Nmap Development mailing list archives

Re: How to debug a segmentation fault


From: "Douglas F. Calvert" <dfc () anize org>
Date: Thu, 09 Nov 2006 13:58:46 -0500

Brett Hutley wrote:
On Thu, Nov 09, 2006 at 06:06:11AM -0500, Douglas F. Calvert wrote:
Hello,
 I am testing out nmap4.20a11 with linux 2.6.19-rc5. I am getting a lot
of segmentation faults when I scan with:

nmap -sV -O -n -oA basename -PE --version_all --allports --randomize_hosts -n -v -v --max_retries 3 --log-errors -d5 1.1.14-16.1-254 > nmap.out 2>&1

*snip*
 
How would I go about figuring out why nmap is dying?

Typically you would compile with nmap debug enabled (the "-g" option
in gcc), then start gdb with the nmap binary.

shell$ gdb nmap

(gdb) set args -sV -O -n -oA basename -PE --version_all --allports (etc)

(gdb) run

When the program segfaults, type "up" to move up the stack frame
until you can see the line of the source code that is causing the
segfault (usually overwriting memory, or NULL pointer or some such).

I like running gdb under Emacs, so I can see the source code
easily, if you're not experienced with Emacs then that probably
isn't a good idea.

HTH, Brett


I played around with gdb but I am out of my league now. I can get nmap
to crash with a command similar to:

nmap -sV -O -n -PE -PS21,80,113,8080,22,25 -v -v -oA hidden-discover-i686 --max_retries 3 --log-errors --version_all --allports 10.220.14-16.1-254

on my i686 debian/unstable/2.6 and my macppc/ubuntu/edgy/2.6 machines. I
have attached gdb bt to the bottom of the email. It always dies right
around the time it realizes that the os_scan is not optimal. I can send
a "gdb bt full" if it would help; I just did not want to spam everyone
with a lot of junk. I also tried the following command with a binary
created with "make debug." It never seemed to do anything but eat up a
lot of cpu. I am obviously not well versed in debugging but I am
interested in learning. Please let me know if anything else would be useful.

####################################################################
gdb of nmap crashing on i686(2.6.14-rc4)

Command:
nmap -sV -O -n -PE -PS21,80,113,8080,22,25 -v -v -oA hidden-discover-i686 --max_retries 3 --log-errors --version_all --allports 10.220.14-16.1-254

ldd nmap:
        linux-gate.so.1 =>  (0xffffe000)
        libpcre.so.3 => /usr/lib/libpcre.so.3 (0xb7ebb000)
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7e7c000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d42000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7c5d000)
        libm.so.6 => /lib/tls/libm.so.6 (0xb7c38000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb7c2c000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7afa000)
        libdl.so.2 => /lib/tls/libdl.so.2 (0xb7af6000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7ae2000)
        /lib/ld-linux.so.2 (0xb7ef5000)

####################################################################
Warning:  OS detection for 10.220.14.6 will be MUCH less reliable
because we did not find at least 1 open and 1 closed TCP port
Warning:  OS detection for 10.220.14.11 will be MUCH less reliable
because we did not find at least 1 open and 1 closed TCP port
Warning:  OS detection for 10.220.14.16 will be MUCH less reliable
because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 5 hosts
Retrying OS detection (try #2) against 5 hosts
Retrying OS detection (try #3) against 10.220.14.3

Program received signal SIGSEGV, Segmentation fault.
0x0807a571 in std::list<OFProbe*, std::allocator<OFProbe*> >::begin
(this=0xc3ca009f) at
/usr/lib/gcc/i486-linux-gnu/4.1.2/../../../../include/c++/4.1.2/bits/stl_list.h:589
589           { return const_iterator(this->_M_impl._M_node._M_next); }
(gdb) bt
#0  0x0807a571 in std::list<OFProbe*, std::allocator<OFProbe*> >::begin
(this=0xc3ca009f) at
/usr/lib/gcc/i486-linux-gnu/4.1.2/../../../../include/c++/4.1.2/bits/stl_list.h:589
#1  0x0807a781 in std::list<OFProbe*, std::allocator<OFProbe*> >::size
(this=0xc3ca009f) at
/usr/lib/gcc/i486-linux-gnu/4.1.2/../../../../include/c++/4.1.2/bits/stl_list.h:657
#2  0x0807a7ae in HostOsScanStats::numProbesToSend (this=0xc3c9ffff) at
osscan2.cc:284
#3  0x080784a9 in doSeqTests (OSI=0x83e6e18, HOS=0x8bd2ec0) at
osscan2.cc:3351
#4  0x08079e92 in os_scan_2 (Targets=@0xbff2298c) at osscan2.cc:3831
#5  0x0807a10e in os_scan2 (Targets=@0xbff2298c) at osscan2.cc:3881
#6  0x0805272a in nmap_main (argc=16, argv=0xbff25c84) at nmap.cc:1579
#7  0x0804b748 in main (argc=16, argv=0xbff25c84) at main.cc:250
(gdb)

#####END of i686#####



####BEGIN PPC####


####################################################################
gdb of nmap crashing on macppc(2.6.17-10-powerpc):

Command:
nmap --version_all -sV -F --allports -PE -PS21,80,113,8080,22,25 -v -v --log-errors --randomize_hosts -oA hidden-discover -T4 -O -n 10.220.14-16.1-254

ldd nmap:
        linux-vdso32.so.1 =>  (0x00100000)
        libpcre.so.3 => /usr/lib/libpcre.so.3 (0x0ffb5000)
        libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x0ff68000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x0ff04000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x0fd7d000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x0fc63000)
        libm.so.6 => /lib/libm.so.6 (0x0fb9b000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x0fb68000)
        libc.so.6 => /lib/libc.so.6 (0x0f9fb000)
        libdl.so.2 => /lib/libdl.so.2 (0x0f9d7000)
        libz.so.1 => /usr/lib/libz.so.1 (0x0f9a1000)
        /lib/ld.so.1 (0x30000000)


####################################################################

Warning:  OS detection for 10.220.15.222 will be MUCH less reliable
because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 30 hosts
Insufficient responses for TCP sequencing (2), OS detection may be less
accurate
Retrying OS detection (try #2) against 30 hosts
Insufficient responses for TCP sequencing (2), OS detection may be less
accurate
Retrying OS detection (try #3) against 12 hosts

Program received signal SIGSEGV, Segmentation fault.
0x10043a64 in std::list<OFProbe*, std::allocator<OFProbe*> >::begin
(this=0xa0) at
/usr/lib/gcc/powerpc-linux-gnu/4.1.2/../../../../include/c++/4.1.2/bits/stl_list.h:589
589           { return const_iterator(this->_M_impl._M_node._M_next); }
(gdb) bt
#0  0x10043a64 in std::list<OFProbe*, std::allocator<OFProbe*> >::begin
(this=0xa0) at
/usr/lib/gcc/powerpc-linux-gnu/4.1.2/../../../../include/c++/4.1.2/bits/stl_list.h:589
#1  0x1004401c in std::list<OFProbe*, std::allocator<OFProbe*> >::size
(this=0xa0) at
/usr/lib/gcc/powerpc-linux-gnu/4.1.2/../../../../include/c++/4.1.2/bits/stl_list.h:657
#2  0x100440a0 in HostOsScanStats::numProbesToSend (this=0x0) at
osscan2.cc:284
#3  0x10040efc in doSeqTests (OSI=0x10442498, HOS=0x10c84e40) at
osscan2.cc:3351
#4  0x10042d30 in os_scan_2 (Targets=@0x7fb11850) at osscan2.cc:3831
#5  0x100430b4 in os_scan2 (Targets=@0x7fb11850) at osscan2.cc:3881
#6  0x1000cf3c in nmap_main (argc=17, argv=0x7fb16464) at nmap.cc:1579
#7  0x10003f08 in main (argc=17, argv=0x7fb16464) at main.cc:250
(gdb)
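An added triage helper (not code from this thread or from nmap) that reads the two backtraces above mechanically: it re-joins the frames the mail client wrapped, pulls each frame's `this`, flags values no live object can have (inside the null page, or not 4-byte aligned on these 32-bit builds), and subtracts the outer `this` from the inner one. Both traces give a delta of 0xa0, which with a null (PPC) or garbage (i686) HostOsScanStats on entry to numProbesToSend is simply where the OFProbe list sits inside that object, so the two crashes look like one cause: an invalid HOS pointer reaching osscan2.cc:284 from doSeqTests at osscan2.cc:3351. The null-page size (0x1000), the alignment check and the 32-bit wraparound are my assumptions, not anything gdb reports.

```python
import re

# One re-joined 'bt' frame: "#2  0x100440a0 in HostOsScanStats::numProbesToSend (this=0x0) at osscan2.cc:284"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \((.*?)\)(?: at (\S+):(\d+))?$")
THIS_RE = re.compile(r"\bthis=(0x[0-9a-f]+)")

# Frames #0 and #2 of the macppc trace in the post, wrapped exactly as the mail arrived
PPC_BT = """
#0  0x10043a64 in std::list<OFProbe*, std::allocator<OFProbe*> >::begin
(this=0xa0) at
/usr/lib/gcc/powerpc-linux-gnu/4.1.2/../../../../include/c++/4.1.2/bits/stl_list.h:589
#2  0x100440a0 in HostOsScanStats::numProbesToSend (this=0x0) at
osscan2.cc:284
"""

def unwrap_frames(bt_text):
    """Re-join frames the mail client wrapped, giving one string per frame."""
    frames = []
    for line in map(str.strip, bt_text.splitlines()):
        if not line or line.startswith("(gdb)"):
            continue
        if line.startswith("#"):
            frames.append(line)
        elif frames:                       # continuation of the previous frame
            frames[-1] += " " + line
    return frames

def parse_backtrace(bt_text):
    """Frame number, function, file, line and the 'this' pointer (int) per frame."""
    parsed = []
    for raw in unwrap_frames(bt_text):
        m = FRAME_RE.match(raw)
        if not m:                          # e.g. a stray source line; skip it
            continue
        num, func, args, path, lineno = m.groups()
        t = THIS_RE.search(args)
        parsed.append({"frame": int(num), "func": func, "file": path,
                       "line": int(lineno) if lineno else None,
                       "this": int(t.group(1), 16) if t else None})
    return parsed

def bad_this_frames(frames, align=4, page=0x1000):
    """Frames whose 'this' lies in the null page or is misaligned, i.e. no live object (assumed heuristics)."""
    return [f["frame"] for f in frames
            if f["this"] is not None and (f["this"] < page or f["this"] % align)]

def this_delta(frames, inner, outer):
    """Inner minus outer 'this' (32-bit wrap assumed): with a bad outer object this is the member offset."""
    fi = next((f for f in frames if inner in f["func"] and f["this"] is not None), None)
    fo = next((f for f in frames if outer in f["func"] and f["this"] is not None), None)
    return None if fi is None or fo is None else (fi["this"] - fo["this"]) & 0xFFFFFFFF
```

Feed it the full `bt` output from either machine; the (gdb) prompt and the printed source line are skipped, and frames without a `this` (doSeqTests, os_scan_2, main) are kept but never flagged.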

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org