I have a binary that generates a "Bus error (core dumped)" message. When I run it under the debugger (gdb) it fails to access a memory location in the .bss section.
    Program received signal SIGBUS, Bus error.
    0x0000000000412275 in ?? ()
The code at this location is:
    41226f: 0f 8f 33 ff ff ff    jg     4121a8
    412275: 8b 35 51 b5 22 00    mov    0x22b551(%rip),%esi   # 63d7cc
    41227b: 85 f6                test   %esi,%esi
So it's trying to access memory at location 0x63d7cc, which is clearly within the .bss section: 0x63c4e0 - 0x63d7e0.
gdb (along with /proc/$pid/maps) shows this memory as mapped:

    (gdb) info proc mappings
    process 16533
    Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x43a000    0x3a000        0x0 /somepath/someapp
            0x639000           0x63e000     0x5000    0x39000 /somepath/someapp
            0x63e000           0x65f000    0x21000        0x0 [heap]

    (gdb) info files
    Symbols from "/somepath/someapp".
    ...
    0x0000000000639c80 - 0x000000000063c498 is .data
    0x000000000063c4e0 - 0x000000000063d7e0 is .bss
Both examination of the ELF sections:

    % readelf -S someapp
    ...
      [24] .data             PROGBITS         0000000000639c80  00039c80
           0000000000002818  0000000000000000  WA       0     0     32
      [25] .bss              NOBITS           000000000063c4e0  0003c498
           0000000000001300  0000000000000000  WA       0     0     32
      [26] .gnu_debuglink    PROGBITS         0000000000000000  0003c498
           000000000000000c  0000000000000000           0     0     1
    ...

and of the segments show this memory as mapped:

    % readelf -l someapp
    ...
      LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
                     0x000000000003976c 0x000000000003976c  R E    200000
      LOAD           0x0000000000039770 0x0000000000639770 0x0000000000639770
                     0x0000000000004070 0x0000000000004070  RW     200000
    ...
But gdb is unable to access it (and that is why the app fails). Interestingly, gdb is able to access .bss memory up until 0x63d000:

    (gdb) x 0x63d7cc
    0x63d7cc:       Cannot access memory at address 0x63d7cc
    (gdb) x 0x63cff8
    0x63cff8:       0x00000000
    (gdb) x 0x63cffc
    0x63cffc:       0x00000000
    (gdb) x 0x63cffd
    0x63cffd:       Cannot access memory at address 0x63d000
The questions are:
What could be preventing this access?
What other methods are available to examine runtime memory access permissions?
What else could modify the access rights of a running process?
The .bss is not normally executable, so likely that is why you are getting SIGBUS when trying to jump to it. Your readelf output shows RW flags (note the lack of E, the executable flag) as well.

You'll need to mprotect that section to add execute permissions first.

Note that some environments, such as SELinux, prohibit memory mappings with RWE, and that changing the mapping to RE will cause the program to not be able to write into its (normally writable) global data. This is why putting executable code into .bss is probably not among the best ideas.
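Two small demonstrations, added here as editor's example code (not from the question or the answer), of how a range can be listed in /proc/PID/maps (which is all that gdb's "info proc mappings" reads) and still fault, which is the symptom in the question, and of the answer's caveat about losing write permission. The first maps a constructed one-page temporary file over two pages: the first page reads fine, while the page past end-of-file is still reported as mapped but raises SIGBUS, the kernel's signal for a file-backed page that has no backing data. Note that the question's readelf -l output shows the RW LOAD segment with FileSiz equal to MemSiz, so the loader maps the whole range, .bss included, from the file; a file shorter than that would fault in exactly this way at the first page beyond its end. The second flips an anonymous page from rw to read-only with mprotect and shows that a write then fails with SIGSEGV; it uses PROT_READ rather than PROT_READ|PROT_EXEC because the fault comes from losing W, and execute mappings may be refused in hardened environments. The helper names probe_address and maps_perms and the /tmp path are this example's own.

```c
// Added example: why a range listed in /proc/self/maps can still fault.
#define _GNU_SOURCE
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_signal;

static void probe_handler(int sig) {
    probe_signal = sig;
    siglongjmp(probe_env, 1);     /* unwind out of the faulting access */
}

/* Touch one byte at addr (read, or write when do_write is set).
 * Returns 0 on success, else the signal (SIGBUS/SIGSEGV) that was raised. */
int probe_address(volatile char *addr, int do_write) {
    struct sigaction sa, old_bus, old_segv;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGSEGV, &sa, &old_segv);
    probe_signal = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        if (do_write) { *addr = 1; } else { char v = *addr; (void)v; }
    }
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGSEGV, &old_segv, NULL);
    return probe_signal;
}

/* Copy the permission field (e.g. "rw-p") of the /proc/self/maps line that
 * contains addr into perms (at least 5 bytes). Returns 1 if found, else 0. */
int maps_perms(const void *addr, char *perms) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int found = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3) continue;
        if ((unsigned long)addr >= lo && (unsigned long)addr < hi) {
            strcpy(perms, p);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Case 1: a file-backed mapping longer than the file. maps lists the whole
 * range as rw-p, but a page lying past end-of-file raises SIGBUS.
 * Returns the signal from the past-EOF probe (SIGBUS), or -1 on setup error. */
int demo_past_eof_sigbus(void) {
    long pg = sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/bss-demo-XXXXXX";          /* constructed temp file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (ftruncate(fd, pg) != 0) { close(fd); return -1; }   /* file = 1 page */
    char *m = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (m == MAP_FAILED) { close(fd); return -1; }
    char perms[5] = "";
    maps_perms(m + pg, perms);             /* page 1 is still listed as mapped */
    int first = probe_address(m, 0);       /* inside the file: fine */
    int sig = probe_address(m + pg, 0);    /* past EOF: SIGBUS */
    printf("page0 probe=%d  page1 perms=%s probe=%d\n", first, perms, sig);
    munmap(m, 2 * pg);
    close(fd);
    return first == 0 ? sig : -1;
}

/* Case 2: the answer's caveat. After mprotect() removes PROT_WRITE, the
 * page is listed as r--p and a write to it faults with SIGSEGV. */
int demo_readonly_write_faults(void) {
    long pg = sysconf(_SC_PAGESIZE);
    char *m = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    m[0] = 0x5a;                                    /* constructed marker byte */
    if (mprotect(m, pg, PROT_READ) != 0) { munmap(m, pg); return -1; }
    char perms[5] = "";
    maps_perms(m, perms);
    int sig = probe_address(m, 1);
    printf("after mprotect perms=%s  write probe=%d\n", perms, sig);
    munmap(m, pg);
    return sig;
}

int main(void) {
    demo_past_eof_sigbus();
    demo_readonly_write_faults();
    return 0;
}
```

The point of the first case for the question's "what other methods" is that /proc/PID/maps, pmap and gdb's mapping list all describe the virtual memory areas the kernel has registered, not whether every page in them can actually be populated; for a file-backed area, pages beyond the file's end are the standard source of SIGBUS, so comparing the mapped range with the object's size on disk is the first check to run. The second case shows the other half of the answer's warning: once a page has lost W (whether to become r-- or r-x), every write the program makes to its own global data in that page becomes a fault.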