
FDP: segfault while reading physical memory in std::__atomic_base<bool>::store #38

Open
Wenzel opened this issue Sep 6, 2021 · 3 comments

Comments

@Wenzel

Wenzel commented Sep 6, 2021

Hi,

I'm facing a segfault while trying to read physical memory:

#0  std::__atomic_base<bool>::store (__m=std::memory_order_release, __i=false, this=0x370f1a00370f190) at /usr/include/c++/9/bits/atomic_base.h:397
#1  std::atomic<bool>::store (this=0x370f1a00370f190, __i=false, __m=std::memory_order_release) at /usr/include/c++/9/atomic:105
#2  0x00007ffff75a8be4 in (anonymous namespace)::ttas_spinlock_unlock (flag=0x370f1a00370f190) at FDP.cpp:97
#3  (anonymous namespace)::UnlockSHM (FDPShm=0x370f1a00370f190) at FDP.cpp:107
#4  RunCmdBuffer (pFDP=0x7ffff4bbf010, pDst=0x7ffff45bd04f, pSrc=0x7fffffffb9b0, szSize=24) at FDP.cpp:353
#5  0x00007ffff75a8d82 in FDP_ReadPhysicalMemoryInternal (pFDP=0x7ffff4bbf010, pDstBuffer=0x7ffff45bd04f "t", ReadSize=10485759, 
    PhysicalAddress=11534335) at FDP.cpp:399
#6  0x00007ffff75a8e1b in FDP_ReadPhysicalMemory (pFDP=0x7ffff4bbf010, 
    pDstBuffer=0x7ffff3bbd050 "\002\260\001\213~8\215M\370\210E\364\213E\364\211E\374\211]\370\213\207p\a", ReadSize=15728640, 
    PhysicalAddress=1048576) at FDP.cpp:413
#7  0x00007ffff769496e in fdp::FDP::read_physical_memory () from /lib/libmicrovmi.so
#8  0x00007ffff760d010 in <microvmi::driver::virtualbox::VBox as microvmi::api::Introspectable>::read_physical () from /lib/libmicrovmi.so
#9  0x00007ffff760b157 in microvmi_read_physical () from /lib/libmicrovmi.so
#10 0x00007ffff7e942e9 in DeviceMicrovmi_ReadContigious () from /home/mtarral/local/memprocfs/leechcore_device_microvmi.so
#11 0x00007ffff7c16260 in LcReadContigious_DeviceRead () from /home/mtarral/local/memprocfs/leechcore.so
#12 0x00007ffff7c1649d in LcReadContigious_Read () from /home/mtarral/local/memprocfs/leechcore.so
#13 0x00007ffff7c1670d in LcReadContigious_ReadScatterGather () from /home/mtarral/local/memprocfs/leechcore.so
#14 0x00007ffff7c16ca8 in LcReadScatter () from /home/mtarral/local/memprocfs/leechcore.so
#15 0x00007ffff7c1706e in LcRead () from /home/mtarral/local/memprocfs/leechcore.so
#16 0x00007ffff7ecde04 in VmmWinInit_DTB_FindValidate () from /home/mtarral/local/memprocfs/vmm.so
#17 0x00007ffff7eceae4 in VmmWinInit_TryInitialize () from /home/mtarral/local/memprocfs/vmm.so
#18 0x00007ffff7ecbc32 in VmmProcInitialize () from /home/mtarral/local/memprocfs/vmm.so
#19 0x00007ffff7eb04e6 in VMMDLL_InitializeEx () from /home/mtarral/local/memprocfs/vmm.so
#20 0x00007ffff7eb066d in VMMDLL_Initialize () from /home/mtarral/local/memprocfs/vmm.so
#21 0x000055555555894d in main ()

I initialized FDP with:

The last call in FDP is here

My memory dump example is still working though:
(screenshot: 2021-09-06 13-57-44)

But this time I'm trying to bridge libmicrovmi with MemProcFS.

I wanted to check with you if this was a bug somewhere in FDP?

Thanks!

@Wenzel
Author

Wenzel commented Sep 6, 2021

From what I can see from the LeechCore call, it's trying to read 0xf00000 bytes at physical address 0x100000.

#10 0x00007ffff7e942e9 in DeviceMicrovmi_ReadContigious (ctxRC=0x7ffff3bbd010) at leechcore_device_microvmi.c:14
14        if (!microvmi_read_physical(driver, ctxRC->paBase, ctxRC->pb, ctxRC->cb, &bytes_read)) {
(gdb) driver
Undefined command: "driver".  Try "help".
(gdb) p driver
$1 = (void *) 0x555555568880
(gdb) l
9       {
10        // read contigious physical memory
11        PLC_CONTEXT ctxLC = ctxRC->ctxLC;
12        void* driver = ctxLC->hDevice;
13        uint64_t bytes_read = 0;
14        if (!microvmi_read_physical(driver, ctxRC->paBase, ctxRC->pb, ctxRC->cb, &bytes_read)) {
15          lcprintfvvv(ctxLC, "Failed to read physical memory at 0x%llx\n", ctxRC->paBase);
16        }
17        ctxRC->cbRead = (DWORD)bytes_read;
18      }
(gdb) p/x ctxRC->paBase
$2 = 0x100000
(gdb) p/x ctxRC->cb
$3 = 0xf00000

@Wenzel
Author

Wenzel commented Sep 6, 2021

As a workaround I'm splitting the read by 4K, and it seems to work.
So the 0xf00000 read size was definitely the issue! 😉

@bamiaux
Contributor

bamiaux commented Sep 8, 2021

Icebox does split into aligned chunks before reading and we don't get segfaults.
However, reading the virtualbox implementation, it's supposed to support reading physical memory mapping multiple contiguous pages, so something is definitely wrong.
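
The page-aligned splitting that both the 4K workaround above and the Icebox comment describe, as an added example that is not code from FDP, libmicrovmi, LeechCore or Icebox. The `phys_read_fn` callback is a hypothetical stand-in with the same shape as the `microvmi_read_physical()` call seen in the gdb session, and `fake_vm`/`fake_read` are a constructed backend that refuses any single request larger than one page, so the issue's 0xf00000-byte request at 0x100000 fails when issued directly and succeeds when chunked. The splitter also handles a start address that is not page-aligned, which goes slightly beyond the 4K case in the comment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define CHUNK_PAGE 4096ULL

/* Hypothetical backend signature: same shape as the microvmi_read_physical()
 * call in the issue's gdb session, but a stand-in, not the real libmicrovmi API. */
typedef bool (*phys_read_fn)(void *driver, uint64_t paddr, uint8_t *buf,
                             uint64_t len, uint64_t *bytes_read);

/* Read [paddr, paddr + len) one page-aligned chunk at a time so that no single
 * backend call crosses a 4K boundary; an unaligned start gets a shorter first
 * chunk. Returns bytes copied and stops at the first failed or short read. */
uint64_t read_physical_chunked(void *driver, phys_read_fn read,
                               uint64_t paddr, uint8_t *dst, uint64_t len)
{
    uint64_t done = 0;
    while (done < len) {
        uint64_t cur = paddr + done;
        uint64_t to_boundary = CHUNK_PAGE - (cur % CHUNK_PAGE); /* bytes to next page */
        uint64_t chunk = len - done;
        if (chunk > to_boundary)
            chunk = to_boundary;
        uint64_t got = 0;
        if (!read(driver, cur, dst + done, chunk, &got) || got == 0)
            break;
        done += got;
        if (got < chunk)
            break; /* short read: return what we have instead of spinning */
    }
    return done;
}

/* Constructed fake guest for this example: memory is a deterministic byte
 * pattern and the backend rejects any request larger than one page. */
typedef struct {
    uint64_t phys_size;
    uint64_t max_request;
    unsigned calls;
} fake_vm;

static uint8_t pattern_byte(uint64_t pa) { return (uint8_t)(pa * 31 + 7); }

static bool fake_read(void *driver, uint64_t paddr, uint8_t *buf,
                      uint64_t len, uint64_t *bytes_read)
{
    fake_vm *vm = driver;
    vm->calls++;
    if (len > vm->max_request || paddr >= vm->phys_size)
        return false;
    if (paddr + len > vm->phys_size)
        len = vm->phys_size - paddr;
    for (uint64_t i = 0; i < len; i++)
        buf[i] = pattern_byte(paddr + i);
    *bytes_read = len;
    return true;
}

/* Issue one request directly, unchunked; true if the fake backend refused it. */
bool direct_read_rejected(uint64_t paddr, uint64_t len)
{
    fake_vm vm = { .phys_size = 16ULL << 20, .max_request = CHUNK_PAGE, .calls = 0 };
    uint8_t *dst = malloc(len);
    if (!dst)
        return false;
    uint64_t got = 0;
    bool ok = fake_read(&vm, paddr, dst, len, &got);
    free(dst);
    return !ok;
}

/* Issue the same request through the chunked reader and verify every byte.
 * Returns the number of backend calls made, or 0 on any failure or mismatch. */
unsigned chunked_read_calls(uint64_t paddr, uint64_t len)
{
    fake_vm vm = { .phys_size = 16ULL << 20, .max_request = CHUNK_PAGE, .calls = 0 };
    uint8_t *dst = malloc(len);
    if (!dst)
        return 0;
    uint64_t got = read_physical_chunked(&vm, fake_read, paddr, dst, len);
    bool ok = (got == len);
    for (uint64_t i = 0; ok && i < len; i++)
        if (dst[i] != pattern_byte(paddr + i))
            ok = false;
    free(dst);
    return ok ? vm.calls : 0;
}

int main(void)
{
    /* The exact request from the issue: 0xf00000 bytes at physical 0x100000. */
    printf("direct read rejected: %s\n", direct_read_rejected(0x100000, 0xf00000) ? "yes" : "no");
    printf("chunked read used %u backend calls\n", chunked_read_calls(0x100000, 0xf00000));
    printf("unaligned 0x1000 at 0x100800 used %u calls\n", chunked_read_calls(0x100800, 0x1000));
    return 0;
}
```

The splitter stops on a short read rather than retrying, so a caller such as a LeechCore device plugin can report a partial `cbRead` instead of looping; the 0xf00000-byte request turns into 0xf00 page-sized backend calls.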
