
[L4d2] Crash on ExtractParentName (libc)


Dragokas
Veteran Member
Join Date: Nov 2017
Location: Ukraine
Old 11-22-2020 , 11:05   [L4d2] Crash on ExtractParentName (libc)

Hi,

does anybody know which instruction calls the libc function?

Is it
Code:
call    strchr
?

https://crash.limetech.org/5axo7vxvwrwe

Code:
0	libc-2.28.so + 0x986b6
1	server_srv.so!ExtractParentName(string_t) + 0x25
2	server_srv.so!SpawnHierarchicalList(int, HierarchicalSpawn_t*, bool) + 0xbc
3	server_srv.so!CMapEntitySpawner::SpawnAndActivate(bool) + 0x23
4	server_srv.so!MapEntity_ParseAllEntities(char const*, IMapEntityFilter*, bool) + 0x231
5	server_srv.so!CServerGameDLL::LevelInit(char const*, char const*, char const*, char const*, bool, bool) + 0x327
6	metamod.2.l4d2.so!__SourceHook_MFHCls_SGD_LevelInit::Func(char const*, char const*, char const*, char const*, bool, bool) + 0x161
7	server_srv.so + 0x696c80
8	stripper.16.l4d2.so!LevelInit_handler(char const*, char const*, char const*, char const*, bool, bool) + 0x215
9	sourcemod.logic.so!<name omitted> [AdminCache.cpp:325 + 0x19]
PHP Code:
SIGSEGV /SEGV_MAPERR accessing 0x6f427460

Thread 0 (crashed):
   0  libc-2.28.so + 0x986b6
      eip 0xf7c956b6  esp 0xfffddae8  ebp 0xfffddc08  ebx 0xfffddc4c
      esi 0x6f427465  edi 0x6f427460  eax 0xfffddc4c  ecx 0x00000005
      edx 0x0f67cc70  efl 0x00210206

      f7c956a5  66 0f 60 c9     punpcklbw xmm1, xmm1
      f7c956a9  83 e1 0f        and ecx, 0xf
      f7c956ac  66 0f 70 c9 00  pshufd xmm1, xmm1, 0x0
      f7c956b1  74 4d           jz 0xf7c95700
      f7c956b3  83 e7 f0        and edi, -0x10

 >   f7c956b6  66 0f 6f 07     movdqa xmm0, [edi]
      f7c956ba  66 0f 74 d0     pcmpeqb xmm2, xmm0
      f7c956be  66 0f 74 c1     pcmpeqb xmm0, xmm1
      f7c956c2  66 0f d7 d2     pmovmskb edx, xmm2
      f7c956c6  66 0f d7 c0     pmovmskb eax, xmm0
      f7c956ca  d3 fa           sar edx, cl

      fffddae8  a2 7a f8 ed e5 20 94 ed                           .z... ..

      
Found via instruction pointer in context


   1  server_srv.so!ExtractParentName(string_t) + 0x25
      eip 0xed9420e5  esp 0xfffddaf0  ebp 0xfffddc08  ebx 0xfffddc4c
      esi 0x6f427465  edi 0xedf87aa2

      fffddaf0  65 74 42 6f 2c 00 00 00  80 38 b7 0c 10 4f b7 0c  etBo,....8...O..
      fffddb00  a0 65 b7 0c 30 7c b7 0c  c0 92 b7 0c 40 a7 b7 0c  .e..0|......@...
      fffddb10  50 62 0e 12 c0 bb b7 0c  90 d1 b7 0c 40 50 d2 10  Pb..........@P..
      fffddb20  40 a9 96 0a 00 3b 8a 10  c0 66 fd 0f e0 ea 77 0a  @....;...f....w.
      fffddb30  f0 63 b9 0c 00 bc 52 0d  70 aa 8c 0d 50 d4 e2 10  .c....R.p...P...
      fffddb40  80 5e 14 11 10 74 89 0d  70 36 fd 10 20 e8 b7 0c  .^...t..p6.. ...
      fffddb50  70 54 9a 0c 50 aa df 0b  a0 a4 48 12 f0 be 06 0d  pT..P.....H.....
      fffddb60  f0 19 93 13 50 0f c1 12  d0 8b dc 12 70 94 3e 0e  ....P.......p.>.
      fffddb70  e0 21 c1 0c 50 f4 7d 0e  c0 11 e4 11 e0 7d bd 0f  .!..P.}......}..
      fffddb80  80 e6 dd 11 30 41 d2 10  15 46 c2 f7 2c fe 85 ed  ....0A...F..,...
      fffddb90  63 00 00 00 30 41 d2 10  a0 d2 41 11 50 15 f8 11  c...0A....A.P...
      fffddba0  80 f9 ea 10 40 ed d1 10  70 cc 67 0f 61 00 00 00  ....@...p.g.a...
      fffddbb0  70 57 b8 0f b0 54 e0 11  b0 58 d2 11 20 f1 60 0f  pW...T...X.. .`.
      fffddbc0  74 8b 21 ee 30 41 d2 10  08 dc fd ff ac fd 8c ed  t.!.0A..........
      fffddbd0  20 f1 60 0f 30 41 d2 10  30 69 09 11 30 d8 f9 10   .`.0A..0i..0...
      fffddbe0  20 b7 04 13 c0 7f 09 11  00 00 00 00 00 00 00 00   ...............
      fffddbf0  10 61 cb 0d a0 43 5b 11  a0 70 9f 0d c0 bb b7 0c  .a...C[..p......
      fffddc00  70 aa 8c 0d 00 00 00 00  68 dc fd ff 9c 2d 94 ed  p.......h....-..

      
Found via call frame info


   2  server_srv.so!SpawnHierarchicalList(int, HierarchicalSpawn_t*, bool) + 0xbc
      eip 0xed942d9c  esp 0xfffddc10  ebp 0xfffddc68  ebx 0x0d8caa70
      esi 0x00000000  edi 0xedf87aa2

      fffddc10  4c dc fd ff 65 74 42 6f  30 41 d2 10 00 00 00 00  L...etBo0A......
      fffddc20  00 00 00 00 00 00 00 00  00 00 00 00 50 f4 7d 0e  ............P.}.
      fffddc30  e0 21 c1 0c 70 94 3e 0e  20 d6 fa 00 b0 11 fd 0c  .!..p.>. .......
      fffddc40  7a 08 00 00 2e 08 00 00  90 94 fd 0c 30 41 d2 10  z...........0A..
      fffddc50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
      fffddc60  ec e4 fd ff ec dc fd ff  88 dc fd ff 93 30 94 ed  .............0..

      
Found via call frame info


   3  server_srv.so!CMapEntitySpawner::SpawnAndActivate(bool) + 0x23
      eip 0xed943093  esp 0xfffddc70  ebp 0xfffddc88  ebx 0x00000000
      esi 0xfffde4ec  edi 0xfffddcec

      fffddc70  7a 08 00 00 b0 11 fd 0c  00 00 00 00 74 fa 90 dd  z...........t...
      fffddc80  00 00 00 00 ec e4 fd ff  38 ed fd ff 01 3b 94 ed  ........8....;..

      
Found via call frame info


   4  server_srv.so!MapEntity_ParseAllEntities(char const*, IMapEntityFilter*, bool) + 0x231
      eip 0xed943b01  esp 0xfffddc90  ebp 0xfffded38  ebx 0x00000000
      esi 0xfffde4ec  edi 0xfffddcec
Code:
ExtractParentName(string_t)                              ; int __stdcall ExtractParentName(char *)
ExtractParentName(string_t)                              ; NOTE(review): the mangled name says the argument is a string_t
ExtractParentName(string_t)                              ; passed by value; "char *" above is IDA's guess. [ebp+arg_0] is
ExtractParentName(string_t)                              ; kept in ebx, written through ([ebx] = ...) and handed back in
ExtractParentName(string_t)                              ; eax, which looks like a hidden return-slot pointer for the
ExtractParentName(string_t)                              ; string_t result -- confirm against the caller at
ExtractParentName(string_t)                              ; SpawnHierarchicalList+B7.
ExtractParentName(string_t)                              _Z17ExtractParentName8string_t proc near
ExtractParentName(string_t)                                                                      ; CODE XREF: SpawnHierarchicalList(int,HierarchicalSpawn_t *,bool)+B7↓p
ExtractParentName(string_t)
ExtractParentName(string_t)                              var_108         = byte ptr -108h  ; token buffer, ebp-108h .. ebp-8 (100h bytes)
ExtractParentName(string_t)                              arg_0           = dword ptr  8    ; return slot pointer (see note above)
ExtractParentName(string_t)                              s               = dword ptr  0Ch  ; the string_t to split at ','
ExtractParentName(string_t)
ExtractParentName(string_t)                              ; __unwind {
ExtractParentName(string_t)                              ; Crash analysis (per the dump in this thread):
ExtractParentName(string_t)                              ;  * frame 1 returns to +25, the instruction after "call strchr"
ExtractParentName(string_t)                              ;    at +20 -- that is the libc call that faulted. Inside strchr,
ExtractParentName(string_t)                              ;    "and edi, -0x10" aligned s (esi = 0x6f427465) down and
ExtractParentName(string_t)                              ;    "movdqa xmm0, [edi]" raised SEGV_MAPERR at 0x6f427460.
ExtractParentName(string_t)                              ;  * the only guard on s is "test esi, esi" below: a non-NULL but
ExtractParentName(string_t)                              ;    unmapped string_t is still dereferenced by strchr.
ExtractParentName(string_t)                              ;  * the s word on frame 1's stack (65 74 42 6f at fffddaf0) reads
ExtractParentName(string_t)                              ;    "etBo" as ASCII, which looks like string contents rather than
ExtractParentName(string_t)                              ;    a heap pointer; presumably the string_t passed in is
ExtractParentName(string_t)                              ;    stale/corrupt -- verify in the caller, not here.
ExtractParentName(string_t)      55                                      push    ebp
ExtractParentName(string_t)+1    89 E5                                   mov     ebp, esp
ExtractParentName(string_t)+3    56                                      push    esi
ExtractParentName(string_t)+4    53                                      push    ebx
ExtractParentName(string_t)+5    81 EC 10 01 00 00                       sub     esp, 110h       ; locals: var_108 + outgoing arg area
ExtractParentName(string_t)+B    8B 75 0C                                mov     esi, [ebp+s]    ; esi = s
ExtractParentName(string_t)+E    8B 5D 08                                mov     ebx, [ebp+arg_0] ; ebx = return slot
ExtractParentName(string_t)+11   85 F6                                   test    esi, esi        ; s == NULL? only NULL is rejected
ExtractParentName(string_t)+13   74 53                                   jz      short loc_6BA058 ; -> return s unchanged
ExtractParentName(string_t)+15   C7 44 24 04 2C 00 00 00                 mov     dword ptr [esp+4], 2Ch ; ',' ; c
ExtractParentName(string_t)+1D   89 34 24                                mov     [esp], esi      ; s
ExtractParentName(string_t)+20   E8 B7 EE 95 00                          call    strchr          ; strchr(s, ','); returns to +25 = frame 1 eip in the dump
ExtractParentName(string_t)+25   85 C0                                   test    eax, eax        ; ',' found?
ExtractParentName(string_t)+27   74 3F                                   jz      short loc_6BA058 ; no ',' -> return s unchanged
ExtractParentName(string_t)+29   89 74 24 08                             mov     [esp+8], esi    ; char * ; 3rd arg: source string s
ExtractParentName(string_t)+2D   8D B5 F8 FE FF FF                       lea     esi, [ebp+var_108] ; esi = local token buffer
ExtractParentName(string_t)+33   89 34 24                                mov     [esp], esi      ; char * ; 1st arg: destination buffer
ExtractParentName(string_t)+36   C7 44 24 0C 2C 00 00 00                 mov     dword ptr [esp+0Ch], 2Ch ; ',' ; char ; 4th arg: separator
ExtractParentName(string_t)+3E   C7 44 24 04 00 01 00 00                 mov     dword ptr [esp+4], 100h ; unsigned int ; 2nd arg: buffer size, matches var_108's 100h bytes
ExtractParentName(string_t)+46   E8 75 2B 47 00                          call    _Z9nexttokenPcjPKcc ; nexttoken(char *,uint,char const*,char) ; i.e. nexttoken(var_108, 100h, s, ',')
ExtractParentName(string_t)+4B   89 74 24 04                             mov     [esp+4], esi    ; arg: the token now in var_108
ExtractParentName(string_t)+4F   89 1C 24                                mov     [esp], ebx      ; char * ; [esp] = arg_0, presumably the sret slot -- confirm
ExtractParentName(string_t)+52   E8 79 99 D8 FF                          call    _Z17AllocPooledStringPKc ; AllocPooledString(char const*) ; result presumably stored through [ebx]
ExtractParentName(string_t)+57   89 D8                                   mov     eax, ebx        ; return the slot pointer
ExtractParentName(string_t)+59   83 EC 04                                sub     esp, 4          ; re-balance after the callee's own retn 4 (esp is reloaded from ebp next anyway)
ExtractParentName(string_t)+5C   8D 65 F8                                lea     esp, [ebp-8]    ; drop locals; esp -> saved ebx
ExtractParentName(string_t)+5F   5B                                      pop     ebx
ExtractParentName(string_t)+60   5E                                      pop     esi
ExtractParentName(string_t)+61   5D                                      pop     ebp
ExtractParentName(string_t)+62   C2 04 00                                retn    4               ; callee pops arg_0
ExtractParentName(string_t)+62                           ; ---------------------------------------------------------------------------
ExtractParentName(string_t)+65   8D 76 00                                align 4
ExtractParentName(string_t)+68
ExtractParentName(string_t)+68                           loc_6BA058:                             ; CODE XREF: ExtractParentName(string_t)+13↑j
ExtractParentName(string_t)+68                                                                   ; ExtractParentName(string_t)+27↑j
ExtractParentName(string_t)+68                           ; Fallback path: s is NULL or has no ','. esi still holds the
ExtractParentName(string_t)+68                           ; original s on both incoming edges (the lea at +2D is not on them).
ExtractParentName(string_t)+68   89 33                                   mov     [ebx], esi      ; *arg_0 = s unchanged
ExtractParentName(string_t)+6A   8D 65 F8                                lea     esp, [ebp-8]
ExtractParentName(string_t)+6D   89 D8                                   mov     eax, ebx        ; return the slot pointer
ExtractParentName(string_t)+6F   5B                                      pop     ebx
ExtractParentName(string_t)+70   5E                                      pop     esi
ExtractParentName(string_t)+71   5D                                      pop     ebp
ExtractParentName(string_t)+72   C2 04 00                                retn    4               ; callee pops arg_0
ExtractParentName(string_t)+72                           ; } // starts at 6B9FF0
ExtractParentName(string_t)+72                           _Z17ExtractParentName8string_t endp
Thank you.
__________________
Expert of CMD/VBS/VB6. Malware analyst. L4D fun (Bloody Witch)
[My plugins] [My tools] [GitHub] [Articles]

Last edited by Dragokas; 11-22-2020 at 11:07.
Dragokas
Veteran Member
Join Date: Nov 2017
Location: Ukraine
Old 11-22-2020 , 12:16   Re: [L4d2] Crash on ExtractParentName (libc)

Never mind, it is happening just before security_entity_limit.smx starts working on fixing the max entity limit overload. So it is better to fix the cause, not the consequences.
__________________
Expert of CMD/VBS/VB6. Malware analyst. L4D fun (Bloody Witch)
[My plugins] [My tools] [GitHub] [Articles]