Kismet Wireless

Kismet Forums


Posted by: fisted
Subject: kismet_server - segfault in libnl prior to main()
Date: 00:13:36 21/11/2012


I also posted this to the libnl mailing list, since I assume it's libnl's fault, but since I don't know exactly, I thought I should post here too:

It's about kismet_server, latest SVN version as of yesterday (2012/11/20).

Here's the post:
In particular, this is about kismet, a program using libnl, which segfaults right after launch, before even main() is called.
It looks like libnl is responsible; here's what I did, and some information:

# uname -a
Linux fisted 3.6.6-gentoo12019 #1 SMP Tue Nov 20 06:07:13 CET 2012 x86_64 AMD Athlon(tm) II Dual-Core M300 AuthenticAMD GNU/Linux

libnl3 version is 3.2.14, or 3.2.14:3; the latter might be something Gentoo-specific.
libnl1 version is libnl-1.1-r3.
I have no idea why kismet wants both, anyway.

# ldd ./kismet_server
        (0x00007fff725ff000)
        => /lib64/ (0x00007fa052a7e000)
        => /lib64/ (0x00007fa05287a000)
        => /lib64/ (0x00007fa05261f000)
        => /usr/lib/gcc/x86_64-pc-linux-gnu/4.5.4/ (0x00007fa052319000)
        => /usr/lib64/ (0x00007fa0520d9000)
        => /usr/lib64/ (0x00007fa051ed2000)
        => /usr/lib64/ (0x00007fa051cb6000)
        => /lib64/ (0x00007fa0519be000)
        => /usr/lib/gcc/x86_64-pc-linux-gnu/4.5.4/ (0x00007fa0517a7000)
        => /lib64/ (0x00007fa0513f9000)
        => /lib64/ (0x00007fa0511dc000)
        => /lib64/ (0x00007fa050fd7000)
        /lib64/ (0x00007fa052c84000)
        => /usr/lib64/ (0x00007fa050d82000)

# gdb ./kismet_server
GNU gdb (Gentoo 7.3.1 p2) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /home/fisted/src/kismet/kismet_server...done.
(gdb) run
Starting program: /home/fisted/src/kismet/kismet_server
warning: Could not load shared library symbols for
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
genl_register (ops=0x7ffff5f1c6e0) at genl/mngt.c:260
260 ops->co_genl->o_cache_ops = ops;
(gdb) bt full
#0 genl_register (ops=0x7ffff5f1c6e0) at genl/mngt.c:260
err = <optimized out>
#1 0x00007ffff7de972f in call_init () from /lib64/
No symbol table info available.
#2 0x00007ffff7de981e in _dl_init_internal () from /lib64/
No symbol table info available.
#3 0x00007ffff7ddbbda in _dl_start_user () from /lib64/
No symbol table info available.
#4 0x0000000000000001 in ?? ()
No symbol table info available.
#5 0x00007fffffffdf6d in ?? ()
No symbol table info available.
#6 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb) disass
Dump of assembler code for function genl_register:
0x00007ffff702bea0 <+0>: push %rbx
0x00007ffff702bea1 <+1>: cmpl $0x10,0xc(%rdi)
0x00007ffff702bea5 <+5>: mov %rdi,%rbx
0x00007ffff702bea8 <+8>: je 0x7ffff702beb8 <genl_register+24>
0x00007ffff702beaa <+10>: mov $0xffffffe6,%eax
0x00007ffff702beaf <+15>: pop %rbx
0x00007ffff702beb0 <+16>: retq
0x00007ffff702beb1 <+17>: nopl 0x0(%rax)
0x00007ffff702beb8 <+24>: mov 0x8(%rdi),%edx
0x00007ffff702bebb <+27>: mov $0xfffffff9,%eax
0x00007ffff702bec0 <+32>: cmp $0x3,%edx
0x00007ffff702bec3 <+35>: jbe 0x7ffff702beaf <genl_register+15>
0x00007ffff702bec5 <+37>: mov 0x50(%rdi),%rdi
0x00007ffff702bec9 <+41>: test %rdi,%rdi
0x00007ffff702becc <+44>: je 0x7ffff702beaf <genl_register+15>
0x00007ffff702bece <+46>: mov 0x60(%rbx),%rax
0x00007ffff702bed2 <+50>: sub $0x4,%edx
=> 0x00007ffff702bed5 <+53>: mov %rbx,0x10(%rdi)
0x00007ffff702bed9 <+57>: mov %edx,(%rdi)
0x00007ffff702bedb <+59>: mov %rax,0x8(%rdi)
0x00007ffff702bedf <+63>: mov 0x58(%rbx),%eax
0x00007ffff702bee2 <+66>: mov %eax,0x4(%rdi)
0x00007ffff702bee5 <+69>: lea -0x36c(%rip),%rax # 0x7ffff702bb80 <genl_msg_parser>
0x00007ffff702beec <+76>: mov %rax,0x20(%rbx)
0x00007ffff702bef0 <+80>: callq 0x7ffff702a450 <genl_register_family@plt>
0x00007ffff702bef5 <+85>: test %eax,%eax
0x00007ffff702bef7 <+87>: js 0x7ffff702beaf <genl_register+15>
0x00007ffff702bef9 <+89>: mov %rbx,%rdi
0x00007ffff702befc <+92>: pop %rbx
0x00007ffff702befd <+93>: jmpq 0x7ffff702a310 <nl_cache_mngt_register@plt>
End of assembler dump.
(gdb) i r
rax 0x0 0
rbx 0x7ffff5f1c6e0 140737319651040
rcx 0x66 102
rdx 0x0 0
rsi 0x7fffffffdca8 140737488346280
rdi 0x7ffff5d098dc 140737317476572
rbp 0x7fffffffdca8 0x7fffffffdca8
rsp 0x7fffffffdc00 0x7fffffffdc00
r8 0x7ffff68f7688 140737329985160
r9 0x1 1
r10 0x7fffffffd9b0 140737488345520
r11 0x7ffff702bea0 140737337540256
r12 0x7ffff5f180c8 140737319633096
r13 0x7fffffffdcb8 140737488346296
r14 0x1d 29
r15 0x20 32
rip 0x7ffff702bed5 0x7ffff702bed5 <genl_register+53>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

Any additional information required to debug/fix this?

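Added example, not part of the post and not Kismet's or libnl's own code: the poster has both libnl-1.1 and libnl3 3.2.14 installed and wonders why kismet_server wants both. The script below parses ldd(1) output and reports which libnl major versions a binary links against, warning when more than one is present. The function names, the soname convention it matches (libnl.so.1 for libnl1; libnl-3.so.200, libnl-genl-3.so.200 and friends for libnl3), and the sample ldd lines are my assumptions and constructed input, since the library names in the post's own ldd output did not survive on this page.

```shell
#!/bin/sh
# Added example (not from the post, Kismet or libnl): parse ldd output and
# report which libnl major versions a binary pulls in.  Function names and
# the soname convention below are assumptions made for this demo.

# libnl_majors: read ldd-style lines on stdin, print the distinct libnl
# major versions found, sorted and space-separated (e.g. "1 3").
# Assumed naming: libnl.so.1 (libnl1); libnl-3.so.200, libnl-genl-3.so.200,
# libnl-route-3.so.200 ... (libnl3).
libnl_majors() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^libnl.*\.so/) continue
            name = $i
            if (match(name, /-[0-9]+\.so/)) {
                # libnl-genl-3.so.200 -> "3"
                major = substr(name, RSTART + 1, RLENGTH - 4)
            } else if (match(name, /\.so\.[0-9]+/)) {
                # libnl.so.1 -> "1"
                major = substr(name, RSTART + 4, RLENGTH - 4)
            } else {
                major = "?"
            }
            seen[major] = 1
        }
    }
    END { for (m in seen) print m }' | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# libnl_major_count: number of distinct libnl majors in the ldd text on stdin.
libnl_major_count() {
    libnl_majors | wc -w | tr -d ' '
}

# check_binary: run ldd on a real executable and warn (return 1) when it
# links more than one libnl major version.
check_binary() {
    out=$(ldd "$1")
    majors=$(printf '%s\n' "$out" | libnl_majors)
    n=$(printf '%s\n' "$out" | libnl_major_count)
    echo "$1: libnl majors: ${majors:-none}"
    if [ "$n" -gt 1 ]; then
        echo "warning: $1 links more than one libnl major version" >&2
        return 1
    fi
    return 0
}

# Constructed sample ldd output for the demo (library names invented here;
# the real kismet_server names are not available on this page).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007fff725ff000)
    libnl-genl-3.so.200 => /usr/lib64/libnl-genl-3.so.200 (0x00007fa0520d9000)
    libnl-3.so.200 => /usr/lib64/libnl-3.so.200 (0x00007fa051ed2000)
    libnl.so.1 => /usr/lib64/libnl.so.1 (0x00007fa051cb6000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fa0513f9000)'

if [ "$#" -gt 0 ]; then
    check_binary "$1"
else
    # No binary given: show what the sample resolves to ("1 3").
    printf '%s\n' "$SAMPLE_LDD" | libnl_majors
    echo
fi
```

Run it with a path argument to check a real executable (for example the kismet_server binary from the post); without arguments it parses the constructed sample. It only reports what is linked; it makes no claim about the cause of the crash.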