Using core files to locate the overflow point in an embedded program

Source: Internet | Editor: 程序博客网 | Time: 2024/06/14 10:49

  

Monday, 31 August 2015, 15:25:10

 

1. Preparing the GDB tool

         Make sure the gdb version is 7.3.1 or later; in general the latest release is fine.

         Official GDB download: http://ftp.gnu.org/gnu/gdb/

         Related document: http://blog.csdn.net/lile777/article/details/48132703

[root@roger ~]# /usr/local/arm-gdb/bin/arm-linux-gdb
GNU gdb (GDB) 7.9.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=arm-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb)

 

2. Compiling the program

         Add the -funwind-tables -g -rdynamic flags to gcc; this can be done directly in the Makefile.

        -funwind-tables    must be added for the embedded build

        -g                 generate debugging information in the operating system's native format

        -rdynamic          tells the linker to add all symbols to the dynamic symbol table

CC       = arm-linux-gcc  -funwind-tables -g -rdynamic
CXX      = arm-linux-g++  -funwind-tables -g -rdynamic

 

3. Setting up the embedded program's runtime environment

# ulimit -c unlimited  // allow enough space for the core file

# echo "core.%e.%p" > /proc/sys/kernel/core_pattern  /// customise the core file name format

         The core file name parameters are:

    %p - insert pid into filename
    %u - insert current uid into filename
    %g - insert current gid into filename
    %s - insert signal that caused the coredump into the filename
    %t - insert UNIX time that the coredump occurred into filename
    %h - insert hostname where the coredump happened into filename
    %e - insert coredumping executable name into filename

 

/tmp1/chengxu # ulimit -c unlimited
/tmp1/chengxu # ulimit -c
unlimited

/tmp1/chengxu # ./tiaoshi1

card_buff[2] = FF,card_buff[3] = FF
Segmentation fault (core dumped) //// the core file is produced here

/tmp1/chengxu # ls -lh cor*
-rw-------    1 root    root         7.7M   Aug 31 14:26 core.tiaoshi1.854
/tmp1/chengxu #

 

4. Analysing the core file

          Copy the generated core file to the host on which the embedded program was compiled and use gdb to inspect the stack;

[root@roger]# /usr/local/arm-gdb/bin/arm-linux-gdb ./tiaoshi1
GNU gdb (GDB) 7.9.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=arm-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./tiaoshi1...done.
(gdb) set solib-absolute-prefix /mnt/9260/lib/:/root/code/system/libqte  // custom library path
(gdb) set solib-search-path /mnt/9260/lib/:/root/code/system/libqte  // custom library path
(gdb) core-file ./core.tiaoshi1.854  // load the core file
[New LWP 854]
[New LWP 869]
[New LWP 859]
[New LWP 867]
[New LWP 868]
Core was generated by `./tiaoshi1'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  ICcardread () at card_I2c.c:224
224             *ptr = 0x00;
(gdb) l                     /// print the surrounding source
219             }//end
220             memset(NowLicense,0,19);
221             memcpy(NowLicense,&(card_buff[32]),18);
222
223             unsigned char *ptr = 0x00;
224             *ptr = 0x00;
225
226             //update
227             if(NowLicense[0] != 0)
228             {
(gdb)
(gdb) info sharedlibrary
From        To          Syms Read   Shared Object Library
0x401c8fd8  0x4060bda0  Yes         /root/code/system/libqte/libqte-mt.so.3.3.8
0x4075efc8  0x407f884c  Yes (*)     /root/code/system/libqte/libstdc++.so.6.0.4
0x408143d4  0x4084bd4c  Yes (*)     /mnt/9260/lib/libm-2.3.90.so
0x4088c9fc  0x40892e34  Yes         /mnt/9260/lib/libgcc_s.so.1
0x408b2a00  0x40984964  Yes (*)     /mnt/9260/lib/libc-2.3.90.so
0x409b00a0  0x409ba210  Yes (*)     /mnt/9260/lib/libpthread-0.10.so
0x40a06c8c  0x40a07be0  Yes (*)     /mnt/9260/lib/libdl-2.3.90.so
0x40000ba0  0x400153c8  Yes (*)     /mnt/9260/lib/ld-2.3.90.so
(*): Shared library is missing debugging information.
(gdb) bt
#0  ICcardread () at card_I2c.c:224
#1  0x0000e420 in ontimer_200ms_fun (signal=<optimized out>) at main.c:775
#2  <signal handler called>
#3  0x0000cef8 in main (argc=<optimized out>, argv=<optimized out>) at main.c:600
(gdb) where
#0  ICcardread () at card_I2c.c:224
#1  0x0000e420 in ontimer_200ms_fun (signal=<optimized out>) at main.c:775
#2  <signal handler called>
#3  0x0000cef8 in main (argc=<optimized out>, argv=<optimized out>) at main.c:600
(gdb)

 

 At this point the program's overflow point has been located: frame #0 in the backtrace points straight at the faulting line, card_I2c.c:224.
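The listing around card_I2c.c:220-224 shows the two operations worth guarding: a fixed-offset memcpy from card_buff and a write through a null pointer. The following is an added example, not code from the original post: it gives a hardened form of both (the buffer size of 64 bytes and the function names copy_license and store_byte are assumptions), and when run with the argument `crash` it deliberately reproduces the null write so that the ulimit / core_pattern / gdb steps above can be rehearsed on a host build (compile with -g -O0).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout taken from the listing: the licence occupies card_buff[32..49]
 * (18 bytes) and NowLicense keeps 18 bytes plus a terminating NUL. */
#define LICENSE_OFFSET 32
#define LICENSE_LEN    18
#define CARD_BUFF_LEN  64   /* assumed size of the card read buffer */

static unsigned char card_buff[CARD_BUFF_LEN];
static char NowLicense[LICENSE_LEN + 1];

/* Hardened form of lines 220-221: verify that the source really holds
 * bytes 32..49 instead of trusting fixed offsets. Returns 0 on success. */
int copy_license(const unsigned char *src, size_t src_len)
{
    if (src == NULL || src_len < LICENSE_OFFSET + LICENSE_LEN)
        return -1;                          /* report, do not over-read */
    memset(NowLicense, 0, sizeof NowLicense);
    memcpy(NowLicense, src + LICENSE_OFFSET, LICENSE_LEN);
    return 0;
}

/* Hardened form of lines 223-224: a NULL destination becomes an error
 * code instead of the SIGSEGV recorded in the core dump. */
int store_byte(unsigned char *ptr, unsigned char value)
{
    if (ptr == NULL)
        return -1;
    *ptr = value;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample card image: 0xFF filler with a licence at 32. */
    memset(card_buff, 0xFF, sizeof card_buff);
    memcpy(card_buff + LICENSE_OFFSET, "LIC-0000-0000-0001", LICENSE_LEN);
    if (copy_license(card_buff, sizeof card_buff) == 0)
        printf("NowLicense = %s\n", NowLicense);

    if (argc > 1 && strcmp(argv[1], "crash") == 0) {
        /* Deliberate reproduction of the fault at card_I2c.c:224; volatile
         * keeps the compiler from dropping the store. */
        volatile unsigned char *ptr = 0x00;
        *ptr = 0x00;
    }
    return 0;
}
```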


 That's all.


