x86_64: JMP instruction after returning from a function call causes SIGSEGV


The application crashes and reports signal 11 (SIGSEGV) at the hook function call.

It is a C++ program; pseudocode is below. My C++ function calls a hook function with 5 parameters.

param5 is a local pointer, through which the hook function should return the pointer value. param1-4 are of int type.

And now it core dumps at the hook function call statement.

    struct datastruct;                       // defined elsewhere in the program
    // the hook takes four ints and hands a datastruct* back through its fifth argument
    typedef void (*hook_fn)(int, int, int, int, datastruct **);
    extern hook_fn hook;                     // function pointer, matching the `call rbx` in the disassembly

    void myfun(Io *io, uint64_t n) {         // signature as shown by GDB: myfun(Io*, uint64_t)
        datastruct *param5 = NULL;

        int param1 = xx;                     // values elided in the original
        int param2 = xx;
        int param3 = xx;
        int param4 = xx;

        hook(param1, param2, param3, param4, &param5);     // GDB reports the crash here

        if (param5 != NULL) {
            ....
        }
    }

Below is the coredump and callstack open with GDB.

0x00007f1e0efe5ee0 is the current RIP. My C++ function calls the hook function with 5 parameters at 0x00007f1e0efe5ede. Then it returned from the hook. Now it simply JMPs with "jmp 0x7f1e0efe5ee3".
But now it caused SIGSEGV. It seems the hook function call (call rbx) did not cause the problem. But when it returned into myfun(), it simply jumped to the next instruction.

    gdb-> disass

    0x00007f1e0efe5ec6 <+466>:   mov    esi,eax
    0x00007f1e0efe5ec8 <+468>:   mov    rax,QWORD PTR [rbp-0x100]
    0x00007f1e0efe5ecf <+475>:   mov    edi,eax
    0x00007f1e0efe5ed1 <+477>:   lea    rax,[rbp-0x50]
    0x00007f1e0efe5ed5 <+481>:   mov    r8,rax
    0x00007f1e0efe5ed8 <+484>:   mov    rcx,r13
    0x00007f1e0efe5edb <+487>:   mov    rdx,r12
    0x00007f1e0efe5ede <+490>:   call   rbx      // calls a hook function which has 5 parameters.
=>  0x00007f1e0efe5ee0 <+492>:   jmp    0x7f1e0efe5ee3 <myfun(Io*, uint64_t)+495>
    0x00007f1e0efe5ee2 <+494>:   nop
    0x00007f1e0efe5ee3 <+495>:   mov    rax,QWORD PTR [rbp-0x50]
    0x00007f1e0efe5ee7 <+499>:   test   rax,rax 

Below is the current registers info.

    (gdb) i registers

    rax            0x7f1e0072f220      139766833279520
    rbx            0x0                 0
    rcx            0x1000              4096
    rdx            0x203000            2109440
    rsi            0x2                 2
    rdi            0x0                 0
    rbp            0x7f1e0072f270      0x7f1e0072f270
    rsp            0x7f1e0072f170      0x7f1e0072f170
    r8             0x7f1e0072f220      139766833279520

    rip            0x7f1e0efe5ee0      0x7f1e0efe5ee0 <myfun+492>
    eflags         0x10216             [ PF AF IF RF ]

The five registers used to pass the parameters, rsi, rdi, rcx, rdx, and r8, all hold valid data.

Why did it report SIGSEGV at the JMP instruction? Does the eflags register mean anything? GDB shows that the IP register points to 0x00007f1e0efe5ee0. That should be the last instruction, the one that caused the crash, am I right?

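The program below is an added illustration, not code from the question or from the asker's application. It reproduces the shape of the call in the question (a hook taking four ints and returning a pointer through its fifth argument, called through a function pointer held in a register) and traps the SIGSEGV in a handler so the process can report where the fault really fired. The names `call_hook`, `good_hook`, `run_with_hook` and the `datastruct` layout are invented for the example; capturing RIP and the pushed return address from the signal context assumes Linux on x86_64 (elsewhere only `si_addr` is recorded). The point it demonstrates: when an indirect call goes to an invalid target, frame 0 of the crash has RIP equal to the bad target (0 for a NULL pointer) and `si_addr` equal to that same address, while the instruction after the `call`, the `jmp` in the question, is only the return address that `call` pushed, i.e. the pc GDB marks when frame 1 is selected.

```c
#define _GNU_SOURCE               /* glibc: exposes REG_RIP/REG_RSP in <sys/ucontext.h> */
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) && defined(__linux__)
#include <ucontext.h>
#ifndef REG_RIP                   /* fallback if the feature macro was not honoured */
#define REG_RIP 16
#endif
#ifndef REG_RSP
#define REG_RSP 15
#endif
#endif

/* Same shape as the hook in the question: four ints in, a datastruct* handed back via the 5th argument.
 * The struct contents are invented for this example. */
struct datastruct { int payload; };
typedef void (*hook_fn)(int, int, int, int, struct datastruct **);

static sigjmp_buf g_recover;
static volatile sig_atomic_t g_crashed;
static volatile uintptr_t g_fault_addr;   /* si_addr: the address the CPU could not access      */
static volatile uintptr_t g_fault_rip;    /* RIP when the fault fired: frame 0 of a core dump    */
static volatile uintptr_t g_return_addr;  /* pushed by CALL: frame 1's pc, the JMP in the question */

static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig;
    g_fault_addr = (uintptr_t)si->si_addr;
#if defined(__x86_64__) && defined(__linux__)
    ucontext_t *uc = (ucontext_t *)ctx;
    g_fault_rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    /* CALL pushed the return address before control reached the bad target, so it sits at [rsp] */
    g_return_addr = *(uintptr_t *)(uintptr_t)uc->uc_mcontext.gregs[REG_RSP];
#else
    (void)ctx;                        /* other platforms: only si_addr is recorded */
#endif
    g_crashed = 1;
    siglongjmp(g_recover, 1);         /* leave the handler; the mask saved by sigsetjmp is restored */
}

/* Mirrors myfun(): loads the hook pointer into a register and calls through it, like `call rbx`. */
__attribute__((noinline))
static int call_hook(hook_fn hook, int p1, int p2, int p3, int p4)
{
    struct datastruct *param5 = NULL;
    volatile hook_fn target = hook;          /* volatile keeps a genuine indirect call at any -O level */
    target(p1, p2, p3, p4, &param5);         /* with hook == NULL this is the crash from the question */
    return param5 != NULL ? param5->payload : -1;
}

/* A well-behaved hook: returns a pointer through the out-parameter. */
static void good_hook(int a, int b, int c, int d, struct datastruct **out)
{
    static struct datastruct ds;
    ds.payload = a + b + c + d;
    *out = &ds;
}

/* Runs call_hook(hook, 1, 2, 3, 4) under a SIGSEGV trap. Returns the hook result, or -2 if it faulted. */
int run_with_hook(hook_fn hook)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    g_crashed = 0;
    g_fault_addr = 0;
    g_fault_rip = 0;
    g_return_addr = 0;
    volatile int result = -2;
    if (sigsetjmp(g_recover, 1) == 0)
        result = call_hook(hook, 1, 2, 3, 4);
    sigaction(SIGSEGV, &old, NULL);
    return result;
}

/* Accessors for the recorded fault state. */
int crashed(void)            { return g_crashed; }
uintptr_t fault_addr(void)   { return g_fault_addr; }
uintptr_t fault_rip(void)    { return g_fault_rip; }
uintptr_t return_addr(void)  { return g_return_addr; }

int main(void)
{
    printf("valid hook : result %d\n", run_with_hook(good_hook));
    int r = run_with_hook(NULL);
    printf("NULL hook  : result %d, fault rip=%#lx, si_addr=%#lx, return address on stack=%#lx\n",
           r, (unsigned long)fault_rip(), (unsigned long)fault_addr(), (unsigned long)return_addr());
    return 0;
}
```

With the NULL hook the handler sees RIP 0 and si_addr 0, and the return address it reads from the stack is the instruction right after the indirect call in `call_hook`, which is the same relationship as the `jmp` at +492 to the `call rbx` at +490 in the question. The register dump in the question shows rbx = 0; since rbx is callee-saved, that is consistent with the hook pointer itself being NULL, but the example does not prove it for that particular core. The check to run on the actual dump is `bt`, then `frame 0` and `p/x $pc` to see the faulting address rather than the caller's return address, and `p $_siginfo._sifields._sigfault.si_addr` for the address the access failed on; `info frame` in each frame tells which pc is a saved return address.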