| 932 | self.at_sysinfo_ehdr = value |
| 933 | |
| 934 | def _parse_stack(self): |
| 935 | # Get a copy of the stack mapping |
| 936 | stack = self.stack |
| 937 | |
| 938 | if not stack: |
| 939 | return |
| 940 | |
| 941 | # If the stack does not end with zeroes, something is very wrong. |
| 942 | if not stack.data.endswith(b'\x00' * context.bytes): |
| 943 | log.warn_once("End of the stack is corrupted, skipping stack parsing (got: %s)", |
| 944 | enhex(self.data[-context.bytes:])) |
| 945 | return |
| 946 | |
| 947 | # AT_EXECFN is the start of the filename, e.g. '/bin/sh' |
| 948 | # Immediately preceding is a NULL-terminated environment variable string. |
| 949 | # We want to find the beginning of it |
| 950 | if not self.at_execfn: |
| 951 | address = stack.stop |
| 952 | address -= 2*self.bytes |
| 953 | address -= 1 |
| 954 | address = stack.rfind(b'\x00', None, address) |
| 955 | address += 1 |
| 956 | self.at_execfn = address |
| 957 | |
| 958 | address = self.at_execfn-1 |
| 959 | |
| 960 | |
| 961 | # Sanity check! |
| 962 | try: |
| 963 | if stack[address] != b'\x00': |
| 964 | log.warning("Error parsing corefile stack: Could not find end of environment") |
| 965 | return |
| 966 | except ValueError: |
| 967 | log.warning("Error parsing corefile stack: Address out of bounds") |
| 968 | return |
| 969 | |
| 970 | # address is currently set to the NULL terminator of the last |
| 971 | # environment variable. |
| 972 | address = stack.rfind(b'\x00', None, address) |
| 973 | |
| 974 | # We've found the beginning of the last environment variable. |
| 975 | # We should be able to search up the stack for the envp[] array to |
| 976 | # find a pointer to this address, followed by a NULL. |
| 977 | last_env_addr = address + 1 |
| 978 | p_last_env_addr = stack.find(pack(last_env_addr), None, last_env_addr) |
| 979 | if p_last_env_addr < 0: |
| 980 | # Something weird is happening. Just don't touch it. |
| 981 | log.warn_once("Error parsing corefile stack: Found bad environment at %#x", last_env_addr) |
| 982 | return |
| 983 | |
| 984 | # Sanity check that we did correctly find the envp NULL terminator. |
| 985 | envp_nullterm = p_last_env_addr+context.bytes |
| 986 | if self.unpack(envp_nullterm) != 0: |
| 987 | log.warning("Error parsing corefile stack: Could not find end of environment variables") |
| 988 | return |
| 989 | |
| 990 | # We've successfully located the end of the envp[] array. |
| 991 | # |