Date:      Sat, 16 Nov 2002 17:25:41 -0800 (PST)
From:      Raja Sivaramakrishnan <raja@juniper.net>
To:        <freebsd-hackers@freebsd.org>
Subject:   help with stack corruption
Message-ID:  <20021116170104.F71003-100000@zircon.juniper.net>

Hello,
    I have seen two instances of this problem in the
last 4 months and it is not reproducible, so I was
wondering if somebody could point me to some potential
causes. The problem appears to be that there are 2 extra
stack pops while executing in the kernel in a routine.
This function looks as follows:

pushl %ebp          # save caller's frame pointer; assume ebp holds X here
movl  %esp, %ebp    # set up this function's frame
pushl %esi          # save callee-saved registers
pushl %ebx
.....
popl  %ebx          # restore callee-saved registers
popl  %esi
leave               # movl %ebp, %esp; popl %ebp
ret

Upon returning from this function, the values of ebx and
esi are not the values that were pushed on the stack
at the beginning of the function. Instead, the value of ebx
is X (the saved ebp) and the value of esi is the return
address from this function! This appears consistent with
having 2 additional stack pops that removed the callee
saved registers from the stack. This function does not do
any stack operations other than the ones mentioned above,
so perhaps there was an interrupt/exception while executing
in this routine which caused this? This function was
executing due to a call from swi_net_next(), so the kernel
was already in the middle of handling an interrupt. So, one
possibility is that there is a bug in handling nested
interrupts? Any help will be appreciated. This is from the 4.2
code base.

One other curious thing is that after returning from this
function, esi now contains a pointer into the instruction
stream. esi is actually an mbuf pointer and the kernel
dereferences this pointer and successfully writes
into the instruction stream. There was no protection fault
and the dump (kernel did take a page fault while trying to
free the mbuf after a while) confirms that the instruction
stream was modified. Isn't the code segment write-protected?

Thanks,

Raja

