Linux反汇编根据程序崩溃堆栈信息定位问题2

进程崩溃打印

ifotond: unhandled page fault (11) at 0x00000000, code 0x017
pgd = c5770000
[00000000] *pgd=85cd8835, *pte=00000000, *ppte=00000000
CPU: 0 PID: 14275 Comm: ifotond Not tainted 4.9.11 #1
Hardware name: Freescale i.MX6 UltraLite (Device Tree)
task: c447aec0 task.stack: c5730000
PC is at 0xb6c46cf8
LR is at 0x63f28
pc : [<b6c46cf8>]    lr : [<00063f28>]    psr: a0000030
sp : bee21b68  ip : 000781ec  fp : bee21c5c
r10: 00077528  r9 : 01d7ec99  r8 : 00000fa8
r7 : 00000000  r6 : 00000001  r5 : 00000001  r4 : 0007ab3c
r3 : 00000000  r2 : b6fad000  r1 : 00000000  r0 : 00000000
Flags: NzCv  IRQs on  FIQs on  Mode USER_32  ISA Thumb  Segment user
Control: 10c53c7d  Table: 85770059  DAC: 00000055
CPU: 0 PID: 14275 Comm: ifotond Not tainted 4.9.11 #1
Hardware name: Freescale i.MX6 UltraLite (Device Tree)
[<c010e540>] (unwind_backtrace) from [<c010b61c>] (show_stack+0x18/0x1c)
[<c010b61c>] (show_stack) from [<c0113300>] (__do_user_fault+0x84/0xcc)
[<c0113300>] (__do_user_fault) from [<c01135b8>] (do_page_fault+0x270/0x314)
[<c01135b8>] (do_page_fault) from [<c0101324>] (do_DataAbort+0x3c/0xbc)
[<c0101324>] (do_DataAbort) from [<c010c41c>] (__dabt_usr+0x3c/0x40)
Exception stack(0xc5731fb0 to 0xc5731ff8)
1fa0:                                     00000000 00000000 b6fad000 00000000
1fc0: 0007ab3c 00000001 00000001 00000000 00000fa8 01d7ec99 00077528 bee21c5c
1fe0: 000781ec bee21b68 00063f28 b6c46cf8 a0000030 ffffffff

PC 值 0xb6c46cf8 并不是"被修改"了:它很可能落在进程映射的共享库(libc)区域——寄存器现场也标明 ISA 为 Thumb,而应用自身的代码是 32 位 ARM 编码——应用程序的反汇编里没有这段代码,所以查不到符号。崩溃发生在被调用的库函数内部,而 LR = 0x63f28 是返回地址,说明出问题的调用就是 0x63f28 前一条 bl 指令(0x63f24)。同时注意现场 r0 = 0x00000000,缺页地址也是 0x00000000,可以推断传给这个库函数的第一个参数是空指针。

@ objdump listing of remote_upgrade_app from the ifotond ELF (32-bit ARM encodings; addresses
@ match the crash dump directly, i.e. a non-PIE binary).
@ Crash context: the dump's LR = 0x63f28 is the return address of the `bl 9e3c` at 0x63f24,
@ so the fault happened inside that callee, with r0 = r7 = 0 and fault address 0x00000000.
@ Targets printed as <_init+0xNNN> are unnamed stubs (PLT entries of dynamically linked
@ library functions, presumably libc); objdump cannot name them, so they are identified below
@ from their arguments and from the C source quoted further down -- treat those names as inferred.
00063e08 <remote_upgrade_app>:
   63e08:	e92d4bf0 	push	{r4, r5, r6, r7, r8, r9, fp, lr}
   63e0c:	e28db01c 	add	fp, sp, #28
   63e10:	e24dd0d8 	sub	sp, sp, #216	; 0xd8	@ locals: two 100-byte buffers (fp-228, fp-128) plus a flag byte at fp-229
   63e14:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
   63e18:	fafeb305 	blx	10a34 <__gnu_mcount_nc>	@ gcc -pg profiling hook
   63e1c:	e30a4b3c 	movw	r4, #43836	; 0xab3c
   63e20:	e3404007 	movt	r4, #7	@ r4 = 0x7ab3c: address of a global byte flag (same r4 value as in the dump); purpose inferred as a busy/in-progress guard
   63e24:	e5d45000 	ldrb	r5, [r4]	@ r5 = flag
   63e28:	e3550000 	cmp	r5, #0
   63e2c:	0a000002 	beq	63e3c <remote_upgrade_app+0x34>	@ flag clear -> continue; flag set -> return 0
   63e30:	e3a00000 	mov	r0, #0	@ common exit: return 0
   63e34:	e24bd01c 	sub	sp, fp, #28
   63e38:	e8bd8bf0 	pop	{r4, r5, r6, r7, r8, r9, fp, pc}
   63e3c:	ebffbdf7 	bl	53620 <param_get_binflag>
   63e40:	e3500000 	cmp	r0, #0
   63e44:	0afffff9 	beq	63e30 <remote_upgrade_app+0x28>	@ binflag == 0 -> return 0
   63e48:	e1a00005 	mov	r0, r5	@ r5 == 0 on this path (the beq at 63e2c was taken)
   63e4c:	ebff03e0 	bl	24dd4 <tsp_search_record>
   63e50:	e5d03030 	ldrb	r3, [r0, #48]	; 0x30	@ returned record pointer is dereferenced without a NULL check
   63e54:	e3530000 	cmp	r3, #0
   63e58:	0afffff4 	beq	63e30 <remote_upgrade_app+0x28>
   63e5c:	e3a06001 	mov	r6, #1
   63e60:	e5c46000 	strb	r6, [r4]	@ flag = 1 (r6 stays 1 afterwards, as seen in the dump)
   63e64:	ebffbde1 	bl	535f0 <param_get_binserver>
   63e68:	e1a07000 	mov	r7, r0	@ r7 = server string
   63e6c:	ebffbdaf 	bl	53530 <param_get_binport>
   63e70:	e1a08000 	mov	r8, r0	@ r8 = port
   63e74:	ebffbdd1 	bl	535c0 <param_get_binname>
   63e78:	e1a09000 	mov	r9, r0	@ r9 = file name
   63e7c:	ebffbdc3 	bl	53590 <param_get_binusr>	@ return value is overwritten before it is used
   63e80:	ebffbdb6 	bl	53560 <param_get_binpasswd>	@ return value is overwritten before it is used
   63e84:	e1a01005 	mov	r1, r5	@ r1 = 0 (r5 is still 0 here)
   63e88:	e3a02064 	mov	r2, #100	; 0x64
   63e8c:	e24b00e4 	sub	r0, fp, #228	; 0xe4	@ r0 = buf (100-byte stack buffer)
   63e90:	ebfe97f8 	bl	9e78 <_init+0x1ec>	@ (buf, 0, 100): memset-like zeroing -- inferred from the arguments
   63e94:	e58d9000 	str	r9, [sp]	@ 5th argument = name
   63e98:	e3061fc4 	movw	r1, #28612	; 0x6fc4
   63e9c:	e1a02007 	mov	r2, r7	@ 3rd argument = server
   63ea0:	e1a03008 	mov	r3, r8	@ 4th argument = port
   63ea4:	e3401007 	movt	r1, #7	@ r1 = 0x76fc4: format string
   63ea8:	e24b00e4 	sub	r0, fp, #228	; 0xe4	@ 1st argument = buf
   63eac:	ebfe9911 	bl	a2f8 <_init+0x66c>	@ (buf, fmt, server, port, name): sprintf-style call with no length argument, so the 100-byte buf can overflow on long server/name values; if those parameters are externally configurable this is also a shell-injection surface for the popen below
   63eb0:	e3041560 	movw	r1, #17760	; 0x4560
   63eb4:	e24b00e4 	sub	r0, fp, #228	; 0xe4
   63eb8:	e3401007 	movt	r1, #7	@ r1 = 0x74560: mode string ("r" per the source below)
   63ebc:	ebfe98aa 	bl	a16c <_init+0x4e0>	@ popen(buf, "r") per the source below; r0 = FILE* or NULL
   63ec0:	e2507000 	subs	r7, r0, #0	@ r7 = fp
   63ec4:	0a000002 	beq	63ed4 <remote_upgrade_app+0xcc>	@ fp == NULL -> error path (the crashing path: the dump shows r7 == 0)
   63ec8:	ebfe9783 	bl	9cdc <_init+0x50>	@ called with r0 = fp
   63ecc:	e3700001 	cmn	r0, #1
   63ed0:	1a000015 	bne	63f2c <remote_upgrade_app+0x124>	@ != -1 -> success path; == -1 falls into the error path with fp still valid
   63ed4:	e3a02064 	mov	r2, #100	; 0x64	@ error path ("end:" in the source below)
   63ed8:	e3a01000 	mov	r1, #0
   63edc:	e24b0080 	sub	r0, fp, #128	; 0x80
   63ee0:	e3a05001 	mov	r5, #1	@ r5 = 1 (matches the dump)
   63ee4:	ebfe97e3 	bl	9e78 <_init+0x1ec>	@ (fp-128, 0, 100): zero the second 100-byte buffer
   63ee8:	e24b101c 	sub	r1, fp, #28
   63eec:	e30307b8 	movw	r0, #14264	; 0x37b8
   63ef0:	e1a02005 	mov	r2, r5
   63ef4:	e3a03000 	mov	r3, #0
   63ef8:	e56150c9 	strb	r5, [r1, #-201]!	; 0xc9	@ byte at fp-229 = 1; r1 = address of that byte
   63efc:	e3400006 	movt	r0, #6	@ r0 = 0x637b8
   63f00:	ebfef1a7 	bl	205a4 <dlyrun_add2list1>	@ (0x637b8, fp-229, 1, 0): the named call used as the anchor to map this listing onto the source
   63f04:	e3060f48 	movw	r0, #28488	; 0x6f48
   63f08:	e1a02005 	mov	r2, r5	@ err = 1
   63f0c:	e3a01000 	mov	r1, #0	@ path = NULL
   63f10:	e3400007 	movt	r0, #7	@ r0 = 0x76f48: the "ent down! path is %s err is %d" format string
   63f14:	ebfe9849 	bl	a040 <_init+0x3b4>	@ printf(fmt, NULL, 1); passing NULL for %s is undefined behaviour on some libcs
   63f18:	e3a03000 	mov	r3, #0
   63f1c:	e1a00007 	mov	r0, r7	@ argument = fp (0 in the crash dump)
   63f20:	e5c43000 	strb	r3, [r4]	@ flag = 0
-> 63f24:	ebfe97c4 	bl	9e3c <_init+0x1b0>	@ pclose(fp) per the source below; pclose(NULL) dereferences address 0 inside libc -> the unhandled page fault at 0x00000000
-> 63f28:	eaffffc0 	b	63e30 <remote_upgrade_app+0x28>	@ == LR in the dump (return address of the call above); then return 0
   63f2c:	e30a3b44 	movw	r3, #43844	; 0xab44	@ success path
   63f30:	e3032ca4 	movw	r2, #15524	; 0x3ca4
   63f34:	e3403007 	movt	r3, #7	@ r3 = 0x7ab44
   63f38:	e3402006 	movt	r2, #6	@ r2 = 0x63ca4
   63f3c:	e1a01006 	mov	r1, r6	@ r1 = 1
   63f40:	e5830004 	str	r0, [r3, #4]	@ [0x7ab48] = result of the 9cdc call
   63f44:	e1a00003 	mov	r0, r3
   63f48:	e5832000 	str	r2, [r3]	@ [0x7ab44] = 0x63ca4
   63f4c:	ebfe989e 	bl	a1cc <_init+0x540>	@ (0x7ab44, 1); note the flag at r4 is not cleared on this path -- presumably done elsewhere (TODO confirm)
   63f50:	eaffffb6 	b	63e30 <remote_upgrade_app+0x28>	@ return 0

可以看出是 bl 9e3c <_init+0x1b0> 这一条调用出了问题。目标被 objdump 标成 <_init+0xNNN>,是因为 .plt 段里没有符号,objdump 只能用最近的符号 _init 加偏移来命名——也就是说 9e3c、9e78、a2f8、a16c、a040、9cdc、a1cc 这些都是动态链接库函数的 PLT 桩,单看反汇编分不清各自对应哪个 libc 函数。再加上源码里用了 goto,反汇编出来的控制流不太直观,所以需要逐段分析。

先在源码中找到函数 dlyrun_add2list1,再在 remote_upgrade_app 的反汇编里找到对它的调用(63f00),以此为锚点对应前后的代码。紧跟其后的 63f14: ebfe9849 bl a040 <_init+0x3b4> 是一个 printf 调用:r0 指向格式字符串地址,r1 为 0,r2 为 r5 的值 1。注意 r1 = 0 意味着 %s 对应的 path 是 NULL——glibc 会打印 "(null)",但在其他 libc 上这是未定义行为,本身也是一个隐患。对应源码如下:

printf("ent down! path is %s err is %d\n ", path, error);

继续往下分析。63f24 这条 bl 9e3c 的参数 r0 来自 r7(63f1c),而 r7 是 63ec0 处保存的 a16c 调用(即 popen)的返回值。进入这段错误处理路径有两种情况:popen 返回 NULL(63ec4 的 beq 跳转),或者随后的 9cdc 调用返回 -1(63ed0 不跳转,此时 fp 仍然有效)。崩溃现场 r7 = r0 = 0,说明走的是 popen 返回 NULL 这一条。当时曾怀疑是 system(buff),但 buff 数组本身没有问题;并且这个库函数执行完后会返回 remote_upgrade_app 继续执行(63f28 跳回 63e30),所以单靠反汇编还无法确定 bl 9e3c 到底对应哪个库函数。

于是用最笨的方法:在源码里逐个删除某个库函数调用,重新编译并反汇编,看哪条指令消失,从而定位出这条指令对应的是 pclose(fp);。(更快的办法是保留调试信息、不 strip 的二进制,用 addr2line -f -e ifotond 0x63f24 或 objdump -S 直接把 LR 映射到源码行。)注意 popen/pclose 是 libc 函数而不是系统调用,这里也不是"死机",而是进程因 SIGSEGV 退出。查看代码发现是 fp 为 NULL 导致的:popen 失败后 goto end,而 end 标签后面无条件调用了 pclose(fp):

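    // tmp is a shell command line: popen() hands it to /bin/sh, so no untrusted
    // data (e.g. externally configurable server/file-name parameters) may be
    // interpolated into it unescaped.
    FILE *fp = popen(tmp, "r");
    if(!fp){
        // popen() failed: no child process and no stream, so there is nothing to close.
        goto end;
    }

    end:
    file_down_finish(NULL, DOWNLOAD_ERROR);
    // pclose(NULL) is undefined behaviour: the libc implementation dereferences the
    // stream and the process faults at address 0 (the crash analysed above). Only
    // close a stream that popen() actually returned.
    if (fp) {
        pclose(fp);
    }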

这样就真相大白了:popen 失败后代码 goto end,而 end 之后无条件执行 pclose(fp),对 NULL 调用 pclose 是未定义行为(libc 会直接解引用该指针,所以缺页地址是 0x00000000),进程必然崩溃。修复办法是只关闭 popen 真正返回的流:把 pclose 改成 if (fp) pclose(fp);,或者把 end 标签放到 pclose 之后。另外从反汇编看(63e94–63eac),传给 popen 的命令是用 binserver、binport、binname 参数通过一个不带长度参数的 sprintf 类函数拼进 100 字节栈缓冲区的:如果这些参数来自远程可配置的升级服务器信息,既有栈缓冲区溢出风险,也是 shell 命令注入面,应当限制长度、校验内容,最好改用 fork/exec 直接传参数数组而不是拼接 shell 命令。

 


转载自blog.csdn.net/TSZ0000/article/details/93906878