/sda 0 64 32
(The 0 means automatically determine the size of the device, and -4
means mimic a zipdisk by using partition 4.)
So, as recommended there, first I find the number of cylinders for my thumbdrive:
$ grep 512-byte /var/log/syslog | tail -n 1
Mar 25 22:33:34 mypc kernel: [50884.608687] sd 45:0:0:0: [sdc] 4118528 512-byte logical blocks: (2.10 GB/1.96 GiB)
# get number of cylinders:
$ wcalc '4118528/(64*32)'
= 2011
... then I continue with mkdiskimage. After that was done, I tried usb_inst.sh again - and realized that it will overwrite the partition 4 that mkdiskimage made, and make a partition 1 for itself instead. That means, one should copy those files fron usb_inst.sh in a backup elsewhere, then run mkdiskimage - then finally copy the backed up files back to thumbdrive again; here is a command line log:
# mkdiskimage is present in syslinux-git:
$ ./utils/mkdiskimage
Usage: ./utils/mkdiskimage [-doFMz4][-i id] file c h s (max: 1024 256 63)
....
# ... but also in Debian/Ubuntu packaging of syslinux
$ mkdiskimage -4 /dev/sdc 0 64 32
/usr/bin/mkdiskimage: /dev/sdc: don't know how to determine the size of this device
# use sudo - note this command takes a while to complete:
$ sudo mkdiskimage -4 /dev/sdc 0 64 32
Warning: more than 1024 cylinders (2011).
Not all BIOSes will be able to boot this device.
$ ls /dev/sdc*
/dev/sdc /dev/sdc4
$ sudo fdisk -l /dev/sdc
Disk /dev/sdc: 2108 MB, 2108686336 bytes
64 heads, 32 sectors/track, 2011 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x866262cc
Device Boot Start End Blocks Id System
/dev/sdc4 * 1 2011 2059248 e W95 FAT16 (LBA)
# (make sure umounted / ejected)
# cd to usb_inst.sh directory; and
# run usb_inst.sh for /dev/sdc; note it will:
# write MBR and "Creating filesystem on /dev/sdc1..."
# and "installing boot loader on /dev/sdc1";
# regardless of the previous setup on partition 4:
sudo bash ./usb_inst.sh
# now no more partition 4:
$ ls /dev/sdc*
/dev/sdc /dev/sdc1
# ( mount /dev/sdc1 via disk applet )
$ rsync -a /media/SYSRESC /media/backup/
# ... duhh... - again now
# ( umount/eject via disk applet )
$ sudo mkdiskimage -4 /dev/sdc 0 64 32
Warning: more than 1024 cylinders (2011).
Not all BIOSes will be able to boot this device.
$ sudo ./linux/syslinux --install /dev/sdc4
# ( mount via disk applet )
$ rsync -a /media/backup/SYSRESC/ /media/31A8-40E9/
$ sudo qemu -hda /dev/sdc # works
# ( umount/eject via disk applet )
# boot on desktop - works! loads rescue64 and initram.igz...
The interesting thing is - even if there is the warning "Not all BIOSes will be able to boot this device."; somehow this problematic BIOS loads this thumbdrive without a problem (and the _ls function above lists fine). Also interesting - here I choose the USB-HDD boot option (not the USB-ZIP) and it still works ?!
So, as a partial answer - I guess the way to debug this, would be for syslinux to somehow write on the thumbdrive the CHS geometry it sees during the syslinux installation; and on boot, to query the BIOS (I guess) about which CHS geometry the BIOS sees - and then dump these two geometries to screen; if there is a mismatch, then it is likely one should run mkdiskimage (unfortunately, I wouldn't know how to code that into syslinux)
Going back to my original HDD problem - turns out also SystemRescueCD uses udev to probe for devices - and again the boot process cannot complete (even if I choose the boot option "all files to memory (docache)")... So I get messages like:
udevadm settle - timeout of 180 seconds reached, the event queue contains:
Activating dmraid (fake hardware raid) ...
Starting mdadm (linux software raid) ....
udevd[88] worker [91] unexpectedly returned with status 0x0100 ...
udevd[88] worker [91] failed while handling '/devices/pci0000:00/.../sdb/sdb1'
So, I either find a Live USB distro which does not probe for disks using udev - or I better take this HDD out, toss it into a HDD USB enclosure, and try fsck it on another computer (hopefully I'll be able to blacklist this drive from udev on a running system)
Edit Aug 24 2013: Back to this problem, I thought I'd jot down few extra notes:
Since I cannot yet afford the time to fix this PC and its faulty drive, I've used this USB thumbdrive to boot multiple operating systems: PartedMagic and SliTaz did also encounter errors on the hard disk - but apparently use different drivers to access it (so the DRDY ERR loop didn't start), and they could finish booting relatively fast. Then I tried building a custom Ubuntu 12.04 image (using ubuntu-builder) - and this one ended up in a DRDY ERR loop, which may take more than 5 minutes to complete, before the OS finishes booting. I have posted more about this in Bug #1216397 “
It should be possible to ignore (skip probing) a known bad disk partition at boot” : Bugs : “linux” package : Ubuntu.
There are a few interesting things in respect to syslinux, now that this USB thumbdrive is used to boot multiple operating systems. First of all, the thumbdrive is, still, first made bootable with syslinux --install while empty (which places a file ldlinux.sys in the partition's root) - which corresponds to the mkdiskimage step above; and only afterwards are files (like kernel images, and including /boot/syslinux/syslinux.cfg) copied to it.
Now, I'd first build the CD image ISO in ubuntu-builder, and test it using VirtualBox (as qemu on my machine is way too slow for that). Once the ISO image was shown to work as expected, then only the files under its casper directory are relevant for the USB thumbdrive thus prepared; and they can be referenced through a boot menu entry in syslinux.cfg. So, I'd edit the syslinux.cfg on the thumbdrive, and copy the casper image files (e.g. filesystem.squashfs) to the thumbdrive - and test it with qemu as above. Once this qemu step passed, I'd move the USB thumbdrive on the target PC with the broken drive - and interestingly, here I might get syslinux boot failures of multiple sorts (during different boot stages):
"No DEFAULT or UI configuration directive found!" (or sometimes a "Bad <something> ..." message), before the syslinux boot menu is shown - even if the debug, as above, would show that syslinux reads the filesystem on the thumbdrive correctly, and finds the /boot/syslinux/syslinux.cfg (which does have proper directives)!
"Invalid or corrupt kernel image", once the syslinux menu is shown, and the new kernel image (Ubuntu) chosen - even if the other images (found previously on the thumb) boot fine on the broken drive PC; and the new image boots fine from thumb in qemu on a different machine!
"/init: line 7: can't open /dev/sr0: no medium found", once the new (Ubuntu) image is chosen from syslinux menu, and it starts booting; this seems an Ubuntu specific message, appearing a few seconds after it starts booting. I still encounter it even if booting completes succesfully - when it's a problem, this message just loops repeatedly, not allowing the rest of the boot process to complete
It turns out, any of these can appear whenever I try to change and save the syslinux.cfg file on the thumbdrive; or when I make changes in the casper image files, and I rsync or copy them to the thumbdrive. Maybe the copying process (since it may change the sectors where the files are located on the thumb), "confuses" parts of the boot process - although, this shouldn't happen, since also the working procedure above starts from a blanked, syslinux'd thumbdrive, to which files are copied after; so I think this may point to failing sectors on the thumbdrive.
However, even in this state, the working procedure above seemed to be useful - because using it, I could recover the thumb back to a working state! In more detail, it goes like this:
Keep a copy of the thumbdrive files somewhere on a different disk (e.g. ~/thumbcopy) - but without the ldlinux.sys file.
Whenever you want to make a change (to syslinux.cfg or to bootable image files) - make sure this change is saved in ~/thumbcopy first
Now, say I've changed some files on the bootable thumbdrive directly, and I encounter one of the errors above. Then:
First, delete all files but the ldlinux.sys on the thumbdrive, e.g.: rm -rf $(ls -I"ldlinux.sys" /media/31A8-40E9/)
Then, rsync or copy (cp -arv ...) the files in ~/thumbcopy to the thumbdrive, e.g.: rsync -aP ~/thumbcopy/ /media/31A8-40E9/
Now, try boot the thumbdrive in the PC again - it usually boots fine!
I've encountered all three types of errors, because I'd often try to change/copy individual files directly in the thumbdrive: sometimes the change doesn't introduce a problem, so booting is fine - however, in many cases, it does introduce a problem. For some reason, using the above procedure I managed to recover the thumbdrive from either type of abovementioned problems - maybe it has to do with USB Flash delayed writes, maybe with USB Flash failing sectors, I cannot really tell... But in any case: deleting all files, and re-copying them in one go, does seem to be a worthwhile procedure to try in case of errors like that.
It's an ancient post, but in case others stumble upon this, I'll add an answer anyway.
If you're struggling to get syslinux to boot, ROSH (Read-only Shell) can be useful, as you mentioned. To start ROSH, you can simply type rosh at the boot: prompt (if you do have a working graphical menu, press escape to drop back to the boot: prompt.
Inside the shell, you have some basic commands to look around in your environment. For more documentation, see https://wiki.syslinux.org/wiki/index.php?title=Read-Only_SHell(rosh.c32)