I discovered that using mangle.c to corrupt an ELF executable
can crash the NetBSD 5.0 kernel.
I recompiled a
kernel with full debug and tried to debug the crashdump.
Gdb was unable to get a backtrace of the corrupted ELF
process -- I got a bad address error instead.
Next, I tried to debug the kernel using GDB over a serial port. Setting this
up took longer than I had originally planned:
- Read the HOWTO.
- Run pkg_add gdb to get gdb6 on my remote system.
- Review the Debugging Kernel Problems paper. I actually took this
tutorial.
- Step through the exec() code while having gdb lose its connection.
This bug appears to be already fixed in kern/subr_kobj.c. I think that
bug would have taken me a long time to solve.
Here is the script I used to fuzz the ELF executable:
#!/bin/sh
#
# Create a small ELF executable as a base.
#
rm -f true.c a.out
printf "int main() { return 0; }\n" > true.c
cc -o a.out true.c
#
# Loop forever.
# Create a corrupted ELF executable.
# Run this executable.
#
acount=0
while true
do
    #
    # setup working directory
    #
    acount=$((acount + 1))
    DIRNAME="f${acount}s$(date +'%s')"
    echo "$DIRNAME"
    mkdir "$DIRNAME"
    cd "$DIRNAME" || exit 1
    #
    # setup this ELF image
    #
    cp -f ../a.out ./curr.img
    mangle curr.img "$(wc -c < ./curr.img)"
    md5 curr.img > curr.img.md5
    sync ; sync ; sync
    #
    # Run corrupted executable in a sub-shell.
    # Prevent the generation of core files.
    # Limit run time, in case executable has endless loop.
    #
    (
        ulimit -c 0
        ulimit -t 1
        exec ./curr.img
    ) > /dev/null 2> /dev/null < /dev/null
    cd ..
    #
    # kernel did not crash, try again
    #
    rm -rf "$DIRNAME"
done
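The script above feeds the kernel's ELF loader headers whose fields no longer agree with the file. As an added example (not code from the original post or from NetBSD), the following C shows the kind of consistency checks a loader must make on the ELF32 header before it trusts e_phoff and e_phnum; the header layout follows the ELF specification, the sample bytes are constructed, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ELF32 file header as in the ELF spec (52 bytes, naturally aligned, so the
 * struct matches the on-disk layout on a little-endian host). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf32_ehdr;
#define PHENTSIZE 32u               /* sizeof(Elf32_Phdr) */
#define SAMPLE_LEN (52u + PHENTSIZE)

/* Check a little-endian ELF32 header against the real file size before any
 * program header is read. Returns 0 when consistent, else a code for the
 * first failed check. 64-bit math keeps phoff + phnum*phentsize from wrapping. */
int elf32_header_check(const unsigned char *buf, size_t len) {
    elf32_ehdr h;
    if (len < sizeof h) return 1;                          /* truncated header */
    memcpy(&h, buf, sizeof h);
    if (memcmp(h.e_ident, "\177ELF", 4) != 0) return 2;    /* bad magic */
    if (h.e_ident[4] != 1 || h.e_ident[5] != 1) return 3;  /* not ELFCLASS32/LE */
    if (h.e_ehsize != sizeof h || h.e_phentsize != PHENTSIZE) return 4;
    if (h.e_phnum == 0) return 5;                          /* nothing to load */
    uint64_t end = (uint64_t)h.e_phoff + (uint64_t)h.e_phnum * h.e_phentsize;
    if (h.e_phoff < sizeof h || end > len) return 6;       /* phdr table outside file */
    return 0;
}

/* Constructed sample (not a real program): a header and one zeroed program
 * header, with e_phoff and e_phnum chosen by the caller. Returns its size. */
size_t make_sample(unsigned char *out, uint32_t phoff, uint16_t phnum) {
    elf32_ehdr h; memset(&h, 0, sizeof h);
    memcpy(h.e_ident, "\177ELF\1\1\1", 7);   /* magic, ELFCLASS32, LE, version 1 */
    h.e_type = 2; h.e_machine = 3; h.e_version = 1; h.e_entry = 0x8048000;
    h.e_phoff = phoff; h.e_ehsize = sizeof h;
    h.e_phentsize = PHENTSIZE; h.e_phnum = phnum;
    memcpy(out, &h, sizeof h);
    memset(out + sizeof h, 0, PHENTSIZE);
    return SAMPLE_LEN;
}

/* Build a sample and check it as a file of file_len bytes (0 = its real size). */
int check_sample(uint32_t phoff, uint16_t phnum, size_t file_len) {
    unsigned char buf[SAMPLE_LEN];
    size_t n = make_sample(buf, phoff, phnum);
    return elf32_header_check(buf, file_len ? file_len : n);
}
```

An intact sample passes, while a program header offset past end of file, an oversized e_phnum, or a truncated file is rejected before any program header is dereferenced.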