fusfu / shellinabox

Automatically exported from code.google.com/p/shellinabox

shellinaboxd crashed on CentOS 5.5 #117

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hello,

Really appreciate your wonderful project!!

What steps will reproduce the problem?
Setup for shellinabox on a CentOS 5.5 64-bit server:
1. Shell in a box is initialized as a service on CentOS 5.5. Attached is the init.d 
script for the same.
2. The shellinabox daemon was restarted with the machine 2 hours before the 
crash.
3. Just before the crash there were ~10 active sessions.
4. Shell in a box access is being proxied through apache.

I found this error when I viewed 'dmesg':
shellinaboxd[5085] general protection rip:40e013 rsp:7fff18fc5a78 error:0

As per my limited understanding this could be some illegal pointer / memory 
being accessed which the OS protects against.

Also, could you please guide me as to where the shellinabox access / 
debug messages would be logged for such an init.d daemon-based setup.

Appreciate your time spent and any help on this.

Regards,
Shamik Datta
deafbeed@gmail.com

Original issue reported on code.google.com by shamik.d...@gmail.com on 17 Mar 2011 at 10:28

GoogleCodeExporter commented 9 years ago
I have the same issue, on Ubuntu 11.10 64-bit. I made a debug build of version 
2.10 to see what is happening, and found the following:

kernel: [148844.721430] shellinaboxd[1601] general protection ip:4121cb 
sp:7fff4aae34f8 error:0 in shellinaboxd[400000+1f000]

   0x00000000004121c0 <serverGetConnection+144>:        leaveq 
   0x00000000004121c1 <serverGetConnection+145>:        jne    0x412142 <serverGetConnection+18>
   0x00000000004121c7 <serverGetConnection+151>:        mov    0x18(%rdi),%rcx
   0x00000000004121cb <serverGetConnection+155>:        cmp    %edx,0x8(%rcx,%r9,8)
   0x00000000004121d0 <serverGetConnection+160>:        jne    0x412142 <serverGetConnection+18>
   0x00000000004121d6 <serverGetConnection+166>:        repz retq 
   0x00000000004121d8 <serverGetConnection+168>:        nopl   0x0(%rax,%rax,1)

0x4121cb is in serverGetConnection (libhttp/server.c:339).
334                                                  int fd) {
335       if (hint &&
336           server->connections <= hint &&
337           server->connections + server->numConnections > hint &&
338           &server->connections[hint - server->connections] == hint &&
339           !hint->deleted &&
340           server->pollFds[hint - server->connections + 1].fd == fd) {
341         return hint;
342       }
343       for (int i = 0; i < server->numConnections; i++) {

That if-statement in the serverGetConnection function looks a bit hairy. I'm 
not able to completely follow the logic but it seems that there is some kind of 
an issue with pointer arithmetic and/or pointer mixup in general.

For me, the crashes don't occur very often but they definitely do occur. I can 
try to do further analysis with the debug build I have if you want to.

Original comment by samuli.s...@gmail.com on 14 Mar 2012 at 10:47

GoogleCodeExporter commented 9 years ago
Try something along these lines and let me know, if that fixes it:

  if (hint &&
      server->connections <= hint &&
      server->connections + server->numConnections > hint) {
    // The compiler would like to optimize the expression:
    //   &server->connections[hint - server->connections]     <=>
    //   server->connections + hint - server->connections     <=>
    //   hint
    // This transformation is correct as far as the language specification is
    // concerned, but it is unintended as we actually want to check whether
    // the alignment is correct. So, instead of comparing
    //   &server->connections[hint - server->connections] == hint
    // we first use memcpy() to break aliasing.
    uintptr_t ptr1, ptr2;
    memcpy(&ptr1, &hint, sizeof(ptr1));
    memcpy(&ptr2, &server->connections, sizeof(ptr2));
    int idx = (ptr1 - ptr2)/sizeof(*server->connections);
    if (&server->connections[idx] == hint &&
        !hint->deleted &&
        server->pollFds[hint - server->connections + 1].fd == fd) {
      return hint;
    }
  }

Original comment by zod...@gmail.com on 14 Mar 2012 at 5:44
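To make the hint-validation problem discussed in the two comments above concrete, here is a stand-alone example added for this page. It is not shellinabox's code: the Connection and Server layouts, the convention that pollFds[0] is the listening socket so that connections[i] maps to pollFds[i + 1], and the function names lookupByHint, demoSetup and demoRun are all assumptions made for the example. It applies the same memcpy-to-uintptr_t technique to keep the compiler from folding the alignment check away, and additionally rejects a hint that points into the middle of an element (a modulo check) before anything is dereferenced, which is the case the original expression could not reliably catch.

```c
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the shellinabox structures (constructed for this
 * example; only the field names that appear on the page are taken from it). */
struct Connection {
  int fd;
  int deleted;
};

struct Server {
  struct Connection *connections;
  int numConnections;
  struct pollfd *pollFds;   /* assumed: slot 0 is the listening socket, slot i+1 belongs to connections[i] */
};

/* Validate a cached "hint" pointer before trusting it.  Returns hint only if
 * it is a live, element-aligned entry of server->connections whose pollfd
 * still carries fd; otherwise NULL.  No field of hint is read until the
 * pointer has been proven to be inside the array and aligned to an element. */
struct Connection *lookupByHint(struct Server *server, struct Connection *hint, int fd) {
  if (!hint || server->numConnections <= 0) return NULL;

  /* Copy the pointers into integers so the arithmetic below is plain integer
   * arithmetic; the compiler cannot fold "&connections[hint - connections]"
   * back into "hint" the way it can with pointer subtraction. */
  uintptr_t ptr1, ptr2;
  memcpy(&ptr1, &hint, sizeof(ptr1));
  memcpy(&ptr2, &server->connections, sizeof(ptr2));
  if (ptr1 < ptr2) return NULL;                                       /* before the array */

  uintptr_t off = ptr1 - ptr2;
  if (off % sizeof(*server->connections) != 0) return NULL;          /* points into the middle of an element */
  size_t idx = off / sizeof(*server->connections);
  if (idx >= (size_t)server->numConnections) return NULL;            /* past the end of the array */

  if (hint->deleted) return NULL;                                    /* safe to dereference now */
  if (server->pollFds[idx + 1].fd != fd) return NULL;                /* stale: fd was reused */
  return hint;
}

/* Constructed fixture: three connections with fds 10, 11, 12, the matching
 * pollFds, and connections[2] marked deleted to simulate a closed session. */
static struct Connection demoConns[3];
static struct pollfd demoPoll[4];
static struct Server demoServer;

struct Server *demoSetup(void) {
  for (int i = 0; i < 3; i++) {
    demoConns[i].fd = 10 + i;
    demoConns[i].deleted = 0;
    demoPoll[i + 1].fd = 10 + i;
  }
  demoPoll[0].fd = 9;          /* listening socket */
  demoConns[2].deleted = 1;
  demoServer.connections = demoConns;
  demoServer.numConnections = 3;
  demoServer.pollFds = demoPoll;
  return &demoServer;
}

/* Exercise the hint cases involved in a crash like the one reported above.
 * Returns a bitmask of the checks that behaved as expected; 31 means all did. */
int demoRun(void) {
  struct Server *s = demoSetup();
  int ok = 0;
  if (lookupByHint(s, &demoConns[1], 11) == &demoConns[1]) ok |= 1;      /* valid hint */
  if (lookupByHint(s, &demoConns[1], 12) == NULL) ok |= 2;               /* fd no longer matches */
  if (lookupByHint(s, &demoConns[2], 12) == NULL) ok |= 4;               /* connection deleted */
  struct Connection *mis = (struct Connection *)((char *)demoConns + 3); /* misaligned pointer */
  if (lookupByHint(s, mis, 10) == NULL) ok |= 8;
  if (lookupByHint(s, &demoConns[3], 13) == NULL) ok |= 16;              /* one past the end */
  return ok;
}

int main(void) {
  printf("hint validation checks passed: 0x%x (expect 0x1f)\n", demoRun());
  return 0;
}
```

The ordering matters: the bounds and alignment checks run on integers only, so a corrupt or stale hint is rejected before hint->deleted is ever read, which is exactly the dereference that faulted at server.c:339 in the debug build above.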

GoogleCodeExporter commented 9 years ago
This change was made in commit 13d0448 or svn commit 220 on Sep 3 2010.

Original comment by beewoo...@gmail.com on 6 Apr 2012 at 3:36