
I have a bug trigger for Firefox (CVE-2018-18492) that crashes with SIGSEGV. I use breakpad's minidump_stackwalk to get a stack trace from the minidump file the crash produces. I get the following:

Thread 0 (crashed)
 0  0xd000b1000d
    rax = 0x00005576254ffac0   rdx = 0x0000000000000000
    rcx = 0x0000000000000001   rbx = 0x0000000000000000
    rsi = 0x0000557623c5e040   rdi = 0x00005576239d7c60
    rbp = 0x00007fffd0546890   rsp = 0x00007fffd0546568
     r8 = 0x0000000044815f7a    r9 = 0x00000000aa7e5e96
    r10 = 0x0000000000000001   r11 = 0x0000000000000001
    r12 = 0x0000557623c5e040   r13 = 0x00007fffd0546910
    r14 = 0x00005576239d7c60   r15 = 0x0000557623c5e040
    rip = 0x000000d000b1000d
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::dom::HTMLOptionsCollection_Binding::add [HTMLOptionsCollectionBinding.cpp : 165 + 0x1d]
    rbp = 0x00007fffd0546a70   rsp = 0x00007fffd05468a0
    rip = 0x00007f099629754c
    Found by: previous frame's frame pointer
 2  libxul.so!bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) [BindingUtils.cpp : 3296 + 0x9]
    rbx = 0x00007f099c307d10   rbp = 0x00007fffd0546b40
    rsp = 0x00007fffd0546a80   r12 = 0x00000000000000fb
    r13 = 0x00007fffd0546af0   r14 = 0x00007fffd0546ab0
    r15 = 0x00007fffd0546ad0   rip = 0x00007f099638680d
    Found by: call frame info
...

Then I run the same thing again under gdb (gdb /path/to/firefox/binary); it crashes again as expected, and I use bt to get the backtrace at the crash point. But I get something different:

#0  0x000055a17135b810 in  ()
#1  0x00007f23dd134dea in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) (this=0x55a1712a3550, aReplace=<optimized out>, aNewChild=<optimized out>, aRefChild=<optimized out>, aError=...) at /home/ug16zy2/firefox-63.0.3/dom/base/nsINode.cpp:2631
#2  0x00007f23dd8b0e7f in mozilla::dom::HTMLOptionsCollection_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLOptionsCollection*, JSJitMethodCallArgs const&) (cx=0x55a16e7867e0, obj=Python Exception <class 'gdb.error'> No type "Class" within class or namespace "js".:
0x7f23820aaf40, self=0x55a1701b1600, args=...) at /home/ug16zy2/firefox-63.0.3/objdir-ff-dbg/dom/bindings/HTMLOptionsCollectionBinding.cpp:165
#3  0x00007f23dd953158 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) (cx=0x55a16e7867e0, argc=1, vp=0x55a16f509ed0) at /home/ug16zy2/firefox-63.0.3/dom/bindings/BindingUtils.cpp:3296
...

Note the call stacks in the two outputs. It seems gdb shows one more function call, ReplaceOrInsertBefore, above add, while the minidump does not.

Do you know what causes the difference between them, and why?
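As an added example (not code from the question, from Breakpad or from gdb), the script below parses constructed, abridged copies of the two traces quoted above, lists the gdb frames that the minidump walk lacks, and flags every minidump frame whose "Found by:" method is a heuristic (frame-pointer chaining or stack scanning) rather than call frame info; frame-pointer chaining only sees functions that keep the rbp chain intact, so frames recovered that way are the first place to look when the two walkers disagree.

```python
import re
# Constructed, abridged copies of the two traces quoted in the question.
MINIDUMP_TRACE = """ 0  0xd000b1000d
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::dom::HTMLOptionsCollection_Binding::add [HTMLOptionsCollectionBinding.cpp : 165 + 0x1d]
    Found by: previous frame's frame pointer
 2  libxul.so!bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) [BindingUtils.cpp : 3296 + 0x9]
    Found by: call frame info
"""
GDB_TRACE = """#0  0x000055a17135b810 in  ()
#1  0x00007f23dd134dea in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) (this=0x55a1712a3550) at dom/base/nsINode.cpp:2631
#2  0x00007f23dd8b0e7f in mozilla::dom::HTMLOptionsCollection_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLOptionsCollection*, JSJitMethodCallArgs const&) (cx=0x55a16e7867e0) at HTMLOptionsCollectionBinding.cpp:165
#3  0x00007f23dd953158 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) (cx=0x55a16e7867e0) at BindingUtils.cpp:3296
"""
# Breakpad recovery methods that are heuristics rather than unwind tables (CFI).
HEURISTIC_METHODS = ("previous frame's frame pointer", "stack scanning")

def qualified_name(symbol):
    """Reduce a symbol to its namespace-qualified function name, or '??'."""
    head = re.split(r"[<(]", symbol, 1)[0]  # drop template args and parameter list
    tokens = head.split()                    # drop the return type, if any
    if not tokens or not re.fullmatch(r"[A-Za-z_][\w:~]*", tokens[-1]):
        return "??"                          # raw address or empty symbol
    return tokens[-1]

def parse_minidump(text):
    """Frames from minidump_stackwalk output, each with its 'Found by:' method."""
    frames = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(?:\S+!)?(.+?)(?:\s+\[[^\]]*\])?\s*$", line)
        if m:
            frames.append({"func": qualified_name(m.group(2)), "found_by": ""})
        elif frames and line.strip().startswith("Found by:"):
            frames[-1]["found_by"] = line.split(":", 1)[1].strip()
    return frames

def parse_gdb(text):
    """Function names from a gdb 'bt' listing, in frame order."""
    names = []
    for line in text.splitlines():
        m = re.match(r"^#\d+\s+(?:0x[0-9a-fA-F]+ in )?(.*)$", line)
        if m:
            names.append(qualified_name(m.group(1)))
    return names

def compare(minidump_text, gdb_text):
    """gdb frames absent from the minidump walk, and minidump frames found heuristically."""
    md = parse_minidump(minidump_text)
    md_names = {f["func"] for f in md}
    missing = [n for n in parse_gdb(gdb_text) if n != "??" and n not in md_names]
    heuristic = [f["func"] for f in md if f["found_by"] in HEURISTIC_METHODS]
    return {"missing_from_minidump": missing, "heuristic_frames": heuristic}
```

Running compare(MINIDUMP_TRACE, GDB_TRACE) reports nsINode::ReplaceOrInsertBefore as missing from the minidump and HTMLOptionsCollection_Binding::add as the frame that Breakpad recovered by frame-pointer chaining.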
