From: Aleksandar Ristovski
To: gdb-patches@sources.redhat.com
Subject: Re: [patch] nto target: fix null pointer dereference
Date: Tue, 12 Aug 2008 21:26:00 -0000
Message-ID: <48A1FFD4.1080109@qnx.com>
In-Reply-To: <200808121832.m7CIWcIw018392@d12av02.megacenter.de.ibm.com>
X-SW-Source: 2008-08/txt/msg00332.txt.bz2

Ulrich Weigand wrote:
> Aleksandar Ristovski wrote:
>
>> diff -u -p -r1.25 nto-tdep.c
>> --- gdb/nto-tdep.c 23 Jul 2008 13:36:00 -0000 1.25
>> +++ gdb/nto-tdep.c 12 Aug 2008 16:33:18 -0000
>> @@ -266,6 +266,8 @@ LM_ADDR (struct so_list *so) >> { >> struct link_map_offsets *lmo = nto_fetch_link_map_offsets (); >> >> + if (so->lm_info->lm == NULL) >> + return 0; >> return extract_typed_address (so->lm_info->lm + lmo->l_addr_offset, >> builtin_type_void_data_ptr); >> }
>
> I'm wondering how this can ever be NULL ... I understand nto
> reuses the solib-svr4.c version of current_sos, which seems
> to always initialize the lm member.
>
> Can you explain what the situation is that leads to a NULL
> pointer here?

Your question made me go through the issue again.

To create the inferior, we use spawnp. spawnp will do something like mmap the binary and that's pretty much it (DT_DEBUG in .dynamic will contain a NULL pointer). In procfs_create_inferior we call solib_create_inferior_hook, which will end up trying to determine the loader base by reading the inferior's memory at the DT_DEBUG pointer. In our case, before the executable has actually started executing, it will successfully read 0s, because the dynamic loader has not been invoked yet, and the pointer to the r_debug structure is not initialized.

Thanks,
Aleksandar
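Review bot: the new guard tests so->lm_info->lm but still dereferences so->lm_info unconditionally on the same line, so the hunk only covers the case where lm_info itself is always allocated; if that holds, say so, and otherwise the check belongs one level up. Nothing next to the added `return 0;` records why lm can be NULL here, which is exactly the question raised in this thread, so a short comment above the check (e.g. "Inferior not yet started: the loader has not filled in DT_DEBUG, so no link map exists") would make the intent reviewable. Note also that 0 is now returned both for "no link map yet" and for an object genuinely loaded at address 0, so callers of LM_ADDR cannot tell the two apart.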
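The mechanism Aleksandar describes (DT_DEBUG in .dynamic is 0 until the dynamic loader stores the address of its r_debug there, after which r_debug.r_map heads the link_map list whose l_addr a debugger reads) can be shown end to end with a small program. This is an added example, not gdb code and not part of the thread: it models the debugger's memory reads as plain pointer loads in the same process, uses the struct r_debug and struct link_map layouts from <link.h>, and constructs two snapshots of "inferior memory" inline (one before the loader has run, one after, with a library at the assumed address 0x7f000000). The helper names find_dt_debug, lm_addr, count_link_maps and nth_load_addr are this example's own; lm_addr mirrors the patched LM_ADDR() including its NULL guard.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <elf.h>
#include <link.h>

/* Offset of l_addr inside a link_map; gdb carries the same number in
   link_map_offsets.l_addr_offset. */
#define L_ADDR_OFFSET offsetof(struct link_map, l_addr)

/* Scan a .dynamic array for DT_DEBUG and return its value.  0 means either
   no DT_DEBUG entry at all or one the loader has not filled in yet. */
static ElfW(Addr) find_dt_debug(const ElfW(Dyn) *dyn)
{
    for (; dyn->d_tag != DT_NULL; dyn++)
        if (dyn->d_tag == DT_DEBUG)
            return dyn->d_un.d_ptr;
    return 0;
}

/* The patched LM_ADDR() in miniature: read l_addr out of the link_map at
   LM, with the NULL guard the patch puts in front of the extraction. */
static ElfW(Addr) lm_addr(const void *lm)
{
    ElfW(Addr) l_addr;
    if (lm == NULL)
        return 0;
    memcpy(&l_addr, (const char *)lm + L_ADDR_OFFSET, sizeof l_addr);
    return l_addr;
}

/* Follow DT_DEBUG -> r_debug -> r_map and count the link_map entries;
   0 when the loader has not set up r_debug yet. */
static size_t count_link_maps(const ElfW(Dyn) *dyn)
{
    const struct r_debug *rd = (const struct r_debug *)find_dt_debug(dyn);
    const struct link_map *lm;
    size_t n = 0;
    if (rd == NULL)
        return 0;
    for (lm = rd->r_map; lm != NULL; lm = lm->l_next)
        n++;
    return n;
}

/* Load address of the I-th object in the link map, or (ElfW(Addr))-1 when
   there is no such entry (including the not-yet-initialised case). */
static ElfW(Addr) nth_load_addr(const ElfW(Dyn) *dyn, size_t i)
{
    const struct r_debug *rd = (const struct r_debug *)find_dt_debug(dyn);
    const struct link_map *lm;
    if (rd == NULL)
        return (ElfW(Addr))-1;
    for (lm = rd->r_map; lm != NULL && i > 0; lm = lm->l_next)
        i--;
    return lm == NULL ? (ElfW(Addr))-1 : lm_addr(lm);
}

/* Constructed "inferior memory" (not captured from a real process).
   Snapshot 1: spawnp()/exec() has mapped the file but ld.so has not run,
   so DT_DEBUG is present and still 0, which is what gdb reads in the
   situation described in the thread. */
static const ElfW(Dyn) dyn_before_loader[] = {
    { DT_NEEDED, { 1 } },
    { DT_DEBUG,  { 0 } },
    { DT_NULL,   { 0 } },
};

/* Snapshot 2: the loader has run, stored the address of its r_debug in
   DT_DEBUG and linked two objects: the executable at 0 and a library at the
   assumed address 0x7f000000.  Built lazily on first use. */
static struct link_map exe_map, lib_map;
static struct r_debug rdebug;
static ElfW(Dyn) dyn_after_loader[3];

static const ElfW(Dyn) *after_loader_dyn(void)
{
    if (dyn_after_loader[1].d_tag != DT_DEBUG) {
        exe_map.l_addr = 0;          exe_map.l_next = &lib_map;
        lib_map.l_addr = 0x7f000000; lib_map.l_prev = &exe_map;
        rdebug.r_version = 1;
        rdebug.r_map = &exe_map;
        dyn_after_loader[0].d_tag = DT_NEEDED; dyn_after_loader[0].d_un.d_val = 1;
        dyn_after_loader[1].d_tag = DT_DEBUG;  dyn_after_loader[1].d_un.d_ptr = (ElfW(Addr))&rdebug;
        dyn_after_loader[2].d_tag = DT_NULL;
    }
    return dyn_after_loader;
}

/* This executable's own .dynamic section; weak so a static build still links. */
extern ElfW(Dyn) _DYNAMIC[];
#pragma weak _DYNAMIC

int main(void)
{
    printf("before loader: DT_DEBUG=%#lx, link maps=%zu\n",
           (unsigned long)find_dt_debug(dyn_before_loader),
           count_link_maps(dyn_before_loader));
    printf("after loader:  DT_DEBUG=%#lx, link maps=%zu, l_addr[1]=%#lx\n",
           (unsigned long)find_dt_debug(after_loader_dyn()),
           count_link_maps(after_loader_dyn()),
           (unsigned long)nth_load_addr(after_loader_dyn(), 1));
    /* Same walk over the running process: in a dynamically linked build
       ld.so has already run, so DT_DEBUG is non-zero and r_map is populated. */
    if (_DYNAMIC != NULL)
        printf("this process:  DT_DEBUG=%#lx, link maps=%zu\n",
               (unsigned long)find_dt_debug(_DYNAMIC), count_link_maps(_DYNAMIC));
    return 0;
}
```

Build with `cc -o dtdebug dtdebug.c` and run it: the first snapshot yields DT_DEBUG 0 and no link maps, the second yields two entries, and the live-process line shows the same lookup succeeding only because the loader has already executed. A debugger that walks r_map without first checking that DT_DEBUG is non-zero ends up following a NULL link_map pointer, which is the dereference the patch guards against.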