From: Martin Str|mberg <ams AT ludd DOT luth DOT se>
Message-Id: <200001061534.QAA06152@father.ludd.luth.se>
Subject: Re: The endless int31 hooking debugging continued
To: eliz AT is DOT elta DOT co DOT il (Eli Zaretskii)
Date: Thu, 6 Jan 100 16:34:54 +0100 (MET)
Cc: djgpp AT delorie DOT com (DJGPP)
In-Reply-To: <Pine.SUN.3.91.1000106120145.20220H-100000@is> from Eli Zaretskii at "Jan 6, 0 12:02:18 pm"
X-Mailer: ELM [version 2.4ME+ PL15 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Reply-To: djgpp AT delorie DOT com
Errors-To: dj-admin AT delorie DOT com
X-Mailing-List: djgpp AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Precedence: bulk

According to Eli Zaretskii:
> On Wed, 5 Jan 100, Martin Str|mberg wrote:
> > I've
> > tried pushing things to be able to restore them, but then I've got
> > some _really_ strange crashes (Invalid opcode, Stack fault, EIP
> > pointing into the middle of an instruction)!
> 
> I don't think it's because of the pushing, but please show the code
> which did that.

Ok, here's a strange one:
F:\HACKERY\DPMI_SEL>simple7.exe
cs = a7, ds = af, ss= af.
got interrupt vector
Page Fault cr2=10000004 at eip=ff63; flags=3086
eax=000000af ebx=00000014 ecx=00000012 edx=00000000 esi=000065c4 edi=000142d4
ebp=0000000e esp=0000ff88 cs=2b ds=af es=1 fs=8f gs=bf ss=af error=0004

This is so bad it hangs the computer (C-A-D did reboot it).


Disassembling gives:
    ff4d:       50              pushl  %eax
    ff4e:       84 c9           testb  %cl,%cl
    ff50:       0f 94 c0        sete   %al
    ff53:       88 85 98 fd ff  movb   %al,0xfffffd98(%ebp)
    ff58:       ff
    ff59:       0f b6 85 98 fd  movzbl 0xfffffd98(%ebp),%eax
    ff5e:       ff ff
    ff60:       50              pushl  %eax
    ff61:       52              pushl  %edx
    ff62:       8b b5 b0 fd ff  movl   0xfffffdb0(%ebp),%esi
    ff67:       ff
    ff68:       46              incl   %esi
    ff69:       56              pushl  %esi
    ff6a:       e8 25 fa ff ff  call   f994 <_glob2>
    ff6f:       89 c2           movl   %eax,%edx
    ff71:       83 c4 10        addl   $0x10,%esp
    ff74:       83 fa 03        cmpl   $0x3,%edx
    ff77:       0f 84 de fc ff  je     fc5b <L116>
    ff7c:       ff
    ff7d:       ff 0d 9c 6d 01  decl   0x16d9c
    ff82:       00
    ff83:       eb 68           jmp    ffed <L94>
    ff85:       8d 76 00        leal   0x0(%esi),%esi

0000ff88 <L106>:
    ff88:       f6 85 f1 fe ff  testb  $0x10,0xfffffef1(%ebp)
    ff8d:       ff 10

This seems to be in glob2.

It sure looks like I destroy the stack severly. But I don't see (in my
code) that I do.


----- Start of simple7.c. -----
#include <dpmi.h>
#include <go32.h>
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <crt0.h>

int _crt0_startup_flags = _CRT0_FLAG_LOCK_MEMORY;

__dpmi_paddr old_addr, new_addr;

void handler (void);
void handler_end (void);

char chain_str[] = "Chaining.\n\r";

unsigned short my_ds, org_ss;
unsigned int org_eax;

__asm__ (".globl _handler
_handler:

/* Save  registers. */
        pushl %eax
        pushl %ds
        pushl %es

/* Restore segments to valid DJGPP state. */
        pushl %eax
        movw %cs:_my_ds, %ax
        movw %ax, %ds
        popl %eax
        movl %eax, _org_eax
        movw %ss, %ax
        movw %ax, _org_ss
        movw _my_ds, %ax
        movw %ax, %es
        movw %ax, %ss
        movl _org_eax, %eax

/* Jump to previous handler. */
chain:
        pusha
        pushf
        pushl $_chain_str
        call _cputs
        addl $4, %esp
        popf
        popa

        movw _org_ss, %ax
        movw %ax, %ss
        popl %es
        popl %ds
        popl %eax
        ljmp %cs:_old_addr

        .globl _handler_end
_handler_end:
        nop");

int
main (void)
{
  int selector;
  __dpmi_paddr tmp_addr;

  my_ds = _my_ds();

  printf("cs = %hx, ds = %hx, ss= %hx.\n", _my_cs(), _my_ds(), _my_ss());

  if (__dpmi_get_protected_mode_interrupt_vector (0x31, &old_addr))
    {
      fprintf (stderr, "can not get interrupt\n");
      exit (EXIT_FAILURE);
    }

  printf ("got interrupt vector\n");

  new_addr.selector = _my_cs ();
  new_addr.offset32 = (unsigned long) handler;
  if (__dpmi_set_protected_mode_interrupt_vector (0x31, &new_addr))
    {
      fprintf (stderr, "can not set interrupt\n");
      exit (EXIT_FAILURE);
    }

  printf ("set interrupt vector\n");

  selector = __dpmi_allocate_ldt_descriptors (1);
  if (selector == -1)
    fprintf (stderr, "can not allocate selector\n");
  else
    __dpmi_free_ldt_descriptor (selector);

  printf ("allocated LDT descriptor?\n");

  while (__dpmi_get_protected_mode_interrupt_vector (0x31, &tmp_addr)
         || (tmp_addr.selector != new_addr.selector)
         || (tmp_addr.offset32 != new_addr.offset32)
         || __dpmi_set_protected_mode_interrupt_vector (0x31, &old_addr))
    {
      fprintf (stderr, "can not restore interrupt\n");
      system ("");
    }

  printf ("restored interrupt vector\n");

  return EXIT_SUCCESS;
}

/*
   Local Variables:
   compile-command: "gcc -g -O2 -Wall -o simple7 simple7.c"
   End:
   */
----- End of simple7.c. -----