Stefan Mijatovic

Reputation: 65

segmentation fault x86 <_dl_debug_state>

I have some asm programs made by my own compiler, and when I want to run them, they have a segmentation fault at the very end. All instructions are executed the way I want, but the execution finishes with a segfault.

When I try to use gdb to look at the segfault, it appears that it always occurs at the line: 0x11ee90 <_dl_debug_state> push %ebp

I don't even know what this line is, and first of all how to prevent it from causing a segfault.

Here is an example of that kind of program:

    .file   "test_appel.c"
    .text
.globl f
    .type f, @function
f:
    pushl   %ebp
    movl    %esp,   %ebp
    subl    $16,    %esp
    movl    8(%ebp), %eax
    pushl   %eax
    movl    12(%ebp), %eax
    popl    %ecx
    imull   %ecx,   %eax
    movl    %eax,   16(%ebp)
    movl    16(%ebp), %eax
    leave
    ret
    .section    .rodata
.LC0:
    .string "appel à fonction pour la multiplication\n"
.LC1:
    .string "resultat 2 * 3 = %d\n"
    .text
.globl main
    .type main, @function
main:
    pushl   %ebp
    movl    %esp,   %ebp
    andl    $-16,   %esp
    subl    $32,    %esp
    movl    $2, %eax
    movl    %eax,   8(%ebp)
    movl    $3, %eax
    movl    %eax,   12(%ebp)
    movl    12(%ebp), %eax
    movl    %eax    ,4(%esp)
    movl    8(%ebp), %eax
    movl    %eax    ,0(%esp)
    call    f
    movl    %eax,   4(%ebp)
    movl    4(%esp),    %eax
    movl    (%esp), %ecx
    pushl   %eax
    pushl   %ecx
    movl     $.LC0, %eax
    movl    %eax,   (%esp)
    call    printf
    popl    %ecx
    popl    %eax
    movl    %eax,   4(%esp)
    movl    %ecx,   (%esp)
    movl    4(%esp),%eax
    movl    (%esp), %ecx
    pushl   %eax
    pushl   %ecx
    movl    4(%ebp), %eax
    movl    %eax,   %edx
    movl    %edx,   4(%esp)
    movl    $.LC1,  (%esp)
    call    printf
    popl    %ecx
    popl    %eax
    movl    %eax,   4(%esp)
    movl    %ecx,   (%esp)
    leave
    ret

Upvotes: 2

Views: 1179

Answers (3)

mohanreddykv

Reputation: 217

The problem is that you are corrupting the return instruction. As you know, ebp + 4 always contains the return instruction address where control jumps after execution of the called function. In your case you have a statement like this:

       movl    %eax,   4(%ebp)

You are writing the return value of 'f()' into ebp+4, which corrupts the return instruction address. If you remove this statement, you will not get a segmentation fault.

Upvotes: 0

Employed Russian

Reputation: 213526

segfault, it appears that it always occurs at the line: 0x11ee90 <_dl_debug_state> push %ebp

That just means that you've corrupted or exhausted the stack.

Your compiler does in fact appear to emit code that corrupts the stack all over the place. In particular these instructions:

    movl    %eax,   8(%ebp)
    ...
    movl    %eax,   12(%ebp)

corrupt local variables in your caller (which is part of libc), so it's not at all surprising to see a crash after main returns.

You probably meant to emit: movl %eax, -8(%ebp) and movl %eax, -12(%ebp).

Upvotes: 2
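
The fix Employed Russian describes, together with the 4(%ebp) store mohanreddykv points out, carried through the whole program as an added example; this is not the asker's compiler output or the answerers' code. It assumes 32-bit Linux, AT&T syntax and a build with gcc -m32 -no-pie; the locals are placed at -4, -8 and -12(%ebp), below the saved %ebp, so the return address at 4(%ebp) and the incoming argument slots at 8(%ebp) and 12(%ebp) are never overwritten.

```asm
    .text
    .globl  f
    .type   f, @function
# f(a, b) returns a * b. Frame layout after the prologue: 0(%ebp) = caller's
# saved %ebp, 4(%ebp) = return address, 8(%ebp) = a, 12(%ebp) = b.
# Nothing above %ebp may be written; locals live at negative offsets.
f:
    pushl   %ebp
    movl    %esp, %ebp
    subl    $16, %esp           # 16 bytes of locals: -4(%ebp) .. -16(%ebp)
    movl    8(%ebp), %eax       # a
    imull   12(%ebp), %eax      # a * b
    movl    %eax, -4(%ebp)      # result in a local slot (was 16(%ebp))
    movl    -4(%ebp), %eax      # return value in %eax
    leave
    ret

    .section .rodata
.LC0:
    .string "appel à fonction pour la multiplication\n"
.LC1:
    .string "resultat 2 * 3 = %d\n"

    .text
    .globl  main
    .type   main, @function
main:
    pushl   %ebp
    movl    %esp, %ebp
    andl    $-16, %esp          # 16-byte stack alignment for the calls below
    subl    $32, %esp           # room for locals and the outgoing argument area
    movl    $2, -8(%ebp)        # local x = 2 (was 8(%ebp), above the frame)
    movl    $3, -12(%ebp)       # local y = 3 (was 12(%ebp), above the frame)
    movl    -12(%ebp), %eax
    movl    %eax, 4(%esp)       # second argument to f
    movl    -8(%ebp), %eax
    movl    %eax, (%esp)        # first argument to f
    call    f
    movl    %eax, -4(%ebp)      # local result (was 4(%ebp): main's return address)
    movl    $.LC0, (%esp)
    call    printf
    movl    -4(%ebp), %eax
    movl    %eax, 4(%esp)
    movl    $.LC1, (%esp)
    call    printf
    movl    $0, %eax            # return 0 from main
    leave
    ret
    .section .note.GNU-stack,"",@progbits
```

Build with gcc -m32 -no-pie test_fixed.s -o test_fixed; it prints the two messages with the result 6 and returns from main normally, since libc's frame and main's return address are left intact.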

Jay D

Reputation: 3307

when I try to use gdb to look at the segfault, it appears that it always occurs at the line: 0x11ee90 <_dl_debug_state> push %ebp

The segmentation fault occurs when, during a function call, the base pointer %ebp is pushed onto the stack. This looks like a repercussion of a stack corruption that occurred earlier.

You haven't shared the complete stack trace from GDB, nor the address space information.

In gdb, when it segfaults, do a disassemble to get more info, and also bt to get all the functions that were called to get to this point.

Upvotes: 0
