Hello, just tried to reproduce this issue. I think the problem is with the usage of the segment register $fs in dosemu that is not compatible with gcc use of that segment register $fs.
It looks like in "regular" processes the $fs register stays always at a value of 0. But after starting the unzip32.exe from message #15 we get to the point where the stack protection canary value is filled in "dosemu_fault". But this time $fs = 0xb7, therefore the canary gets a differnt value than usual: 0x00005555555a5c4d <dosemu_fault+13>: mov %fs:0x28,%rax 0x00005555555a5c56 <dosemu_fault+22>: mov %rax,0x88(%rsp) Later "dosemu_fault" executes "init_handler" that calls "syscall". After that the $fs register is 0 again: 147 return syscall(SYS_arch_prctl, code, addr); Then at the end of dosemu_fault the stack protection canary value is now compared again, but with a different $fs the values are different: 0x00005555555a5d18 <dosemu_fault+216>: xor %fs:0x28,%rax 0x00005555555a5d21 <dosemu_fault+225>: jne 0x5555555a5e4b <dosemu_fault+523> ... 0x00005555555a5e4b <dosemu_fault+523>: callq 0x55555557a140 <__stack_chk_fail@plt> So really there is no stack smashing going on, just the detection is not working in this environment. This is also confirmed in this link [1]. There is also a hint how to avoid the stack protection mechanism to be added to some functions. Attached patch does exactly this. The stack smashing can be observed in the unstable package of dosemu too. Kind regards, Bernhard [1] https://aur.archlinux.org/packages/dosemu-git/
apt install xserver-xorg lightdm openbox dosemu dosemu-dbgsym gdb valgrind zip dpkg-dev devscripts mc git apt build-dep dosemu (mkdir dosemu; cd dosemu; apt source dosemu) wget --user-agent="" http://www.delorie.com/pub/djgpp/current/unzip32.exe mv unzip32.exe .dosemu/drive_c/ /usr/bin/xdosemu benutzer@debian:~$ /usr/bin/xdosemu *** stack smashing detected ***: /usr/bin/xdosemu terminated ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f57d2425bfb] /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f57d24ae1f7] /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7f57d24ae1c0] /usr/bin/xdosemu(+0x51e50)[0x55604d00be50] /lib/x86_64-linux-gnu/libc.so.6(+0x33060)[0x7f57d23e8060] /usr/bin/xdosemu(run_dpmi+0x119)[0x55604d059dc9] ======= Memory map: ======== gdb -q --args /usr/bin/dosemu.bin -X -p -E "unzip32" handle SIGSEGV nostop noprint cont *** stack smashing detected ***: /usr/bin/dosemu.bin terminated ======= Backtrace: ========= /lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7ffff739abfb] /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff74231f7] /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7ffff74231c0] /usr/bin/dosemu.bin(+0x51e50)[0x5555555a5e50] /lib/x86_64-linux-gnu/libc.so.6(+0x33060)[0x7ffff735d060] /usr/bin/dosemu.bin(run_dpmi+0x119)[0x5555555f3dc9] ======= Memory map: ======== (gdb) disassemble dosemu_fault,0x00005555555a5e4b+0x20 ... 0x0000561052192c4d <dosemu_fault+13>: mov %fs:0x28,%rax 0x0000561052192c56 <dosemu_fault+22>: mov %rax,0x88(%rsp) 0x0000561052192c5e <dosemu_fault+30>: xor %eax,%eax ... 0x0000561052192d10 <dosemu_fault+208>: mov 0x88(%rsp),%rax 0x0000561052192d18 <dosemu_fault+216>: xor %fs:0x28,%rax 0x0000561052192d21 <dosemu_fault+225>: jne 0x561052192e4b <dosemu_fault+523> ... 0x0000561052192e4b <dosemu_fault+523>: callq 0x561052167140 <__stack_chk_fail@plt> 0x0000561052192e50 <SIGIO_call+0>: sub $0x8,%rsp . gdb -q --args /usr/bin/dosemu.bin -X -p -E "unzip32" directory /home/benutzer/dosemu/orig/dosemu-1.4.0.7+20130105+b028d3f/src/arch/linux/async handle SIGSEGV nostop noprint set height 0 set width 0 set pagination off display/i $pc b *(dosemu_fault+30) run print/x 0x88+$rsp print/x *(int*)0x7fffffffe148 display/x $fs b *(dosemu_fault+13) if ($fs != 0) disa 1 cont benutzer@debian:~$ gdb -q --args /usr/bin/dosemu.bin -X -p -E "unzip32" Reading symbols from /usr/bin/dosemu.bin...Reading symbols from /usr/lib/debug/.build-id/e6/269b11b17af3136254880ec6b9bd18f464db59.debug...done. done. (gdb) directory /home/benutzer/dosemu/orig/dosemu-1.4.0.7+20130105+b028d3f/src/arch/linux/async Source directories searched: /home/benutzer/dosemu/orig/dosemu-1.4.0.7+20130105+b028d3f/src/arch/linux/async:$cdir:$cwd (gdb) handle SIGSEGV nostop noprint Signal Stop Print Pass to program Description SIGSEGV No No Yes Segmentation fault (gdb) set height 0 (gdb) set width 0 (gdb) set pagination off (gdb) display/i $pc 1: x/i $pc <error: No registers.> (gdb) b *(dosemu_fault+30) Breakpoint 1 at 0x51c5e: file sigsegv.c, line 453. (gdb) run Starting program: /usr/bin/dosemu.bin -X -p -E unzip32 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Breakpoint 1, 0x00005555555a5c5e in dosemu_fault (signal=11, si=0x7fffffffe2b0, uc=0x7fffffffe180) at sigsegv.c:453 453 { 1: x/i $pc => 0x5555555a5c5e <dosemu_fault+30>: xor %eax,%eax (gdb) print/x 0x88+$rsp $1 = 0x7fffffffe148 (gdb) print/x *(int*)0x7fffffffe148 $2 = 0xe1943200 (gdb) display/x $fs 2: /x $fs = 0x0 (gdb) (gdb) b *(dosemu_fault+13) if ($fs != 0) Breakpoint 2 at 0x5555555a5c4d: file sigsegv.c, line 453. (gdb) disa 1 (gdb) cont Continuing. Breakpoint 2, dosemu_fault (signal=11, si=0x7fffffffe2b0, uc=0x7fffffffe180) at sigsegv.c:453 453 { 1: x/i $pc => 0x5555555a5c4d <dosemu_fault+13>: mov %fs:0x28,%rax 2: /x $fs = 0xb7 (gdb) display/x *(int*)0x7fffffffe148 3: /x *(int*)0x7fffffffe148 = 0xe1943200 (gdb) undisp 3 (gdb) nexti 0x00005555555a5c56 453 { 1: x/i $pc => 0x5555555a5c56 <dosemu_fault+22>: mov %rax,0x88(%rsp) 2: /x $fs = 0xb7 (gdb) 0x00005555555a5c5e 453 { 1: x/i $pc => 0x5555555a5c5e <dosemu_fault+30>: xor %eax,%eax 2: /x $fs = 0xb7 (gdb) dosemu_fault0 (scp=0x7fffffffe1a8, signal=11) at sigsegv.c:387 387 fault_cnt++; 1: x/i $pc => 0x5555555a5c60 <dosemu_fault+32>: mov 0x38515a(%rip),%eax # 0x55555592adc0 <fault_cnt> 2: /x $fs = 0xb7 (gdb) 0x00005555555a5c66 387 fault_cnt++; 1: x/i $pc => 0x5555555a5c66 <dosemu_fault+38>: add $0x1,%eax 2: /x $fs = 0xb7 (gdb) 0x00005555555a5c69 387 fault_cnt++; 1: x/i $pc => 0x5555555a5c69 <dosemu_fault+41>: mov %eax,0x385151(%rip) # 0x55555592adc0 <fault_cnt> 2: /x $fs = 0xb7 (gdb) 388 if (fault_cnt > 2) { 1: x/i $pc => 0x5555555a5c6f <dosemu_fault+47>: mov 0x38514b(%rip),%eax # 0x55555592adc0 <fault_cnt> 2: /x $fs = 0xb7 (gdb) 0x00005555555a5c75 388 if (fault_cnt > 2) { 1: x/i $pc => 0x5555555a5c75 <dosemu_fault+53>: cmp $0x2,%eax 2: /x $fs = 0xb7 (gdb) 0x00005555555a5c78 388 if (fault_cnt > 2) { 1: x/i $pc => 0x5555555a5c78 <dosemu_fault+56>: jg 0x5555555a5e41 <dosemu_fault+513> 2: /x $fs = 0xb7 (gdb) 0x00005555555a5c7e 388 if (fault_cnt > 2) { 1: x/i $pc => 0x5555555a5c7e <dosemu_fault+62>: lea 0x28(%rdx),%rbx 2: /x $fs = 0xb7 (gdb) 0x00005555555a5c82 388 if (fault_cnt > 2) { 1: x/i $pc => 0x5555555a5c82 <dosemu_fault+66>: mov %edi,%r12d 2: /x $fs = 0xb7 (gdb) 0x00005555555a5c85 388 if (fault_cnt > 2) { 1: x/i $pc => 0x5555555a5c85 <dosemu_fault+69>: mov %rdx,%rbp 2: /x $fs = 0xb7 (gdb) 397 init_handler(scp); 1: x/i $pc => 0x5555555a5c88 <dosemu_fault+72>: mov %rbx,%rdi 2: /x $fs = 0xb7 (gdb) 0x00005555555a5c8b 397 init_handler(scp); 1: x/i $pc => 0x5555555a5c8b <dosemu_fault+75>: callq 0x5555555a6790 <init_handler> 2: /x $fs = 0xb7 (gdb) 399 if (kernel_version_code < 0x20600+14) { 1: x/i $pc => 0x5555555a5c90 <dosemu_fault+80>: cmpl $0x2060d,0x527892(%rip) # 0x555555acd52c <kernel_version_code> 2: /x $fs = 0x0 (gdb) 0x00005555555a5c9a 399 if (kernel_version_code < 0x20600+14) { 1: x/i $pc => 0x5555555a5c9a <dosemu_fault+90>: jle 0x5555555a5d48 <dosemu_fault+264> 2: /x $fs = 0x0 (gdb) 411 if (fault_cnt > 1 && _trapno == 0xe && !DPMIValidSelector(_cs)) { 1: x/i $pc => 0x5555555a5ca0 <dosemu_fault+96>: mov 0x38511a(%rip),%eax # 0x55555592adc0 <fault_cnt> 2: /x $fs = 0x0 (gdb) 0x00005555555a5ca6 411 if (fault_cnt > 1 && _trapno == 0xe && !DPMIValidSelector(_cs)) { 1: x/i $pc => 0x5555555a5ca6 <dosemu_fault+102>: cmp $0x1,%eax 2: /x $fs = 0x0 (gdb) 0x00005555555a5ca9 411 if (fault_cnt > 1 && _trapno == 0xe && !DPMIValidSelector(_cs)) { 1: x/i $pc => 0x5555555a5ca9 <dosemu_fault+105>: jle 0x5555555a5cbc <dosemu_fault+124> 2: /x $fs = 0x0 (gdb) debug_level (letter=103) at ../../../../src/include/dosemu_debug.h:187 187 return debug[letter].level; 1: x/i $pc => 0x5555555a5cbc <dosemu_fault+124>: movzbl 0x790cf5(%rip),%edi # 0x555555d369b8 <debug+2488> 2: /x $fs = 0x0 (gdb) dosemu_fault0 (scp=0x7fffffffe1a8, signal=11) at sigsegv.c:436 436 if (debug_level('g')>7) 1: x/i $pc => 0x5555555a5cc3 <dosemu_fault+131>: cmp $0x7,%edi 2: /x $fs = 0x0 (gdb) 0x00005555555a5cc6 436 if (debug_level('g')>7) 1: x/i $pc => 0x5555555a5cc6 <dosemu_fault+134>: jg 0x5555555a5e20 <dosemu_fault+480> 2: /x $fs = 0x0 (gdb) 440 retcode = dosemu_fault1 (signal, scp); 1: x/i $pc => 0x5555555a5ccc <dosemu_fault+140>: mov %r12d,%edi 2: /x $fs = 0x0 (gdb) 0x00005555555a5ccf 440 retcode = dosemu_fault1 (signal, scp); 1: x/i $pc => 0x5555555a5ccf <dosemu_fault+143>: mov %rbx,%rsi 2: /x $fs = 0x0 (gdb) 0x00005555555a5cd2 440 retcode = dosemu_fault1 (signal, scp); 1: x/i $pc => 0x5555555a5cd2 <dosemu_fault+146>: callq 0x5555555a5240 <dosemu_fault1> 2: /x $fs = 0x0 (gdb) debug_level (letter=<optimized out>) at ../../../../src/include/dosemu_debug.h:187 187 return debug[letter].level; 1: x/i $pc => 0x5555555a5cd7 <dosemu_fault+151>: movzbl 0x790cda(%rip),%edi # 0x555555d369b8 <debug+2488> 2: /x $fs = 0x0 (gdb) dosemu_fault0 (scp=0x7fffffffe1a8, signal=11) at sigsegv.c:440 440 retcode = dosemu_fault1 (signal, scp); 1: x/i $pc => 0x5555555a5cde <dosemu_fault+158>: mov %eax,%r12d 2: /x $fs = 0x0 (gdb) 442 if (debug_level('g')>8) 1: x/i $pc => 0x5555555a5ce1 <dosemu_fault+161>: cmp $0x8,%edi 2: /x $fs = 0x0 (gdb) 0x00005555555a5ce4 442 if (debug_level('g')>8) 1: x/i $pc => 0x5555555a5ce4 <dosemu_fault+164>: jle 0x5555555a5cf4 <dosemu_fault+180> 2: /x $fs = 0x0 (gdb) 444 if(retcode) 1: x/i $pc => 0x5555555a5cf4 <dosemu_fault+180>: test %r12d,%r12d 2: /x $fs = 0x0 (gdb) 0x00005555555a5cf7 444 if(retcode) 1: x/i $pc => 0x5555555a5cf7 <dosemu_fault+183>: jne 0x5555555a5d38 <dosemu_fault+248> 2: /x $fs = 0x0 (gdb) 445 _eax = retcode; 1: x/i $pc => 0x5555555a5d38 <dosemu_fault+248>: mov %r12d,0x90(%rbp) 2: /x $fs = 0x0 (gdb) 0x00005555555a5d3f 445 _eax = retcode; 1: x/i $pc => 0x5555555a5d3f <dosemu_fault+255>: jmp 0x5555555a5cf9 <dosemu_fault+185> 2: /x $fs = 0x0 (gdb) 446 dpmi_iret_setup(scp); 1: x/i $pc => 0x5555555a5cf9 <dosemu_fault+185>: mov %rbx,%rdi 2: /x $fs = 0x0 (gdb) 0x00005555555a5cfc 446 dpmi_iret_setup(scp); 1: x/i $pc => 0x5555555a5cfc <dosemu_fault+188>: callq 0x5555555ec840 <dpmi_iret_setup> 2: /x $fs = 0x0 (gdb) 447 fault_cnt--; 1: x/i $pc => 0x5555555a5d01 <dosemu_fault+193>: mov 0x3850b9(%rip),%eax # 0x55555592adc0 <fault_cnt> 2: /x $fs = 0x0 (gdb) 0x00005555555a5d07 447 fault_cnt--; 1: x/i $pc => 0x5555555a5d07 <dosemu_fault+199>: sub $0x1,%eax 2: /x $fs = 0x0 (gdb) 0x00005555555a5d0a 447 fault_cnt--; 1: x/i $pc => 0x5555555a5d0a <dosemu_fault+202>: mov %eax,0x3850b0(%rip) # 0x55555592adc0 <fault_cnt> 2: /x $fs = 0x0 (gdb) dosemu_fault (signal=<optimized out>, si=<optimized out>, uc=0x7fffffffe180) at sigsegv.c:456 456 } 1: x/i $pc => 0x5555555a5d10 <dosemu_fault+208>: mov 0x88(%rsp),%rax 2: /x $fs = 0x0 (gdb) 0x00005555555a5d18 456 } 1: x/i $pc => 0x5555555a5d18 <dosemu_fault+216>: xor %fs:0x28,%rax 2: /x $fs = 0x0 (gdb) 0x00005555555a5d21 456 } 1: x/i $pc => 0x5555555a5d21 <dosemu_fault+225>: jne 0x5555555a5e4b <dosemu_fault+523> 2: /x $fs = 0x0 (gdb) 456 } 1: x/i $pc => 0x5555555a5e4b <dosemu_fault+523>: callq 0x55555557a140 <__stack_chk_fail@plt> 2: /x $fs = 0x0 (gdb) bt #0 dosemu_fault (signal=<optimized out>, si=<optimized out>, uc=0x7fffffffe180) at sigsegv.c:456 #1 <signal handler called> #2 0x00005555555f3dc9 in dpmi_transfer (scp=0x400bf, xfr=<optimized out>) at dpmi.c:407 #3 direct_dpmi_switch (scp=0x400bf) at dpmi.c:483 #4 dpmi_control () at dpmi.c:593 #5 run_dpmi () at dpmi.c:2870 #6 0x0000000000000000 in ?? () (gdb) disassemble dosemu_fault,0x00005555555a5e4b+0x20 Dump of assembler code from 0x5555555a5c40 to 0x5555555a5e6b: 0x00005555555a5c40 <dosemu_fault+0>: push %r13 0x00005555555a5c42 <dosemu_fault+2>: push %r12 0x00005555555a5c44 <dosemu_fault+4>: push %rbp 0x00005555555a5c45 <dosemu_fault+5>: push %rbx 0x00005555555a5c46 <dosemu_fault+6>: sub $0x98,%rsp 0x00005555555a5c4d <dosemu_fault+13>: mov %fs:0x28,%rax 0x00005555555a5c56 <dosemu_fault+22>: mov %rax,0x88(%rsp) 0x00005555555a5c5e <dosemu_fault+30>: xor %eax,%eax 0x00005555555a5c60 <dosemu_fault+32>: mov 0x38515a(%rip),%eax # 0x55555592adc0 <fault_cnt> 0x00005555555a5c66 <dosemu_fault+38>: add $0x1,%eax 0x00005555555a5c69 <dosemu_fault+41>: mov %eax,0x385151(%rip) # 0x55555592adc0 <fault_cnt> 0x00005555555a5c6f <dosemu_fault+47>: mov 0x38514b(%rip),%eax # 0x55555592adc0 <fault_cnt> 0x00005555555a5c75 <dosemu_fault+53>: cmp $0x2,%eax 0x00005555555a5c78 <dosemu_fault+56>: jg 0x5555555a5e41 <dosemu_fault+513> 0x00005555555a5c7e <dosemu_fault+62>: lea 0x28(%rdx),%rbx 0x00005555555a5c82 <dosemu_fault+66>: mov %edi,%r12d 0x00005555555a5c85 <dosemu_fault+69>: mov %rdx,%rbp 0x00005555555a5c88 <dosemu_fault+72>: mov %rbx,%rdi 0x00005555555a5c8b <dosemu_fault+75>: callq 0x5555555a6790 <init_handler> 0x00005555555a5c90 <dosemu_fault+80>: cmpl $0x2060d,0x527892(%rip) # 0x555555acd52c <kernel_version_code> 0x00005555555a5c9a <dosemu_fault+90>: jle 0x5555555a5d48 <dosemu_fault+264> 0x00005555555a5ca0 <dosemu_fault+96>: mov 0x38511a(%rip),%eax # 0x55555592adc0 <fault_cnt> 0x00005555555a5ca6 <dosemu_fault+102>: cmp $0x1,%eax 0x00005555555a5ca9 <dosemu_fault+105>: jle 0x5555555a5cbc <dosemu_fault+124> 0x00005555555a5cab <dosemu_fault+107>: movzwl 0xc8(%rbp),%ecx 0x00005555555a5cb2 <dosemu_fault+114>: cmp $0xe,%cx 0x00005555555a5cb6 <dosemu_fault+118>: je 0x5555555a5d70 <dosemu_fault+304> 0x00005555555a5cbc <dosemu_fault+124>: movzbl 0x790cf5(%rip),%edi # 0x555555d369b8 <debug+2488> 0x00005555555a5cc3 <dosemu_fault+131>: cmp $0x7,%edi 0x00005555555a5cc6 <dosemu_fault+134>: jg 0x5555555a5e20 <dosemu_fault+480> 0x00005555555a5ccc <dosemu_fault+140>: mov %r12d,%edi 0x00005555555a5ccf <dosemu_fault+143>: mov %rbx,%rsi 0x00005555555a5cd2 <dosemu_fault+146>: callq 0x5555555a5240 <dosemu_fault1> 0x00005555555a5cd7 <dosemu_fault+151>: movzbl 0x790cda(%rip),%edi # 0x555555d369b8 <debug+2488> 0x00005555555a5cde <dosemu_fault+158>: mov %eax,%r12d 0x00005555555a5ce1 <dosemu_fault+161>: cmp $0x8,%edi 0x00005555555a5ce4 <dosemu_fault+164>: jle 0x5555555a5cf4 <dosemu_fault+180> 0x00005555555a5ce6 <dosemu_fault+166>: lea 0xdd78b(%rip),%rsi # 0x555555683478 0x00005555555a5ced <dosemu_fault+173>: xor %eax,%eax 0x00005555555a5cef <dosemu_fault+175>: callq 0x5555555add70 <log_printf> 0x00005555555a5cf4 <dosemu_fault+180>: test %r12d,%r12d 0x00005555555a5cf7 <dosemu_fault+183>: jne 0x5555555a5d38 <dosemu_fault+248> 0x00005555555a5cf9 <dosemu_fault+185>: mov %rbx,%rdi 0x00005555555a5cfc <dosemu_fault+188>: callq 0x5555555ec840 <dpmi_iret_setup> 0x00005555555a5d01 <dosemu_fault+193>: mov 0x3850b9(%rip),%eax # 0x55555592adc0 <fault_cnt> 0x00005555555a5d07 <dosemu_fault+199>: sub $0x1,%eax 0x00005555555a5d0a <dosemu_fault+202>: mov %eax,0x3850b0(%rip) # 0x55555592adc0 <fault_cnt> 0x00005555555a5d10 <dosemu_fault+208>: mov 0x88(%rsp),%rax 0x00005555555a5d18 <dosemu_fault+216>: xor %fs:0x28,%rax 0x00005555555a5d21 <dosemu_fault+225>: jne 0x5555555a5e4b <dosemu_fault+523> 0x00005555555a5d27 <dosemu_fault+231>: add $0x98,%rsp 0x00005555555a5d2e <dosemu_fault+238>: pop %rbx 0x00005555555a5d2f <dosemu_fault+239>: pop %rbp 0x00005555555a5d30 <dosemu_fault+240>: pop %r12 0x00005555555a5d32 <dosemu_fault+242>: pop %r13 0x00005555555a5d34 <dosemu_fault+244>: retq 0x00005555555a5d35 <dosemu_fault+245>: nopl (%rax) 0x00005555555a5d38 <dosemu_fault+248>: mov %r12d,0x90(%rbp) 0x00005555555a5d3f <dosemu_fault+255>: jmp 0x5555555a5cf9 <dosemu_fault+185> 0x00005555555a5d41 <dosemu_fault+257>: nopl 0x0(%rax) 0x00005555555a5d48 <dosemu_fault+264>: mov %rsp,%rdi 0x00005555555a5d4b <dosemu_fault+267>: callq 0x55555557a500 <sigemptyset@plt> 0x00005555555a5d50 <dosemu_fault+272>: mov %r12d,%esi 0x00005555555a5d53 <dosemu_fault+275>: mov %rsp,%rdi 0x00005555555a5d56 <dosemu_fault+278>: callq 0x55555557ac30 <sigaddset@plt> 0x00005555555a5d5b <dosemu_fault+283>: xor %edx,%edx 0x00005555555a5d5d <dosemu_fault+285>: mov %rsp,%rsi 0x00005555555a5d60 <dosemu_fault+288>: mov $0x1,%edi 0x00005555555a5d65 <dosemu_fault+293>: callq 0x555555579e30 <sigprocmask@plt> 0x00005555555a5d6a <dosemu_fault+298>: jmpq 0x5555555a5ca0 <dosemu_fault+96> 0x00005555555a5d6f <dosemu_fault+303>: nop 0x00005555555a5d70 <dosemu_fault+304>: movzwl 0xb8(%rbp),%edx 0x00005555555a5d77 <dosemu_fault+311>: lea 0x842022(%rip),%rsi # 0x555555de7da0 <Segments> 0x00005555555a5d7e <dosemu_fault+318>: mov %edx,%eax 0x00005555555a5d80 <dosemu_fault+320>: shr $0x3,%ax 0x00005555555a5d84 <dosemu_fault+324>: and $0x1fff,%eax 0x00005555555a5d89 <dosemu_fault+329>: shl $0x4,%rax 0x00005555555a5d8d <dosemu_fault+333>: cmpl $0xfe,0xc(%rsi,%rax,1) 0x00005555555a5d95 <dosemu_fault+341>: je 0x5555555a5dc8 <dosemu_fault+392> 0x00005555555a5d97 <dosemu_fault+343>: and $0x4,%edx 0x00005555555a5d9a <dosemu_fault+346>: je 0x5555555a5dc8 <dosemu_fault+392> 0x00005555555a5d9c <dosemu_fault+348>: movzbl 0x790c15(%rip),%edi # 0x555555d369b8 <debug+2488> 0x00005555555a5da3 <dosemu_fault+355>: cmp $0x7,%edi 0x00005555555a5da6 <dosemu_fault+358>: jle 0x5555555a5ccc <dosemu_fault+140> 0x00005555555a5dac <dosemu_fault+364>: lea 0xdd695(%rip),%rsi # 0x555555683448 0x00005555555a5db3 <dosemu_fault+371>: mov %r12d,%edx 0x00005555555a5db6 <dosemu_fault+374>: xor %eax,%eax 0x00005555555a5db8 <dosemu_fault+376>: callq 0x5555555add70 <log_printf> 0x00005555555a5dbd <dosemu_fault+381>: jmpq 0x5555555a5ccc <dosemu_fault+140> 0x00005555555a5dc2 <dosemu_fault+386>: nopw 0x0(%rax,%rax,1) 0x00005555555a5dc8 <dosemu_fault+392>: mov 0xa8(%rbp),%rax 0x00005555555a5dcf <dosemu_fault+399>: movzbl (%rax),%eax 0x00005555555a5dd2 <dosemu_fault+402>: lea -0x64(%rax),%edx 0x00005555555a5dd5 <dosemu_fault+405>: cmp $0x1,%dl 0x00005555555a5dd8 <dosemu_fault+408>: jbe 0x5555555a5e30 <dosemu_fault+496> 0x00005555555a5dda <dosemu_fault+410>: cmpw $0x3,0x7a2142(%rip) # 0x555555d47f24 <config+4> 0x00005555555a5de2 <dosemu_fault+418>: jne 0x5555555a5cbc <dosemu_fault+124> 0x00005555555a5de8 <dosemu_fault+424>: mov 0x384f3a(%rip),%eax # 0x55555592ad28 <in_dpmi> 0x00005555555a5dee <dosemu_fault+430>: test %eax,%eax 0x00005555555a5df0 <dosemu_fault+432>: je 0x5555555a5cbc <dosemu_fault+124> 0x00005555555a5df6 <dosemu_fault+438>: mov 0x384f28(%rip),%eax # 0x55555592ad24 <in_dpmi_dos_int> 0x00005555555a5dfc <dosemu_fault+444>: test %eax,%eax 0x00005555555a5dfe <dosemu_fault+446>: jne 0x5555555a5cbc <dosemu_fault+124> 0x00005555555a5e04 <dosemu_fault+452>: mov %rbx,%rdi 0x00005555555a5e07 <dosemu_fault+455>: callq 0x5555555e8200 <e_emu_fault> 0x00005555555a5e0c <dosemu_fault+460>: test %eax,%eax 0x00005555555a5e0e <dosemu_fault+462>: je 0x5555555a5cbc <dosemu_fault+124> 0x00005555555a5e14 <dosemu_fault+468>: jmpq 0x5555555a5d01 <dosemu_fault+193> 0x00005555555a5e19 <dosemu_fault+473>: nopl 0x0(%rax) 0x00005555555a5e20 <dosemu_fault+480>: movzwl 0xc8(%rbp),%ecx 0x00005555555a5e27 <dosemu_fault+487>: jmp 0x5555555a5dac <dosemu_fault+364> 0x00005555555a5e29 <dosemu_fault+489>: nopl 0x0(%rax) 0x00005555555a5e30 <dosemu_fault+496>: movzbl %al,%edi 0x00005555555a5e33 <dosemu_fault+499>: callq 0x5555555a66c0 <check_fix_fs_gs_base> 0x00005555555a5e38 <dosemu_fault+504>: test %eax,%eax 0x00005555555a5e3a <dosemu_fault+506>: je 0x5555555a5dda <dosemu_fault+410> 0x00005555555a5e3c <dosemu_fault+508>: jmpq 0x5555555a5d01 <dosemu_fault+193> 0x00005555555a5e41 <dosemu_fault+513>: mov $0xff,%edi 0x00005555555a5e46 <dosemu_fault+518>: callq 0x555555579f00 <_exit@plt> => 0x00005555555a5e4b <dosemu_fault+523>: callq 0x55555557a140 <__stack_chk_fail@plt> 0x00005555555a5e50 <SIGIO_call+0>: sub $0x8,%rsp 0x00005555555a5e54 <SIGIO_call+4>: pushq 0x77fc5e(%rip) # 0x555555d25ab8 <fds_sigio+120> 0x00005555555a5e5a <SIGIO_call+10>: pushq 0x77fc50(%rip) # 0x555555d25ab0 <fds_sigio+112> 0x00005555555a5e60 <SIGIO_call+16>: pushq 0x77fc42(%rip) # 0x555555d25aa8 <fds_sigio+104> 0x00005555555a5e66 <SIGIO_call+22>: pushq 0x77fc34(%rip) # 0x555555d25aa0 <fds_sigio+96> End of assembler dump. https://aur.archlinux.org/packages/dosemu-git/ sed -i 's/((no_instrument_function/&,optimize("no-stack-protector")/' src/arch/linux/async/sigsegv.c src/arch/linux/async/signal.c
Description: Avoid stack protection for signal handler Dosemu's usage of the segment register e.g. fs is not compatible with Gcc's stack protection mechanism. Author: Bernhard Ãbelacker <bernha...@mailbox.org> --- Origin: other, https://aur.archlinux.org/packages/dosemu-git/ Bug: Bug-Debian: https://bugs.debian.org/829417 Bug-Ubuntu: Forwarded: no Reviewed-By: Last-Update: 2018-07-31 --- dosemu-1.4.0.7+20130105+b028d3f.orig/src/arch/linux/async/signal.c +++ dosemu-1.4.0.7+20130105+b028d3f/src/arch/linux/async/signal.c @@ -225,7 +225,7 @@ int check_fix_fs_gs_base(unsigned char p /* init_handler puts the handler in a sane state that glibc expects. That means restoring fs and gs for vm86 (necessary for 2.4 kernels) and fs, gs and eflags for DPMI. */ -__attribute__((no_instrument_function)) +__attribute__((no_instrument_function,optimize("no-stack-protector"))) void init_handler(struct sigcontext_struct *scp) { /* @@ -309,7 +309,7 @@ void init_handler(struct sigcontext_stru /* this cleaning up is necessary to avoid the port server becoming a zombie process */ -__attribute__((no_instrument_function)) +__attribute__((no_instrument_function,optimize("no-stack-protector"))) static void cleanup_child(struct sigcontext_struct *scp) { int status; @@ -322,7 +322,7 @@ static void cleanup_child(struct sigcont } } -__attribute__((no_instrument_function)) +__attribute__((no_instrument_function,optimize("no-stack-protector"))) static void leavedos_signal(int sig) { init_handler(NULL); @@ -804,7 +804,7 @@ static void sigalrm(struct sigcontext_st } } -__attribute__((no_instrument_function)) +__attribute__((no_instrument_function,optimize("no-stack-protector"))) static void sigasync0(int sig, struct sigcontext_struct *scp) { init_handler(scp); @@ -813,7 +813,7 @@ static void sigasync0(int sig, struct si dpmi_iret_setup(scp); } -__attribute__((no_instrument_function)) +__attribute__((no_instrument_function,optimize("no-stack-protector"))) static void sigasync(int sig, siginfo_t *si, void *uc) { sigasync0(sig, (struct sigcontext_struct *) --- dosemu-1.4.0.7+20130105+b028d3f.orig/src/arch/linux/async/sigsegv.c +++ dosemu-1.4.0.7+20130105+b028d3f/src/arch/linux/async/sigsegv.c @@ -37,7 +37,7 @@ void print_exception_info(struct sigcont /* * All of the functions in this module need to be declared with - * __attribute__((no_instrument_function)) + * __attribute__((no_instrument_function,optimize("no-stack-protector"))) * so that they can safely handle signals that occur in DPMI context when * DOSEMU is built with the "-pg" gcc flag (which enables instrumentation for * gprof profiling). @@ -62,7 +62,7 @@ void print_exception_info(struct sigcont * DANG_END_FUNCTION */ -__attribute__((no_instrument_function)) +__attribute__((no_instrument_function,optimize("no-stack-protector"))) int dosemu_fault1( #ifdef __linux__ int signal, struct sigcontext_struct *scp @@ -380,7 +380,7 @@ bad: } } -__attribute__((no_instrument_function)) +__attribute__((no_instrument_function,optimize("no-stack-protector"))) static void dosemu_fault0(int signal, struct sigcontext_struct *scp) { int retcode; @@ -448,7 +448,7 @@ static void dosemu_fault0(int signal, st } #ifdef __linux__ -__attribute__((no_instrument_function)) +__attribute__((no_instrument_function,optimize("no-stack-protector"))) void dosemu_fault(int signal, siginfo_t *si, void *uc) { dosemu_fault0(signal, (struct sigcontext_struct *) @@ -465,7 +465,7 @@ void dosemu_fault(int signal, siginfo_t * DANG_END_FUNCTION * */ -__attribute__((no_instrument_function)) +__attribute__((no_instrument_function,optimize("no-stack-protector"))) void print_exception_info(struct sigcontext_struct *scp) { int i;
