Context Navigation

Back to Ticket #245

Ticket #245: SHLNotes.txt

File SHLNotes.txt, 15.0 KB (added by Steven Levine, 13 years ago)
Analysis notes

Line
1	Massimo zombie
2	2011-05-26 SHL
3	2011-06-02 SHL
4
5	Running:
6
7	I:\sla_dev2\stunnel\stunnel-4.34\0-zips\0\stunnel.exe
8	1-14-11 20:09 775,694 0 stunnel.exe
9
10	a73b0119d7ae0e094e57412bbe330f72 *stunnel.exe
11
12	IBM OS/2 Dump Formatter for a retail or an hstrict SMP kernel.
13	Formatter is --> Internal revision 14.105_SMP
14	Dump file is --> Internal revision 14.104a_SMP (process dump)
15
16	Symbol (d:\devtools\pmdf\14_104a_smp_massimo\os2krnlr.sym) linked
17
18	# .p
19	Slot Pid Ppid Csid Ord Sta Pri pTSD pPTDA pTCB Disp SG Name
20	*0179# 5f39 0010 5f39 0001 crt 0200 f9178000 fe625c38 f9735afc 0f1c 26 STUNNEL
21	019d 5f39 0010 5f39 0002 blk 0200 f919c000 fe625c38 f973c78c 0ebc 26 STUNNEL
22
23	# .pu
24	Slot Pid Ord pPTDA Name pstkframe CS:EIP SS:ESP cbargs
25	*0179# 5f39 0001 fe625c38 STUNNEL %f9178f48 005b:1f05921e 0053:002afd58 0000
26	019d 5f39 0002 fe625c38 STUNNEL %f919cf40 005b:1f057f55 0053:0270fb3c 0000
27
28	# .pb
29	Slot Sta BlockID Name Type Addr Symbol
30	019d blk fd43b904 STUNNEL Sem32 0001 0050 Event
31
32	# Checking call gates for all slots
33	Slot STUNNEL 179:
34	* Not in a call *
35	Slot STUNNEL 19d:
36	is in a call to:
37	%1ffc08e8 DOSCALL1 DOS32WAITEVENTSEM
38
39	# .s (ord 1)
40	Current slot number: 0179
41
42	eax=00000000 ebx=006ceff8 ecx=00000db1 edx=006b0078 esi=006cf000 edi=006d4040
43	eip=1f05921e esp=002afd58 ebp=002afda8 iopl=0 rf -- -- nv up ei pl nz na po nc
44	cs=005b ss=0053 ds=0053 es=0053 fs=150b gs=0000 cr2=00000000 cr3=00000000 p=**
45	005b:1f05921e f3ab repe stosd es:006d4040=00000000
46
47	# ln
48	%1f059210 LIBC063 _std_bzero + e
49
50	# k
51	005b:1f05a846 006b0000 00008704 00000010 00000002 [LIBC063 _um_alloc_no_lock + 86]
52	005b:1f05c9f3 006b0000 00008704 00000010 00000002 [LIBC063 _ucalloc + 9f]
53	005b:1f09b6e7 006b0000 00000001 00008704 1bc00050 [LIBC063 _std_calloc + 27]
54	005b:00013696 00000001 00008704 002afe58 1f09d0e5 [STUNNEL alloc_client_session + 1a]
55	005b:0002071c 006cb9e0 0000000c 0000000c 0000000c [STUNNEL main_execute + 188]
56	005b:00020bc4 00000002 0001ff70 002aff68 00000001 [STUNNEL main + c8]
57	005b:00010021 00000002 002aff7c 20030180 ffffffff [STUNNEL _text + 21]
58	005b:1f07854b 00000000 1ffece38 00001a2f 00000000 [LIBC063 __init_app + b]
59
60	# u _um_alloc_no_lock + 86-5 l1
61	%1f05a841 e85b010000 call %1f05a9a1
62
63	# ln %1f05a9a1
64	%1f05a874 LIBC063 _um_lump_alloc + 12d (_um_lump_alloc_noexpand?)
65
66	# dd esp
67	eip
68	0053:002afd58 00008704 1f05abcc 006cf000 00008704
69	0053:002afd68 006b0078 006b0078 20035320 0000000c
70	0053:002afd78 002afd98 00008720 006ceff8 0000000f
71	0053:002afd88 00008720 006b0150 006cf000 00008720
72	0053:002afd98 0000000a 00008704 006b0000 00000002
73	eip h size
74	0053:002afda8 002afdd8 1f05a846 006b0000 00008704
75	round flags
76	0053:002afdb8 00000010 00000002 20035320 0000000c
77	0053:002afdc8 00000002 006b0000 006b013c 00008704
78
79	# ln %1f05abcc
80	%1f05a874 LIBC063 _um_lump_alloc + 358 (_um_lump_alloc_noexpand?)
81
82	# u _um_lump_alloc + 358-5
83	%1f05abc7 e844e6ffff call %1f059210 ; _std_bzero
84
85	# ln %1f059210
86	%1f059210 LIBC063 _std_bzero
87
88	# ln %1f05a846
89	%1f05a7c0 LIBC063 _um_alloc_no_lock + 86
90
91	# u %1f05a846-5 l1
92	%1f05a841 e85b010000 call %1f05a9a1
93
94	# ln %1f05a9a1
95	%1f05a874 LIBC063 _um_lump_alloc + 12d (_um_lump_alloc_noexpand?)
96
97	# u _um_alloc_no_lock _um_alloc_no_lock + 86 ( code does not seem to match source )
98	LIBC063 _um_alloc_no_lock:
99	%1f05a7c0 55 push ebp
100	%1f05a7c1 89e5 mov ebp,esp
101	%1f05a7c3 57 push edi
102	%1f05a7c4 56 push esi
103	%1f05a7c5 53 push ebx
104	%1f05a7c6 83ec0c sub esp,+0c
105	%1f05a7c9 8b7508 mov esi,dword ptr [ebp+08]
106	%1f05a7cc 8b5d0c mov ebx,dword ptr [ebp+0c]
107	%1f05a7cf 8b7d14 mov edi,dword ptr [ebp+14]
108	%1f05a7d2 8b86e8000000 mov eax,dword ptr [esi+000000e8]
109	; if...
110	%1f05a7d8 85c0 test eax,eax
111	%1f05a7da 7e4e jle %1f05a82a
112
113	%1f05a7dc c1e004 shl eax,04
114	%1f05a7df 3b9c06dc000000 cmp ebx,dword ptr [esi+eax+000000dc]
115	%1f05a7e6 7742 ja %1f05a82a
116
117	%1f05a7e8 31d2 xor edx,edx
118	; while...
119	%1f05a7ea 3b9eec000000 cmp ebx,dword ptr [esi+000000ec]
120	%1f05a7f0 760e jbe %1f05a800
121	%1f05a7f2 8d86ec000000 lea eax,[esi+000000ec]
122	%1f05a7f8 83c010 add eax,+10
123	%1f05a7fb 42 inc edx
124	%1f05a7fc 3b18 cmp ebx,dword ptr [eax]
125	%1f05a7fe 77f8 ja %1f05a7f8
126
127	%1f05a800 83ec0c sub esp,+0c
128	%1f05a803 8b4d10 mov ecx,dword ptr [ebp+10]
129	%1f05a806 c1e204 shl edx,04
130	%1f05a809 57 push edi
131	%1f05a80a 51 push ecx
132	%1f05a80b 8d8c32ec000000 lea ecx,[edx+esi+000000ec]
133	%1f05a812 53 push ebx
134	%1f05a813 51 push ecx
135	%1f05a814 56 push esi
136	%1f05a815 e8ab040000 call %1f05acc5 ; _um_lump_alloc + 451 (_um_crateset_alloc)
137	%1f05a81a 83c420 add esp,+20 ;' '
138	%1f05a81d 85c0 test eax,eax
139	%1f05a81f 7409 jz %1f05a82a
140	%1f05a821 90 nop
141
142	; exit
143	%1f05a822 8d65f4 lea esp,[ebp-0c]
144	%1f05a825 5b pop ebx
145	%1f05a826 5e pop esi
146	%1f05a827 5f pop edi
147	%1f05a828 5d pop ebp
148	%1f05a829 c3 retd
149
150	%1f05a82a 8d4b2b lea ecx,[ebx+2b]
151	%1f05a82d 31d2 xor edx,edx
152	%1f05a82f 83e1e0 and ecx,-20
153	%1f05a832 39d9 cmp ecx,ebx
154	%1f05a834 7304 jnc %1f05a83a
155
156	%1f05a836 89d0 mov eax,edx
157	%1f05a838 ebe8 jmp %1f05a822
158
159	%1f05a83a 8b4510 mov eax,dword ptr [ebp+10]
160	%1f05a83d 57 push edi
161	%1f05a83e 50 push eax
162	%1f05a83f 53 push ebx
163	%1f05a840 56 push esi
164	%1f05a841 e85b010000 call %1f05a9a1 ; _um_lump_alloc + 12d (_um_lump_alloc_noexpand?)
165	%1f05a846 83c410 add esp,+10
166	%1f05a849 89c2 mov edx,eax
167	%1f05a84b 85c0 test eax,eax
168	%1f05a84d 75e7 jnz %1f05a836
169	%1f05a84f 52 push edx
170	%1f05a850 52 push edx
171	%1f05a851 53 push ebx
172	%1f05a852 56 push esi
173	%1f05a853 e811040000 call %1f05ac69 ; _um_lump_alloc + 3f5 (_um_crateset_alloc?)
174	%1f05a858 83c410 add esp,+10
175	%1f05a85b 31d2 xor edx,edx
176	%1f05a85d 85c0 test eax,eax
177	%1f05a85f 74d5 jz %1f05a836
178	%1f05a861 8b5510 mov edx,dword ptr [ebp+10]
179	%1f05a864 57 push edi
180	%1f05a865 52 push edx
181	%1f05a866 53 push ebx
182	%1f05a867 56 push esi
183	%1f05a868 e834010000 call %1f05a9a1 ; _um_lump_alloc + 12d (_um_lump_alloc_noexpand?)
184	%1f05a86d 83c410 add esp,+10
185	%1f05a870 89c2 mov edx,eax
186	%1f05a872 ebc2 jmp %1f05a836
187
188	LIBC063 _um_lump_alloc:
189	%1f05a874 55 push ebp
190	%1f05a875 89e5 mov ebp,esp
191
192	# ln %1f05a9a1
193	%1f05a874 LIBC063 _um_lump_alloc + 12d
194
195	# ln %1f05acc5
196	%1f05a874 LIBC063 _um_lump_alloc + 451
197
198	# ln %1f05ac69
199	%1f05a874 LIBC063 _um_lump_alloc + 3f5
200
201	# ln %1f05acc5
202	%1f05a874 LIBC063 _um_lump_alloc + 451 (_um_crateset_alloc)
203
204	_um_alloc_no_lock ->
205	_um_lump_alloc_noexpand->
206	_std_bzero
207
208	Looks OK, but can't run because ORD2 in critical section
209
210	-------------------------------------------------------------------------
211
212	# .s19d
213	Current slot number: 019d (ord 2)
214
215	# r
216	eax=00000000 ebx=006b013c ecx=00010050 edx=00000bb8 esi=00000001 edi=0270fb4c
217	eip=1f057f55 esp=0270fb3c ebp=0270fb64 iopl=0 -- -- -- nv up ei pl nz na pe nc
218	cs=005b ss=0053 ds=0053 es=0053 fs=150b gs=0000 cr2=00000000 cr3=00000000 p=**
219	005b:1f057f55 83c410 add esp,+10
220
221	# ln
222	%1f057e14 LIBC063 __fmutex_request_internal + 141
223
224	# k
225	005b:1f05a758 006b013c 00000001 00000002 00000000 [LIBC063 _umalloc + 134]
226	005b:1f05a675 006b013c 00000001 006b0000 006b0000 [LIBC063 _umalloc + 51]
227	005b:1f060394 006b0000 00000064 000521d0 000521d0 [LIBC063 _std_malloc + 24]
228	005b:000521e4 00000064 0000001e 00115fcb 00000148 [STUNNEL TLSv1_server_method + a7]
229	005b:0005270d 00000064 00082f03 000000ce 00000000 [STUNNEL CRYPTO_malloc + 82]
230	005b:0008317d 00000064 00082f03 000000ce 00000000 [STUNNEL EVP_DigestInit_ex + 209]
231	005b:000b67d5 0270fca4 000843d0 00000000 00000101 [STUNNEL RAND_SSLeay + 2ae]
232	005b:000596cb 0270fd64 00000004 00000000 00000000 [STUNNEL RAND_add + 4d]
233	005b:00035b57 0270fd64 00000004 00000000 00000000 [STUNNEL ssl23_accept + 48]
234	005b:00022c6d 00715540 00000000 00000000 00000000 [STUNNEL SSL_accept + 2c]
235	005b:0001159e 00715540 0000012c 00000000 00000000
236	005b:00012c5a 006fc0e0 00011928 006c9aa8 006fc0e4
237	005b:00013616 006fc0e0 00013597 006c9aa8 20034800 [STUNNEL client + 6a]
238	005b:1f0899f3 006fc0e0 00000000 00000000 00000000 [LIBC063 _endthread + 7f]
239	005b:1ffece38 20034800 00000000 00000000 00000000
240
241	# u _umalloc + 134-5 l1
242	%1f05a753 e8bcd6ffff call %1f057e14
243
244	# ln %1f057e14
245	%1f057e14 LIBC063 __fmutex_request_internal
246
247	--------------------------------------------------------------------------------
248
249	# .pb
250	Slot Sta BlockID Name Type Addr Symbol
251	019d blk fd43b904 STUNNEL Sem32 0001 0050 Event
252
253	# .d sem32 %fd43b904
254
255	00 00
256	----- -------- --------
257	SP-FF 00050020
258	IN 00050020
259	SP 00050020
260
261	RE-FF 00050020
262	IN 00050020
263	SP 00050020
264
265	FT-FF 00050020
266	IN 00050020
267	SP 00050020
268
269	UP-FF 00050020
270	IN 00050020
271	SP 00050020
272
273	VP-FF 00050020
274	IN 00050020
275	SP 00050020
276
277	GT-FF 00050020
278	IN 00050020
279	SP 00050020
280
281	ST-FF 00050020
282	IN 00050020
283	SP 00050020
284
285	Type: Private Event
286	Flags: Reset
287	pMuxQ: 00000000
288	Post Count: 0000
289	Open Count: 0002
290	Create Addr: 0010fd43
291	Caller Addr: 0010ffc2
292
293	# dw %fd43b904
294	%fd43b904 0010 0000 0000 0000 0002 fd43 0010 ffc2
295	%fd43b914 0010 0000 0000 0000 0001 fd43 0010 ffc2
296
297	... .d sem32 looks broken - try another way
298
299	# .pu
300	Slot Pid Ord pPTDA Name pstkframe CS:EIP SS:ESP cbargs
301	*0179# 5f39 0001 fe625c38 STUNNEL %f9178f48 005b:1f05921e 0053:002afd58 0000
302	019d 5f39 0002 fe625c38 STUNNEL %f919cf40 005b:1f057f55 0053:0270fb3c 0000
303
304	# ln %1f057f55
305	%1f057e14 LIBC063 __fmutex_request_internal + 141
306
307	# u %1f057f55-5 l1
308	%1f057f50 e89389f600 call %1ffc08e8 ; DOS32WAITEVENTSEM
309
310	# ln %1ffc08e8
311	%1ffc08e8 DOSCALL1 DOS32WAITEVENTSEM
312
313	# u %1f057f36 1f057f55
314	%1f057f36 50 push eax
315	%1f057f37 50 push eax
316	%1f057f38 f6430501 test byte ptr [ebx+05],01
317	%1f057f3c 0f94c2 sete dl
318	%1f057f3f 81e2ff000000 and edx,000000ff
319	%1f057f45 4a dec edx
320	%1f057f46 81cab80b0000 or edx,00000bb8 ; 3000
321	%1f057f4c 52 push edx
322	%1f057f4d 8b0b mov ecx,dword ptr [ebx]
323	%1f057f4f 51 push ecx
324	%1f057f50 e89389f600 call %1ffc08e8 ; DOS32WAITEVENTSEM
325	%1f057f55 83c410 add esp,+10
326
327	# r
328	hsem timeout
329	eax=00000000 ebx=006b013c ecx=00010050 edx=00000bb8 esi=00000001 edi=0270fb4c
330	eip=1f057f55 esp=0270fb3c ebp=0270fb64 iopl=0 -- -- -- nv up ei pl nz na pe nc
331	cs=005b ss=0053 ds=0053 es=0053 fs=150b gs=0000 cr2=00000000 cr3=00000000 p=**
332	005b:1f057f55 83c410 add esp,+10
333
334	# dd ebx
335	flfs pid tid
336	0053:006b013c 00010050 6d660003 5f390001 1f059c40
337
338	03 = _FMS_OWNED_HARD
339
340	# da 1f059c40
341	0053:1f059c40 LIBC Heap
342
343	# dd esp hsem timeout
344	0053:0270fb3c 00010050 00000bb8 00000000 00000000
345
346	Probably deadlock
347	Possible that ORD2 neglected to exit critical section
348	Possible that _FMC_MUST_COMPLETE sem held
349
350	02 = _FMC_MUST_COMPLETE
351
352	Try to find locked _FMC_MUST_COMPLETE sem
353
354	Find gmtxWait
355
356	LIBC063 __libc_back_processWaitNotifyExec:
357	%1f07bbf4 55 push ebp
358	%1f07bbf5 89e5 mov ebp,esp
359	%1f07bbf7 56 push esi
360	%1f07bbf8 53 push ebx
361	%1f07bbf9 8b15a0ca7e18 mov edx,dword ptr [187ecaa0] ; gpChildrenFree
362	%1f07bbff 8b7508 mov esi,dword ptr [ebp+08] ; pid
363	%1f07bc02 85d2 test edx,edx
364	%1f07bc04 0f85ae000000 jnz %1f07bcb8
365
366	%1f07bcb8 50 push eax
367	%1f07bcb9 50 push eax
368	%1f07bcba 6a00 push +00
369	%1f07bcbc 6830ba7e18 push 187eba30
370	%1f07bcc1 e80e060000 call %1f07c2d4 ; _fmutex_request?
371	%1f07bcc6 83c410 add esp,+10
372	%1f07bcc9 85c0 test eax,eax
373
374	# dd %187eba30
375	%187eba30 0001004d 6d660201 00000000 1f07b6f0
376
377	# da %1f07b6f0
378	%1f07b6f0 b_processWait.c: gmtxWait
379
380	Check gmtx
381
382	# dd gmtx
383	%187d88c0 00010008 6d660201 00000000 1f05b100
384
385	# da 1f05b100
386	%1f05b100 LIBC SYS Filehandle Mutex
387
388	Find g_mtxFSInfoVolumes
389
390	# u __libc_back_fsInfoObjByDev
391
392	LIBC063 __libc_back_fsInfoObjByDev:
393	%1f1381a9 55 push ebp
394	%1f1381aa 89e5 mov ebp,esp
395	%1f1381ac 57 push edi
396	%1f1381ad 56 push esi
397	%1f1381ae 31f6 xor esi,esi
398	%1f1381b0 53 push ebx
399	%1f1381b1 83ec0c sub esp,+0c
400	%1f1381b4 8b5d08 mov ebx,dword ptr [ebp+08]
401	%1f1381b7 0fb6cf movzx ecx,bh
402	%1f1381ba 83f956 cmp ecx,+56 ;'V'
403	%1f1381bd 740b jz %1f1381ca
404
405	%1f1381ca 80fb40 cmp bl,40 ;'@'
406	%1f1381cd 7ef0 jle %1f1381bf
407	%1f1381cf 80fb5a cmp bl,5a ;'Z'
408	%1f1381d2 7feb jg %1f1381bf
409
410	%1f1381d4 0fbefb movsx edi,bl
411	%1f1381d7 c1e705 shl edi,05
412	%1f1381da 50 push eax
413	%1f1381db 50 push eax
414	%1f1381dc 6a00 push +00
415	%1f1381de 8db7e8c18118 lea esi,[edi+1881c1e8]
416	%1f1381e4 68a0737d18 push 187d73a0
417	%1f1381e9 e867060000 call %1f138855
418	%1f1381ee 83c410 add esp,+10
419
420	# dd %187d73a0
421	%187d73a0 00010053 42420201 00000000 1f13658f
422
423	# da %1f13658f
424	%1f13658f mtxFSInfoVolumes
425
426	Hmmm...

Download in other formats:

Original Format