Crash Dump Analysis Patterns (Part 2, Linux)
This is a Linux variant of Dynamic Memory Corruption (process heap) pattern previously described for Mac OS X and Windows platforms.
The corruption may be internal to heap structures, with a subsequent memory access violation inside the allocator:
(gdb) bt
#0 0x000000000041482e in _int_malloc ()
#1 0x0000000000416d88 in malloc ()
#2 0x00000000004005dc in proc ()
#3 0x00000000004006ee in bar_three ()
#4 0x00000000004006fe in foo_three ()
#5 0x0000000000400716 in thread_three ()
#6 0x0000000000401760 in start_thread (arg=<optimized out>)
at pthread_create.c:304
#7 0x0000000000432609 in clone ()
#8 0x0000000000000000 in ?? ()
(gdb) x/i $rip
=> 0x41482e <_int_malloc+622>: mov %rbx,0x10(%r12)
(gdb) x $r12+0x10
0x21687371: Cannot access memory at address 0x21687371
(gdb) p (char[4])0x21687371
$1 = "qsh!"
Or it may be detected with a diagnostic message (similar to double free):
(gdb) bt
#0 0x000000000043ef65 in raise ()
#1 0x0000000000409fc0 in abort ()
#2 0x000000000040bf5b in __libc_message ()
#3 0x0000000000412042 in malloc_printerr ()
#4 0x0000000000416c27 in free ()
#5 0x0000000000400586 in proc ()
#6 0x000000000040067e in bar_four ()
#7 0x000000000040068e in foo_four ()
#8 0x00000000004006a6 in thread_four ()
#9 0x00000000004016c0 in start_thread (arg=<optimized out>)
at pthread_create.c:304
#10 0x0000000000432589 in clone ()
#11 0×0000000000000000 in ?? ()
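As an added triage aid (not part of the original post), the following Python script recognises both variants of the pattern in a gdb backtrace, picks out the first frame outside the allocator where the investigation should continue, and reinterprets a bogus pointer as text the way the p (char[4]) command above did. The two backtraces are embedded as constructed sample input copied from the listings above; the function names and the allocator frame list are assumptions for this example.

```python
import re

# Constructed sample input: the two backtraces from this post, innermost frame first.
BT_SEGV = """#0 0x000000000041482e in _int_malloc ()
#1 0x0000000000416d88 in malloc ()
#2 0x00000000004005dc in proc ()
#3 0x00000000004006ee in bar_three ()
#4 0x00000000004006fe in foo_three ()
#5 0x0000000000400716 in thread_three ()
#6 0x0000000000401760 in start_thread (arg=<optimized out>)
#7 0x0000000000432609 in clone ()"""

BT_ABORT = """#0 0x000000000043ef65 in raise ()
#1 0x0000000000409fc0 in abort ()
#2 0x000000000040bf5b in __libc_message ()
#3 0x0000000000412042 in malloc_printerr ()
#4 0x0000000000416c27 in free ()
#5 0x0000000000400586 in proc ()
#6 0x000000000040067e in bar_four ()
#7 0x000000000040068e in foo_four ()
#8 0x00000000004006a6 in thread_four ()
#9 0x00000000004016c0 in start_thread (arg=<optimized out>)
#10 0x0000000000432589 in clone ()"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)")
# glibc allocator entry points and internals (assumed list, extend as needed).
ALLOCATOR = {"_int_malloc", "_int_free", "malloc", "free", "realloc", "calloc"}
# Frames that belong to the diagnostic path rather than to the faulting code.
DIAGNOSTIC = {"raise", "abort", "__libc_message", "malloc_printerr"}

def frames(bt_text):
    """Function names of a gdb 'bt' listing, innermost first; continuation lines are skipped."""
    matches = (FRAME_RE.match(line.strip()) for line in bt_text.splitlines())
    return [m.group(2) for m in matches if m]

def classify(bt_text):
    """Map a backtrace onto the two Linux variants of the heap corruption pattern."""
    fs = frames(bt_text)
    if "malloc_printerr" in fs:
        return "allocator-diagnostic"  # glibc noticed inconsistent chunk metadata and aborted
    if fs and fs[0] in ALLOCATOR:
        return "allocator-fault"       # crashed while walking corrupted heap structures
    return None

def first_user_frame(bt_text):
    """Innermost frame outside the allocator and diagnostic path: where to look for the writer."""
    return next((f for f in frames(bt_text) if f not in ALLOCATOR | DIAGNOSTIC), None)

def address_as_text(addr, width=4):
    """Reinterpret a bogus pointer as little-endian bytes; printable text hints at string overflow."""
    raw = addr.to_bytes(width, "little")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None
```

Pointing the functions at a saved gdb session lets the same check run unattended over a batch of core dumps.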
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -